Compare commits
No commits in common. "4287dbbcc6c7efd586e1cb679a60abcd2b85d6f6" and "d2d26433a9b23c400d1a13af5b9effd06e60ffef" have entirely different histories.
4287dbbcc6
...
d2d26433a9
|
@ -2,6 +2,5 @@
|
||||||
|
|
||||||
## Instructions
|
## Instructions
|
||||||
|
|
||||||
1. Install [`marp-cli`](https://github.com/marp-team/marp-cli)
|
1. Install [`marp-cli`](#stagex:matrix.org)
|
||||||
2. Run `marp <file.md>` to create an html file
|
2. Run `marp <md_file.md>` to create an html file
|
||||||
3. Open file using browser
|
|
||||||
|
|
Binary file not shown.
Before Width: | Height: | Size: 27 KiB |
Binary file not shown.
Before Width: | Height: | Size: 29 KiB |
Binary file not shown.
Before Width: | Height: | Size: 76 KiB |
Binary file not shown.
Before Width: | Height: | Size: 704 KiB |
Binary file not shown.
Before Width: | Height: | Size: 13 KiB |
|
@ -1,233 +0,0 @@
|
||||||
# OpenPGP Workshop
|
|
||||||
|
|
||||||
[important reference](img/iceberg.png)
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## What is OpenPGP
|
|
||||||
|
|
||||||
* OpenPGP is an open standard for encrypting and decrypting data, as well as
|
|
||||||
creating and managing digital signatures.
|
|
||||||
|
|
||||||
* It is based on the PGP (Pretty Good Privacy) protocol, which was originally
|
|
||||||
developed by Phil Zimmermann in the 1990s.
|
|
||||||
|
|
||||||
* Uses asymmetric / public key cryptography
|
|
||||||
|
|
||||||
<!--
|
|
||||||
What are some useful ways we can use OpenPGP:
|
|
||||||
* Email encryption and signing
|
|
||||||
* Signing git commits
|
|
||||||
* SSH
|
|
||||||
* Password management
|
|
||||||
-->
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Implementations
|
|
||||||
|
|
||||||
* GPG
|
|
||||||
* Gnu Privacy Guard
|
|
||||||
* Best known and most widely used
|
|
||||||
* Great starting point
|
|
||||||
|
|
||||||
* There are lots of other implementations of OpenPGP:
|
|
||||||
* https://www.openpgp.org/software/developer/
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## How Does It Work?
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Encrypt / Decrypt
|
|
||||||
|
|
||||||
![Encryption vs Decryption diagram](img/encrypt-decrypt.png)
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Sign / Verify
|
|
||||||
|
|
||||||
![Signing vs Verifying diagram](img/sign-verify.png)
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Diffie Helman Key Exchange
|
|
||||||
|
|
||||||
![Diffie Helman Key Exchange diagram](img/diffie-helman.png)
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## OpenPGP Anatomy
|
|
||||||
|
|
||||||
* Many components but key ones are:
|
|
||||||
* Public Key
|
|
||||||
* Private Key
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Let's Try It!
|
|
||||||
|
|
||||||
* Most OS come with GPG pre-installed (not Windows!)
|
|
||||||
|
|
||||||
* `gpg --version`
|
|
||||||
* `man gpg`
|
|
||||||
* **THESE FOLLOWING KEYS WILL NOT BE SECURE, DO NOT USE THEM FOR ANYTHING OTHER THAN THIS EXERCISE!**
|
|
||||||
* Generate keypair: `gpg --expert --full-gen-key`
|
|
||||||
* 1, 4096, Enter (3072), Enter (0), y, "Test Key", <your_email>, Enter (""), O, "password1"
|
|
||||||
* Use a unique email otherwise you will have issues with the exercise that follows
|
|
||||||
* During generation, **mash input devices for added entropy**
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Test Your GPG Key
|
|
||||||
|
|
||||||
* `gpg --list-keys`
|
|
||||||
* `echo "super secret text" > test.txt && cat test.txt`
|
|
||||||
* `gpg --encrypt --recipient <email/ID> test.txt`
|
|
||||||
* `gpg -er <email/ID> <filename> && cat test.txt.gpg`: notice it's a binary
|
|
||||||
* You can use `--armor/-a` to encode it as ASCII so you can send the encrypted data as text
|
|
||||||
* `gpg --armor -er <email/ID> test.txt && cat test.txt.asc`
|
|
||||||
* `rm test.txt && ls`
|
|
||||||
* `gpg --decrypt test.txt.gpg > test.txt`
|
|
||||||
* `gpg --decrypt test.txt.asc > test.txt`
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Sharing Your Public Key 🔑
|
|
||||||
|
|
||||||
* `gpg --list-keys`
|
|
||||||
* `gpg --export --armor <email/ID> > <name>.asc`
|
|
||||||
* `gpg --import <name>.asc`
|
|
||||||
|
|
||||||
* Task: pair up and exchange your keys, encrypt data to each other, then decrypt the message so you can tell your partner the contents of the message
|
|
||||||
* Tip: you may encrypt the data to multiple people
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Verifying Signatures 📝
|
|
||||||
|
|
||||||
* Go to: https://www.qubes-os.org/downloads/
|
|
||||||
* Download:
|
|
||||||
* Qubes-R*.iso
|
|
||||||
* Cryptographic hash values
|
|
||||||
* Detached PGP signature
|
|
||||||
* Qubes release signing key
|
|
||||||
|
|
||||||
* They have a guide that's worth reading: https://www.qubes-os.org/security/verifying-signatures/
|
|
||||||
* Task: verify the signatures for the software are valid
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Solution
|
|
||||||
|
|
||||||
* `gpg --import qubes-release-*`: import qubes signing key
|
|
||||||
* `gpg --verify *.DIGESTS`: verify signature
|
|
||||||
* `sha256sum -c Qubes-<...>.iso.DIGESTS`: verify hashes match
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Secure Key Management 🔒
|
|
||||||
|
|
||||||
* You should assume your computer is compromised
|
|
||||||
|
|
||||||
* How do we protect the GPG private key?
|
|
||||||
|
|
||||||
* Never expose them to an untrusted environment
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Basic: On-board generation:
|
|
||||||
* YubiKey offers generating keys inside of the YubiKey
|
|
||||||
* Cryptographic attestation keys were never exposed available: https://developers.yubico.com/PGP/Attestation.html
|
|
||||||
* CON: can't back up the keys
|
|
||||||
* PRO: simple setup
|
|
||||||
|
|
||||||
---
|
|
||||||
## Advanced - cold / virtualization
|
|
||||||
|
|
||||||
* Can use `gpg` / `sq` / `keyfork` to derive
|
|
||||||
|
|
||||||
* Key is to derive keys in a secure environment:
|
|
||||||
* Airgapped system (preferred)
|
|
||||||
* [AirgapOS](https://git.distrust.co/public/airgap): A full-source-bootstrapped, deterministic, minimal, immutable, and offline, workstation linux distribution designed for creating and managing secrets offline.
|
|
||||||
* Virtual machine on a hypervisor via hardware virtualization (ok for some threat models)
|
|
||||||
|
|
||||||
* [Hashbang GPG Guide](https://book.hashbang.sh/docs/security/key-management/gnupg/): helpful guide for GPG - good resource for beginners who want to do the advanced setup
|
|
||||||
|
|
||||||
* [openpgp-card-tools](https://codeberg.org/openpgp-card/openpgp-card-tools): great for loading keys onto smart cards
|
|
||||||
* Can use a variety of smart cards: NitroKey3, SoloKey, Yubikey
|
|
||||||
* NitroKey and SoloKey are fully open which is great for verifiability - may requires flashing firmware
|
|
||||||
|
|
||||||
* [Quorum Key Management](https://docs.distrust.co/qkm/)
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Backup Trick 🧙
|
|
||||||
|
|
||||||
* Generate long lived keys
|
|
||||||
|
|
||||||
* Load them onto smart card
|
|
||||||
|
|
||||||
* Take plaintext key data and put it in a dir
|
|
||||||
|
|
||||||
* Encrypt the dir to your public key
|
|
||||||
|
|
||||||
* Delete keys so that only ones that remain are on smart cards (recommended to have at least 2 or 3, for redundancy)
|
|
||||||
|
|
||||||
* Smart cards have a "brick" after x attempts feature
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## SSH Usage
|
|
||||||
|
|
||||||
* OpenPGP keys can be used for SSH as well 🪄:
|
|
||||||
* `gpg --export-ssh-key <email/keyID>`
|
|
||||||
|
|
||||||
* Set up shell to use smart card for ssh:
|
|
||||||
```
|
|
||||||
# always use smart card for ssh
|
|
||||||
unset SSH_AGENT_PID
|
|
||||||
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
|
|
||||||
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
|
|
||||||
fi
|
|
||||||
```
|
|
||||||
---
|
|
||||||
|
|
||||||
## Git Usage
|
|
||||||
|
|
||||||
* You can sign commits using OpenPGP / GPG
|
|
||||||
|
|
||||||
```~/.bashrc
|
|
||||||
GPG_TTY=$(tty)
|
|
||||||
export GPG_TTY
|
|
||||||
```
|
|
||||||
|
|
||||||
```~/.gitconfig
|
|
||||||
[user]
|
|
||||||
email = <email>
|
|
||||||
name = <name>
|
|
||||||
signingKey = <key_id>
|
|
||||||
[commit]
|
|
||||||
gpgSign = true
|
|
||||||
[merge]
|
|
||||||
gpgSign = true
|
|
||||||
[gpg]
|
|
||||||
program = gpg
|
|
||||||
```
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Further Studies
|
|
||||||
|
|
||||||
* [keyoxide](https://keyoxide.org/): decentralized tool to create and verify decentralized online identities
|
|
||||||
|
|
||||||
* [pass](https://www.passwordstore.org/): Unix based `gpg` password manager
|
|
||||||
|
|
||||||
* [OpenPGP for application developers](https://openpgp.dev/book/): Deep dive on OpenPGP
|
|
||||||
|
|
||||||
* [Sequoia](https://sequoia-pgp.org/): alternate OpenPGP implementation in rust
|
|
||||||
|
|
||||||
* [openpgp-card](https://codeberg.org/openpgp-card)
|
|
||||||
* [openpgp-card-tools](https://codeberg.org/openpgp-card/openpgp-card-tools)
|
|
||||||
* [ssh-agent](https://codeberg.org/openpgp-card/ssh-agent)
|
|
Loading…
Reference in New Issue