The GNU Privacy Handbook (1999)

gnupg.org

90 points by wieczorek1990 9 years ago · 16 comments

lucastx 9 years ago

For a much more gentle (and illustrated) introduction to public-key encryption, GnuPG and how to use it with email (Thunderbird + Enigmail), see FSF's Email Self-Defense:

https://emailselfdefense.fsf.org/

Tactical Tech's Security in-a-Box has more detailed, step-by-step, multiple platform guides for the same tools:

https://securityinabox.org/en/guide/thunderbird/windows

https://securityinabox.org/en/guide/thunderbird/linux

https://securityinabox.org/en/guide/thunderbird/os-x

peatmoss 9 years ago

I've been meaning to write up the adventure I had setting up my Yubikey 4 together with GnuPG. Most of my work was cribbed off of this guide: https://www.jfry.me/articles/2015/gpg-smartcard/

But there were some important differences. Newer GnuPG versions have simplified how gpg-agent takes the place of ssh-agent. Nowadays, it's enough to create an SSH_AUTH_SOCK environment variable that points to ~/.gnupg/S.gpg-agent.ssh

Also, I found the air-gapped system setup described there and elsewhere to be excessively difficult. Far and away the easiest way to create an air-gapped key generating machine was to install OpenBSD to a USB key (you can boot the mini install image and overwrite the same device). Installing the gpg2 package gives you a complete gnupg environment for interacting with OpenPGP smart cards. By contrast, there were a bunch of packages to install with Ubuntu / Debian.

It was a little hairy to set up in total, but I really love my Yubikey-mediated GPG setup. I also now use password-store for passwords, complete with dmenu integration.

I'm not super happy that the Yubikey 4 isn't 100% open hardware though. If someone has a recommendation for something that is, and supports 4096 bit keys, I'd gladly hear it.
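Added example, not from peatmoss's comment and not GnuPG's own code: a POSIX shell script that wires ssh to gpg-agent the way the comment describes. It assumes GnuPG 2.1 or later. The fixed socket path ~/.gnupg/S.gpg-agent.ssh from the comment is used as a fallback; releases from 2.1.13 on may place the socket under /run/user/<uid>/gnupg instead, so the script asks gpgconf first. The function names (gpg_home, enable_ssh_support, gpg_ssh_socket, profile_snippet) are hypothetical.

```shell
#!/bin/sh
# Added example, not from the HN thread or from GnuPG's own docs: make ssh use
# gpg-agent instead of ssh-agent. Assumes GnuPG 2.1+; function names are
# hypothetical.

gpg_home() {
    printf '%s\n' "${GNUPGHOME:-$HOME/.gnupg}"
}

# Idempotently turn on gpg-agent's ssh-agent emulation.
enable_ssh_support() {
    home=$(gpg_home)
    mkdir -p "$home"
    chmod 700 "$home"
    conf="$home/gpg-agent.conf"
    touch "$conf"
    grep -qx 'enable-ssh-support' "$conf" || echo 'enable-ssh-support' >> "$conf"
}

# Where gpg-agent listens for ssh clients. Since 2.1.13 gpgconf reports the
# path (it may live under /run/user/<uid>/gnupg); older versions use the
# fixed ~/.gnupg/S.gpg-agent.ssh mentioned in the comment.
gpg_ssh_socket() {
    sock=
    if command -v gpgconf >/dev/null 2>&1; then
        sock=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null) || sock=
    fi
    [ -n "$sock" ] || sock="$(gpg_home)/S.gpg-agent.ssh"
    printf '%s\n' "$sock"
}

# Lines for the login shell's profile: forget any ssh-agent pid, point
# SSH_AUTH_SOCK at gpg-agent, and tell the agent which tty pinentry should use.
profile_snippet() {
    printf 'unset SSH_AGENT_PID\n'
    printf 'export SSH_AUTH_SOCK="%s"\n' "$(gpg_ssh_socket)"
    printf 'gpg-connect-agent updatestartuptty /bye >/dev/null\n'
}

if [ "${1:-}" = "apply" ]; then
    enable_ssh_support
    gpgconf --kill gpg-agent            # restart so the new option is read
    profile_snippet >> "$HOME/.profile"
    eval "$(profile_snippet)"           # also apply to the current shell
    ssh-add -L                          # keys the agent now offers
fi
```

Run it with `apply` to change the live setup; without arguments it only defines the functions. Keys on an OpenPGP card are offered to ssh automatically once the card is present; a key file on disk has to be handed to the agent once with `ssh-add /path/to/key`, which records its keygrip in ~/.gnupg/sshcontrol.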

  • piplgobde 9 years ago

    There is NitroKey[0], which seemed to me like a good alternative to Yubikey, but I haven't ordered either yet so I can't say I have first-hand experience. But much luck if you decide to go with it, something I'm looking more and more into, especially since I too use password-store and it would be good having an easier to use setup that is still secure.

    [0] https://www.nitrokey.com/

    • robryk 9 years ago

      Nitrokey claims on their homepage that the firmware of the Storage version of NitroKey can be updated by software. This seems to mean that there's someone out there with a key that can sign arbitrary code that can be loaded as an update and gains access to the crypto material on the device.

      • Karunamon 9 years ago

        I had a look through their instructions and I'm not sure if there is a signing process that happens. You have to enable firmware access from the app, and then it's a bog standard DFU flash to load the new firmware.

        • robryk 9 years ago

          Does it require you to perform any physical actions on the dongle? If not, why can't I straightforwardly extract keys if I own the machine the dongle is attached to?

carlesfe 9 years ago

Wow, this is so old (1999) it's terrible. It recommends generating DSA keys.

Interesting as a historic artefact, but please don't follow this guide, search for something more recent.

Esau 9 years ago

Timely link, as I have been reading about GnuPG the last couple of days. I will say that I feel its use is a bit complicated, but I did find a nice guide at Riseup:

https://riseup.net/en/gpg-best-practices

tscs37 9 years ago

I'd advise against using this guide.

The DSA key recommendation is terrible, either go 4096 RSA or Ed25519/Curve25519.

Secondly, use whatever keyring manager your distro has available and that supports your keys and is nice to use. GPA is okay-ish and offers most options.

baby 9 years ago

first page: "You must also choose a key size. The size of a DSA key must be between 512 and 1024 bits". Definitely do not follow this guide nowadays :D

  • hkjgkjy 9 years ago

    Good ol' times. Wonder if one can make a Google query to get old keys, ripe for cracking
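Added example serving carlesfe's, tscs37's and baby's points above (the DSA recommendation, the 512 to 1024-bit range, and the "4096 RSA or Ed25519" advice); it is not from the thread and not GnuPG's own code. It is a shell function that audits a keyring listing in gpg's machine-readable `--with-colons` format, where field 3 is the key length, field 4 the OpenPGP public-key algorithm id (RFC 4880: 1 to 3 RSA, 16 Elgamal, 17 DSA, 18 ECDH, 19 ECDSA, 22 EdDSA) and field 17 the curve name, and flags the DSA and sub-2048-bit keys the old handbook would have produced. The sample listing is constructed (no real keys); `audit_keys`, `weak_key_count` and `SAMPLE_LISTING` are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the HN thread or from GnuPG. Audits the output of
#   gpg --with-colons --list-keys
# Field layout per GnuPG doc/DETAILS: $1 record type, $3 key length,
# $4 public-key algorithm (RFC 4880 ids), $5 key id, $17 curve name.

audit_keys() {
    awk -F: '
    BEGIN {
        name[1] = "RSA"; name[2] = "RSA"; name[3] = "RSA"
        name[16] = "Elgamal"; name[17] = "DSA"
        name[18] = "ECDH"; name[19] = "ECDSA"; name[22] = "EdDSA"
    }
    $1 == "pub" || $1 == "sub" {
        bits = $3 + 0; algo = $4 + 0; keyid = $5; curve = $17
        alg = (algo in name) ? name[algo] : "algo" algo
        size = (curve != "") ? curve : bits "-bit"
        why = ""
        if (algo == 17)
            why = "DSA is the 1999 handbook default; replace it"
        else if (algo == 16 && bits < 2048)
            why = "below 2048 bits"
        else if (algo >= 1 && algo <= 3 && bits < 2048)
            why = "below 2048 bits"
        verdict = (why != "") ? "WEAK" : "OK"
        printf "%s %s %s %s%s\n", verdict, keyid, alg, size, (why != "" ? ": " why : "")
    }'
}

# Constructed sample listing (not real keys): a 1999-style DSA/Elgamal pair,
# an RSA-4096 pair and an ed25519/cv25519 pair.
SAMPLE_LISTING='pub:u:1024:17:1234567890ABCDEF:936144000:::u:::scESC::::::23::0:
sub:u:1024:16:FEDCBA0987654321:936144000::::::e::::::23:
pub:u:4096:1:0011223344556677:1427932800:::u:::scESC::::::23::0:
sub:u:4096:1:7766554433221100:1427932800::::::e::::::23:
pub:u:256:22:AABBCCDDEEFF0011:1579046400:::u:::scESC:::::ed25519:23::0:
sub:u:256:18:1100FFEEDDCCBBAA:1579046400::::::e:::::cv25519:23:'

# Number of WEAK verdicts for a listing on stdin (0 when the keyring is clean).
weak_key_count() {
    audit_keys | grep -c '^WEAK' || true
}

if [ "${1:-}" = "live" ]; then
    gpg --with-colons --list-keys | audit_keys
else
    printf '%s\n' "$SAMPLE_LISTING" | audit_keys
fi
```

Run with `live` to audit the real keyring (`gpg --with-colons --list-keys | audit_keys` does the same), or pipe in `--list-secret-keys` output to check your own keys; the sample run flags the DSA primary key and its 1024-bit Elgamal subkey and passes the RSA-4096 and Curve25519 pairs.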

mark_l_watson 9 years ago

This 1999 article makes me feel old fashioned: I still use GnuPG from the command line, as detailed in this privacy manual. I also use encrypted file systems on my laptops, but when I need to communicate with customers and maintain the privacy of their materials, I still use ZIP and GnuPG.
