Week 1: Notes on PGP – Pretty Good Privacy, GPG, WOT [0/3]

Most of these notes were written on the go, while implementing things, following tutorials and articles online. However, they have also been subsequently refined and re-organised to aid in clarity and provide some level of organisation.

Personal notes:

  1. While I’ve documented many projects in the past, and had some exposure to PGP and using GPG – the guidance and push from has for lack of better words: provided a sense of purpose and contentment. This in turn has calmed my mind and reassured me that writing down a procedure in detail, especially in a reproducible format is a worthy practice.
  2. These notes are recorded in Org mode documents in Emacs, i.e literate programming was deployed to record code, notes, tasks and reminders and much more, by virtue of using Emacs. The notes are a part of a mind mapping system available via the org-brain package.

Summary / Review [1/7]

The summary covers close to a week’s work I guess, starting from my induction into .

  1. Created a new GPG key pair.
  2. Made progress in learning the fundamentals of PGP and the keypair concept.
  3. Published public key on MIT’s keyserver
  4. Connected with , , etc on IRC. (started setting my brain on fire?)
  5. Setup Weechat, to stay connected to IRC continuously as a session in a tmux server on my VPS hosted on Linode.
  6. Setup Emacs to run as a daemon, connected via emacsclient on tmux.
  7. Started reading up blog articles and got introduced to V.
  8. Short exploration on pingbacks and the general difficulty in implementing this in a static blog.
  9. Started preparing to setup a LEMP stack on the VPS and host my website there.
  10. Vague plans of using V to version control all my files.
  11. Got connected to younghands.club
  12. Improved happiness and content levels by increased engagement with brilliant people ?
  13. [ ] Need to improve reading and retention rate on complex topics in trilema, ossasepia and others on the blogroll.
  14. [ ] Must learn more about eulora. I had planned to setup on the mac last weekend and did not get to it.
  15. [ ] Must look into asciilifeform‘s implementation of v.py (V versioning system) and formulate a plan of action. At first look, I have absolutely not an inkling of what is going on, and I am worried it will take a lifetime to do this.
  16. [ ] a clear way to transfer private keys between computers ?
  17. [ ] Failed at installing necessary R libraries on the VPS to test UMAP. This could be because of lack of RAM.
  18. [X] Setup org2blog package to publish posts quickly from Emacs.
  19. [ ] Learn more about how org2blog actually works.

Some things I wish I was better at:

  1. rapidly deploying remote servers with my config.
  2. understanding of security and firewall setup.
  3. quickly sharing encrypted files with anybody via posting it on my server.
  4. dockerising the whole thing
  5. understanding of software architecture.

[2019-07-23 Tue] Note: I tried to publish my first post on younghands.club. However, it was extremely cumbersome for the page loading, and subsequent handling, editing the draft etc. I need to investigate the reason behind this behavior and revert findings to diana_coman.

Perhaps by virtue of using Emacs, my tolerance for a slow interface appears to have become extremely low. In any case, I’ve just setup org2blog and am able to directly control any publishing (posts/pages/tags etc) from within Emacs (with a single key press).

Init. [0/1]

  • Background
    • PGP: pretty good privacy.
    • OpenPGP : internet standard. Commonly used for email encryption.
    • GPG : GNU Privacy Guard: software tool that implements the openPGP standard
    • PGP : owned by Symantec.
  • ExpressVPN link : article about PGP.
  • used to encrypt text, files, entire disks.
  • encryption basically converts plaintext (readable) to a ciphertext (unreadable)
  • purpose: keep data content private and ensure authenticity of all communication and files.
  • Exact opposite of keeping you anonymous. Basically digital proof that I wrote a statement or reviewed a file.
  • Need to create a public and private key
  • private key stays on the computer.
  • public key can be safely uploaded to the web.
  • caution is needed to not mix up the (public/private) keys.
  • public key is used to lock or encrypt
  • private key is used to unlock or decrypt

Essentially: if I am sending an email to somebody, I would encrypt it using his public key. This means that he can decrypt it only if he has a corresponding private key.

While generating a key, use the command :

gpg --full-gen-key

to get the detailed list of options to customise the key including the key size. For example, in Debian, it seems to assume a default and possibly arbitrary value of 3096. I’ve chosen 4096. There is supposedly a negligible performance difference in daily use, but it is not definitive.

  • biggest current problem is verifying that a public key belongs to you.
  • somebody with my private key can post as me.
  • Web of trust: method to solve this problem.
    • The idea is that perhaps a trusted friend of yours has met you.
  • create a PGP key and back it up.
  • expressVPN recommends > 2-3 years as expiration.
  • use the maximum size possible (4096?) and at least 2048 bits.
  • revocation certificate
    • This can be left public if desired. Essentially a certificate used to revoke a public key.
  • Signing files: options are
    • encrypt + sign
    • encrypt
    • sign (endings are usually .asc or .sig)
      • gpg --verify file.sig
      • PGP key of the signatory is required to verify the signature.
      • knowing who encrypted the file may be valuable to know. Anonymity will require creating new PGP keys for each person.
  • possible to upload PGP key to facebook and receive all updates and notifications in encrypted form.
  • PGP not designed to protect metadata.
    • metadata can include file names, headers, sizes, creation dates etc.
    • PGP does not encrypt names of files or headers of emails.
  • Good practices
    • encrypt key with a strong password
    • use multiple keys in multiple situations.
    • regularly replace PGP keys.
  • [ ] zero access encryption (?)
  • Freecodecamp article link
  • Beginner’s guide to PGP link
  • PGP certificate: public key with extra data attached to aid verification that the key belongs to you.
  • A GPG key contains a primary keypair and a subkeypair. The primary keypair is used for signing. The subkeypair is used for encryption. Other people’s encrypted messages are encrypted to the public subkey. The private subkey is used to decrypt messages.
  • You will be able to see that the short key ID in the decryption output is not that of the main public key. This short key ID will be visible in the output of gpg --list-keys as the short key ID of the subkey of the main public key.
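
The primary/subkey split described above can be read straight from gpg's machine-readable listing. This is an added example, not part of the original notes; the helper names key_roles and encryption_keyid are hypothetical, and the sample listing is constructed with made-up key IDs.

```sh
#!/bin/sh
# Added example, not from the original notes. SAMPLE_LISTING is constructed:
# the key IDs and fingerprints are made up. A real listing comes from
#   gpg --list-keys --with-colons your_email@address.com
SAMPLE_LISTING='pub:u:4096:1:AAAA1111BBBB2222:1563580800:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF01234567AAAA1111BBBB2222:
uid:u::::1563580800::::Example User <user@example.org>::::::::::0:
sub:u:4096:1:CCCC3333DDDD4444:1563580800::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA98CCCC3333DDDD4444:'

# key_roles (hypothetical helper): read a colon listing on stdin and print
# "<record> <key id> <roles>" for the primary key (pub) and each subkey (sub).
# Field 5 is the 16-hex key ID, field 12 the capabilities. Lowercase letters
# describe that key itself (s=sign, c=certify, e=encrypt, a=authenticate);
# the uppercase letters on the pub line summarise the whole key and are ignored.
key_roles() {
    awk -F: '
        $1 == "pub" || $1 == "sub" {
            roles = ""
            if ($12 ~ /s/) roles = roles "sign,"
            if ($12 ~ /c/) roles = roles "certify,"
            if ($12 ~ /e/) roles = roles "encrypt,"
            if ($12 ~ /a/) roles = roles "authenticate,"
            sub(/,$/, "", roles)
            print $1, $5, roles
        }'
}

# encryption_keyid (hypothetical helper): the key ID that senders encrypt to,
# which is the ID gpg names when it decrypts a message.
encryption_keyid() {
    key_roles | awk '$3 ~ /encrypt/ { print $2; exit }'
}

printf '%s\n' "$SAMPLE_LISTING" | key_roles
echo "messages are encrypted to: $(printf '%s\n' "$SAMPLE_LISTING" | encryption_keyid)"
```
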

http://edgecasesoftware.com/articles/basic_gpg_commands

Notes on key Management [0/1]

  • susceptibility to man-in-the-middle attack
  • somebody could ensure that the wrong public key is used to encrypt the information.
  • somebody could intercept your network traffic, supply the wrong public key, decrypt the message and then use the intended public key to send across an altered message.
  • it becomes harder when multiple IPs are used to download the public key.
  • Web of trust (WOT): use your private key, as a member of WoT to sign somebody else’s public key saying that you know the person.
  • [ ] how can I secure my key and transfer it at need between different computers.
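
The substituted-key risk in the list above is why a downloaded key's full fingerprint should be compared with one obtained over a separate channel before the key is imported. The check below is an added example, not part of the original notes; primary_fpr and fpr_matches are hypothetical helpers, and the key listing and fingerprints are constructed.

```sh
#!/bin/sh
# Added example, not from the original notes. DOWNLOADED_KEY is constructed
# (made-up fingerprints). For a real key file, the listing comes from
#   gpg --show-keys --with-colons --with-fingerprint downloaded.asc
DOWNLOADED_KEY='pub:-:4096:1:AAAA1111BBBB2222:1563580800:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF01234567AAAA1111BBBB2222:
uid:-::::1563580800::::Example User <user@example.org>::::::::::0:
sub:-:4096:1:CCCC3333DDDD4444:1563580800::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA98CCCC3333DDDD4444:'

# primary_fpr (hypothetical helper): the first fpr record belongs to the
# primary key; field 10 holds the fingerprint.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# fpr_matches EXPECTED (hypothetical helper): read a colon listing on stdin and
# succeed only if its primary fingerprint equals EXPECTED. Returns 2 when
# EXPECTED is not a full 40-hex fingerprint, so short key IDs are refused.
fpr_matches() {
    # Drop the spaces gpg prints between groups and fold to upper case.
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$expected" in
        *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2
    actual=$(primary_fpr)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Fingerprint as received over a separate channel (constructed value).
EXPECTED='0123 4567 89AB CDEF 0123  4567 AAAA 1111 BBBB 2222'

if printf '%s\n' "$DOWNLOADED_KEY" | fpr_matches "$EXPECTED"; then
    echo "fingerprint matches the out-of-band copy"
else
    echo "fingerprint mismatch or incomplete: do not import" >&2
fi
```
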

WTF is Deedbot ??

  • Note taken on [2019-07-23 Tue 09:16]
    Deedbot is likely to be a bot that makes it easier to manage registration of public keys and identities in the web of trust. I bet it does a lot of other things too.

How to import a key

--import command is common for public and private keys.

For me to communicate a private message with somebody, I will need their public key.

For those registered with Deedbot, it is possible to find the user's public key using their IRC nickname. The Deedbot help page is a useful reference for commands: http://deedbot.org/help.html

Message deedbot from any channel for the public key of a specified IRC handle.

/msg deedbot !!key shrysr
/msg deedbot !!key diana_coman

On the deedbot channel itself, it is sufficient to type !!key shrysr

This command to deedbot will in turn provide a url where the public key is available, and this should be imported. One way of doing this is to save the key into a file and import it with gpg.

On Emacs, I can just paste the key into a buffer and use EPA to import the keys from a region. Easy as pie.

Setting ultimate trust for an imported key: [0/1]

  1. List the keys
  2. Extract the ID
  3. Edit the key using gpg

This will list all the keys which have been imported into gpg. Note that 2 keys are mine, and there are 2 other keys, one of diana_coman and another from TheJollyRoge, who cleared up my confusions on .

Note: the key could be TheJollyRoge’s, or belong to somebody else.

gpg --list-keys

This reads the keys stored in the file pubring.kbx. This could vary from system to system. Note the trust levels shown as ultimate.

  • [ ] How can I import the known gpg keys to other computers?

List private or secret keys: As learned in an excellent explanation on , I understood that --list-secret-keys will list the public keys for which you possess the private key. So from the keys above, only my keys should be listed below.

gpg --list-secret-keys --fingerprint

Alternatively, use the fingerprint command to obtain the RSA number. Both --list-keys and fingerprint seem to provide the same details of output, except that fingerprint does not provide any spaces in the key, and is easier to copy.

gpg --fingerprint sr@eml.cc

I am experimenting with using different email addresses for different keys. This could help me identify them quickly, instead of extracting the key id repeatedly. These aliases can be created in fastmail and by default will arrive in the same inbox.

One annoying message that pops up is regarding an untrusted key. To trust a key : at the gpg prompt, type trust and set the ultimate setting. The gpg prompt is reached by the --edit-key command.

gpg --edit-key key_id

Sending the public key to a server

Replace key_id with your own.

# gpg --send-keys --keyserver pgp.mit.edu key_id
gpg --send-keys --keyserver pgp.mit.edu 211A199BC99152DEFA326D792E4554DE8D51E8D9

Exporting your key to share with someone:

The generated file mygpg.key is the public key that can be shared with anyone. The email address will help specify the target key. In all the commands below, your_email@address.com can be replaced with the key.

gpg --output ~/mygpg.key --armor --export your_email@address.com

The same can be done with the private key. Now mygpg.key is the private key. This can be used for import purposes on another machine.

gpg --output ~/mygpg.key --armor --export-secret-keys [your_email@address.com/key]

Beware of exporting a private key.

Deleting keys

  • gpg --delete-keys for public keys
  • gpg --delete-secret-keys for private keys

Making Encryption easy with Emacs

  • Note taken on [2019-07-20 Sat 18:25]
    I need to find a way to decrypt files that are provided as links on the web. This would make it easier to share encrypted content.

M-x epa* is your friend. Just start typing epa to find a list of commands. With this I can import / delete keys, encrypt and decrypt files right from emacs, almost eliminating the need to remember the verbose gpg commands. This is actually very convenient.

I can select the required key when I choose to encrypt a file. I can also choose a particular key as default, if desired within Emacs.

Technically, it is already a lot easier with GUI based tools for typical operations. This is as easy as right click on a file and choose to encrypt. I must have installed the software sometime back, because it was already available on my mac.

As of now, when I find a public key I want to import, I just copy it into a scratch buffer in Emacs and call epa-import-keys-region. I’ve just imported trilema‘s public key to reinforce the concept. I can send him an encrypted message.

WOT Web of Trust [0/2]

References:[0/1]

  • [ ] TBH: I did a lot of link hopping, and multi-tasking while compiling these live notes. This is probably a fraction of the web pages I actually covered. I need to improve on the procedure of religiously collecting my references.
  • http://edgecasesoftware.com/articles/basic_gpg_commands : This is a nice reference for gpg commands, and the website also contains guides to getting up on WOT. I made these notes, intending them to cover some areas edgecasesoftware did not.
