- While I’ve documented many projects in the past, and had some exposure to PGP and using GPG – the guidance and push from #ossasepia has for lack of better words: provided a sense of purpose and contentment. This in turn has calmed my mind and reassured me that writing down a procedure in detail, especially in a reproducible format is a worthy practice.
- These notes are recorded in Org mode documents in Emacs, i.e literate programming was deployed to record code, notes, tasks and reminders and much more, by virtue of using Emacs. The notes are a part of a mind mapping system available via the org-brain package.
Summary / Review
The summary covers close to a week’s work I guess, starting from my induction into #ossasepia.
- Created a new GPG key pair.
- Made progress in learning the fundamentals of PGP and the keypair concept.
- Published public key on MIT’s keyserver
- Connected with #gnupg, #ossasepia, #emacs etc on IRC. (started setting my brain on fire?)
- Setup Weechat, to stay connected to IRC continuously as a session in a tmux server on my VPS hosted on Linode.
- Setup Emacs to run as a daemon, connected via emacsclient on tmux.
- started reading up #ossasepia blog articles and got introduced to V.
- Short exploration on pingbacks the general difficulty in implementing this in a static blog.
- Started preparing to setup a LEMP stack on the VPS and host my website there.
- Vague plans of using V to version control all my files.
- Got connected to younghands.club
- Improved happiness and content levels by increased engagement with brilliant people ?
[ ]Need to improve reading and retention rate on complex topics in trilema, ossasepia and others on the blog role.
[ ]Must learn more about eulora. I had planned to setup on the mac last weekend and did not get to it.
[ ]Must look into
asciilifeform‘s implementation of v.py (V versioning system) and formulate a plan of action. At first look, I have absolutely not an inkling of what is going on, and I am worried it will take a lifetime to do this.
[ ]a clear way to transfer private keys between computers ?
[ ]Failed at installing necessary R libraries on the VPS to test UMAP. This could be because of lack of RAM.
[X]Setup org2blog package to publish posts quickly from Emacs.
[ ]Learn more about how org2blog actually works.
Somethings I wish I was better at:
- rapidly deploying remote servers with my config.
- understanding of security and firewall setup.
- quickly sharing encrypted files with anybody via posting it on my server.
- dockerising the whole thing
- understanding of software architecture.
Note: I tried to publish my first post on younghands.club. However, it was extremely cumbersome for the page loading, and subsequent handling, editing the draft etc. I need to investigate the reason behind this behavior and revert findings to
Perhaps by virtue of using Emacs, my tolerance for a slow interface appears to have become extremely low. In any case, I’ve just setup org2blog and am able to directly control any publishing (posts/pages/tags etc) from within Emacs (with a single key press).
- PGP: pretty good privacy.
- OpenPGP : internet standard. Commonly used for email encryption.
- GPG : GNU Privacy Guard: software tool that implements the openPGP standard
- PGP : owned by Symantec.
- ExpressVPN link : article about PGP.
- used to encrypt text, files, entire disks.
- encryption basically converts plaintext (readable) to a ciphertext (unreadable)
- purpose: keep data content private and ensure authenticity of all communication and files.
- Exact opposite of keeping you anonymous. Basically digital proof that I wrote a statement or reviewed a file.
- Need to create a public and private key
- private key stays on the computer.
- public key can be safely uploaded to the web.
- caution is needed to not mix up the (public/private) keys.
- public key is used to lock or encrypt
- private key is used to unlock or decrypt
Essentially: if I am sending an email to somebody, I would encrypt it using his public key. This means that he can decrypt it only if he has a corresponding private key.
While generating a key, use the command :
to get the detailed list of options to customise the key including the key size. For example, in Debian, it seems to assume a default and possibly arbitrary value of 3096. I’ve chosen 4096. There is supposely a negligible performance difference in daily use, but it is not definitive.
- biggest current problem is verifying that a public key belongs to you.
- somebody with my private key can post as me.
- Web of trust: method to solve this problem.
- The idea is that perhaps a trusted friend of yours has met you.
- create a PGP key and back it up.
- expressVPN recommends > 2-3 years as expiration.
- use the maximum size possible (4096?) and atleast 2048 bits.
- revocation certificate
- This can be left public if desired. Essentially a certificate used to revoke a public key.
- Signing files: options are
- enrypt + sign
- sign (endings are usually .asc or .sig)
gpg --verify file.sig
- PGP key of the signatory is required to verify the signature.
- knowing who encrypted the file may be valuable to know. Anonymity will require creating new PGP keys for each person.
- possible to upload PGP key to facebook and receive all updates and notifications in encrypted form.
- PGP not designed to protect metadata.
- metadata can include file names, headers, sizes, creation dates etc.
- PGP does not encrypt names of files or headers of emails.
- Good practices
- encrypt key with a strong password
- use multiple keys in multiple situations.
- regularly replace PGP keys.
[ ]zero access encryption (?)
- Freecodecamp article link
- Beginner’s guide to PGP link
- PGP certificate: public key with extra data attached to aid verification that the key belongs to you.
- A GPG key contains a primary keypair and a subkeypair. The primary keypair is used for signing. The subkeypair is used for encryption. Other people’s encrypted messages are encrypted to the public subkey. The private subkey is used to decrypt messages.
- You will be able to see that the short key ID in the decryption output is not that of the main public key. This short key ID will be visible in the output of gpg –list-keys
as the short key ID of the subkey of the main public key.
Notes on key Management
- susceptibility to man-in-the-middle attack
- somebody could ensure that the wrong public key is used to encrypt the information.
- somebody could intercept your network traffic, supply the wrong public key, decrupt the message and then use the intended public key to send across an altered message.
- it becomes harder when multiple IP’s are used to download the public key.
- Web of trust (WOT): use your private key, as a member of WoT to sign somebody else’s public key saying that you know the person.
[ ]how can I secure my key and transfer it at need between different computers.
WTF is Deedbot ??
- Note taken on
Deedbot is likely to be a bot that makes it easier to manage registration of public keys and identities in the web of trust. I bet it does a lot of other things too.
How to import a key
--import command is common for public and private keys.
For me to communicate a private message with somebody, I will need their public key.
For those registered with Deedbot, it is possible to find the users public key using their IRC nickname. The Deedbot help page is a useful reference for commands: http://deedbot.org/help.html
Message deedbot from any channel for the public key of a specified IRC handle.
/msg deedbot !!key shrysr /msg deedbot !!key diana_coman
On the deedbot channel itself, it is sufficient to type
This command to deedbot will in turn provide a url where the public key is available, and this should be imported. One way of doing this is to save the key into a file and import it with gpg.
On Emacs, I can just paste the key into a buffer and use EPA to import the keys from a region. Easy as pie.
Setting ultimate trust for an imported key:
- List the keys
- Extract the ID
- Edit the key using gpg
This will list all the keys which have been imported into gpg. Note that 2 keys are mine, and there are 2 other keys, one of
diana_coman and another from
TheJollyRoge, who cleared up my confusions on #gnupg.
Note: the key could be TheJollyRoge’s , or belong to somebody else.
This reads the keys stored in the file
pubring.kbx. This could vary from system to system. Note the trust levels shown as ultimate.
[ ]How can I import the known gpg keys to other computers?
List private or secret keys: As learned in an excellent explanation on #gnupg, I understood that
list --secret-keys, will list the public keys for which you possess the private key. So from the keys above, only my keys should be listed below.
gpg --list-secret-keys --fingerprint
Alternatively, use the fingerprint command to obtain the RSA number. Both
--list-keys and fingerprint seem to provide the same details of output, except that fingerprint does not provide any spaces in the key, and is easier to copy.
gpg –fingerprint email@example.com
I am experimenting with is using different email addresses for different keys. This could help me identify them quickly, instead of extracting the key id repeatedly. These aliases can be created in fastmail and by default will arrive in the same inbox.
One annoying messsage that pops up is regarding an untrusted key. To trust a key : at the
gpg prompt, type
trust and set the ultimate setting. The gpg prompt is reached by the
Sending the public key to a server
key_id with your own.
# gpg --send-keys --keyserver pgp.mit.edu key_id gpg --send-keys --keyserver pgp.mit.edu 211A199BC99152DEFA326D792E4554DE8D51E8D9
The generated file
mygpg.key is the public key that can be shared with anyone. The email address will help specify the target key. In all the commands below,
firstname.lastname@example.org can be replaced with the key.
gpg --output ~/mygpg.key --armor --export email@example.com
The same cane be done with the private key. Now
mygpg.key is the private key. This can be used for import purposes on another machine.
gpg --output ~/mygpg.key --armor --export-secret-keys [firstname.lastname@example.org/key]
Beware of exporting a private key.
gpg --delete-keysfor public keys
gpg --delete-secret-keysfor private keys
Making Encryption easy with Emacs
- Note taken on
I need to find a way to decrypt files that are provided as links on the web. This would make it easier to share encrypted content.
M-x epa* is your friend. Just start typing epa to find a list of commands. With this I can import / delete keys, encrypt and decrypt files right from emacs, almost eliminating the need to remember the verbose gpg commands. This is actually very convenient.
I can select the required key when I choose to encrypt a file. I can also choose a particular key as default, if desired within Emacs.
Technically, it is already a lot easier with GUI based tools for typical operations. This is as easy as right click on a file and choose to encrypt. I must have installed the software sometime back, because it was already available on my mac.
As of now, when I find a public key I want to import, I just copy it into a scratch buffer in Emacs and call
epa-import-keys-region. I’ve just imported
trilema‘s public key to reinforce the concept. I can send him an encrypted message.
WOT Web of Trust
- See notes on key management above. Essentially, with WOT (and Deedbot), a member can use his private key to sign a new members public key, thus endorsing the new persons identity.
[ ]TBH: I did a lot of link hopping, and multi-tasking while compiling these live notes. This is probably a fraction of the web pages I actually covered. I need to improve on the procedure of religiously collecting my references.
- http://edgecasesoftware.com/articles/basic_gpg_commands : This is a nice reference for gpg commands, and the website also contains guides to getting up on WOT. I made these notes, intending them to cover some areas edgecasesoftware did not.