GNU Privacy Guard

GPG (GNU Privacy Guard) is a free, open-source implementation of the OpenPGP (Pretty Good Privacy) standards. The Platform team uses GPG to generate and manage the pubilc and private keys they use for file encryption and decryption, signing of Git commits, and for SSH access to various systems.

Once installed, team members will have access to GPG's functions via the cli.

macOS

Requirements

• Homebrew
• OpenSSH

Installing GPG on macOS

Use Homebrew to install GPG by entering the following in the cli and following the on-screen instructions:

$ brew install gnupg

Linux

Requirements

• OpenSSH

Installing GPG on Linux

• Ubuntu/Debian

  $ apt install gpg
  

• RHEL/Fedora

Key Generation

Generate a master key

1. Generate a master key:

   $ gpg --expert --full-generate-key
   

2. Select (ECC sign only):

   Please select what kind of key you want:
      (1) RSA and RSA (default)
      (2) DSA and Elgamal
      (3) DSA (sign only)
      (4) RSA (sign only)
      (7) DSA (set your own capabilities)
      (8) RSA (set your own capabilities)
      (9) ECC and ECC
     (10) ECC (sign only)
     (11) ECC (set your own capabilities)
     (13) Existing key
     (14) Existing key from card
   Your selection? 10
   

   Select Curve 25519:

   Please select which elliptic curve you want:
      (1) Curve 25519
      (3) NIST P-256
      (4) NIST P-384
      (5) NIST P-521
      (6) Brainpool P-256
      (7) Brainpool P-384
      (8) Brainpool P-512
      (9) secp256k1
   Your selection? 1
   

   Select an expiration:

   Please specify how long the key should be valid.
        0 = key does not expire
     <n>  = key expires in n days
     <n>w = key expires in n weeks
     <n>m = key expires in n months
     <n>y = key expires in n years
   Key is valid for? (0)
   

3. Associate a user id with the newly generated key:

   GnuPG needs to construct a user ID to identify your key.
   
   Real name: kmitnick@vt.edu
   Email address: kmitnick@vt.edu
   Comment: testing
   You selected this USER-ID:
       "kmitnick@vt.edu (testing) <kmitnick@vt.edu>"
   

4. Verify your new key is associated with the uid you expect, and is enabled for Signing and Cert generation:

   $ gpg -k kmitnick@vt.edu
   pub   ed25519 2023-04-14 [SC]
      6BD6FC926DC6C6D46B4F725B2B1E270B47DB1308
   uid           [ultimate] Kevin Mitnick (testing) <kmitnick@vt.edu>
   

Generate an encryption subkey

1. Edit the master key:

   $ gpg --expert --edit-key kmitnick@vt.edu
   

   Choose to addkey, and select ECC encrypt only:

   gpg> addkey
   Please select what kind of key you want:
      (3) DSA (sign only)
      (4) RSA (sign only)
      (5) Elgamal (encrypt only)
      (6) RSA (encrypt only)
      (7) DSA (set your own capabilities)
      (8) RSA (set your own capabilities)
     (10) ECC (sign only)
     (11) ECC (set your own capabilities)
     (12) ECC (encrypt only)
     (13) Existing key
     (14) Existing key from card
   Your selection? 12
   

2. Select Curve 25519, and set an expiration earlier than that of the master key:

   Please select which elliptic curve you want:
      (1) Curve 25519
      (3) NIST P-256
      (4) NIST P-384
      (5) NIST P-521
      (6) Brainpool P-256
      (7) Brainpool P-384
      (8) Brainpool P-512
      (9) secp256k1
   Your selection? 1
   Please specify how long the key should be valid.
            0 = key does not expire
         <n>  = key expires in n days
         <n>w = key expires in n weeks
         <n>m = key expires in n months
         <n>y = key expires in n years
   Key is valid for? (0) 2y
   

3. Verify you have a new subkey for Encryption

   sec  ed25519/2B1E270B47DB1308
        created: 2023-04-14  expires: never       usage: SC  
        trust: ultimate      validity: ultimate
   ssb  cv25519/CB4687B62B16CAF3
        created: 2023-04-14  expires: 2025-04-13  usage: E   
   [ultimate] (1). Kevin Mitnick (testing) <kmitnick@vt.edu>
   

4. Save your new configuration

   gpg> save
   

Generate an authentication subkey

1. Generate an authentication subkey:

   $ gpg --expert --edit-key kmitnick@vt.edu
   

   Select the addkey option, and ECC set your own capabilities:

   gpg> addkey
   Please select what kind of key you want:
      (3) DSA (sign only)
      (4) RSA (sign only)
      (5) Elgamal (encrypt only)
      (6) RSA (encrypt only)
      (7) DSA (set your own capabilities)
      (8) RSA (set your own capabilities)
     (10) ECC (sign only)
     (11) ECC (set your own capabilities)
     (12) ECC (encrypt only)
     (13) Existing key
     (14) Existing key from card
   Your selection? 11
   

2. Toggle the available options until only Authentication is enabled:

   Possible actions for a ECDSA/EdDSA key: Sign Authenticate 
   Current allowed actions: Sign 
   
      (S) Toggle the sign capability
      (A) Toggle the authenticate capability
      (Q) Finished
   
   Your selection? s
   
   Possible actions for a ECDSA/EdDSA key: Sign Authenticate 
   Current allowed actions: 
   
      (S) Toggle the sign capability
      (A) Toggle the authenticate capability
      (Q) Finished
   
   Your selection? a
   
   Possible actions for a ECDSA/EdDSA key: Sign Authenticate 
   Current allowed actions: Authenticate 
   
      (S) Toggle the sign capability
      (A) Toggle the authenticate capability
      (Q) Finished
   

3. Again select Curve 25519, and set an expiration (ideally, earlier than the master key)

   Please select which elliptic curve you want:
      (1) Curve 25519
      (3) NIST P-256
      (4) NIST P-384
      (5) NIST P-521
      (6) Brainpool P-256
      (7) Brainpool P-384
      (8) Brainpool P-512
      (9) secp256k1
   Your selection? 1
   Please specify how long the key should be valid.
            0 = key does not expire
         <n>  = key expires in n days
         <n>w = key expires in n weeks
         <n>m = key expires in n months
         <n>y = key expires in n years
   Key is valid for? (0) 2y
   

4. Verify you have a new subkey for Authentication:

   sec  ed25519/2B1E270B47DB1308                                                
        created: 2023-04-14  expires: never       usage: SC                     
        trust: ultimate      validity: ultimate                                 
   ssb  cv25519/CB4687B62B16CAF3                                                
        created: 2023-04-14  expires: 2025-04-13  usage: E                      
   ssb  ed25519/D8C413AFD85D7A62
        created: 2023-04-14  expires: 2025-04-13  usage: A
   [ultimate] (1). Kevin Mitnick (testing) <kmitnick@vt.edu>                    
   

5. Save your configuration:

   gpg> save
   

Signing Git commits

Once GPG keys have been generated Git can be configured to use them for signing.

1. First find your GPG keyid:

   $ gpg --list-secret-keys --keyid-format long
   sec   ed25519/2B1E270B47DB1308 2023-04-14 [SC]
         6BD6FC926DC6C6D46B4F725B2B1E270B47DB1308
   uid                 [ultimate] Kevin Mitnick (testing) <kmitnick@vt.edu>
   ssb   cv25519/CB4687B62B16CAF3 2023-04-14 [E] [expires: 2025-04-13]
   ssb   ed25519/D8C413AFD85D7A62 2023-04-14 [A] [expires: 2025-04-13]
   

2. Run the following commands to configure Git:

   $ git config --global user.signingkey 2B1E270B47DB1308
   $ git config --global commit.gpgsign true
   

3. Any future commits can now be signed with inclusion of the S flag:

   $ git commit -S -m "foo bar"