PGP for Developers

Transcript

1. PGP for Developers @ecmendenhall

2. Pretty good privacy Send sensitive information: passwords, secrets, keys !

   Receive sensitive information ! Store sensitive information in source control ! Sign your code so users can verify it ! Wrap insecure protocols

3. Pretty good privacy > “Our twelve test participants were generally

   > educated and experienced at using email, yet only > one third of them were able to use PGP 5.0 to > correctly sign and encrypt an email message when > given 90 minutes in which to do so. Furthermore, > one quarter of them accidentally exposed the > secret they were meant to protect in the process” ! —-“Why Johnny Can’t Encrypt” http://www.gaudior.net/alma/johnny.pdf

4. Pretty good privacy NAME git-reflog - Manage reflog information !

   SYNOPSIS git reflog <subcommand> <options> ! ! DESCRIPTION The command takes various subcommands, and different options depending on the subcommand: ! git reflog expire [--dry-run] [--stale-fix] [--verbose] [--expire=<time>] [--expire-unreachable=<time>] [--all] <refs>... git reflog delete ref@{specifier}... git reflog [show] [log-options] [<ref>] ! ! Reflog is a mechanism to record when the tip of branches are updated. This command is to manage the information recorded in it. ! The subcommand "expire" is used to prune older reflog entries. Entries older than expire time, or entries older than expire-unreachable time and not reachable from the current tip, are removed from the reflog. This is typically not used directly by the end users -- instead, see git-gc(1).

5. Install GPG PGP is an open standard. We’ll use Gnu

   Privacy Guard (GPG), a free and open source implementation. ! OS X: brew install gpg or http://gpgtools.org/ Ubuntu: sudo apt-get install gnupg2 Windows: http://www.gpg4win.org/

6. PGP provides… Privacy: Encryption Authentication: Integrity, Nonrepudiation

7. PGP does not provide… Metadata Privacy: Subject lines, headers Identity

   verification: Is this really your key?

8. Public key crypto https://www.youtube.com/watch?v=3QnD2c4Xovk

9. Generating a new key $ !

10. Generating a new key $ gpg --gen-key !

11. Generating a new key $ gpg --gen-key ! gpg (GnuPG)

    2.0.22; Copyright (C) 2013 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. ! Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? !

12. Generating a new key $ gpg --gen-key ! gpg (GnuPG)

    2.0.22; Copyright (C) 2013 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. ! Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 1

13. Generating a new key RSA keys may be between 1024

    and 4096 bits long. What keysize do you want? (2048)

14. Generating a new key RSA keys may be between 1024

    and 4096 bits long. What keysize do you want? (2048) 4096

15. Generating a new key Please specify how long the key

    should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0)

16. Generating a new key Please specify how long the key

    should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 0

17. Generating a new key Please specify how long the key

    should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 0 ! Key does not expire at all Is this correct? (y/N)

18. Generating a new key Please specify how long the key

    should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 0 ! Key does not expire at all Is this correct? (y/N) y

19. Generating a new key GnuPG needs to construct a user

    ID to identify your key. ! Real name:

20. Generating a new key GnuPG needs to construct a user

    ID to identify your key. ! Real name: Keith Alexander

21. Generating a new key GnuPG needs to construct a user

    ID to identify your key. ! Real name: Keith Alexander Email address:

22. Generating a new key GnuPG needs to construct a user

    ID to identify your key. ! Real name: Keith Alexander Email address: [email protected]

23. Generating a new key GnuPG needs to construct a user

    ID to identify your key. ! Real name: Keith Alexander Email address: [email protected] Comment:

24. Generating a new key GnuPG needs to construct a user

    ID to identify your key. ! Real name: Keith Alexander Email address: [email protected] Comment: ! You selected this USER-ID: “Keith Alexander <[email protected]>” ! Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

25. Generating a new key GnuPG needs to construct a user

    ID to identify your key. ! Real name: Keith Alexander Email address: [email protected] Comment: ! You selected this USER-ID: “Keith Alexander <[email protected]>” ! Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

26. Generating a new key You need a Passphrase to protect

    your secret key.

27. Generating a new key Enter passphrase:

28. Generating a new key Enter passphrase: **********************************

29. Generating a new key Enter passphrase: ********************************** Please reenter passphrase:

30. Generating a new key Enter passphrase: ********************************** Please reenter passphrase:

    ********************************** ! !

31. Generating a new key Enter passphrase: ********************************** Please reenter passphrase:

    ********************************** ! We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.

32. Generating a new key gpg: key 76DE234F marked as ultimately

    trusted public and secret key created and signed. ! gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u pub 4096R/76DE234F 2014-07-10 Key fingerprint = 51F0 E1D4 E737 B3CF 4466 456C 2741 7EBB 76DE 234F ! uid Keith Alexander <[email protected]> sub 4096R/89C65041 2014-07-10

33. Listing keys $ gpg -—list-keys

34. Listing keys $ gpg -—list-keys ! gpg: checking the trustdb

    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u /home/ubuntu/.gnupg/pubring.gpg ------------------------------- pub 4096R/76DE234F 2014-07-10 uid Keith Alexander <[email protected]> sub 4096R/89C65041 2014-07-10

35. Listing keys $ gpg -—list-keys ! gpg: checking the trustdb

    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u /home/ubuntu/.gnupg/pubring.gpg ------------------------------- pub 4096R/76DE234F 2014-07-10 uid Keith Alexander <[email protected]> sub 4096R/89C65041 2014-07-10

36. Export your public key $

37. Export your public key $ gpg -—export —-armor > keith_pubkey.asc

    !

38. Export your public key $ gpg -—export —-armor > keith_pubkey.asc

    ! $

39. Export your public key $ gpg -—export —-armor > keith_pubkey.asc

    ! $ ls

40. Export your public key $ gpg -—export —-armor > keith_pubkey.asc

    ! $ ls keith_pubkey.asc ! $

41. Export your public key $ gpg -—export —-armor > keith_pubkey.asc

    ! $ ls keith_pubkey.asc ! $ cat keith_pubkey.asc

42. Export your public key $ gpg -—export —-armor > keith_pubkey.asc

    ! $ ls keith_pubkey.asc ! $ cat keith_pubkey.asc -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2.0.22 (GNU/Linux) ! mQINBFO+Dc8BEACli07maa/Xj1gRfLyNMzv3dTByTPkgFXY7k7cLxsK5DBL6jsvb FgcbylXbvMHGH/jgD7D+2VenXjwPYxeNORJ6lnGHOvKcAp2lRVtdFgkBuzDztirt gZBrbtE7nbujjakx4oTB9C0hUqSn0E8JmFvQkCBZZuWRZ3HAZKbzRUaoWrpgYRU8 JI8TWyg3I1dwxzlgIKkhklVeG8up74wsOwQyutOxEUDrM+X26Z4NOSHNNf2B3DrM wjUvFu+j2eThM1Zt6Un7UoInfeNdONzBWYPEBdGppmUAKzglH+zxov2czFj02fQL zZ/4sY7KNf9C417YNLfIZ4ZuZVhL0pTmqSN/7/o9Un726sJxJfzlbDjJ9GI8C72n a/koFNs8M1fYskT2q6u9/w35798bFUw/rcCNzfOQIr07ZGBYC51NuGMMlRn8/3kf

43. Export your public key 96JTCE24dyYEzkAuCipxK0C/C2q82/bVF1WPZnzX+c0kv9OKr5y4xoCiqzaY5K2C 5bGwrXKwAdqAUL1WON/h87TPLNuVuOSbdNEWuK/50madhxaKbTiCuQN/E8xwIcEY rkKmodurJGTer8n7QeytuVza0nPEu14T4tObKMrpHYNEz87yps+f/D3lAa1h9w3e onHgeCEXzSqQQTI4JDxS+aAaUvB4w9pZrzQ4jFkYVAA0MIbyYGBoYJNQw4MBbdBF Z/1GW1thp2VJT3VWhAgoguYnydSazkZrQ3CKgv0/46NSRPIFoaeVjOWneT4o+hvM dhhLmtwVk3eb9nIyEQZp9tPwx+52/hom9F+Sk2BNEsimLnDV8snlPRP4Lfk9AfR5

    JOQD6HB1wWViF4BFGBL/jKyuB52q/sBLD4nvx/hrOmtBsqdrAeRC2mhVd4HNb1Dg NfnZzXB6i05t/6yUlYxaa1ZVSnSehoYmBZ1FrwFuk93zwBcoWW3nxbpckwfxbRq6 Ajt0R8/9Vhl7grxH0xAcgfBfa973iv7JkQxUfbLnDiIM37s6v7T10XjHsINb17Zs 1YRwtRM= =Z6sT -----END PGP PUBLIC KEY BLOCK----- $

44. Try it! Copy your public key into an email message

    and send it to [email protected] ! (Send plaintext if possible)

45. Decrypt Adele’s response $

46. Decrypt Adele’s response $ gpg —-decrypt reply.asc

47. Decrypt Adele’s response $ gpg —-decrypt reply.asc ! Hello, !

    here is the encrypted reply to your email. ! I have received your public key ID 27417EBB76DE234F, described as `Keith Alexander <[email protected]>'. ! Below please find the public key of [email protected] the friendly OpenPGP email robot. ! Yours sincerely, [email protected] ! -----BEGIN PGP PUBLIC KEY BLOCK-----

48. Good key hygiene Generate a revocation certificate ! Back up

    your private key and revocation cert ! Seriously, back it up

49. Send sensitive config $

50. Send sensitive config $ cat message.txt

51. Send sensitive config $ cat message.txt ! Hey Sandro, !

    Here’s the API key and secret for our Sorting.io account: ! SUPER_SECRET_API_KEY=fc44a9de4a2a97a0dcaaca16d3c9b2b9e2ed031e API_TOKEN=152052948eb58063fd ! Connor ! $

52. Send sensitive config $

53. Send sensitive config $ gpg --keyserver pgp.mit.edu --search-keys 8thlight.com !

54. Send sensitive config $ gpg --keyserver pgp.mit.edu --search-keys 8thlight.com !

    gpg: searching for "8thlight.com" from hkp server pgp.mit.edu (1) Sandro Padin <[email protected]> 4096 bit RSA key 9E691D66, created: 2014-01-27 (2) Connor Mendenhall <[email protected]> 2048 bit RSA key BA6447F3, created: 2013-07-30 (3) Colin Jones <[email protected]> 2048 bit RSA key A82D3A63, created: 2012-11-03 (4) Doug Bradbury <[email protected]> 2048 bit RSA key 64D9887B, created: 2012-08-01 ! Keys 1-4 of 4 for "8thlight.com". Enter number(s), N)ext, or Q)uit>

55. Send sensitive config $ gpg --keyserver pgp.mit.edu --search-keys 8thlight.com !

    gpg: searching for "8thlight.com" from hkp server pgp.mit.edu (1) Sandro Padin <[email protected]> 4096 bit RSA key 9E691D66, created: 2014-01-27 (2) Connor Mendenhall <[email protected]> 2048 bit RSA key BA6447F3, created: 2013-07-30 (3) Colin Jones <[email protected]> 2048 bit RSA key A82D3A63, created: 2012-11-03 (4) Doug Bradbury <[email protected]> 2048 bit RSA key 64D9887B, created: 2012-08-01 ! Keys 1-4 of 4 for "8thlight.com". Enter number(s), N)ext, or Q)uit> 1

56. Send sensitive config gpg: requesting key 9E691D66 from hkp server

    pgp.mit.edu gpg: key 9E691D66: public key "Sandro Padin <[email protected]>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) ! $

57. Send sensitive config gpg: requesting key 9E691D66 from hkp server

    pgp.mit.edu gpg: key 9E691D66: public key "Sandro Padin <[email protected]>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) ! $ gpg —-list-keys

58. Send sensitive config gpg: requesting key 9E691D66 from hkp server

    pgp.mit.edu gpg: key 9E691D66: public key "Sandro Padin <[email protected]>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) ! $ gpg —-list-keys /home/ubuntu/.gnupg/pubring.gpg ------------------------------- pub 4096R/76DE234F 2014-07-10 uid Keith Alexander <[email protected]> sub 4096R/89C65041 2014-07-10 ! pub 4096R/9E691D66 2014-01-27 [expires: 2018-01-27] uid Sandro Padin <[email protected]> sub 4096R/55913676 2014-01-27 [expires: 2018-01-27]

59. Send sensitive config $ gpg --fingerprint "Sandro Padin" ! pub

    4096R/9E691D66 2014-01-27 [expires: 2018-01-27] Fingerprint = 20C7 8310 4EA6 39F4 45E7 847A 4ED0 DA57 9E69 1D66 ui Sandro Padin <[email protected]> sub 4096R/55913676 2014-01-27 [expires: 2018-01-27]

60. Send sensitive config $ gpg --encrypt —-sign —-armor -r [email protected]

    message.txt ! You need a passphrase to unlock the secret key for user: “Keith Alexander <[email protected]>” 4096-bit RSA key, ID 76DE234F, created 2014-07-10 ! gpg: 55913676: There is no assurance this key belongs to the named user ! pub 4096R/55913676 2014-01-27 Sandro Padin <[email protected]> Primary key fingerprint: 20C7 8310 4EA6 39F4 45E7 847A 4ED0 DA57 9E69 1D66 Subkey fingerprint: B7D4 BAB6 027B C1F9 A0BB 5112 5B0A DCCB 5591 3676 !

61. Send sensitive config It is NOT certain that the key

    belongs to the person named in the user ID. If you *really* know what you are doing, you may answer the next question with yes. ! Use this key anyway? (y/N) y ! $ cat message.txt.asc ! -----BEGIN PGP MESSAGE----- Version: GnuPG v2.0.22 (GNU/Linux) ! hQIMA1sK3MtVkTZ2ARAAqL8KrnK3klnJ8L5IV8nFdg2yrQHdXZZKct1E7Swni1ai EySbWDGXSkysP4UwGPszmExEaZ3mwm216m2HeYG9wsmIRzx5FmzuqdYg0H+MuRsc pIEBPNa9MeWbRYK+8tCi1RDH5fdrd89Pi0j0n0zXw+4tAEw6hQexs9Pw1H4lvZm8 DFYxlApwlX6YIFfXXYldhgZ81yEBsu5KCM3IOyFmyIiBpbSt3ov6TtuhCEfRfNbV ivwaVuyO3g0aKZS3/Khkhu+FCHWQH52273JTyDodSswywGa80bQD3TyyAEyJWwWp

62. Send sensitive config $ rm message.txt

63. Receive private messages $

64. Receive private messages $ gpg -—export —-armor -o keith_pubkey.asc !

    !

65. Receive private messages $ gpg -—export —-armor -o keith_pubkey.asc !

    $ !

66. Receive private messages $ gpg -—export —-armor -o keith_pubkey.asc !

    $ gpg —-list-keys ! ! !

67. Receive private messages $ gpg -—export —-armor -o keith_pubkey.asc !

    $ gpg —-list-keys ! /home/ubuntu/.gnupg/pubring.gpg ------------------------------- pub 4096R/76DE234F 2014-07-10 uid Keith Alexander <[email protected]> sub 4096R/89C65041 2014-07-10 ! pub 4096R/9E691D66 2014-01-27 [expires: 2018-01-27] uid Sandro Padin <[email protected]> sub 4096R/55913676 2014-01-27 [expires: 2018-01-27] ! $ !

68. Receive private messages $ gpg -—export —-armor -o keith_pubkey.asc !

    $ gpg —-list-keys ! /home/ubuntu/.gnupg/pubring.gpg ------------------------------- pub 4096R/76DE234F 2014-07-10 uid Keith Alexander <[email protected]> sub 4096R/89C65041 2014-07-10 ! pub 4096R/9E691D66 2014-01-27 [expires: 2018-01-27] uid Sandro Padin <[email protected]> sub 4096R/55913676 2014-01-27 [expires: 2018-01-27] ! $ gpg --keyserver pgp.mit.edu —-send-keys 76DE234F !

69. Receive private messages $ gpg -—export —-armor -o keith_pubkey.asc !

    $ gpg —-list-keys ! /home/ubuntu/.gnupg/pubring.gpg ------------------------------- pub 4096R/76DE234F 2014-07-10 uid Keith Alexander <[email protected]> sub 4096R/89C65041 2014-07-10 ! pub 4096R/9E691D66 2014-01-27 [expires: 2018-01-27] uid Sandro Padin <[email protected]> sub 4096R/55913676 2014-01-27 [expires: 2018-01-27] ! $ gpg --keyserver pgp.mit.edu —-send-keys 76DE234F gpg: sending key 76DE234F to hkp server pgp.mit.edu

70. Sharing your public key Don’t rely on keyservers: share your

    key from a domain you own, over SSL ! Share your full fingerprint where possible, not just the first 8 characters

71. Tamper-proof code $ !

72. Tamper-proof code $ ls ! !

73. Tamper-proof code $ ls Makefile src xkeyscore ! $ !

74. Tamper-proof code $ ls Makefile src xkeyscore ! $ gpg

    —-output xkeyscore.sig —-detach-sig xkeyscore ! ! !

75. Tamper-proof code $ ls Makefile src xkeyscore ! $ gpg

    —-output xkeyscore.sig —-detach-sig xkeyscore ! You need a passphrase to unlock the secret key for user: “Keith Alexander <[email protected]>” 4096-bit RSA key, ID 76DE234F, created 2014-07-10 ! $ !

76. Tamper-proof code $ ls Makefile src xkeyscore ! $ gpg

    —-output xkeyscore.sig —-detach-sig xkeyscore ! You need a passphrase to unlock the secret key for user: “Keith Alexander <[email protected]>” 4096-bit RSA key, ID 76DE234F, created 2014-07-10 ! $ ls ! !

77. Tamper-proof code $ ls Makefile src xkeyscore ! $ gpg

    —-output xkeyscore.sig —-detach-sig xkeyscore ! You need a passphrase to unlock the secret key for user: “Keith Alexander <[email protected]>” 4096-bit RSA key, ID 76DE234F, created 2014-07-10 ! $ ls Makefile src xkeyscore xkeyscore.sig ! $ !

78. Tamper-proof code $ ls Makefile src xkeyscore ! $ gpg

    —-output xkeyscore.sig —-detach-sig xkeyscore ! You need a passphrase to unlock the secret key for user: “Keith Alexander <[email protected]>” 4096-bit RSA key, ID 76DE234F, created 2014-07-10 ! $ ls Makefile src xkeyscore xkeyscore.sig ! $ gpg -—verify xkeyscore.sig ! !

79. Tamper-proof code $ ls Makefile src xkeyscore ! $ gpg

    —-output xkeyscore.sig -—detach-sig xkeyscore ! You need a passphrase to unlock the secret key for user: “Keith Alexander <[email protected]>” 4096-bit RSA key, ID 76DE234F, created 2014-07-10 ! $ ls Makefile src xkeyscore xkeyscore.sig ! $ gpg -—verify xkeyscore.sig gpg: Signature made Thu Jul 10 20:08:27 2014 CDT using RSA key ID 76DE234F gpg: Good signature from "Keith Alexander <[email protected]>"

80. Store sensitive config $

81. Store sensitive config $ cat secrets.env

82. Store sensitive config $ cat secrets.env SUPER_SECRET_API_KEY=fc44a9de4a2a97a0dcaaca16d3c9b2b9e2ed031e API_TOKEN=152052948eb58063fd DB_PASSWORD=hunter2 !

    $

83. Store sensitive config require 'dotenv' Dotenv.load ! api_key = ENV['SUPER_SECRET_API_KEY']

    SortingIO::API.new(api_key)

84. Store sensitive config $ cat secrets.env SUPER_SECRET_API_KEY=fc44a9de4a2a97a0dcaaca16d3c9b2b9e2ed031e API_TOKEN=152052948eb58063fd DB_PASSWORD=hunter2 !

    $

85. Store sensitive config $ cat secrets.env SUPER_SECRET_API_KEY=fc44a9de4a2a97a0dcaaca16d3c9b2b9e2ed031e API_TOKEN=152052948eb58063fd DB_PASSWORD=hunter2 !

    $ gpg --encrypt -r [email protected] -r [email protected] -o secrets.env.gpg secrets.env ! $

86. Store sensitive config $ cat secrets.env SUPER_SECRET_API_KEY=fc44a9de4a2a97a0dcaaca16d3c9b2b9e2ed031e API_TOKEN=152052948eb58063fd DB_PASSWORD=hunter2 !

    $ gpg --encrypt -r [email protected] -r [email protected] -o secrets.env.gpg secrets.env ! $ gpg -o secrets.env.gpg —-symmetric secrets.env ! $

87. Store sensitive config $ cat secrets.env SUPER_SECRET_API_KEY=fc44a9de4a2a97a0dcaaca16d3c9b2b9e2ed031e API_TOKEN=152052948eb58063fd DB_PASSWORD=hunter2 !

    $ gpg --encrypt -r [email protected] -r [email protected] -o secrets.env.gpg secrets.env ! $ gpg -o secrets.env.gpg —-symmetric secrets.env ! $ echo ‘secrets.env’ >> .gitignore

88. More resources http://futureboy.us/pgp.html ! https://help.riseup.net/en/security/message-security/ openpgp/best-practices ! http://www.pgpi.org/doc/pgpintro/