`
thoughtbot
Keep Ruby Weird
Pretty Good Weekly (calebthompson.io/pretty-good)
Slide 3
Slide 3 text
What is PGP
Slide 4
Slide 4 text
StreetPass for nerds
Slide 5
Slide 5 text
• Pretty Good Privacy (OpenPGP) is
a standard that enables encrypted
communication between
individuals.
Slide 6
Slide 6 text
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
!
You may have received an email with a "NONAME" or
"signature.asc" attachment and wondered what it was, or you
might have seen an "armored" email wrapped in something like
this.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
!
iQEcBAEBCAAGBQJUqFYaAAoJEBYhrcKgrOcK1PwIAKmBHbUwz8jC0vMWwMi5dOQc
ZSYCAy0D5r6xRinItelIx0cHFkys3kVIYpEyXRlfHz6EwRJsJcIohcqAMK+xmxtD
ZwWjv0QkY0upDBZOnG0Zm4D13hTFLP19RSi5nYMH0ozNVsOCwiizIOYeAvcnzUaC
mXLK9eY5lsFUmDVtc7sU9N1pAHoR/yXrGYVLm8Q4W3NMIjrWMfg4SuMKDcg7wapR
wYNI97EYeYVG7n3DTvATtWgWpLnLpsHYcAe4dA7qLvOiz4x4eyz02Z7jNjXXyF0c
kQAA1BHcYeCjn01QeRkNkM+8t/GmydTJ5Ui81kEHrtFWkaqqI7LK6jBMhMz/yt4=
=bJzJ
-----END PGP SIGNATURE-----
Slide 7
Slide 7 text
No content
Slide 8
Slide 8 text
Okay, Thanks for
Coming.
Slide 9
Slide 9 text
• This is a PGP-signed message,
and it is cryptographically verifiable
as having been signed by a
specific key and representing a
specific message.
Slide 10
Slide 10 text
• PGP also allows you to encrypt
messages, so that only intended
recipients who control their secret
keys can read them.
Slide 11
Slide 11 text
• Messages might be actual
messages, but they can also be
things like hashes of software
packages, which means you can
be sure that a package came from
a specific key.
Slide 12
Slide 12 text
• Debian, RVM, Apache, Kernel.org,
Aptitude, and others use this to
help increase security pretty much
for free (from the end-user
perspective).
Slide 13
Slide 13 text
• how to generate keys
Slide 14
Slide 14 text
• how to send and receive encrypted
messages
Slide 15
Slide 15 text
• how to sign other people’s keys
Slide 16
Slide 16 text
• how to trust other people’s keys
Slide 17
Slide 17 text
• but not only how
Slide 18
Slide 18 text
• what all of that means
Slide 19
Slide 19 text
• why we would ever want to do it
Slide 20
Slide 20 text
Let’s install the thing
Slide 21
Slide 21 text
• OpenPGP is a standard (RFC
4880)
Slide 22
Slide 22 text
• pgp is a implementation owned by
Symantec
Slide 23
Slide 23 text
• GnuPG, or GNU Privacy Guard (or
GPG), is a FOSS implementation of
OpenPGP
Slide 24
Slide 24 text
• gpg, gpg2, gpg21
Slide 25
Slide 25 text
• classic, stable, modern
Slide 26
Slide 26 text
brew install gnupg2
Slide 27
Slide 27 text
No content
Slide 28
Slide 28 text
brew uninstall gnupg2 gpg-agent dirmngr
Slide 29
Slide 29 text
brew tap homebrew/versions
brew update
brew install gnupg21
Slide 30
Slide 30 text
cp ~/.gnupg ~/.gnupg.stable
Slide 31
Slide 31 text
Generating a key
Slide 32
Slide 32 text
• To get anywhere with PGP, you'll
need to have a keypair.
Slide 33
Slide 33 text
A keypair is composed of two parts
Slide 34
Slide 34 text
• A public key, which you'll publish,
allows others to encrypt messages
to you and verify messages from
you.
Slide 35
Slide 35 text
• A private key, which you'll keep
secret and safe, allows you to
decrypt the messages encrypted
to your public key and to sign
messages so that others can verify
they are from you.
Slide 36
Slide 36 text
• Algorithms which separate keys
into public/private pairs are more
secure for several reasons,
including that the private key
should never be on the Internet.
Slide 37
Slide 37 text
$ gpg --full-gen-key
Slide 38
Slide 38 text
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
Slide 39
Slide 39 text
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Slide 40
Slide 40 text
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 1y
Key expires at Tue Dec 22 17:53:00 2015 CST
Is this correct? (y/N) y
=
Slide 41
Slide 41 text
• This step allows you to limit the length of time your keys will be valid for.
• It's possible to refresh the key before it expires so you're not losing a key
if it runs out of time and you still have access to it.
• If you lose your secret key, it will automatically invalidate when it expires.
• I didn't want to bother with refreshing my key regularly, so mine never
expires. Several others at thoughtbot have an expiration for 1 year after
the key was generated.
• It’s best to have one, just remember to refresh your key at whatever
interval you define.
Slide 42
Slide 42 text
GnuPG needs to construct a user ID to identify your
key.
!
Real name: Caleb Thompson
Email address: [email protected]
Comment:
You selected this USER-ID:
"Caleb Thompson "
!
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
Slide 43
Slide 43 text
• Enter a passphrase.
• It’s like a password, but longer and
more secure
• It’s the weakest part of this whole
system, so make it as strong as you can
• Make sure nobody’s watching you set it
Slide 44
Slide 44 text
gpg: key D658D2CC marked as ultimately trusted
public and secret key created and signed.
!
pub rsa4096/D658D2CC 2014-12-22 [expires: 2015-12-22]
Key fingerprint =
7CCF 75EC 8930 D351 3A35 D4AF 78DA E141 D658 D2CC
uid [ultimate] Caleb Thompson
sub rsa4096/11597F23 2014-12-22 [expires: 2015-12-22]
$ cat "Hi how are you" > innocent-msg
$ gpg --detach-sign --output innocent-msg.sig
innocent-msg
Slide 61
Slide 61 text
• Verifying signatures
Slide 62
Slide 62 text
$ # For a clearsigned message (or other signatures
that include the message):
$ gpg --decrypt msg.sig
Slide 63
Slide 63 text
Hi
gpg: Signature made Sat Jan 3 13:12:21 2015 CST using RSA key ID A0ACE70A
gpg: Good signature from "Caleb Thompson " [full]
gpg: aka "Caleb Thompson " [full]
gpg: aka "Caleb Thompson " [full]
Slide 64
Slide 64 text
$ # For a detached signature:
$ gpg --verify innocent-msg.sig innocent-msg
Slide 65
Slide 65 text
gpg: Signature made Sat Jan 3 13:12:21 2015 CST using RSA key ID A0ACE70A
gpg: Good signature from "Caleb Thompson " [full]
gpg: aka "Caleb Thompson " [full]
gpg: aka "Caleb Thompson " [full]
Slide 66
Slide 66 text
Signing a key: what and how?
Slide 67
Slide 67 text
• Signing a key uses the same (or
similar) mechanics internally as
signing a message
Slide 68
Slide 68 text
• Has different semantic meaning:
Slide 69
Slide 69 text
• Assert that you’ve verified identity
(driver’s licence, passport, etc.)
Slide 70
Slide 70 text
• Assert that you’ve verified that you
have the right key
Slide 71
Slide 71 text
• Assert that you’ve verified
ownership (can use private key)
Slide 72
Slide 72 text
• Assert that you’ve verified
ownership (can use private key)
• (It’s less common to actually do this
step)
Slide 73
Slide 73 text
• Announces to the world that if they
trust you to verify these things, they
can trust that the keys of people
you have signed are more likely to
represent the people they want to
communicate with.
Slide 74
Slide 74 text
• Fundamental to the Web of Trust
Slide 75
Slide 75 text
No content
Slide 76
Slide 76 text
$ gpg --sign-key --ask-cert-level Terence
Slide 77
Slide 77 text
pub rsa2048/5BE915C7
created: 2013-11-27 expires: 2016-11-26 usage: SC
trust: marginal validity: full
sub rsa2048/1B1DAFC7
created: 2013-11-27 expires: 2016-11-26 usage: E
[ full ] (1). Terence Lee
!
!
pub rsa2048/5BE915C7
created: 2013-11-27 expires: 2016-11-26 usage: SC
trust: marginal validity: full
Primary key fingerprint: 43C9 BCC5 3DE7 C6D8 DD79 D42E FB54 F2C6 5BE9 15C7
!
Terence Lee
!
This key is due to expire on 2016-11-26.
Slide 78
Slide 78 text
How carefully have you verified the key you are
about to sign actually belongs
to the person named above? If you don't know what
to answer, enter "0".
!
(0) I will not answer. (default)
(1) I have not checked at all.
(2) I have done casual checking.
(3) I have done very careful checking.
!
Your selection? (enter '?' for more information):
Slide 79
Slide 79 text
(1) I have not checked at all.
Slide 80
Slide 80 text
(2) I have done casual checking.
Slide 81
Slide 81 text
(3) I have done very careful checking.
Slide 82
Slide 82 text
Are you sure that you want to sign this key with your
key "Caleb Thompson
" (D658D2CC)
!
I have checked this key casually.
!
Really sign? (y/N) y
Slide 83
Slide 83 text
• Somehow get the key to Terence
Slide 84
Slide 84 text
Be Pragmatic
$ gpg --send-keys 5BE915C7
Slide 85
Slide 85 text
Be really safe
• Sign each UID separately
• Export UIDs to separate files
• Encrypt each UID and email to the
associated email address
• Include instructions for importing encrypted
keys and pushing to a keyserver
Slide 86
Slide 86 text
Get my key
$ gpg --recv-keys A0ACE70A
Slide 87
Slide 87 text
Sign my key
$ gpg --fingerprint [email protected]
pub rsa2048/A0ACE70A 2013-08-12
Key fingerprint =
B432 C068 2FD1 C2D0 6A8B 3951 1621 ADC2 A0AC E70A
uid [ full ] Caleb Thompson
uid [ full ] Caleb Thompson
uid [ full ] Caleb Thompson
sub rsa2048/545CA4DF 2013-08-12
Slide 88
Slide 88 text
Trusting a key: Should I do it?
Slide 89
Slide 89 text
• First of all, trust is private and local
Slide 90
Slide 90 text
• Unlike keysigning, it is never
broadcast
• So you can be honest about it.
Slide 91
Slide 91 text
• Having trusted keys makes the
Web of Trust more useful to you
Slide 92
Slide 92 text
• Marking a key as trusted means
that keys that key has signed are
implicitly trusted at a higher level
Slide 93
Slide 93 text
• Not “would this person take a bullet
for me”
Slide 94
Slide 94 text
• How much do you trust them to
verify identities (as we did in the
key signing section)
gpg> trust
pub rsa4096/D658D2CC
created: 2014-12-22 expires: 2015-12-22 usage: SC
trust: ultimate validity: ultimate
sub rsa4096/11597F23
created: 2014-12-22 expires: 2015-12-22 usage: E
[ultimate] (1). Caleb Thompson
[ultimate] (2) Caleb Thompson
!
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
!
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
!
Your decision? 4
Slide 97
Slide 97 text
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Slide 98
Slide 98 text
gpg> save
Key not changed so no update needed.
Slide 99
Slide 99 text
Sending encrypted mail
Slide 100
Slide 100 text
Signing Git commits & tags
Slide 101
Slide 101 text
Signing software releases
Slide 102
Slide 102 text
PGP and You
http://robots.thoughtbot.com/pgp-and-you
Slide 103
Slide 103 text
Keysigning Party !!1!
Slide 104
Slide 104 text
• You should have a key now
• You know how to verify and sign a
key
Slide 105
Slide 105 text
• Come up to the podium with your laptop
• Share your name and key id
• Wait for us to get your key
• Confirm your fingerprint
• Show us your ID