GNU Privacy Guard
GPG (GNU Privacy Guard) is a free, open-source implementation of the OpenPGP standard (OpenPGP is the IETF standardisation of Pretty Good Privacy). The Platform team uses GPG to generate and manage the public and private keys it uses for file encryption and decryption, for signing Git commits, and for SSH access to various systems.
Once installed, team members have access to GPG's functions via the command line (cli).
macOS
Requirements
Installing GPG on macOS
Use Homebrew to install GPG by entering the following in the cli and following the on-screen instructions:
Linux
Requirements
Installing GPG on Linux
- Ubuntu/Debian
- RHEL/Fedora
Key Generation
Generate a master key
- Generate a master key:
- Select (10) ECC (sign only), then select Curve 25519, then select an expiration:

    Please select what kind of key you want:
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)
       (7) DSA (set your own capabilities)
       (8) RSA (set your own capabilities)
       (9) ECC and ECC
      (10) ECC (sign only)
      (11) ECC (set your own capabilities)
      (13) Existing key
      (14) Existing key from card
    Your selection? 10

- Associate a user id with the newly generated key:
- Verify that your new key is associated with the uid you expect, and that it is enabled for Signing and Certificate generation (usage: SC):
Generate an encryption subkey
- Edit the master key:
- At the gpg> prompt enter addkey, and select (12) ECC (encrypt only):

    gpg> addkey
    Please select what kind of key you want:
       (3) DSA (sign only)
       (4) RSA (sign only)
       (5) Elgamal (encrypt only)
       (6) RSA (encrypt only)
       (7) DSA (set your own capabilities)
       (8) RSA (set your own capabilities)
      (10) ECC (sign only)
      (11) ECC (set your own capabilities)
      (12) ECC (encrypt only)
      (13) Existing key
      (14) Existing key from card
    Your selection? 12

- Select Curve 25519, and set an expiration earlier than that of the master key:

    Please select which elliptic curve you want:
       (1) Curve 25519
       (3) NIST P-256
       (4) NIST P-384
       (5) NIST P-521
       (6) Brainpool P-256
       (7) Brainpool P-384
       (8) Brainpool P-512
       (9) secp256k1
    Your selection? 1
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 2y

- Verify you have a new subkey for Encryption (usage: E).
- Save your new configuration.
Generate an authentication subkey
- Generate an authentication subkey:
- Select the addkey option, and then (11) ECC (set your own capabilities):

    gpg> addkey
    Please select what kind of key you want:
       (3) DSA (sign only)
       (4) RSA (sign only)
       (5) Elgamal (encrypt only)
       (6) RSA (encrypt only)
       (7) DSA (set your own capabilities)
       (8) RSA (set your own capabilities)
      (10) ECC (sign only)
      (11) ECC (set your own capabilities)
      (12) ECC (encrypt only)
      (13) Existing key
      (14) Existing key from card
    Your selection? 11

- Toggle the available options until only Authenticate is enabled (press s to drop Sign, then a to add Authenticate):

    Possible actions for a ECDSA/EdDSA key: Sign Authenticate
    Current allowed actions: Sign

       (S) Toggle the sign capability
       (A) Toggle the authenticate capability
       (Q) Finished

    Your selection? s

    Possible actions for a ECDSA/EdDSA key: Sign Authenticate
    Current allowed actions:

       (S) Toggle the sign capability
       (A) Toggle the authenticate capability
       (Q) Finished

    Your selection? a

    Possible actions for a ECDSA/EdDSA key: Sign Authenticate
    Current allowed actions: Authenticate

       (S) Toggle the sign capability
       (A) Toggle the authenticate capability
       (Q) Finished

- Again select Curve 25519, and set an expiration (ideally earlier than that of the master key):

    Please select which elliptic curve you want:
       (1) Curve 25519
       (3) NIST P-256
       (4) NIST P-384
       (5) NIST P-521
       (6) Brainpool P-256
       (7) Brainpool P-384
       (8) Brainpool P-512
       (9) secp256k1
    Your selection? 1
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 2y

- Verify you have a new subkey for Authentication (usage: A):

    sec  ed25519/2B1E270B47DB1308
         created: 2023-04-14  expires: never       usage: SC
         trust: ultimate      validity: ultimate
    ssb  cv25519/CB4687B62B16CAF3
         created: 2023-04-14  expires: 2025-04-13  usage: E
    ssb  ed25519/D8C413AFD85D7A62
         created: 2023-04-14  expires: 2025-04-13  usage: A
    [ultimate] (1). Kevin Mitnick (testing) <kmitnick@vt.edu>

- Save your configuration:
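The verification steps above are done by eye. As an added example (not part of the original guide or of GnuPG), the shell function below audits the machine-readable listing `gpg --list-secret-keys --with-colons <KEYID>` for the layout this guide produces: a master key with only Certify+Sign capability, an Encrypt subkey, an Authenticate subkey, and an expiry on every subkey. The two sample listings are hand-constructed in `--with-colons` layout using the key IDs and dates shown above; they are not captured output.

```shell
# Added example, not from the original guide: audit a secret-key listing for the
# layout the steps above produce (master key Certify+Sign only, an Encrypt subkey,
# an Authenticate subkey, every subkey with an expiry).
# Input: the output of  gpg --list-secret-keys --with-colons <KEYID>  on stdin.
# In sec/ssb records field 12 holds capabilities (lowercase = that key's own,
# uppercase = usable on the whole key) and field 7 is the expiry as a Unix time.
# Prints findings and returns 0 when the layout matches, 1 otherwise.
audit_key_layout() {
  awk -F: '
    $1 == "sec" {
      master++; caps = $12
      if (caps ~ /[ea]/)              { print "FAIL: master key " $5 " has its own E/A capability (" caps ")"; bad++ }
      if (caps !~ /s/ || caps !~ /c/) { print "FAIL: master key " $5 " is not Sign+Certify (" caps ")"; bad++ }
    }
    $1 == "ssb" {
      caps = $12
      if (caps ~ /e/) enc++
      if (caps ~ /a/) auth++
      if ($7 == "") { print "FAIL: subkey " $5 " never expires"; bad++ }
    }
    END {
      if (master != 1)  { print "FAIL: expected exactly one master key, found " (master + 0); bad++ }
      if (enc + 0 < 1)  { print "FAIL: no encryption (E) subkey"; bad++ }
      if (auth + 0 < 1) { print "FAIL: no authentication (A) subkey"; bad++ }
      if (bad + 0 == 0) print "OK: master SC, E subkey, A subkey, all subkeys expire"
      exit (bad + 0 > 0)
    }'
}

# Constructed sample: the key from this guide (key IDs and dates as shown above),
# hand-written in --with-colons layout. 1681430400 = 2023-04-14, 1744502400 = 2025-04-13.
GOOD_LISTING='sec:u:256:22:2B1E270B47DB1308:1681430400:::u:::scESCA:::+:::ed25519:::0:
fpr:::::::::6BD6FC926DC6C6D46B4F725B2B1E270B47DB1308:
uid:u::::1681430400::UIDHASHPLACEHOLDER::Kevin Mitnick (testing) <kmitnick@vt.edu>::::::::::0:
ssb:u:256:18:CB4687B62B16CAF3:1681430400:1744502400:::::e:::+:::cv25519::
ssb:u:256:22:D8C413AFD85D7A62:1681430400:1744502400:::::a:::+:::ed25519::'

# Constructed sample of two common slips: the master key kept Authenticate when
# its capabilities were set by hand, and the A subkey was created with "0 = key does not expire".
BAD_LISTING='sec:u:256:22:2B1E270B47DB1308:1681430400:::u:::scaESCA:::+:::ed25519:::0:
ssb:u:256:22:D8C413AFD85D7A62:1681430400::::::a:::+:::ed25519::'

printf '%s\n' "$GOOD_LISTING" | audit_key_layout
printf '%s\n' "$BAD_LISTING"  | audit_key_layout || true
```

On a real keyring, pipe `gpg --list-secret-keys --with-colons <KEYID>` into `audit_key_layout` instead of the constructed listings.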
Signing Git commits
Once GPG keys have been generated, Git can be configured to use them for signing.
- First find your GPG key ID (the long hexadecimal value after ed25519/ on the sec line):

    $ gpg --list-secret-keys --keyid-format long
    sec   ed25519/2B1E270B47DB1308 2023-04-14 [SC]
          6BD6FC926DC6C6D46B4F725B2B1E270B47DB1308
    uid                 [ultimate] Kevin Mitnick (testing) <kmitnick@vt.edu>
    ssb   cv25519/CB4687B62B16CAF3 2023-04-14 [E] [expires: 2025-04-13]
    ssb   ed25519/D8C413AFD85D7A62 2023-04-14 [A] [expires: 2025-04-13]

- Run the following commands to configure Git:
- Any future commits can now be signed by including the -S flag: