Gentoo Forums
HOWTO: Gnupg / OpenPGP Smartcard / Dual OS
forgotten1
Guru


Joined: 11 Jan 2005
Posts: 477
Location: East Coast, USA

PostPosted: Wed Jul 26, 2006 1:47 am    Post subject: HOWTO: Gnupg / OpenPGP Smartcard / Dual OS

HOWTO: Gnupg / OpenPGP Smartcard / Dual OS

I wrote:
Golden Rule Revisited - "Share unto others as you would have them share unto you"


CHANGE LOG:
Code:
20060728 - smartcard USE flag is necessary for (gnupg).  Modified instruction.
         - Correct typos.
20060725 - Initial post.


NOTICE: This HOWTO has been tested on a Dell Inspiron 600m. Although I cannot guarantee this will work on other hardware, it should. As always, the user of this information is responsible for any outcome experienced. This also assumes your windows installation has the proper smartcard reader driver installed and functioning correctly.

SUPPORT: As a reminder, this is not a support forum. If you have any difficulties with this HOWTO and require extra help, PM me.

CONTINUAL IMPROVEMENT: I will accept any constructive criticism that will improve this document. Please PM me with your suggestions.

SUMMARY: This HOWTO describes the process of setting up GnuPG to work with an OpenPGP Smartcard in dual operating systems (i.e. Gentoo GNU/Linux and XP). Additional optional hardware requirements are two <=64MB flashdrives. This is a record of my lessons learned.

Why did I bother with this approach? I wanted to be able to use gnupg in both operating system environments, since I use both in the course of work and 'play.' This describes a process of storing the keys and configuration settings on two flashdrives, which makes your usage of gnupg more portable. It also describes using the OpenPGP smartcard as storage for the subkey secret keys. The primary secret key is stored on a separate flashdrive, increasing security. The additional benefit to using the flashdrives to store config settings and keys, is that there is less risk to compromising them, as they can be removed from the machine when not needed. Enough of the sales pitch.

Let's Get To It:

First, this assumes you already have a smartcard reader, and OpenPGP (or equivalent) smart card to use. It also assumes you have the smartcard reader driver installed and operational. If you have an O2Micro OZ711EC1 reader, the driver installation instructions can be found in this post:

HOWTO: Install 02Micro OZ711EC1 Smartcard Reader Driver (https://forums.gentoo.org/viewtopic-t-482152.html)


  1. Install gnupg. The 'smartcard' USE flag is necessary. If gnupg is compiled without it, gpg will error out with an 'Invalid option' when attempting to use commands for editing the card or viewing its status.
    Code:
    echo 'app-crypt/gnupg smartcard' >> /etc/portage/package.use
    emerge gnupg


  2. Prepare 2 usb flashdrives. One will be used for normal daily operation of gnupg, the second will be used to store the primary secret keying. The total size of the configuration files isn't that large, if you can find 16MB flashdrives, they should suffice. They will be reformatted and ext2 filesystems installed. Gnupg likes a file system that can handle file locking.

    An additional benefit to applying ext2 filesystems to the flashdrives is you gain additional security through obscurity. If someone finds the flashdrive and plugs it into a windows machine to see what is on it, they will not see anything, unless they have installed an ext2 filesystem driver, which will be a very small population indeed. This will not be true of course, if they are found by someone using unix/linux. And you can create additional partitions, but be advised that windows only sees the first partition.

    You will need two open USB ports. Insert the first flashdrive and enter the following:
    Code:
    fdisk /dev/sda
    p <Note partitions, should just be one>
    d <Delete all partitions present>
    n
    p
    1
    <Hit enter for first cylinder>
    <Hit enter for last cylinder>
    a
    1
    t
    83
    w
    q
    mke2fs /dev/sda1 -b 4096 -c -c -L SAFE
    tune2fs -c -1 -e continue /dev/sda1
    mkdir -p /mnt/usb/gnupg
    chown <username>:users /mnt/usb/gnupg
    chmod 700 /mnt/usb/gnupg


    Insert the second flashdrive and enter the following:
    Code:
    fdisk /dev/sdb
    p <Note partitions, should just be one>
    d <Delete all partitions present>
    n
    p
    1
    <Hit enter for first cylinder>
    <Hit enter for last cylinder>
    a
    1
    t
    83
    w
    q
    mke2fs /dev/sdb1 -b 4096 -c -c -L UNSAFE
    tune2fs -c -1 -e continue /dev/sdb1
    mkdir -p /mnt/usb2/gnupg
    chown <username>:users /mnt/usb2/gnupg
    chmod 700 /mnt/usb2/gnupg


  3. Modify /etc/fstab. Here we make the separate flashdrives available to the normal user. There must be a cleaner way to do this (udev?), I just haven't figured it out yet. Until then this is how I get it done.
    Code:
    <Open up /etc/fstab and make the following modifications>
    /dev/sda1  /mnt/usb  ext2  noauto,users,rw  0 0
    /dev/sdb1  /mnt/usb2  ext2  noauto,users,rw  0 0


    You are now prepared to set up your OpenPGP smartcard to use subkeys only. This follows the reference identified below very closely.

  4. Insert smartcard into slot. If you own a 600m also, the correct orientation for inserting the smartcard is with the contacts facing up, not down.

  5. Log in as your normal user.

  6. Create a normal gpg secret key. To be safe, do this when not plugged into the internet on a machine you trust. You can skip this if you have already created one. Feel free to modify the defaults if you wish, but they should suffice. This step comes from the GNU Privacy Handbook referenced below.
    Code:
    gpg --gen-key
    <select the default key, 1>
    <select default keysize, 2048>
    <select expiration, 0>
    <enter your name, or an alias if you are really sensitive about your privacy>
    <enter a passphrase, create a good one>
    <enter a comment if you wish>


  7. Generate a revocation certificate. Not mandatory, just good practice.
    Code:
    gpg --output revoke.asc --gen-revoke <enter key number, the number after 1024D/>


  8. Trust yourself?
    Code:
    gpg --edit-key <name or keyID>
    trust
    <enter your trust level of yourself>
    quit


  9. Kill gpg-agent. Log in as root in a separate console and run the following:
    Code:
    pkill gpg-agent


    Log out of the root user console, and switch back to the normal user console.

  10. Create subkeys for use on the card. I personally chose expiration dates of 1 year, but you are free to choose whatever you want. But if you do choose a definite expiration date, do be careful making your entry. If you type 1 instead of 1y (for a key to expire in one year), the key will expire the next day. But you can change the expiration date later should you make an error. This HOWTO will not cover that exercise.

    NOTE: I experienced errors when generating the keys. I resolved this by opening a dummy document in a separate console. Then I typed a bunch of garbage into the document for 3 to 5 minutes, then generated the key. And I repeated this process prior to generating each key. If you successfully generate the first key (3) and the second fails (1), save the first one that generated correctly. Then type more junk into the dummy document, then retry the generation of the subkey that failed, and continue until all three are generated.
    Code:
    gpg --edit-key <key-ID, or email, or name for key created previously>
    addcardkey
    <Generate the keys in order, using this sequence:  3,1,2>
    quit


  11. Backup public and secret keyrings.
    Code:
    cp ~/.gnupg/secring.gpg ~/.gnupg/secring.gpg.backup
    cp ~/.gnupg/pubring.gpg ~/.gnupg/pubring.gpg.backup


  12. Store secring.gpg on USB flashdrive. I'm not overly concerned about backing up the pubring.gpg as it can be regenerated if necessary from secring.gpg. This HOWTO will not cover that exercise.

    NOTE: It is paramount that you maintain strong physical security over this flashdrive.

    Code:
    mount /mnt/usb2
    cp ~/.gnupg/secring.gpg /mnt/usb2/gnupg
    umount /mnt/usb2
    <remove and secure this flashdrive>


  13. Remove master key from the keyring. Your key ID is the combination of eight letters and numbers after 1024D/ or just use your name or email address.
    Code:
    gpg --edit-key <yourkeyID>
    key 1
    delkey
    y
    save


  14. Export secret subkeys to file.
    Code:
    gpg --export-secret-subkeys <yourkeyID> > ~/.gnupg/sub.secring


  15. Remove secret master key from the secret keyring.
    Code:
    gpg --delete-secret-keys <yourkeyID>
    y
    y


  16. Reimport your subkey stubs.
    Code:
    gpg --import < ~/.gnupg/sub.secring


  17. Reimport your complete public keyring.
    Code:
    gpg --import < ~/.gnupg/pubring.gpg.backup


  18. If you want to see what your key looks like now, run the following. You can compare it against the reference linked below.
    Code:
    gpg --edit-key <yourkeyID>
    quit


  19. Remove all backups from the machine.
    Code:
    rm ~/.gnupg/sub.secring
    rm ~/.gnupg/*.backup


  20. Add encryption subkeys to ~/.gnupg/gpg.conf. The encryption subkey IDs are those listed as "usage: E". Open up ~/.gnupg/gpg.conf in an editor and add the following lines:

    You will have two of them. You will prefix your encryption key IDs with '0x' and suffix them with '!'. An example looks like: 0x13EF00D0!
    Code:
    hidden-encrypt-to 0x<encryption subkey ID>!
    hidden-encrypt-to 0x<encryption subkey ID>!

    default-recipient 0x<encryption subkey ID>!
    default-recipient 0x<encryption subkey ID>!
    <save and close>


  21. Move keys and configuration files to USB flashdrive. If you are already in the /home/<user>/.gnupg directory you can ignore the first step.
    Code:
    cd ~/.gnupg
    mount /mnt/usb
    cp * /mnt/usb/gnupg


  22. Modify ~/.bashrc. The .bashrc you are concerned with is the user's .bashrc which you have been using for normal operation of gpg. If you are configuring a multi-user system, then you might want to modify /etc/skel/.bashrc instead. The purpose of the below modification is to change the gpg home directory to that of a usb flashdrive. Adjust the directory location to suit your own requirements.
    Code:
    <open /home/<username>/.bashrc and add the following>
    alias gpg="gpg --homedir /mnt/usb/gnupg"


    Alternatively you could add the following to .bashrc:
    Code:
    export GNUPGHOME=/mnt/usb/gnupg

    I experimented with using GPGHOME, but was not successful.

  23. Now let's test to make sure everything works as expected. Remove the smartcard, and flashdrive. Either label the flashdrives, or keep them separate. Reboot your machine, log in as the normal user, and run the following:
    Code:
    gpg --edit-key <name, email, or yourkeyID>


    You should get an error that looks like this:
    Code:
    gpg: keyblock resource '/mnt/usb/gnupg/secring.gpg': file open error
    gpg: keyblock resource '/mnt/usb/gnupg/pubring.gpg': file open error


    If you did not get this error, then you did not add the modification to your /home/<user>/.bashrc file as shown above. If you received the error message then proceed with the next test below.

    Insert the flashdrive containing the config file and key rings (not the one containing only the main secret ring). Insert the smartcard, and run the following command:
    Code:
    mount /mnt/usb
    gpg -e <path to file>/<any file>
    gpg -d <path to same file>/<same file>.gpg


    If the above worked correctly, you should be asked to enter your PIN, and then you will see the decrypted file. If it failed saying 'no valid OpenPGP data found', then you forgot to add '.gpg' to the end of the filename.

    Now remove the smartcard and repeat decryption. It should not work, and gpg should ask you for the card:
    Code:
    gpg -d <path to same file>/<same file>.gpg


    If the last test worked as expected, then proceed.

  24. Remove contents of /home/<user>/.gnupg. If you are extra security conscious, then you would wipe this folder with the appropriate program, this exercise is not documented in this HOWTO.
    Code:
    cd ~/.gnupg
    rm *
    cd ..
    rmdir .gnupg


    We are now done with the first phase. Unmount the usb flashdrive, and remove the smartcard. We will now set up GnuPG properly in WinXP.

  25. Download and install the Ext2 IFS driver for Windows. I tried the ext2fsd driver from sourceforge.net, but it was found to be unstable. I experienced the blue screen of death a few times. This one seems to be more mature and bug free. You can obtain the driver from this link:

    (http://www.fs-driver.org/download.html)

    Install the driver, and reboot the machine. If you are dual-booting XP and GNU/Linux, you don't have to create new drive letters for the Linux partitions, but it gives you the option to.

  26. Download and install GnuPG 1.4.4 compiled for Microsoft Windows. You can obtain the download from the link below. You should also verify the sha-1 checksum, which can be found at the www.gnupg.org download page.

    (ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.4.exe)

    The installation is self-explanatory. Other than choosing your language, I'd leave the defaults alone, as the tools will come in handy later.

  27. Configure GnuPG 1.4.4 compiled for Microsoft Windows. We will be setting homedir directory to the USB flash drive. This can be done through editing the registry, modifying an environment variable, or using the --homedir option every time you run gpg. The GPGHOME environment variable is the option we will use. Before you start, plug in your flashdrive to see what drive letter it is given.

    Right click 'My Computer', select the 'Advanced' tab, then click the 'Environment Variables' button.

    Click the 'New' button in the top user section. Enter the following values:
    Code:
    Variable name:  GPGHOME
    Variable value:  <usb drive letter>:\gnupg


  28. Now test again to ensure everything works as expected. Go ahead and insert the smartcard, if you removed the flashdrive, plug it in also. Open up a command window and run the following commands:
    Code:
    gpg -e <path to file>\<any file>
    gpg -d <path to same file>\<same file>.gpg


    You should be asked for your PIN, and then the decrypted contents should be displayed. Now remove the smartcard, and run the following:
    Code:
    gpg -d <path to same file>\<same file>.gpg


    You should get a long list of errors with the last one complaining that decryption failed. That's what we want. Now properly remove the USB flashdrive and run the following:

    Code:
    gpg -e <path to file>\<any file>


    You should get two file open errors and you will be asked for a user ID. No matter what you type in as a user ID, you should receive a 'no such user' complaint. Hit enter to exit this loop.

    You have now tested the system and found it properly working (excluding unknown bugs of course). From here on out, all you need are your smartcard and the flashdrives. You will need the second one, containing the master secret key, when it's time to sign other keys etc. This HOWTO does not cover that exercise.


Good luck. Remember, if you have troubles, PM me, this isn't a support forum. And I welcome any suggestions for improvement of this HOWTO.

References:
The GNU Privacy Handbook (http://www.gnupg.org/gph/en/manual.html)
The GnuPG Smartcard HOWTO (http://www.gnupg.org/howtos/card-howto/en/smartcard-howto-single.html)
GnuPG Frequently Asked Questions (http://www.gnupg.org/documentation/faqs.html)
Using your Card with subkeys only (https://www.fsfe.org/en/card/howto/subkey_howto)
www.gnupg.org
www.winpt.org
www.gpg4win.org
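A small check to run after step 19 (and again after step 23 against the flashdrive copy), added here as an example and not part of forgotten1's HOWTO: it parses `gpg --with-colons --list-secret-keys` output and confirms that the master secret key is only a stub (`#` in field 15 of the `sec` record) while every secret subkey reports a card serial number in that field. The sample listings, key IDs and the `CARDSERIAL0001` value are constructed placeholders; the `/mnt/usb/gnupg` default follows the HOWTO.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a gpg homedir
# holds only what the HOWTO leaves behind, i.e. the master secret key is
# absent (stub) and every secret subkey lives on the OpenPGP card.
# Field 15 of gpg's --with-colons sec/ssb records is "#" for a plain stub
# or the token serial number for a key stored on a smartcard.

# Classify a --with-colons secret-key listing passed as $1.
# Prints one of: ok, master-present, subkey-not-on-card, no-keys.
keyring_state() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "sec" { nsec++; if ($15 != "#") master++ }
        $1 == "ssb" { nssb++; if ($15 == "" || $15 == "#") offcard++ }
        END {
            if (nsec == 0 || nssb == 0) { print "no-keys"; exit }
            if (master > 0)  { print "master-present"; exit }
            if (offcard > 0) { print "subkey-not-on-card"; exit }
            print "ok"
        }'
}

# Run the check against a real homedir (default: the flashdrive path used
# in the HOWTO). Returns non-zero unless the state is "ok".
check_homedir() {
    dir=${1:-/mnt/usb/gnupg}
    listing=$(gpg --homedir "$dir" --batch --with-colons --list-secret-keys 2>/dev/null) || return 2
    state=$(keyring_state "$listing")
    echo "$dir: $state"
    [ "$state" = ok ]
}

# Constructed sample listings (key IDs and card serial are placeholders).
# Expected end state: master is a stub, both subkeys are on the card.
GOOD_LISTING='sec:u:1024:17:0123456789ABCDEF:2006-07-25:::u:::scESC:::#:
uid:u::::2006-07-25::HASH::Example User <user@example.invalid>:
ssb::2048:1:FEDCBA9876543210:2006-07-26:2007-07-26:::::e:::CARDSERIAL0001:
ssb::2048:1:0F1E2D3C4B5A6978:2006-07-26:2007-07-26:::::s:::CARDSERIAL0001:'

# Same key before step 15: the master secret key is still on the keyring.
MASTER_STILL_PRESENT='sec:u:1024:17:0123456789ABCDEF:2006-07-25:::u:::scESC::::
ssb::2048:1:FEDCBA9876543210:2006-07-26:2007-07-26:::::e:::CARDSERIAL0001:'

# A subkey whose secret half was never moved to the card.
SUBKEY_ON_DISK='sec:u:1024:17:0123456789ABCDEF:2006-07-25:::u:::scESC:::#:
ssb::2048:1:FEDCBA9876543210:2006-07-26:2007-07-26:::::e::::'

# Usage: sh check_keyring.sh --check [homedir]
if [ "${1:-}" = --check ]; then
    check_homedir "${2:-}"
fi
```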
jhmartin
Tux's lil' helper


Joined: 03 Sep 2003
Posts: 95

PostPosted: Thu Aug 31, 2006 5:20 pm

Is there anyplace online in the US to purchase a card?
forgotten1
Guru


Joined: 11 Jan 2005
Posts: 477
Location: East Coast, USA

PostPosted: Thu Aug 31, 2006 7:50 pm

As far as I know, the OpenPGP cards are not available in the US. I purchased two cards for a reasonable price from distributors of the card, kernel concepts. The link for information on the card can be found here:

http://www.kernelconcepts.de/products/security-en.shtml

Purchasing information is found using the "how to order" link on the top right side of the page.