user:ruza:gpg2-modern
Table of Contents
GPG modern (2.1) with Elliptic curves
Being an elliptic curves fan for whatever reason (NSA-aware, early adopter, bored geek,…) you are forced to compile GnuPG for yourself or use Debian experimental.
Before doing anything be sure to read carefully and fully understand this article https://www.gnupg.org/faq/whats-new-in-2.1.html You've been warned!
Oficial variant
Recommended way described in GnuPG wiki is much simpler than the following guide which uses debian experimental in schroot.
sudo make -f build-aux/speedo.mk native INSTALL_PREFIX="/usr/local"
actually works well.
Debian experimental schroot variant
Use if oficial variant is not functional.
Create chroot environment (Debian Jessie)
start sudo from your regular user (this is important step to have SUDO_USER environment variable set)
- First we create an directory and prepare environment:
export MY_CHROOT=/data/virtuals/schroot-deb-experimental sudo -E su echo -e "My Chroot:\t$MY_CHROOT\nWhoAmI:\t\t$(whoami)\nSUDO_USER:\t$SUDO_USER" mkdir -p $MY_CHROOT chown $SUDO_USER $MY_CHROOT
- Install software needed to create an schroot environment:
aptitude install schroot debootstrap
- Configure chroot:
cat <<EOF >>/etc/schroot/schroot.conf [experimental] description=Debian experimental directory=$MY_CHROOT groups=sbuild,root,$SUDO_USER users=$SUDO_USER root-groups=root,sbuild EOF
- Now we will create and modify the content of the chroot:
debootstrap jessie $MY_CHROOT echo "proc $MY_CHROOT/proc proc defaults 0 0" >> /etc/fstab mount proc $MY_CHROOT/proc -t proc echo "sysfs $MY_CHROOT/sys sysfs defaults 0 0" >> /etc/fstab mount sysfs $MY_CHROOT/sys -t sysfs echo "/home/$SUDO_USER/.gnupg/ $MY_CHROOT/home/$SUDO_USER/.gnupg/ none bind 0 0" >> /etc/fstab mount "$MY_CHROOT/home/$SUDO_USER/.gnupg/" cp /etc/hosts $MY_CHROOT/etc/hosts cp /proc/mounts $MY_CHROOT/etc/mtab grep $SUDO_USER /etc/passwd >> $MY_CHROOT/etc/passwd egrep ^$SUDO_USER /etc/group >> $MY_CHROOT/etc/group mkdir -p $MY_CHROOT/home/$SUDO_USER chown $SUDO_USER $MY_CHROOT/home/$SUDO_USER
add experimental repository
Debian experimental is not an distro variant, its just a bunch of packages in the repo.
- we are entering newly created chroot environment
chroot $MY_CHROOT /bin/bash
- now we will upgrade jessie to experimental branch\\ as a ROOT INSIDE chroot apt-get update echo 'deb http://ftp.debian.org/debian experimental main'
/etc/apt/sources.list.d/experimental.list apt-get update apt-cache policy gnupg2 apt-get -t experimental install gnupg2 apt-get install bash-completion
Make keyring backup
- AS a NORMAL USER
BACKUP="/home/$SUDO_USER/.gnupg-$(date +%F).backup.tbz" tar cjvf $BACKUP /home/$SUDO_USER/.gnupg/ chmod 400 $BACKUP ### TRIPLECHECK YOUR HAVE AN BACKUP !!! (there are big changes in gpg 2.1 and might need to reimport some keys or downgrade)
- verify chrooted env works
schroot -p -c chroot:experimental -- gpg2 --version gpg (GnuPG) 2.1.1 libgcrypt 1.6.2 ...
sChroot shell access
- btw
schroot -p -c chroot:experimental ... gives you an full shell access
Make chrooted binaries executable from non-schroot environment
sudo -E su
- now we symlink to universal script /usr/local/bin/run-deb-exp.sh that runs symlink basename in chroot:
root@DebExp@azur:/usr/bin$ for file in $(dpkg -L gnupg2 gnupg-agent dirmngr|grep bin); do [ -f $file ] && echo "mv $file $file.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh $file";done mv /usr/sbin/applygnupgdefaults /usr/sbin/applygnupgdefaults.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/sbin/applygnupgdefaults mv /usr/sbin/addgnupghome /usr/sbin/addgnupghome.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/sbin/addgnupghome mv /usr/bin/gpg2 /usr/bin/gpg2.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/bin/gpg2 mv /usr/bin/gpgconf /usr/bin/gpgconf.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/bin/gpgconf mv /usr/bin/gpgparsemail /usr/bin/gpgparsemail.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/bin/gpgparsemail mv /usr/bin/kbxutil /usr/bin/kbxutil.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/bin/kbxutil mv /usr/bin/watchgnupg /usr/bin/watchgnupg.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/bin/watchgnupg mv /usr/bin/gpg-agent /usr/bin/gpg-agent.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/bin/gpg-agent mv /usr/bin/gpg-connect-agent /usr/bin/gpg-connect-agent.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/bin/gpg-connect-agent mv /usr/bin/gpgkey2ssh /usr/bin/gpgkey2ssh.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/bin/gpgkey2ssh mv /usr/bin/symcryptrun /usr/bin/symcryptrun.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/bin/symcryptrun mv /usr/bin/dirmngr /usr/bin/dirmngr.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/bin/dirmngr mv /usr/bin/dirmngr-client /usr/bin/dirmngr-client.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/bin/dirmngr-client
- /usr/local/bin/run-deb-exp.sh
cat /usr/local/bin/run-deb-exp.sh #!/bin/bash # schroot -p -c chroot:experimental -- gpg2 "$@" CHROOT_PREFIX="/data/virtuals/schroot-deb-experimental" export LD_LIBRARY_PATH="${CHROOT_PREFIX}/lib/x86_64-linux-gnu:${CHROOT_PREFIX}/usr/lib/x86_64-linux-gnu:${LD_LIBRARY_PATH}" ${CHROOT_PREFIX}/usr/bin/$(basename $0) "$@"
in case you went into trouble with your keydb (like “invalid packet”/“key not found” errors) fix it by reimporting your keys from backup: ! notice that export is using gpg1 with homedir where backup is, while import is made by gpg2.1
gpg --homedir /home/ruza/.gnupg-BACKUP/ --output F7EEAF5998070C1D_pub.gpg --armor --export-secret-key 0xF7EEAF5998FFFC1D gpg --homedir /home/ruza/.gnupg-BACKUP/ --output F7EEAF5998070C1D_pub.gpg --armor --export 0xF7EEAF5998FFFC1D gpg-chrooted --import F7EEAF5998FFFC1D_pub.gpg gpg-chrooted --allow-secret-key-import --import F7EEAF5998FFFC1D_priv.gpg
Other software integrationn
finally configure all your software to use /usr/bin/gpg2 (/usr/bin/gpg is default). no longer need to start gpg-agent. it is started automagically (… did you've read that “What's new in 2.1” article?)
Enigmail
path to gpg is configurable in enigmail .. verify in enigmail Console
Gajim
path to gpg in gajim seems to be hardcoded .. do cd /usr/bin/ && mv gpg gpg.ORIG && ln -s /usr/bin/gpg2 gpg
Using ECC in GPG2.1+
- ECC are available in expert mode only. Beware, parameter order is important.
gpg2 --expert --edit-key 0xKEYID
- it is not possible at this time create Curve 25519 key for encryption purposes (“unknown eliptic curve” error)
gpg> addkey Please select what kind of key you want: (3) DSA (sign only) (4) RSA (sign only) (5) Elgamal (encrypt only) (6) RSA (encrypt only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) (10) ECC (sign only) (11) ECC (set your own capabilities) (12) ECC (encrypt only) (13) Existing key Your selection? 12 Please select which elliptic curve you want: (1) Curve 25519 (2) NIST P-256 (3) NIST P-384 (4) NIST P-521 (5) Brainpool P-256 (6) Brainpool P-384 (7) Brainpool P-512 Your selection? 1 gpg: WARNING: Curve25519 is not yet part of the OpenPGP standard. Use this curve anyway? (y/N) y Key is valid for? (0) 3y Key expires at Tue 09 Jan 2018 08:31:25 AM CET Is this correct? (y/N) y Really create? (y/N) y We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: agent_genkey failed: Unknown elliptic curve gpg: Key generation failed: Unknown elliptic curve
user/ruza/gpg2-modern.txt · Last modified: 2015/01/10 09:36 by ruza