Michael On Everything Else

GPG Kung Fu

There must be something in the water in the U.S. because in the course of a week I have received emails from three different people regarding encryption. And this is awesome! I hope to see more use of encryption in emails to me — even for the most trivial of emails.

Diving back into GPG though has reminded me of some kung fu that should be passed on to others:

Change the single, default keyserver to an SKS pool

Servers in the SKS pool are monitored for health and removed from the pool if a problem is detected. Also, keys are synchronized across the pool, adding redundancy.

Communicate with the pool over an encrypted channel: hkps

Simply add the following line to your gpg.conf (the hkps:// scheme matters; without it gpg falls back to plain, unencrypted hkp):

keyserver hkps://hkps.pool.sks-keyservers.net

“This pool only includes servers that have been certified by the sks-keyservers.net CA, of which the certificate can be found at https://sks-keyservers.net/sks-keyservers.netCA.pem”

GnuPG 2.1 and later bundle that CA with dirmngr for this pool (any other CA file can be given with hkp-cacert in dirmngr.conf). GnuPG 2.0 and older have to be pointed at the downloaded PEM with keyserver-options ca-cert-file=/path/to/sks-keyservers.netCA.pem, otherwise the TLS certificate will not validate and the lookup fails. One caveat for anyone reading this later: the sks-keyservers.net pool was shut down in 2021, so on a current install this hostname no longer resolves and you will have to pick another keyserver.

Keep your keys refreshed

Keys expire or get revoked (I revoked my old work PGP key when I left the architecture firm), but unless you are keeping your keychain refreshed you will be oblivious to expired or revoked keys, and to newly added subkeys. Refreshing pulls the keyserver's current copy of every key you hold, and it is easy to do for your entire keychain from the command line:

gpg --refresh-keys

I have read that this could be a vulnerability in that anyone listening to your connection or monitoring the server could know all the keys you want to refresh, thus mapping out all your connections to other people. If this concerns you, you can look into parcimonie.sh, which refreshes individual keys at randomized intervals, each over a unique, single-use Tor circuit (awww shiiiiiit).

I have played around with it and it works but not “out of the box” as I expected. Contact me if you are having problems with it and I will try to help.

Generate a revocation certificate

Speaking of revoked keys, if you have not already done so, go now and generate a revocation certificate for your private key (substituting any key identifier, such as a key ID or an email address, for “mykey” below; gpg will ask you to confirm and to pick a reason for the revocation):

gpg --output revoke.asc --gen-revoke mykey

Store that cert somewhere safe (not on your laptop): it is a signed statement that the key is dead, so anyone who gets hold of it can revoke your key for you. Now if you forget your passphrase or lose your private key, import the certificate into a keyring and send the key to the keyserver; everyone who keeps their keychain refreshed will then see the key as revoked. GnuPG 2.1 and later already write such a certificate into openpgp-revocs.d under your GnuPG home directory when a key is generated, so check there before generating another one.

Creating the perfect GPG keypair

This last bit of kung fu-ness is my favorite. It involves creating a master keyring and a day-to-day keyring. The master key stays offline and is the only key able to certify (sign) other people's keys; the day-to-day keyring holds only subkeys, which can sign, encrypt and decrypt but not certify, so it can do everything except sign other keys. If the day-to-day keyring is lost or otherwise compromised, you bring out the master key, revoke just those subkeys, and issue new ones; your master key, its fingerprint, and the signatures other people have put on it all stay valid. The full revocation certificate from the previous section (the one in your lockbox at home) is the fallback for the day the master key itself is lost.

It is a long process but well worth it for peace of mind. The instructions are from Alex Cabal.
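The whole procedure driven non-interactively, as an added example that is not part of this post or of Alex Cabal's guide: it builds the master keyring and the day-to-day keyring in throwaway GNUPGHOME directories with GnuPG 2.1+ batch commands, then checks what the previous two sections promise, namely that the laptop keyring holds the master secret only as a stub and that the stored revocation certificate really revokes the key once imported. The identity, directories, algorithms and one-year expiry are assumptions made for the demo; it needs gpg 2.1 or later on the PATH.

```shell
#!/bin/sh
# Added example (not from the post or Alex Cabal's guide): drives GnuPG 2.1+
# in batch mode to build the master / day-to-day split in two throwaway
# keyrings and then checks the two properties the post relies on:
#   1. the day-to-day keyring holds the primary key only as a stub ("sec#"),
#   2. the stored revocation certificate, once imported, marks the key revoked.
# The identity, directories and 1y expiry are assumptions made for the demo.
set -eu

# Run gpg against a given homedir non-interactively (unprotected demo keys).
g() {
  home=$1; shift
  gpg --homedir "$home" --batch --yes --quiet --pinentry-mode loopback \
      --passphrase '' "$@"
}

# Fingerprint of the first secret key in a homedir (field 10 of the fpr record).
fpr_of() {
  gpg --homedir "$1" --batch --with-colons --list-secret-keys \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Master keyring: certify-only primary plus a signing and an encryption subkey.
# Day-to-day keyring: the public key plus only the secret subkeys.
build_keyrings() {
  WORK=$(mktemp -d)
  MASTER=$WORK/master
  DAILY=$WORK/daily
  mkdir -m 700 "$MASTER" "$DAILY"
  g "$MASTER" --quick-generate-key 'Demo User <demo@example.invalid>' ed25519 cert 1y
  FPR=$(fpr_of "$MASTER")
  g "$MASTER" --quick-add-key "$FPR" ed25519 sign 1y
  g "$MASTER" --quick-add-key "$FPR" cv25519 encr 1y
  g "$MASTER" --output "$WORK/pub.gpg" --export "$FPR"
  g "$MASTER" --output "$WORK/daily-subkeys.gpg" --export-secret-subkeys "$FPR"
  g "$DAILY" --import "$WORK/pub.gpg" "$WORK/daily-subkeys.gpg"
}

# "stub" when the primary secret key is absent from the homedir (gpg shows
# this as "sec#" in --list-secret-keys; field 15 of the sec record is "#"),
# "present" otherwise.
primary_secret_state() {
  gpg --homedir "$1" --batch --with-colons --list-secret-keys \
    | awk -F: '$1 == "sec" { s = ($15 == "#") ? "stub" : "present"; print s; exit }'
}

# Import the revocation certificate GnuPG wrote at key-creation time into the
# day-to-day keyring and report the key's validity flag ("r" = revoked).
# The stored file carries a ':' in front of the BEGIN line so it cannot be
# imported by accident; strip it first, exactly as you would before publishing.
revoke_and_check() {
  sed 's/^://' "$MASTER/openpgp-revocs.d/$FPR.rev" > "$WORK/revoke.asc"
  g "$DAILY" --import "$WORK/revoke.asc"
  gpg --homedir "$DAILY" --batch --with-colons --list-keys "$FPR" \
    | awk -F: '$1 == "pub" { print $2; exit }'
}

# Stop the per-homedir agents and remove the throwaway keyrings.
cleanup() {
  for h in "$MASTER" "$DAILY"; do
    gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$WORK"
}

demo() {
  build_keyrings
  echo "master keyring primary secret: $(primary_secret_state "$MASTER")"
  echo "daily keyring primary secret:  $(primary_secret_state "$DAILY")"
  echo "daily keyring validity after importing revocation cert: $(revoke_and_check)"
  cleanup
}

demo
```

Run it as `sh gpg_split_demo.sh`. The two things to look for on a real laptop are the `sec#` line in `gpg --list-secret-keys` (the `#` marks the stub where the master secret would be) and the colon GnuPG puts in front of the revocation certificate's BEGIN line, which is why a freshly generated `.rev` file will not import until you edit it. Revoking only the subkeys after a laptop loss is a separate operation done with the master key (`revkey` inside `gpg --edit-key`) and is not shown here.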

Enjoy and keep those encrypted emails coming!

GPG Fingerprint: 3B21 775B 4A6C F026 C03A 7B2F C4A2 FD1F 3920 83BF
Key Expires: 2016-12-28