GPG in Everyday Use

GPG (GNU Privacy Guard) is a widely-used security tool and is recognized as the most well-known open-source implementation of PGP (Pretty Good Privacy). GPG offers a broad range of applications, and I've previously written several articles covering its features and usage. However, the content was scattered and unstructured, so this article serves as a comprehensive guide to its everyday use.

It's important to note that while GPG is feature-rich, it has faced criticism for its complexity, slow updates to its standards, and the many legacy issues it carries. For instance, this article provides an in-depth analysis of GPG's problems and alternative tools. However, this article won't delve into those security debates. Every user has different requirements for privacy and security, and the tools you choose should be based on your specific needs. This article focuses solely on GPG itself, so readers may need some background knowledge of security, privacy, and cryptography concepts to follow along smoothly. Despite its limitations, GPG remains a unique historical artifact, and there likely won't be another design quite like it in the future. GPG has already fulfilled its mission, and its eventual phase-out could be inevitable. Understanding GPG is, in a way, learning about this piece of history. However, many people have long hoped for a simpler tool that could replace GPG's core functions. Fortunately, developers have responded to this need by introducing the "age (上げ)" specification, which envisions the future of encryption tools. Users can now easily use the Go version of age or the Rust version rage. Additionally, tools like passage (a pass replacement) and the related YubiKey plugin offer convenient alternatives that I hope readers will find helpful.

For those looking to dive deeper into using GPG with a YubiKey, you can refer to this guide. I've also listed some official GPG and Yubico documentation below, though some of it may be outdated.

• The GNU Privacy Handbook
• Gnu Privacy Guard (GnuPG) Mini Howto (English)
• How to use the Fellowship Smartcard
• Yubico PGP

With that said, this article is divided into two main parts: first, an overview of GPG's basic functions, including generating, viewing, adding, and deleting keys, as well as key backup and recovery. The second part covers enhancing security with GPG Smart Cards using a YubiKey. You can navigate directly to the sections of interest using the table of contents below.

Table of Contents

• Basic GPG Functions
  • Generating a Key
  • Viewing Keys
  • Adding Keys
  • Deleting Keys
  • Exporting Keys
  • Importing Keys
  • Trusting Keys
  • Backing Up and Restoring Keys
• GPG and Smart Cards
  • YubiKey Management Tools
  • Configuring a YubiKey
  • Transferring Keys to a YubiKey
  • What to Do If Your YubiKey Gets Locked
• Conclusion

Basic GPG Functions

GPG has many functions, primarily centered around encryption and authentication. Before diving into these features, let's start by generating a GPG key.

Generating a Key

$ gpg --expert --full-generate-key

If you're generating a key for a YubiKey, keep in mind its specific limitations. For YubiKey 5.2.3 and newer, I recommend selecting (9) ECC and ECC. For the Elliptic Curve choice, if you're unsure, go with (1) Curve 25519. If you're okay with a slight performance trade-off, you can opt for (5) NIST P-521 or (8) Brainpool P-512. For older YubiKeys that don't support ECC, I suggest choosing (1) RSA and RSA (default) and setting the key length to 4096.

Viewing Keys

Once you have your GPG keys, you can view them with the following command:

$ gpg --list-keys

You can distinguish the key's purpose by the codes in the [] brackets:

E   Encrypt
S   Sign
C   Certify
A   Authentication
?   Unknown capability

Adding Keys

Many guides suggest creating a master key and then adding subkeys for different purposes, such as signing, encryption, and authentication. While this approach may seem more advanced and convenient, its actual security benefits are debatable. Many GPG users publicly share their keys or upload them to key servers, and having subkeys makes it easier to update compromised or expired keys while keeping the master key secure. However, from a security perspective, generating new keys entirely is often safer. If you're not using key servers, the convenience of subkeys becomes less significant. Therefore, consider whether adding subkeys aligns with your needs.

If you do need to add a key, start by entering key-edit mode:

$ gpg --expert --edit-key [UID]

Then enter addkey to add a new key.

You can select based on your needs. For instance, if you want to add an Authentication key (which isn't created by default), you might choose (11) ECC (set your own capabilities). After selecting it, you'll see something like:

...
Current allowed actions: Sign
...

This indicates the key's current capabilities. You can turn off the Sign capability by selecting S, then enable Authentication by selecting A, and finally exit by selecting Q. Fill in the remaining details according to your preferences.

Deleting Keys

If you need to delete keys, you can do so with these commands to remove both the secret and public keys:

$ gpg --delete-secret-key [UID]
$ gpg --delete-key [UID]

To delete both at once, use:

$ gpg --delete-secret-and-public-keys [UID]

Exporting Keys

To share your keys, you'll need to export your public key:

$ gpg --export --armor [UID]

If you need to export your private key (typically for backups), use:

$ gpg --export-secret-keys --armor [UID]

For more details on backups, refer to the backup and restore section.

Importing Keys

A key part of GPG's functionality is communicating with others, which often involves importing public keys or restoring previously exported keys:

$ gpg --import [Filename]

Trusting Keys

After importing a key, you can set its trust level to help manage your keys more effectively. Here's how:

$ gpg --edit-key [UID]
gpg> trust

Then, follow the prompts to select the appropriate trust level.

Backing Up and Restoring Keys

Understanding GPG's features is important, but so is backing up your keys to avoid potential loss. For a comprehensive backup process, you can refer to this article. Here's a quick way to back up your GPG keys in ASCII format:

$ gpg --armor --export > pgp-public-keys.asc
$ gpg --armor --export-secret-keys > pgp-private-keys.asc
$ gpg --export-ownertrust > pgp-ownertrust.asc

Store these files in a secure location, such as an external hard drive that isn't connected to the internet.

To restore your keys from backup, run these commands:

$ gpg --import pgp-public-keys.asc
$ gpg --import pgp-private-keys.asc
$ gpg --import-ownertrust pgp-ownertrust.asc

That's it—you've now backed up and restored your keys! The key to avoiding issues is maintaining a consistent backup routine and securely storing those backups. If you're able, encourage others around you to use GPG or the "age" tools mentioned earlier. Promoting secure communication helps create a safer online environment for everyone.

GPG and Smart Cards

For those looking to enhance GPG security further, using a Smart Card is essential. A Smart Card provides a layer of physical isolation for your keys, making them more secure than storing them solely on your computer. Among Smart Card manufacturers, YubiKey is one of the most popular choices, so this guide will focus on it, though the principles apply to other brands as well.

YubiKey Management Tools

Although we won't need the YubiKey management tools for this guide, I'll briefly introduce them. There's the relatively simple YubiKey Manager and the more advanced YubiKey Personalization tool, both of which offer CLI and GUI options.

To install YubiKey Manager and enable the pcscd.service, follow these steps:

$ pacman -S yubikey-manager-qt
$ sudo systemctl enable pcscd
$ sudo systemctl start pcscd

For YubiKey Personalization, you only need:

$ pacman -S yubikey-personalization-gui

Once installed, you should see your YubiKey when launching the tool. If it's not detected, try rebooting your system.

Configuring a YubiKey

Now, let's start editing and configuring your YubiKey:

$ gpg --card-edit

Once in card-edit mode, you can use the help command to see available options.

For those interested, you can also update the card's owner information. Additionally, running list shows all the card's details.

Our main focus, though, is changing the YubiKey's PINs. A GPG card has two PINs: one used each time you access it and an Admin PIN for high-privilege operations. There's also a Reset Code for resetting the PIN. By default, after three incorrect attempts, the YubiKey locks, requiring either the Admin PIN or Reset Code to unlock it. If the Admin PIN is entered incorrectly three times, all data on the card is wiped. You can monitor these attempts with the PIN retry counter visible after running list. When you first receive a YubiKey, the default PIN is 123456, and the Admin PIN is 12345678, both of which are obviously insecure. Let's start by changing them.

First, enter admin to access admin commands, then enter passwd and follow the prompts to update the PINs.

For YubiKey 5.2.3 and later, you can also enable KDF (Key Derived Function) for added security. A few points to consider: KDF can only be enabled if no keys are loaded onto the YubiKey, and once enabled, it cannot be disabled unless you reset the card. Older GPG versions won't be compatible with KDF, so avoid enabling it if you need to use legacy software. To enable KDF, enter admin for admin commands and then kdf-setup.

Once the PIN is updated, you're ready to load your GPG keys onto the YubiKey.

Transferring Keys to a YubiKey

Caution! Before transferring keys to your YubiKey, understand that this process is one-way. Once keys are loaded onto the YubiKey, they cannot be extracted. Also, ensure your public key is backed up, as retrieving it from the YubiKey is tedious. For recovery tips, see this article. Make the necessary backups before proceeding.

With that in mind, you can edit your keys with:

$ gpg --edit-key [UID]

If you're using an older GPG version, you'll first need to enter toggle before proceeding. However, upgrading to the latest GPG version is the recommended approach. Selected keys are marked with *, and only one key should be selected at a time, so remember to deselect the previous key when switching.

The process involves placing the relevant keys into the appropriate YubiKey slots. YubiKey 5.2.3 and later have four slots: Authentication, Decryption, Signature, and Attestation. Let's assume you've generated a set of keys and added an Authentication Key following the methods described earlier. This setup would give you a Master Key marked [SC] and two Subkeys marked [E] and [A].

1. Start by moving the Master Key (the Primary Key) to the YubiKey's Signature slot:

• Enter keytocard
• When asked, "Really move the primary key? (y/N)", type y
• Select (1) Signature key

2. Next, transfer the Subkey marked [E] to the YubiKey:

• Enter key 1 to select the first Subkey
• Repeat the above steps, then select (2) Encryption key

3. Finally, transfer the Subkey marked [A]:

• Re-enter key 1 to deselect the first Subkey
• Enter key 2 to select the second Subkey
• Repeat the steps above and select (3) Authentication key

4. Exit by typing quit and confirm the changes.

If you now run gpg --list-secret-keys, and see > markers (e.g., sec> and ssb>), the transfer was successful.

What to Do If Your YubiKey Gets Locked

If your YubiKey gets locked due to errors or if you need to start fresh, don't worry. You can reset it with the following command (note: this will erase all GPG information on the YubiKey, so proceed carefully):

$ gpg --edit-card
gpg/card> factory-reset

Conclusion

I hope this guide helps you use GPG more effectively in your daily life. As a widely recognized encryption tool, GPG has left a significant mark on the world of digital security. Personal privacy and security are not just rights but responsibilities we must all uphold. Using encryption tools is no longer just about keeping secrets but about defending freedom. GPG stands as a milestone in the pursuit of personal encryption freedom. I'm glad to see more reliable and convenient security tools emerging, but the fight to protect security and freedom is far from over. I sincerely hope more people with the skills and passion will contribute to the open-source community and let the spirit of freedom flourish across different fields. At the same time, we must remain vigilant against threats to security and freedom.

Als die Nazis die Kommunisten holten,
habe ich geschwiegen;
ich war ja kein Kommunist.

Als sie die Sozialdemokraten einsperrten,
habe ich geschwiegen;
ich war ja kein Sozialdemokrat.

Als sie die Gewerkschafter holten,
habe ich nicht protestiert;
ich war ja kein Gewerkschafter.

Als sie die Juden holten,
habe ich geschwiegen;
ich war ja kein Jude.

Als sie mich holten,
gab es keinen mehr, der protestieren konnte.

—— Friedrich Gustav Emil Martin Niemöller

Let's remember that the pursuit of freedom is not just for ourselves but for those around us and those we love. May we learn from history and work together for a better future (´,,•ω•,,)♡