GPG, subkeys smartcard and computer

[Andrew Gallagher]

Stefano,

I meant to reply last night, but didn't fancy writing this out on a
phone keyboard. No need to resend questions - this tends to be a
high-latency list for people in odd time zones, working from home, on
the move etc.

NB all the below is IMHO, YMMV etc. :-D

On 16/02/17 15:04, Stefano Tranquillini wrote:
> 
> I can't get my head around on how to use GPG in the "correct" way to
> guarantee the maximum result. That is: protect, at the best, my 
> privacy and also don't get the system too complicated.

Both of those are subjective criteria... ;-)

> My ideal setup is:
> 
> * Master generated on offline pc and stored in a cold storage * 
> subkeys for the pc (main pc, that I use everyday) - i need 
> (A)utenticate (E)encrypt (S)ign keys * subkeys for the smartcard - 
> if I use a pc of someone else, and as backup for what is worth. (In 
> the future I may switch to just the smartcard, removing the keys 
> from pc, but I would like to have the keys on the pc for time being)
> * I would like to avoid moving the master ouside the offline pc/cold
> storage

What you describe is a common scenario for those who want a little more
physical security than a standard online key. If you are not an
experienced gnupg user maybe you should try using the defaults for a
while until you are comfortable. If you make a mess of encryption you
run the risk of either a) losing access to your encrypted data or b)
leaving your encrypted data wide open. You can choose for yourself
which scenario is worse. ;-)

But if you know what you're doing, then:

Personally, if you have a smartcard I see no advantage in keeping the
subkeys on your laptop (so long as you have a backup). If you want to
take things one step at a time that's up to you - just understand that
keeping an online copy of your subkeys negates the security advantages
of having a smartcard, the point of which is that the key material
never gets stored in a format accessible by malware.

If you want to use your key on a friend's PC, just beware that if you
don't trust it enough to keep a copy of your actual key on, you may not
trust it enough to not alter your messages or keylog your PIN.
Compromising the key material is the sexy bit of cryptanalysis, but
it's usually much easier to work around security measures than break
through them.

> Create the master:
> 
> I should create the master on a device that is not my primary one 
> and that is not online. It seems kind of freak approach to me, but
> I can understand why. Once created, I backup it to a file which I 
> store on a usb key or somewhere outside of computers. With the 
> master I can create, later, subkeys for what I need and the revoke 
> certificate in case of compromised subkeys.  Other than the master 
> key, do I've to export anything else (not talking of subkeys yet, 
> that's next topic)?

Back up the entire .gnupg directory just to be sure. Technically, you
can make do with just a backup of the secret keyring, but it will make
your life a lot easier if you back up the public keyring and your
trustdb also.

> When creating the master, I've two possibility: (i) use the dafault
>  setting that results in a (SC) key or (ii) set it as only (C). The 
> best solution seems to be the second, right? 
> (http://security.stackexchange.com/questions/32386/why-do-pgp-master-keys-only-have-a-single-subkey-and-tie-certification-with-sig).
>
>
> 
Is it worth to use that approach or, as of today, the (i) is fine? I
> still don't get the full benefit of one or the other solution

The second is a "cleaner" solution, but makes no practical difference.
If you have S capability on your primary key but never use it, only
your subkey signatures will ever exist, and only the subkey will
therefore ever be checked. And if your primary is compromised you have
worse problems. ;-)

> Create the subkey
> 
> With the master key I can create subkeys. I should do it from the 
> offline pc in which I created the key, or import the master in a pc 
> and then create the subkeys (it doesn't sound so safe though). Now:

If you import your master to an online PC, you lose the advantages
of keeping it offline in the first place. See below.

> o  should each subkey be for only one scope (A) (S) (E) or is it 
> fine if one key does  two or three scopes (ASE) or (SE)?

If you are using a smartcard, it is normal practice to generate a
separate subkey for each usage. It is no harm, and has the advantage
that you can rotate them separately.

One thing that you should NEVER do is have E on a subkey that has any
other capability, as there are known methods of tricking a user into
decrypting data by getting them to sign a specially crafted plaintext.
This is difficult to achieve in PGP, but better to be safe than sorry.

> o once subkeys are creted I've to export them and also their revoke 
> certifications (do they have one)? correct?

You do not create a revocation for subkeys, only for the primary. If
you still have access to the primary you can revoke a subkey at any
time. Revocations are only for when you lose control of your primary.

I personally don't keep revocations, just multiple offline copies of
my primary. This only works because I consider it vanishingly unlikely
that I will forget my passphrase. YMMV.

> o I've a smartcard, but I've also a pc, should I create 6 subkeys,
> 2 for A, 2 for S and 2 for E and move the 3 A S E to the yubikey
> and the other 3 to the pc?.

Having more than one E subkey is a worthless exercise - most software
will encrypt to the most recently created E subkey, meaning that
whichever one you create first will never be used (and thus won't be
able to decrypt anything).

Having multiple S and A subkeys is doable, but this just means that
your correspondents will have to check against both. Some systems will
only authenticate against the most recently created A subkey. It may be
more trouble than it's worth to manage multiple current subkeys this
way. IMO, better stick to just one of each.

> o moving the keys on the smartcard is done via "keytocard" but to 
> move the keys on the pc I've to export subkeys, will this export 
> also the keys on the smartcard and then I'll need the smartcard to 
> access some of those? how can I decide what to import where?

If you run "keytocard" and then save your changes, you will delete the
on-disk copy of those subkeys. They will only then exist on the
smartcard. I normally don't recommend this, as it means you have no way
to back up your E subkey, and if your smartcard breaks you then lose
access to all data encrypted to it. If you are keeping your master
offline, there is IMO little extra risk in also keeping an offline
copy of your E subkey. In order to do this, once you run "keytocard" on
all three subkeys you should immediately quit gnupg *without saving*.
This will ensure that the on-disk copy is not deleted.

If you need to keep a copy of your subkeys on a laptop or other device,
use --export-secret-subkeys and transfer just that file to the device.
Again, I don't see the point in doing this for a laptop if you have a
smartcard - the only use case I have found for it is if you have a
device such as a smartphone that can't read smartcards. This does of
course mean that your subkeys are now more vulnerable to malware than
they would be if they were stored only offline and on the smartcard.
This is a compromise that you will have to decide is worth the
convenience or not. On the other hand, not all software will import
bare subkeys, so again this may be of little actual use.

> o Do I've to rexport my public key or anything else to let the
> world know my subkeys?

In general, any time you create, change the expiry on or revoke a
primary key, subkey or ID you should republish your public key.

> Am I missing anything? Or is there anything that can guide me to 
> achieving my goals?

If you want to keep an offline copy of your secret key material, I
recommend Tails (https://tails.boum.org). There are some hoops to jump
through to get a persistent storage partition set up, but it is well
supported and designed for the use case of managing sensitive data
offline. It has the advantage that you don't need a separate offline
computer for your key storage, but can boot your normal PC from a USB
key and be reasonably confident that the secret key material will stay
on the USB key.

I have written a tool to (mostly) automate the above procedure, but it
is still not ready for production use. Contact me off-list if you'd
like to help test.

Andrew.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20170217/cc31f676/attachment.sig>