Moved optional subkeys expiry date extension step to guide

Sun Knudsen 2021-12-27 06:58:41 -05:00
parent f4e5790e2a
commit 64c704ff5d
No known key found for this signature in database
GPG Key ID: 1FA767862BBD1305

@ -29,7 +29,7 @@ Listed: true
> Heads-up: if keyboard layout of computer isnt “English (US)”, set “Keyboard Layout”. > Heads-up: if keyboard layout of computer isnt “English (US)”, set “Keyboard Layout”.
Click “+” under Additional Settings”, then “Administration Password”, set password, click “Add” and finally “Start Tails”. Click “+” under Additional Settings”, then “Administration Password”, set password, click “Add” and finally “Start Tails”.
### Step 2: establish network connection using ethernet cable or Wi-Fi and wait for Tor to be ready ### Step 2: establish network connection using ethernet cable or Wi-Fi and wait for Tor to be ready
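Review bot: In the line "Click “+” under Additional Settings”" the opening quotation mark before Additional Settings is missing in both columns as displayed, while Step 1 of the new subkeys expiry date extension guide writes “Additional Settings”. Make the two occurrences match so the shared boot instructions stay identical across guides.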
@ -587,12 +587,14 @@ Click “Applications”, then “Utilities”, then “Unlock VeraCrypt Volumes
> Heads-up: files stored in `tails` include private keys which, if lost, results in loosing ones cryptographic identity (safeguard backup mindfully). > Heads-up: files stored in `tails` include private keys which, if lost, results in loosing ones cryptographic identity (safeguard backup mindfully).
> Heads-up: never unlock `tails` on macOS (or any other computer that isnt air-gapped and hardened). > Heads-up: one should never unlock `tails` on macOS (or any other computer that isnt air-gapped and hardened).
### Step 22: insert and provision YubiKey ### Step 22: insert and provision YubiKey
> Heads-up: default user PIN is `123456` and default admin PIN is `12345678`. > Heads-up: default user PIN is `123456` and default admin PIN is `12345678`.
> Heads-up: one should set different PIN for user vs admin and never use admin PIN on macOS (or any other computer that isnt air-gapped and hardened).
```console ```console
$ gpg --card-edit $ gpg --card-edit
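Review bot: The reworded heads-up about `tails` ("one should never unlock") turns a hard rule into advice; keep the imperative "never unlock `tails` on macOS". The added PIN heads-up under Step 22 bundles two separate rules (use a different PIN for user and admin; never enter the admin PIN on a computer that isn't air-gapped and hardened) in one sentence that reads "set different PIN"; split it into two heads-ups, and since it directly follows the line listing the defaults `123456` and `12345678`, say there that both defaults are replaced in this step.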
@ -877,17 +879,29 @@ Using a randomly generated lock code: cce9181f4a97bac00459419986510d40
Lock configuration with this lock code? [y/N]: y Lock configuration with this lock code? [y/N]: y
``` ```
### Step 27 (optional): extend expiry date of signing, encryption and authentication subkeys (required once a year) ### Step 27: shutdown computer
#### Mount backup volume (formatted using exFAT) 👍
---
## Subkeys expiry date extension guide (on Tails)
### Step 1: boot to Tails and set admin password
> Heads-up: if keyboard layout of computer isnt “English (US)”, set “Keyboard Layout”.
Click “+” under “Additional Settings”, then “Administration Password”, set password, click “Add” and finally “Start Tails”.
### Step 2: mount backup volume (formatted using exFAT)
Click “Places”, then “Home”, then backup volume (“Samsung BAR” in example below), enter admin password and finally click “Authenticate”. Click “Places”, then “Home”, then backup volume (“Samsung BAR” in example below), enter admin password and finally click “Authenticate”.
#### Mount VeraCrypt encrypted volume ### Step 3: mount VeraCrypt encrypted volume
Click “Applications”, then “Utilities”, then “Unlock VeraCrypt Volumes”, then “Add”, select “tails” file on backup volume, click “Open”, enter password and finally click “Unlock”. Click “Applications”, then “Utilities”, then “Unlock VeraCrypt Volumes”, then “Add”, select “tails” file on backup volume, click “Open”, enter password and finally click “Unlock”.
#### Import master key ### Step 4: import master key
```console ```console
$ gpg --import /media/amnesia/Tails/master.asc $ gpg --import /media/amnesia/Tails/master.asc
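Review bot: Missing documentation in the new "## Subkeys expiry date extension guide (on Tails)" heading and its Step 1: the removed Step 27 heading stated that the extension is "required once a year", and that cadence no longer appears anywhere in the added lines. Add a short intro or heads-up under the new guide heading that states when the guide has to be run (once a year, before the subkeys expire), so the guide still makes sense when read on its own.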
@ -901,13 +915,13 @@ gpg: secret keys imported: 1
gpg: no ultimately trusted keys found gpg: no ultimately trusted keys found
``` ```
#### Set master key ID environment variable ### Step 5: set master key ID environment variable
```shell ```shell
KEY_ID=0xC2709D13BAB4763C KEY_ID=0xC2709D13BAB4763C
``` ```
#### Extend expiry date of signing, encryption and authentication subkeys ### Step 6: extend expiry date of signing, encryption and authentication subkeys
```console ```console
$ gpg --edit-key $KEY_ID $ gpg --edit-key $KEY_ID
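Review bot: Step 5 sets `KEY_ID=0xC2709D13BAB4763C` with no instruction to replace the example value, unlike Step 8, which tells the reader to replace `Samsung BAR` and `johndoe`. Now that these steps form a standalone guide, add a "Replace `0xC2709D13BAB4763C` with master key ID" line above the snippet so a reader does not run `gpg --edit-key` against the example ID.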
@ -993,13 +1007,13 @@ ssb* ed25519/0x1E7B69B238FFA21B
gpg> save gpg> save
``` ```
#### Export public key to VeraCrypt encrypted volume ### Step 7: export public key to VeraCrypt encrypted volume
```console ```console
$ gpg --armor --export $KEY_ID > /media/amnesia/Tails/pub.asc $ gpg --armor --export $KEY_ID > /media/amnesia/Tails/pub.asc
``` ```
#### Copy public key to backup volume ### Step 8: copy public key to backup volume
Replace `Samsung BAR` with backup volume name and `johndoe` with name associated to master key. Replace `Samsung BAR` with backup volume name and `johndoe` with name associated to master key.
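Review bot: Step 7 exports the public key directly after `gpg> save` with no check that the new expiry dates were applied. Consider a verification step between Step 6 and Step 7, for example running `gpg --list-keys $KEY_ID` and confirming the expiry shown for each subkey, before `pub.asc` is overwritten and copied to the backup volume. Minor wording in Step 8: "name associated to master key" should read "name associated with master key".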
@ -1007,16 +1021,14 @@ Replace `Samsung BAR` with backup volume name and `johndoe` with name associated
cp /media/amnesia/Tails/pub.asc "/media/amnesia/Samsung BAR/johndoe.asc" cp /media/amnesia/Tails/pub.asc "/media/amnesia/Samsung BAR/johndoe.asc"
``` ```
#### Dismount VeraCrypt encrypted volume ### Step 9: dismount VeraCrypt encrypted volume
Click “Applications”, then “Utilities”, then “Unlock VeraCrypt Volumes” and finally click “x”. Click “Applications”, then “Utilities”, then “Unlock VeraCrypt Volumes” and finally click “x”.
### Step 28: shutdown computer ### Step 10: shutdown computer
👍 👍
---
## Usage guide (on macOS) ## Usage guide (on macOS)
### Step 1: install [Homebrew](https://brew.sh/) ### Step 1: install [Homebrew](https://brew.sh/)
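Review bot: After Step 10 the new guide ends and the page moves straight to "## Usage guide (on macOS)", so nothing in the added lines says what to do with the refreshed `johndoe.asc` that Step 8 copied to the backup volume. Add a closing sentence to the extension guide that points to where the updated public key has to be re-imported or redistributed, otherwise the extended expiry dates are not visible where the key is actually used.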