GPG (Pete's notes)

• General
• Install MacGPG
• Configure GPG
• Generate PGP keys
• Register public key with key servers
• Make Mac Mail understand PGP
• Managing keys (keyrings and the keychain)
  • Managing keys with command lines
  • Managing keys with GPG_Keychain_Access
  • Managing keys with Seahorse
• Store PGP keys on a flashdrive
• Erase and partition the flash drive
• Copy the gnupg directory to the flash drive
• Copy the SSH id_dsa file to the flash drive
• ABKey: MacCPC integration with Address Book

General

UCAR security policy requires that all sysadmins be capable of reading and writing email messages that are encrypted with PGP. GPG is the Gnu (free) version of PGP. MacGPG is GPG for the Mac.

There are several resources for information about PGP and GPG. Here are the ones I liked best:

Install MacGPG

As of 2008-12-19, there seem to be two ways to install the latest PGP software for Mac Mail.

1. Install GnuPG with fink and then install GPGMail, and hook them together.
2. http://macgpg2.sourceforge.net/

On 2008-12-18, I used fink to install gnupg 2.0.9 on my Intel Mac, as follows:

(as root)
fink install gnupg2

That installed several things in /sw/bin, including gpg2 and gpg-agent. Now you have the basic encryption/decryption software.

To add a PGP interface to Mac Mail, install GPGMail. Download it and do something like

cp -R /Volumes/GPGMail_d55_Leopard/GPGMail.mailbundle ~/Library/Mail/Bundles

Then tell the Mac Mail app about it with

defaults write com.apple.mail EnableBundles -bool yes
defaults write com.apple.mail BundleCompatibilityVersion -int 3

To allow GPGMail to find the gpg software, I did this:

defaults write com.apple.mail GPGOpenPGPExecutablePath /sw/bin/gpg2

I learned some of the rest of this at http://www.swissunixsupport.com/mactips. That webpage says that gnupg2 requires that a gpg-agent process be running and that you need a package called pinentry-mac.app to handle display of dialog boxes. I followed the directions and then found that I could decrypt messages even when gpg-agent wasn't running. I got pinentry at http://media.arthurkoziel.com/pinentry-mac.0.02-1.tar.gz. I copied pinentry-mac.app to /Applications, then put this in ~/.gnupg/gpg-agent.conf (create if it doesn't exist):

pinentry-program "/Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac"

Restart Mail, then in Mail, right-click on the toolbar and select Customize Toolbar.... Drag Decrypt and Authenticate onto the toolbar. This step is more to provide a visual indicator that PGP is integrated into Mail than anything else - I may not use these buttons. Then do a New Message and customize its toolbar and drag the Signed and Encrypted buttons onto its toolbar.

Of course, the PGP parts of Mail work better if Mail has access to your PGP private key, which means your USB drive needs to be mounted and the gnupg.dmg disk image needs to be mounted.

What follows is what I did before I used fink.

Configure GPG

Edit the ~/.gnupg/gpg.conf file. Set:

default-key E4BA9BEC
keyserver hkp://subkeys.pgp.net
keyserver-options auto-key-retrieve no-include-revoked


Generate PGP keys

		oryx$ gpg --gen-key
		gpg (GnuPG) 1.4.3; Copyright (C) 2006 Free Software Foundation, Inc.
		This program comes with ABSOLUTELY NO WARRANTY.
		This is free software, and you are welcome to redistribute it
		under certain conditions. See the file COPYING for details.

		Please select what kind of key you want:
		(1) DSA and Elgamal (default)
		(2) DSA (sign only)
		(5) RSA (sign only)
		Your selection? 1
		DSA keypair will have 1024 bits.
		ELG-E keys may be between 1024 and 4096 bits long.
		What keysize do you want? (2048)
		Requested keysize is 2048 bits
		Please specify how long the key should be valid.
		0 = key does not expire
		<n>  = key expires in n days
		<n>w = key expires in n weeks
		<n>m = key expires in n months
		<n>y = key expires in n years
		Key is valid for? (0) 0
		Key does not expire at all
		Is this correct? (y/N) y

		You need a user ID to identify your key; the software constructs the user ID
		from the Real Name, Comment and Email Address in this form:
		"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

		Real name: Pete Siemsen
		Email address: siemsen@ucar.edu
		Comment:
		You selected this USER-ID:
		"Pete Siemsen <siemsen@ucar.edu>"

		Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
		You need a Passphrase to protect your secret key.

		We need to generate a lot of random bytes. It is a good idea to perform
		some other action (type on the keyboard, move the mouse, utilize the
		disks) during the prime generation; this gives the random number
		generator a better chance to gain enough entropy.
		+++++++++++++++++++++++++.+++++++++++++++++++++++++++++++++++
		We need to generate a lot of random bytes. It is a good idea to perform
		some other action (type on the keyboard, move the mouse, utilize the
		disks) during the prime generation; this gives the random number
		generator a better chance to gain enough entropy.
		+++++++++++++++.+++++.+++++..++++b+.+++++++++++++++b+++++k..x
		gpg: /Users/siemsen/.gnupg/trustdb.gpg: trustdb created
		gpg: key E4BA9BEC marked as ultimately trusted
		public and secret key created and signed.

		gpg: checking the trustdb
		gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
		gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
		pub   1024D/E4BA9BEC 2006-05-23
		Key fingerprint = D311 1402 4026 21AF 2F81  D861 4172 CF6A E4BA 9BEC
		uid                  Pete Siemsen <siemsen@ucar.edu>
		sub   2048g/331EA98A 2006-05-23

		oryx$
	

Verify your keys with

gpg --fingerprint

Generate a public key with

gpg --export --armor siemsen@ucar.edu > ~/.gnupg/my-key.asc

Register public key with key servers

To allow other users to get your public key, you want to register it with keyservers.

If/when the UCAR hkp server is up, register my public key with the UCAR keyserver:

gpg --send-keys --keyserver hkp://keyserver.ucar.edu E4BA9BEC

Register my public key with the public keyservers:

gpg --send-keys --keyserver pgp.mit.edu E4BA9BEC
gpg --send-keys --keyserver hkp://subkeys.pgp.net E4BA9BEC

Register public key with UCAR Security

First, register your public key with the UCAR keyserver as described above. Then get a paper copy of the form and fill in the fields with the key ID and fingerprint displayed by this command:

gpg --fingerprint

Hint: the fingerprint is 10 blocks of 4 hexadecimal characters, and the key ID is the last 8 characters of the fingerprint.

Once accepted, the UCAR security guys will sign the key that you stored in the UCAR keyserver, which verifies that it is valid. Then they'll send me a test email message that is encrypted. I'll have to read the message and respond to it to demonstrate that I can do PGP email.

Make Mac Mail understand PGP

Use GPGMail.

Subscribe to gpgmail-users-on@sente.ch.

Download GPGMail-10.4.dmg. Open it and click on Install GPGMail.app. It'll install GPGMail in ~/Library/Mail/Bundles.

Managing keys (keyrings and the keychain)

Each person has a public key. To make the key available so others can send encrypted mail to the person, each person should publicize their public key on a keyserver, and/or put their public key on a webpage somewhere. To read signed or encrypted mail sent to you, you need to have the sender's public key. To ease the problem of accessing other people's public keys, gpg maintains a "keyring" in ~/gnupg/pubring.gpg. That keyring is different than the Mac "keychain", even though the Mac keychain is capable of storing PGP keys. Most people (me included) store public keys it their keyring, and don't use the Mac keychain to store public keys. This is mainly because the methods for updating the keyring use the "gpg" command, and the Mac Mail PGP system uses keyring, not the keychain. As I understand it, there's no benefit to storing public keys in the keychain. You store their keys in the keyring as you learn them, and the mail reader uses the keys to decrypt mail and/or to verify signatures in mail messages.

To facilitate sharing keys easily, people can register their keys in a public keyserver. I use one of two keyservers: keyserver.ucar.edu or pgp.mit.edu. The first is the keyserver maintained by the UCAR security guys, and holds the keys of all the UCAR sysadmins. The second is the MIT one that is public.

GPG can be configured to look up keys on one keyserver automatically. GPG won't forward on key lookups - it only talks to one keyserver. I configured GPG to look them up from the UCAR keyserver.

Keys that you retrieve from a keyserver might be bullshit, so after you retrieve a key you have to assign it a "validity" or "trustworthiness" level. Once it's been trusted, Mac Mail with GPGMail can decrypt mail messages from the person. You only have to import a person's public key and then trust it once - the trust level you assign is stored with the key in your keyring.

If MacMail displays "Missing Key 0xaaaaaaaa", then you need to load the key into your local keyring. I use the command line. You can get the person's key from a keyserver, or as a block of text that you get from the person's webpage or something.

To get a person's key from a keyserver, first use the person's email address to find the their key ID:

			oryx$ gpg --search-keys --keyserver hkp://subkeys.pgp.net Alex_Hsia@noaa.gov
			gpg: searching for "Alex?Hsia@noaa.gov" from hkp server subkeys.pgp.net
			(1)     Alex Hsia 
			1024 bit DSA key 80C14108, created: 2003-03-27
			(2)     Alex Hsia 
			1024 bit DSA key 1D663A0A, created: 2003-03-27
			Keys 1-2 of 2 for "Alex?Hsia@noaa.gov".  Enter number(s), N)ext, or Q)uit > q
			oryx$
		

Then, use the their key ID to load the person's key into the keyring:

			oryx$ gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0x80C14108
			gpg: requesting key 80C14108 from hkp server subkeys.pgp.net
			gpg: key 80C14108: public key "Alex Hsia " imported
			gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
			gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
			gpg: depth: 1  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 1f, 0u
			gpg: next trustdb check due at 2011-01-22
			gpg: Total number processed: 1
			gpg:               imported: 1
			oryx$
		

After you do that, if you click on another email message in MacMail and click back on the original message, MacMail should show "The message has been signed with PGP" instead "Missing Key 0xaaaaaaaa".

Managing keys with command lines

To see the keys in your local keyring:

gpg --list-keys

To load a key into the local keyring, cut the key id from wherever and paste it into one of these:

gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xaaaaaaaa
gpg --recv-keys --keyserver ldap://keyserver.ucar.edu 0xaaaaaaaa

To sign a key that's in your keyring:

gpg --sign-key AAAAAAAA

To assign a trust level to a key, it's easiest to use GPG_Keychain_Access.

Managing keys with GPG_Keychain_Access

GPG_Keychain_Access is a crappy GUI application for managing your GPG keyring. It's crappy because it's not fully GUI - it sometimes just opens Terminal to execute a gpg command line. It's also crappy because I couldn't get Key->Retrieve from Keyserver... to work. GPG_Keychain_Access displays keys and lets you import/export/delete them.

If you want to assign a trust level (a.k.a.) validity, highlight an entry and do GPG->Update Trust Database.... It'll open a Terminal window to ask for the trust level - kludgy. Then, it doesn't let you assign trust levels for a specific key, but only for whatever keys don't have trust levels defined - so how do you change the trust level of a key?

Managing keys with Seahorse

Because GPG_Keychain_Access seems so kludgy, I downloaded Seahorse from http://seahorse.sourceforge.net/.

I got http://ftp.gnome.org/pub/GNOME/sources/seahorse/0.8/seahorse-0.9.1.tar.gz and Stuffit Expander created a seahorse-0.9.1 directory under Desktop. I copied it to /usr/src. When I tried to build it, it complained because XML::Parser wasn't in the Perl libraries. Seahorse seems to have lots of other dependencies, so I gave up. Sigh.

Initialize a PETES KEYS flash drive

I keep my SSH keys and my GPG keys on a flash drive. This section describes how to write my secrets to an empty flash drive.

Erase and partition the flash drive

1. Insert the flash drive into the Mac
2. Start Disk Utility
3. Select the flash drive
4. select the Partition tab
5. For Volume Scheme, select 1 Partition
6. Set the Name to PETES KEYS
7. Set the Format to MS-DOS File System (FAT16)
8. Click Partition
9. Click Partition in the pull-down verification box

Copy the gnupg directory to the flash drive

CSAC requires that sysadmins keep their GPG keys on a flashdrive. Greg Woods described how to do it on Macs in PGPUSBFlashFilesystems. Greg's description mentions FAT32, but I use FAT16 because it's just as good for drives smaller than 128GB, it's what the Mac Disk Utility can create, and according to some documentation it avoids weirdness with Finder.

NCAR best practice is to store my GPG secret key on a flashdrive in an encrypted form, so that if I lose the flashdrive, others won't be able to get the key. They recommend creating an AES-encrypted disk image on the flashdrive.

1. Insert the flash drive into the Mac
2. Start Disk Utility
3. File->New->Blank Disk Image...
4. Set Save As to gnupg
5. Set Where to PETES KEYS
6. Set Size to 2.5 MB
7. Set Encryption to AES-128
8. Leave Format as read/write disk image
9. Click Create
10. set the password to one you'll remember

At this point, you're either creating your primary flashdrive, or making a backup flashdrive. Either way, you need to have a secret key (secring.gpg file) to put on the new flashdrive. This file is usually stored only on flashdrives - it is only on the Mac's hard disk while you are in the process of creating flashdrives. When you first create your primary flashdrive, your secring.gpg file is sitting in ~/.gnupg because you created it as described in the Generate PGP keys section of this document. When you are making a backup flashdrive, you need to put a temporary copy of the secring.gpg file onto the Mac's hard disk like so:

1. insert your primary flashdrive
2. mount the gnupg disk image
3. cp /Volumes/gnupg/secring.gpg ~/.gnupg
4. eject the gnupg disk image
5. eject the primary flashdrive

Now comes the one-time step: copying the secret key to the flash drive and deleting it from the Mac. From this point forward, you'll need to have your flashdrive inserted in order to sign or decrypt email. Also, to initialize new flashdrives, you'll have to copy the gnupg disk image from one flashdrive to another - like my ssh key, it's not anywhere on the Mac's hard disk.

1. mount the new flashdrive
2. mount the gnupg disk image
3. cp ~/.gnupg/secring.gpg /Volumes/gnupg
4. rm ~/.gnupg/secring.gpg

Then configure GPG to get the secret key from the flashdrive. Edit ~/.gnupg/gpg.conf and set

#
# I added these 2006-06-02 to implement getting my secret key from my
# flashdrive. See
#
# http://netserver.ucar.edu/intro/staff/siemsen/tools/gpg.html#diskimage
#
no-default-keyring
keyring ~/.gnupg/pubring.gpg
secret-keyring /Volumes/gnupg/secring.gpg


Copy the SSH id_dsa file to the flash drive

See my USB flash drive notes details.

ABKey: MacGPG integration with Address Book

ABKey is a plug-in for Address Book that shows GPG information in Address Book entries. See http://www.far-blue.co.uk/projects/keymanager.html. It works, but as the author warns, you have to move the mouse over an email address in an Address Book entry to make activate it.