Crypto Party 2014/GPG
- goals and non-goals
- asynchronous tasks
- start downloading if you haven't already
- keybase invite: email firstname.lastname@example.org
Some of this will be a repeated theme in other parts of the crypto presentations, so if you don't understand it all right away, don't worry. No one does right away and several of these things will be repeated which will make it easier.
a public key and a private (secret) key. You must not share your private key with anyone. You want everyone to know your public key. The latter is more difficult than the former.
When GPG is set up correctly, you can encrypt messages such that only the recipients that you've chosen (only the people with the keys you specified) can read the message. The NSA, GMail, etc. won't be able to read your message. Snowden suggests that if used properly, GPG has still not been broken by the NSA. (Repetition of some non-goals.)
As I mentioned before, the main challenge with GPG is getting everyone else to know, with confidence, which public key is really yours. We'll talk today about two different ways to accomplish that: Web-of-Trust key-signing and the Keybase directory of keys and proofs.
Let's generate a keypair
Reminder: you create a public and a private key at the same time. We refer to these as both "keys" even though really your public key is typically used as a lock. Anyone with your public key can lock a message such that only the paired private key can open it. Let's make a new keypair.
- From GPG Keychain Access, click "New" in the toolbar.
- Enter your name and primary email address. (Nota bene: GPG doesn't confirm these.)
- Advanced options -- what are these? Leave them as is. (Don't worry about expiration, you can change it later.)
- Passphrase -- a good idea, but not mandatory. You have to be able to remember (or write down) your passphrase if you choose one.
- Leave "Upload public key" unchecked for now.
- Move your mouse about and mash on the keyboard. Encryption depends, more than anything else, on random number generation.
You're done! If you're curious, let's see what you created.
- Right click on your new key in the list and click Export.
- Leave "Include secret key..." unchecked.
- Save the .asc file on your desktop.
- Open it in a text editor. Cool.
Let's use a keyserver
You all need each other's keys! Let's upload your public key to a keyserver and download somebody else's public key so you can encrypt a message for them.
We recommend this keyserver: hkp://keys.gnupg.net (really, any one is fine, just don't use MIT's)
- Right click on your new key and click Send public key to Keyserver
Done! Alternative, email your public key to a friend:
- Right click on your new key and click Mail Public Key... (requires Mail.app)
Now, download a key of your neighbor's.
- Click Search and type in the full name or email address of one of your friends.
- Note: it can take a few minutes for keys to propagate, so be patient.
- Click the checkbox and then Retrieve key.
Done! How do you know that you got the key for the actual person you were looking for, and not an impostor? (Hint: you don't.)
Send an encrypted email
For Mail.app on Mac OS
With the GPGMail plugin installed, you should see icons for signing and encrypting in the message compose window.
- Sign an email: click the little signature icon (or confirm that it's already clicked).
- Encrypt an email: in the To: box, include the email address of the friend's key that you retrieved from the key server.
- Click the lock icon to encrypt the message.
- Click send.
Did your friend receive the message? Does their client decrypt the contents and/or verify the signature?
First we need to import keys (your private key and your friend's public key).
- In GPGTools, select multiple of your friends' keys from the list and click the Export button.
- Save the file to your desktop: friends-keys.asc.
- Click the Mailvelope icon in your browser, and then Options.
- Click Import keys in the sidebar.
- Click Browse... and choose the .asc file you created earlier. Then Submit. Confirm success!
You also need to import both your public and private keys, the full keypair.
- In GPGTools, select your name from the list and click the Export button.
- Check the "Include secret key" checkbox.
- Save the file to your desktop: secret.asc.
- Click Import keys in the sidebar of the Mailvelope options.
- Click Browse... and choose secret.asc file you created earlier. Then Submit. Confirm success!
- Important: delete the secret.asc file from your desktop.
Now in the Display Keys tab you should see your friends names and your own name (with a double key next to it, both public and private).
Now, to GMail!
- Click Compose.
- Inside the compose box, click the pen on paper icon. This opens a separate (secure?) window.
- Type your message.
- Click the lock icon.
- Choose the recipient (by default, it'll grab the email address of the recipient if you already added that in the GMail window). Remember, encryption is per-recipient. Click Add. Then Ok.
- Your message is replaced with a block of gibberish.
- Click the signature icon.
- Choose your private key and click Ok. Enter your passphrase and click Ok.
- Looks good? Now click Transfer to move it back into GMail.
- Add a subject (notice that this part isn't encrypted! the NSA is guaranteed to read it closely).
- Click Send.
Decrypting a message in GMail
- When you receive the message, click on it in your inbox.
- You should see some GPG gibberish, and then a locked envelope icon above it.
- Click the locked envelope.
- Enter the passphrase for your private key, as necessary, and click Ok.
Prove your key is yours with Keybase
Remember to email email@example.com to get your invitation.
The invitation email notes that this is only if you're really going to use Keybase, set up a full profile, etc. as they're letting few people in this early on for testing purposes. But let's give it a try!
- Follow the link in the invitation email.
- Enter an email address (not particularly important) and choose a username (not particularly important) and a long password.
- First things first, add your public key, that's the whole point!
- You can also generate a keypair right here in the browser if you didn't make one before. I don't yet recommend this, but you can try it and it'll make certain things easier in subsequent steps. I promise not to judge you.
- You have to paste in the ASCII-armored public key, all that gibberish we looked at before.
- To be clever, GPG has a handy contextual menu item for this.
Okay, you've uploaded it, but now to prove it.
You can install the keybase command line client, or use "hard core" mode which I'll show you here. (This lets us inspect a little bit and see what's actually going on underneath.)
- Choose the third option (gpg + curl). Copy and paste the long command.
- Open the Terminal app, paste in the command and hit return.
- You should see "Success!" and now it's back to the browser.
- Now, prove your Twitter identity.
- Type in your Twitter username, and again, I'll select the third option (gpg+curl).
- Copy and paste the command, then it's back to the browser. The page tells us a certain piece of text to tweet, so copy and paste that into your Twitter client.
- If you don't want it to go out to your whole timeline, you can pre-pend @keybaseio, like I always do.
- Don't delete the tweet, it has to stay public for as long as you want this connection to be provable.
And it's not just Twitter, you can prove a whole number of account connections this way.
And that means you can also use Keybase to get some confidence in others' public keys, even when you haven't confirmed them face-to-face.
- Type in someone else's username in the search box.
- Do you recognize their Twitter account username?
- If so, click Track.