GPG setup - part 2
- Pen-drive initialization
- GPG backup
- HUSH backup
- GRAVEYARD backup
- Test
- Protection from accidental overwriting
- Umounting pendrive
At this stage the GPG configuration is fully functional because all the keys have been created.
Loosing the GPG configuration at this moment wouldn’t be too much of a problem because the public is key is not yet published on any key-server on the internet and because the key has never been used so far.
I could destroy the coffin-file and start over again without any issue.
In the moment I start using Joe’s GPG for instance to create a tomb-file I add extra-value and extra-responsibility to it so I need to take in consideration some form of disaster recovery before it’s too late. Gambling on this things is not smart.
Unfortunately there isn’t a single definitive solution for protecting files from all the possible threats so I start with backing up the keys on a dedicated external USB pen-drive which hosts.
Pen-drive initialization
I’m going to use one pen-drive for all my identities
This step is not very different from the one used for the sdcard.
I open a terminal in vault and I keep an eye on syslog:
sudo multitail /var/log/syslog
#hit enter to place the red line marker
I plug the pen-drive in the USB socket and I connect it to vault using Qubes devices widget
From syslog I can understand what’s the device name that vault gives to the pen-drive which, usually, is /dev/xvdi
but in my case is /dev/xvdj
.
blkfront: xvdj: barrier or flush: disabled; persistent grants: enabled; indirect descriptors: enabled;
I erase all the content on the pen-drive:
IDENTITY="joe"
PENDRIVE="/dev/xvdj"
MAPPER="pendev"
MOUNT_POINT="/tmp/pendrive"
sudo dd if=/dev/urandom of=${PENDRIVE} bs=1M
sync
It’s a long operation which ends when the pen-drive is completely filled up.
When finished, without creating any partition, I encrypt with LUKS the entire pen-drive and I protect it with the same passphrase I use for Qubes OS. I choose this way because Qubes OS passphrase is used only at boot time and it’s hard to believe that a key-logger can spot it. Most likely the only way to have this passphrase compromised is to be monitored meanwhile typing it and this makes it rather safe for me.
sudo cryptsetup -v -q -y --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat ${PENDRIVE}
Then I open, format and mount the LUKS filesystem:
mkdir ${MOUNT_POINT} &> /dev/null
sudo cryptsetup open --type luks ${PENDRIVE} ${MAPPER}
sudo mkfs.ext4 -m 0 -L "gpg-backup" /dev/mapper/${MAPPER}
sudo mount /dev/mapper/${MAPPER} ${MOUNT_POINT}
sudo chown ${USER} ${MOUNT_POINT}
BCKDIR="${MOUNT_POINT}/gpg/${IDENTITY}"
mkdir -p ${BCKDIR}
GPG backup
I open ${IDENTITY}
gpg-tomb-file and I obtain its `${FINGERPRINT}
risks gpgpass ${IDENTITY}
risks open gpg ${IDENTITY}
FINGERPRINT=$(gpg -K | grep fingerprint | head -n 1 | cut -d= -f2 | sed 's/ //g')
For future memory, I backup the output of gpg -k
. It can come in handy in case things go south at some point.
gpg -k | tee ${BCKDIR}/gpg-k_output.txt
Primary key-pair backup
I backup the private key of the primary key-pair in an armored backup.
armored backup means that the content of the backup key will be in plain text (ASCII) so that I can think, later on, to print it as QRCODE, transfer it on paper and physically store it somewhere I consider safe.
gpg --export-secret-keys --armor ${FINGERPRINT} > ${BCKDIR}/private-primary-keypair.arm.key
Note: if you want to add an additional layer of encryption for the GPG keys you can consider to use
openSSL
like this:
gpg --export-secret-keys --armor ${FINGERPRINT} | openssl enc -aes-256-cbc -a > ${BCKDIR}/private-primary-keypair.arm.key
I backup the public key of the primary key-pair:
gpg --export --armor ${FINGERPRINT} > ${BCKDIR}/public-primary-keypair.arm.key
Subkey-pairs backup
Then the subkeys but this time in a single binary file:
gpg --export-secret-subkeys ${FINGERPRINT} > ${BCKDIR}/private-subkeys.bin.key
This is what I have now in my pen-drive:
ls -l
-rw-r--r-- 1 user user 906 Oct 8 19:23 gpg-k_output.txt
-rw-r--r-- 1 user user 14126 Oct 8 19:15 private-primary-keypair.arm.key
-rw-r--r-- 1 user user 9040 Oct 8 19:18 private-subkeys.bin.key
-rw-r--r-- 1 user user 6880 Oct 8 19:15 public-primary-keypair.arm.key
Comfortable is better
For my convenience I keep a copy of Joe’s public key and its signature somewhere accessible on my hard drive so that I can reach it out any time and send it to someone else.
echo ${FINGERPRINT} > ${HOME}/gpg-${IDENTITY}-fingerprint.txt
gpg --export --armor ${FINGERPRINT} > ${HOME}/gpg-${IDENTITY}-public-armored.key
HUSH backup
I also backup the hush partition
risks close gpg ${IDENTITY}
risks umount hush
sudo dd if=/dev/hush of=${MOUNT_POINT}/hush.img
GRAVEYARD backup
… and the graveyard.
mkdir ${MOUNT_POINT}/graveyard &> /dev/null
cp -fR ${HOME}/.graveyard/* ${MOUNT_POINT}/graveyard
Test
These are the files stored in the pen-drive:
tree
.
├── graveyard
│ ├── joe-gpg.coffin
├── hush.img
└── gpg
|── joe
├── gpg-k_output.txt
├── private-primary-keypair.arm.key
├── private-subkeys.bin.key
└── public-primary-keypair.arm.key
Protection from accidental overwriting
I make all the files immutable:
sudo chattr +i ${MOUNT_POINT}/graveyard/*
sudo chattr +i ${MOUNT_POINT}/hush.img
sudo chattr +i ${MOUNT_POINT}/gpg/${IDENTITY}/*
Umounting pendrive
The backup stage is finished
sudo umount ${MOUNT_POINT}
sudo cryptsetup close ${MAPPER}