OpenPGP Part 1: Intro
This series is the direct result of a very simple question. “How do I do secure backups on Linux?”. There are dozens, if not hundreds, of options to do backups but the part that kicked off this journey was the “secure” part of the question. How do you secure a backup? On the surface the answer is quite simple, you encrypt them. Great, how do I do that and how do I make sure I’m the only person that can decrypt them when needed? This led me down the vast rabbit hole of OpenPGP and I want to share what I’m learning on that journey with you.
I am not, and do not claim to be a security expert. I’ve just spent a lot of time researching this and trying to implement best practices. I have made my best effort to ensure this information is accurate and up to date at the time of writing with all references provided. If you find a mistake whether small or egregious please let me know so I can improve this content.
What We’ll Cover
Here are the things we’re going to cover in this series:
- Introduction: This blog post. What is OpenPGP and why do I need to learn about it?
- Create Your Primary Key: Getting started by creating your primary key and identity.
- Create Your Subkeys: Used for authentication, signing, and encryption
- Backing Up Your Secrets: Making sure things are protected but also available in case you need them.
- Using a Yubikey: As a backup or as a requirement to use the private keys.
- Signing Git Commits: Ensuring your source code is only changed by you or your team.
- Signing Files: Ensure files sent or received have not been compromised.
- Encrypting Things: Whether a backup or a file with company secrets.
- Hassle-Free SSH: Get into that EC2 box or grant others access with ease.
- Let the World Know: Sharing your public identity on the internet and what it accomplishes.
- Restoring Secrets: Your smart card was lost or your laptop caught fire. Get things working again.
- Revoking a Key: If a key becomes compromised or obsolete.
What is OpenPGP
PGP stands for “Pretty Good Privacy” but don’t let the name full you. It’s more than pretty good. It’s basically the gold standard for enabling security across the internet and if you have interacted with any secure system on the web you have benefited from it without even knowing. Originally created by Philip R. Zimmermann it was formalized as a standard in RFC48801 which is known as OpenPGP.
What will immediately get confusing is that you will also hear “GPG” a lot. I often feel dyslexic as GPG and PGP will start to blur together after hours of reading. GPG is The GNU Privacy Guard2 which is “a complete and free implementation of the OpenPGP standard.” It also happens to be the the command line program we will be using heavily. But nobody will fault you if you accidentally type pgp
on the command line instead of gpg
.
- PGP: Refers to the Pretty Good Privacy Standard
- GPG: A very popular and open implementation of the PGP standard.
gpg
: The command line tool for GPG
Public-Key Cryptography
We aren’t going to get into the very complex world of cryptography but it’s important to understand that OpenPGP depends on assymmetric cryptography, also known as public-key cryptography3.
I’m going to boil this down to it’s very simplest form. Everything from signing to encryption, to authentication is handled by key pairs. There is a public key and a private key. Both keys allow you to perform certain operations at certain times which we’ll get into later. But this is what you need to know for now.
- Public Key: Share with others. No need to keep it secret.
- Private Key: NEVER EVER EVER EVER SHARE WITH ANYONE…..EVER.
That’s all you need to know for now. We’ll cover some of the nuances later as we accomplish specific tasks.
Why Do I Care?
You may be thinking “Kevin, this is Production ESP32, why do I care about securing backups?” Security goes well beyond encrypting backups and the content we will cover is very much relevant to creating a production-ready product with the ESP32. In fact, what we will be covering around public/private keys will be a great segue into SecureBoot as it relies on the exact same principles and workflows.
Security is an often-overlooked part of creating a product but is essential to the long-term success of your product and company. Things like signing commits and SSH are an important part of your overall security plan. Instead of winging it as you go or wasting hours searching the internet I hope these posts can provide a playbook that allows you to get common, relevant tasks done quickly.
I want you to help you see the big picture that has started to come into focus for me around security and how it fits into your project.
Comments powered by Disqus.