lucastx | 9 years ago
For a much more gentle (and illustrated) introduction to public-key encryption, GnuPG and how to use it with email (Thunderbird + Enigmail), see FSF's Email Self-Defense:
https://emailselfdefense.fsf.org/

Esau | 9 years ago
Tactical Tech's Security in-a-Box has more detailed, step-by-step, multi-platform guides for the same tools:
https://securityinabox.org/en/guide/thunderbird/windows
https://securityinabox.org/en/guide/thunderbird/linux
https://securityinabox.org/en/guide/thunderbird/os-x

peatmoss | 9 years ago
But there were some important differences. Newer GnuPG versions have simplified how gpg-agent takes the place of ssh-agent. Nowadays, it's enough to create an SSH_AUTH_SOCK environment variable that points to ~/.gnupg/S.gpg-agent.ssh

Also, I found the air-gapped system setup described there and elsewhere to be excessively difficult. Far and away the easiest way to create an air-gapped key-generating machine was to install OpenBSD to a USB key (you can boot the mini install image and overwrite the same device). Installing the gpg2 package gives you a complete GnuPG environment for interacting with OpenPGP smart cards. By contrast, there were a bunch of packages to install with Ubuntu / Debian.

It was a little hairy to set up in total, but I really love my Yubikey-mediated GPG setup. I also now use password-store for passwords, complete with dmenu integration.

I'm not super happy that the Yubikey 4 isn't 100% open hardware though. If someone has a recommendation for something that is, and supports 4096-bit keys, I'd gladly hear it.

piplgobde | 9 years ago
There is NitroKey[0], which seemed to me like a good alternative to Yubikey, but I haven't ordered either yet so I can't say I have first-hand experience. But much luck if you decide to go with it, something I'm looking more and more into, especially since I too use password-store and it would be good having an easier-to-use setup that is still secure.

[0] https://www.nitrokey.com/

carlesfe | 9 years ago
Interesting as a historic artefact, but please don't follow this guide; search for something more recent.

hkjgkjy | 9 years ago

Esau | 9 years ago
Timely link, as I have been reading about GnuPG the last couple of days. I will say that I feel its use is a bit complicated, but I did find a nice guide at Riseup:
https://riseup.net/en/gpg-best-practices

tscs37 | 9 years ago
The DSA key recommendation is terrible; either go 4096 RSA or Ed25519/Curve25519.

Secondly, use whatever keyring manager your distro has available that supports your keys and is nice to use. GPA is okay-ish and offers most options.

baby | 9 years ago
first page: "You must also choose a key size. The size of a DSA key must be between 512 and 1024 bits". Definitely do not follow this guide nowadays :D

hkjgkjy | 9 years ago

mark_l_watson | 9 years ago
This 1999 article makes me feel old-fashioned: I still use GnuPG from the command line, as detailed in this privacy manual. I also use encrypted file systems on my laptops, but when I need to communicate with customers and maintain the privacy of their materials, I still use ZIP and GnuPG.

RoxetteGirl | 9 years ago
[deleted]
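The gpg-agent-as-ssh-agent setup peatmoss describes above, written out as a POSIX sh snippet. This is an added example, not code from any commenter or from GnuPG itself. The `enable-ssh-support` option in gpg-agent.conf and `gpgconf --list-dirs agent-ssh-socket` are real GnuPG 2.1+ features; the function names are this example's own, and the fallback path is the ~/.gnupg/S.gpg-agent.ssh location the comment mentions (newer releases usually place the socket under /run/user/<uid>/gnupg instead, which is why gpgconf is asked first).

```shell
#!/bin/sh
# Added example (not from the thread): let ssh use gpg-agent as its agent.
# Assumes GnuPG 2.1 or later. Function names are this example's own.

# Print the path of gpg-agent's ssh socket. Ask gpgconf first (it knows the
# real socket directory), fall back to the classic ~/.gnupg location.
gpg_ssh_socket() {
    sock=""
    if command -v gpgconf >/dev/null 2>&1; then
        sock=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null) || sock=""
    fi
    [ -n "$sock" ] || sock="${GNUPGHOME:-$HOME/.gnupg}/S.gpg-agent.ssh"
    printf '%s\n' "$sock"
}

# Ensure gpg-agent is configured to speak the ssh-agent protocol.
# Idempotent: the option line is appended only if it is not already present.
# Prints how many times the option occurs afterwards (expected: 1).
enable_gpg_agent_ssh_support() {
    conf="${1:-${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf}"
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    if ! grep -qx 'enable-ssh-support' "$conf"; then
        printf 'enable-ssh-support\n' >> "$conf"
    fi
    grep -c 'enable-ssh-support' "$conf"
}

# Point ssh at gpg-agent. SSH_AGENT_PID is unset so ssh does not assume a
# separate ssh-agent process exists. Returns non-zero when the socket is not
# there yet, which normally means gpg-agent has not been started
# (start it with: gpgconf --launch gpg-agent).
use_gpg_agent_for_ssh() {
    SSH_AUTH_SOCK=$(gpg_ssh_socket)
    export SSH_AUTH_SOCK
    unset SSH_AGENT_PID
    [ -S "$SSH_AUTH_SOCK" ]
}

# Typical use from ~/.profile:
#   enable_gpg_agent_ssh_support >/dev/null
#   use_gpg_agent_for_ssh || echo "gpg-agent ssh socket not found" >&2
```

After this, `ssh-add -L` lists the authentication key held on the smart card (via gpg-agent) and no separate ssh-agent needs to run; if the socket check fails, launch the agent first and re-run the function.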