Creating a good gpg.conf file
Before you generate your key, we need to establish some more secure defaults for GPG. As we discussed earlier, it is still not as easy as it should be to use e-mail encryption. Riseup.net, an e-mail provider with a strong social cause, maintains an OpenPGP best practices guide at https://help.riseup.net/en/security/message-security/openpgp/best-practices. This guide details how to harden your GPG configuration and provides the motivation behind each option. It is well worth a read to understand the intricacies of GPG key management.

Jacob Appelbaum maintains an implementation of these best practices, which you should download from https://github.com/ioerror/duraconf/raw/master/configs/gnupg/gpg.conf and save as your ~/.gnupg/gpg.conf file. The configuration is well commented, and you can refer to the best practices guide at Riseup.net for more information.

There are three entries, however, that you should modify. The first is default-key, which is the fingerprint of your primary GPG key. Later in this chapter, we'll show you how to retrieve that fingerprint; we can't do so now because we don't have a key yet. The second is keyserver-options ca-cert-file, which is the certificate authority for the keyserver pool. Keyservers host your public keys, and a keyserver pool is a redundant collection of keyservers. The instructions on Riseup.net give the details on how to download and install that certificate. Lastly, you can use Tor to fetch updates on your keys.
The act of requesting a public key from a keyserver signals that you have a potential interest in communicating with the owner of that key. This metadata might be more interesting to a passive adversary than the contents of your message, since it reveals your social network. As we learned in Chapter 2, Circumventing Censorship with a Tor Bridge, Tor is adept at protecting against traffic analysis. You probably don't want to store your GPG keys on the same BBB as your bridge, so a second BBB would help here. On your GPG BBB, you only need to run Tor as a client, which is its default configuration. Then you can update keyserver-options http-proxy to point to your Tor SOCKS proxy running on localhost.
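The three entries discussed above, written out as an added gpg.conf fragment (this is not the duraconf file itself); the fingerprint and the certificate path are placeholders, and the pool name is an assumption matching the pool the duraconf configuration points at:

```conf
# Added example fragment for ~/.gnupg/gpg.conf; the rest of the duraconf
# file stays as downloaded. Lines starting with '#' are comments in gpg.conf.

# 1. Your primary key, identified by its full fingerprint (placeholder value;
#    replace it with the fingerprint retrieved later in the chapter).
default-key 0123456789ABCDEF0123456789ABCDEF01234567

# 2. Fetch keys over HKPS and verify the pool's certificate. The pool name is
#    an assumption (the one the duraconf file uses); the PEM path is a
#    placeholder for wherever you saved the CA certificate per Riseup's guide.
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/etc/ssl/certs/hkps.pool.sks-keyservers.net.pem

# 3. Route keyserver traffic through the local Tor client. 9050 is Tor's
#    default SOCKS port; socks5-hostname makes Tor resolve the pool's name so
#    the DNS lookup does not leak outside the Tor circuit.
keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050
```

On GnuPG 2.1 and later, keyserver access is handled by dirmngr and the certificate and proxy settings belong in dirmngr.conf instead, so check which GnuPG version your BBB ships before relying on these two keyserver-options lines.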
Note
The Electronic Frontier Foundation (EFF) provides some hypothetical examples of the telling nature of metadata, for example: "They (the government) know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret."