An overview of PGP/GPG and other communication challenges is discussed in the TRANSITS I Secure Communications module, but we also support and promote the process of key-signing via a key-signing party at each training course. This is also a good opportunity to get your fellow trainees' contact info!
Key-signing parties are events where people digitally sign each other’s digital identities, helping to create trust that the digital identity really belongs to the real person who claims to own it.
What do I need to do?
If you already have a PGP/GPG key, you only need to print your key-slips and take them with you. If you still need to create your PGP/GPG key, follow the instructions below. You will need your valid passport (or equivalent photo ID) for the PGP/GPG key-signing. You should make a new key-pair (unless you already have one) and bring your public key to the training – we’ll do the key-signing party together!
If you DO have a key-pair already, skip to (2).
1. Create a Key-pair
If you don’t have a key-pair yet (or if you have an RSA legacy key or a key smaller than, say, 2048 bits – you can ditch those, they are not safe anymore), make a new key-pair in GPG (GPL-licensed free software; see e.g. http://www.gnupg.org/gph/en/manual.html#AEN26 for key generation). Your email software may also support easy key generation.
IMPORTANT: currently, RSA keys and ECDSA keys are the most common choices offered when creating keys. For RSA, opt for a 4096-bit key length; for ECC (elliptic curve), opt for a key length of at least 256 bits. A sufficient key length is crucial for security.
*** CHOOSE A SECURE PASSPHRASE FOR YOUR KEYPAIR ***
We repeat:
*** *** CHOOSE A SECURE PASSPHRASE FOR YOUR KEYPAIR *** ***
As in so many cases, this is the Achilles heel of security! Please make sure you do not forget this passphrase, and keep it safe and secure!
2. Make sure your public key is publicly available
Make sure that your existing or new public key can be found on the public keyservers.
One way of doing this:
- Go to https://pgp.surfnet.nl (or similar public keyservers such as https://pgp.circl.lu) and click “Submit Key”.
- On the page that follows, paste the ASCII-armored version of your public key (.asc extension) into the window and press “Submit Public Key”.
Important Warning: only ever give your PUBLIC key to anyone, or add it to the keyservers. Your PRIVATE key must be kept secret at all times. This is the part of the key pair which you have secured with a safe passphrase on your device. It must always remain *only* with you and is *never* given to anyone else.
3. Make a printout
Make a printout of the relevant data about your key -- user ID, email address and fingerprint -- e.g. by copy-pasting into a text editor. It should look something like this (the exact format doesn't matter as long as the main info is there):
4064 bits RSA Key-ID: 0xC3E3C1A2EB1BF24A
Don Stikvoort <don@elsinore.nl> Created: 14 April 2016
Fingerprint: BDAA 9A8C 9257 F4C8 7E28 3DB7 C3E3 C1A2 EB1B F24A
And you need that 20- or 30-fold! Take a pair of scissors and cut your printout into slips, called “key-slips” – each key-slip has your essential key data, and during the key-signing party you will give them to all trainees and tutors! If your fingerprint and e-mail address are on your business card, you can also use that. You'll need at most 30 slips or business cards, one for everyone who participates in the key-signing party.
Bring the key-slips and your passport or valid picture-ID with you!
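As an added example (not part of this page and not GnuPG's own tooling), the POSIX shell script below puts steps 1 to 3 together. The function names make_keypair, export_public_key, key_meets_minimum, human_date, key_slip_from_listing and print_key_slip are assumptions for this illustration; the first, second and last call gpg (GnuPG 2.1 or later), while the others only parse gpg's --with-colons listing, so they run here on a constructed sample listing that reuses the key data from the slip shown above (with the key length set to 4096, as recommended in step 1) and needs no key on the machine. It goes one step beyond the page by checking a key against the minimum key lengths from step 1 before you print slips for it.

```shell
#!/bin/sh
# Added example (not from the TRANSITS page or the GnuPG project): the three
# steps above as shell functions. make_keypair, export_public_key and
# print_key_slip call gpg (GnuPG 2.1 or later); key_meets_minimum and
# key_slip_from_listing only parse gpg's --with-colons output, so they are
# run below on a constructed listing and need no key on the machine.

# Step 1: create a key pair. The passphrase is asked for via pinentry.
# rsa4096 follows the RSA advice above; "ed25519" gives an ECC key instead.
make_keypair() {
    gpg --quick-generate-key "$1" rsa4096 default 2y
}

# Step 2: write the ASCII-armored PUBLIC key to a .asc file for the
# keyserver's "Submit Key" form. The private key is never exported here.
export_public_key() {
    gpg --armor --export "$1" > "$2"
}

# Check the primary key against the minimums above: RSA >= 4096 bits,
# ECC >= 256 bits. gpg reports Curve25519 (EdDSA, algorithm 22) keys as
# 255 bits, so 255 is accepted for those. Anything else (DSA, ElGamal) is
# rejected. Exit status 0 means the key is acceptable.
key_meets_minimum() {
    awk -F: '
        $1 == "pub" {
            if ($4 == 1)       ok = ($3 >= 4096)
            else if ($4 == 19) ok = ($3 >= 256)
            else if ($4 == 22) ok = ($3 >= 255)
            else               ok = 0
            exit
        }
        END { exit ok ? 0 : 1 }'
}

# Convert the epoch timestamp from the listing to "14 April 2016" form.
# GNU date takes -d @ts, BSD/macOS date takes -r ts; try both.
human_date() {
    ( LC_ALL=C date -u -d "@$1" '+%e %B %Y' 2>/dev/null \
      || LC_ALL=C date -u -r "$1" '+%e %B %Y' ) | sed 's/^ *//'
}

# Step 3: turn a --with-colons listing (on stdin) into a key-slip.
# pub record: $3 key length, $4 algorithm, $5 key ID, $6 creation time;
# the first fpr record carries the fingerprint in $10 and the uid record
# the user ID in $10.
key_slip_from_listing() {
    listing=$(cat)
    epoch=$(printf '%s\n' "$listing" | awk -F: '$1 == "pub" { print $6; exit }')
    printf '%s\n' "$listing" | awk -F: -v created="$(human_date "$epoch")" '
        $1 == "pub" { bits = $3; algo = $4; keyid = $5 }
        $1 == "fpr" && fpr == "" { fpr = $10 }
        $1 == "uid" && uid == "" { uid = $10 }
        END {
            name = (algo == 1) ? "RSA" : (algo == 19) ? "ECDSA" : (algo == 22) ? "EdDSA" : "algo " algo
            # fingerprint in groups of four, as printed on the slip above
            spaced = ""
            for (i = 1; i <= length(fpr); i += 4)
                spaced = spaced (i > 1 ? " " : "") substr(fpr, i, 4)
            print bits " bits " name " Key-ID: 0x" keyid
            print uid " Created: " created
            print "Fingerprint: " spaced
        }'
}

# Key-slip for a key in your own keyring, by user ID or key ID.
print_key_slip() {
    gpg --with-colons --fingerprint "$1" | key_slip_from_listing
}

# Constructed sample listing in gpg's colon format, reusing the key data from
# the slip above (with a 4096-bit key length); the uid hash is a placeholder.
SAMPLE_LISTING='pub:u:4096:1:C3E3C1A2EB1BF24A:1460592000:::u:::scESC::::::23::0:
fpr:::::::::BDAA9A8C9257F4C87E283DB7C3E3C1A2EB1BF24A:
uid:u::::1460592000::PLACEHOLDERUIDHASH::Don Stikvoort <don@elsinore.nl>:'

# Constructed 1024-bit RSA key: the kind the page says to ditch.
WEAK_LISTING='pub:u:1024:1:0123456789ABCDEF:1460592000:::u:::scESC::::::23::0:'

printf '%s\n' "$SAMPLE_LISTING" | key_slip_from_listing
```

With a real key, `gpg --with-colons --fingerprint you@example.org | key_meets_minimum` tells you whether the key clears the step 1 minimums, and `print_key_slip you@example.org` produces the text to print and cut into slips.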