With my current OpenPGP key set to expire in the middle of December I’ve decided to extend its life by changing the expiry date for the primary signing key 0xFEEEFA8F and adding a new encryption subkey that can be used when the existing one expires. The new expiry date for the main signing key as well as the new encryption subkey is 2 years from today. Before getting into the actual notice allow me to capture exactly what I did:
A good synopsis of the argument against adding backdoors to encryption in messaging applications.
Using the excellent Digital Ocean tutorial as my base, I decided to set up an OpenVPN server on a Linux Mint 18 computer running on my home network so that I can have an extra layer of protection when connecting to those less than reputable WiFi hotspots at airports and hotels. This post is not meant to be an in-depth guide (use the original for that); it is meant to allow me to look back at this at some point in the future and easily re-create my setup.
Recently I’ve been reading a few similar books on the risks and realities posed by our ever-increasing digital world and thought that they might be worth a mention here. Both are depressing, scary and excellent reads with a lot of research put into them. The first is Data and Goliath by security researcher Bruce Schneier. Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World
Recently there have been two very good, and opposing, articles written on the state of Pretty Good Privacy (PGP) and whether or not it is worth using in 2016/2017 and beyond. You can find the original article, I’m throwing in the towel on PGP, and I work in security, at Ars Technica here, but I’ve reproduced it below in case the link stops working at some point. You can also find the follow-up piece, Why I’m not giving up on PGP, also at Ars Technica here, and again I’ve reproduced it below just in case.
HTTPS Everywhere: Created in collaboration with the Electronic Frontier Foundation, this add-on automatically attempts to increase the security of your connection to websites by switching over to HTTPS if the website supports it (even if it uses HTTP by default).
Privacy Badger: Another add-on created by the Electronic Frontier Foundation, this one attempts to detect if you are being tracked across multiple websites by the same source (likely an advertiser) and then automatically begins to block them.
I’ve finally gotten around to enabling SSL/TLS on this website. For now I’ve simply used a StartSSL free certificate which will expire in one year. I’m still testing things out for now but the goal is to keep the site 100% secure from now on.
If you are worried about your hard drive one day crashing and you losing access to your OpenPGP key (and thus the contents of your encrypted e-mails), then you should have been using a backup! That said, an extra archival method of storing your key completely offline would be to use a program called paperkey to export the contents of your OpenPGP key to an easily printed file that you can then re-type into your PC if necessary.
More than a year ago I moved from my expiring OpenPGP key (0x1CD3E3D8) to my current key (0xFEEEFA8F) and, for that process, in addition to signing my new key with my old key, I created a Key Transition notice signed by both keys as a way to inform those who trusted my old key that my new key was in fact still me. However, it only recently occurred to me that I never actually posted any instructions on how I did that, and deciphering the gpg command line can be a bit of a pain.
While I am by no means a security expert, the following are the current best practices for configuring your gpg.conf file as best as I can determine.
Key usage options
default-key <your primary key>: Use as the default key to sign with. If this option is not used, the default key is the first key found in the secret keyring.
hidden-encrypt-to <your primary key>: Same as --hidden-recipient, but this one is intended for use in the options file and may be used with your own user-id as a hidden “encrypt-to-self”.