
@springcomp
Last active April 12, 2024 07:07
OpenPGP

This is the procedure to migrate from the old keyring to the new toolset:

Required software

Open the existing keyring

  1. Insert the USB thumbdrive
  2. Run the start_windows.cmd command script
  3. Enter the master passphrase and wait for Gpg4Usb to launch

Install the new toolset

Follow the procedure outlined here.

You should have the following folder structure:

  • GnuPG 4 USB/
    • GPG4Win/
    • GnuPG/
    • home/
    • Kleopatra.lnk
    • Command Prompt.lnk
  • 7Zip/
    • 7Za.exe
  • SysInternals/
    • sdelete.exe

Test successful installation

  1. In the – initially empty – home (new keyring) folder, create a text file named gpg.conf with the following content:
     keyserver hkps://keys.openpgp.org
  2. Run Kleopatra and check that you can successfully connect and retrieve public keys from the key server.
  3. Select the Search on server... option and search for the public key associated with springcomp@e.email.

When all of this is working, close Kleopatra and proceed to the next step.

Note: Kleopatra is an application that runs in the system tray. Right click on its icon and select Stop Kleopatra to exit.

Migrate existing keyring

Important: this procedure requires the keyring to be "open", with the Gpg4Usb app running.

  1. Copy the entire contents of the keydb folder, where your keyrings used to be stored, to the new home folder, overwriting any existing files.
  2. Update gpg.conf and add the line keyserver hkps://keys.openpgp.org
  3. Open Kleopatra and check that you can successfully see the keys, including one with a private key (displayed in bold)
  4. Close Kleopatra (remember to right-click the Kleopatra icon from the system tray and select Stop Kleopatra)

Update the Kleopatra.cmd script so that it has the following content:

Warning: if you are reading a translation of this page, make sure to use the original version of the script. The translator might have corrupted the script by attempting to translate instructions.

@echo off
REM Resolve the Gpg4win and GnuPG bin folders relative to this script's own
REM location (%~d0%~p0 is the drive and path of the script, i.e. the Gpg4win folder).
SET "_GPG4WIN=%~d0%~p0/bin"
FOR /F "delims=" %%F IN ("%_GPG4WIN%") DO SET "_GPG4WIN=%%~fF"

SET "_GNUPG=%~d0%~p0/../GnuPG/bin"
FOR /F "delims=" %%F IN ("%_GNUPG%") DO SET "_GNUPG=%%~fF"

REM The GnuPG home folder is converted to its short (8.3) name so that the
REM path used for GNUPGHOME contains no spaces.
SET "_GNUPG_HOME=%~d0%~p0/../home"
FOR /F "delims=" %%F IN ("%_GNUPG_HOME%") DO SET "_GNUPG_HOME=%%~sF"

SET PATH=%PATH%;%_GPG4WIN%;%_GNUPG%
SET GNUPGHOME=%_GNUPG_HOME%

REM Extract the private keys from the passphrase-protected archive (7za prompts
REM for the master passphrase). Exit code 2 or higher means a fatal error such
REM as a wrong passphrase or a missing archive, so Kleopatra is not started.
call "%~dp0..\..\7zip\7za.exe" e "%_GNUPG_HOME%\private-keys-v1.d.7z" -o"%_GNUPG_HOME%\private-keys-v1.d" -y
if errorlevel 2 goto finish

REM Started from a batch file, cmd waits here until the Kleopatra process exits.
Kleopatra.exe

REM Securely wipe the plaintext private keys (deliberately run twice), then
REM remove the folder and make sure no Kleopatra process is left behind.
call "%~dp0..\..\Sysinternals\sdelete.exe" -s -q -p 35 "%_GNUPG_HOME%\private-keys-v1.d\"
call "%~dp0..\..\Sysinternals\sdelete.exe" -s -q -p 35 "%_GNUPG_HOME%\private-keys-v1.d\"
rmdir /s /q "%_GNUPG_HOME%\private-keys-v1.d" >NUL 2>&1
taskkill /f /im kleopatra.exe >NUL 2>&1

echo success.
echo.

:finish

Note: make sure that the path to the 7za.exe and sdelete.exe tools is correct, relative to the current folder where Kleopatra.cmd is located.
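Because Kleopatra.cmd extracts the private keys before it checks anything, a wrong relative path to 7za.exe or sdelete.exe is only discovered once key material is already on disk. The following Check-Setup.cmd is an added example, not part of the original gist: it is assumed to sit beside Kleopatra.cmd in the Gpg4win folder and verifies, without touching any key, that every path the launcher depends on exists and that no plaintext key folder or old-format keyring was left behind by a previous session. The script name and the [OK]/[FAIL]/[WARN] labels are constructed for this example.

```batch
@echo off
REM Check-Setup.cmd (added example): pre-flight check for the USB layout.
REM Place it next to Kleopatra.cmd and run it after installing the toolset.
REM Exit code 0 means every check passed; 1 means something needs fixing.
setlocal EnableDelayedExpansion
SET "_ERRORS=0"

REM Same path derivation as Kleopatra.cmd, so a mismatch shows up here first.
SET "_GPG4WIN=%~dp0bin"
SET "_GNUPG=%~dp0..\GnuPG\bin"
SET "_GNUPG_HOME=%~dp0..\home"
SET "_7ZA=%~dp0..\..\7zip\7za.exe"
SET "_SDELETE=%~dp0..\..\Sysinternals\sdelete.exe"

call :check_file "%_GPG4WIN%\kleopatra.exe"            "Kleopatra binary"
call :check_file "%_GNUPG%\gpg.exe"                    "GnuPG binary"
call :check_dir  "%_GNUPG_HOME%"                       "GnuPG home folder"
call :check_file "%_GNUPG_HOME%\gpg.conf"              "gpg.conf with keyserver line"
call :check_file "%_GNUPG_HOME%\pubring.kbx"           "public keybox"
call :check_file "%_GNUPG_HOME%\private-keys-v1.d.7z"  "encrypted private key archive"
call :check_file "%_7ZA%"                              "7za.exe"
call :check_file "%_SDELETE%"                          "sdelete.exe"

REM The plaintext key folder must not survive between sessions: if it is
REM still there, the wipe at the end of a previous Kleopatra.cmd run did not happen.
if exist "%_GNUPG_HOME%\private-keys-v1.d\" (
    echo [WARN] plaintext private-keys-v1.d folder still present in home
    set /a _ERRORS+=1
)

REM Old-format keyrings left in home mean the cleanup steps were skipped.
for %%K in (secring.gpg secring.7z pubring.gpg) do (
    if exist "%_GNUPG_HOME%\%%K" (
        echo [WARN] old keyring file %%K still present in home
        set /a _ERRORS+=1
    )
)

if "!_ERRORS!"=="0" (
    echo All checks passed.
    endlocal & exit /b 0
) else (
    echo !_ERRORS! problems found.
    endlocal & exit /b 1
)

REM %1 = path, %2 = description. Counts a missing file as an error.
:check_file
if exist "%~1" (echo [ OK ] %~2: %~1) else (echo [FAIL] %~2 missing: %~1 & set /a _ERRORS+=1)
exit /b

REM Trailing backslash makes "if exist" test for a directory rather than a file.
:check_dir
if exist "%~1\" (echo [ OK ] %~2: %~1) else (echo [FAIL] %~2 missing: %~1 & set /a _ERRORS+=1)
exit /b
```

Run it after the migration and again whenever the thumbdrive has been used on another machine; a [WARN] on private-keys-v1.d is the signal that the keys were left unencrypted on the drive and that the wipe step must be run by hand before anything else.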

You can now close Gpg4Usb.

Cleanup

The old public key ring pubring.gpg file has been migrated to the new pubring.kbx keybox file. You can remove the old pubring.gpg (and its backup pubring.back) file safely.

You now need to secure the private key folder using the following commands. First, open a command prompt (by double-clicking the Command Prompt script created earlier) and type the commands:

..\..\7zip\7za.exe a -p"<master-passphrase>" "%_GNUPG_HOME%\private-keys-v1.d.7z" "%_GNUPG_HOME%\private-keys-v1.d\*"
..\..\Sysinternals\sdelete.exe -s -q -p 35 "%_GNUPG_HOME%\private-keys-v1.d\"
..\..\Sysinternals\sdelete.exe -s -q -p 35 "%_GNUPG_HOME%\private-keys-v1.d\"

Verification

At this point, you have successfully migrated to the new toolset.

  • Check that you can successfully plug in the USB thumbdrive and double-click the Kleopatra shortcut.
  • Check that you can successfully input the master passphrase to extract the temporary private keys.
  • Check that Kleopatra is running successfully and shows the keys, including the ones associated with a private key (displayed in bold).

Once that is confirmed working, you can proceed to delete the old private keyring. Note: please, remember to properly exit Kleopatra by right-clicking the system tray icon and selecting Stop Kleopatra.

The old secret key ring secring.gpg file has been migrated to the new private-keys-v1.d folder. You can remove the old secring.gpg (and its now obsolete compressed archive secring.7z) using the following commands:

..\..\Sysinternals\sdelete.exe -p 35 "%_GNUPG_HOME%\secring.gpg"
..\..\Sysinternals\sdelete.exe -p 35 "%_GNUPG_HOME%\secring.7z"
..\..\Sysinternals\sdelete.exe -p 35 "%_GNUPG_HOME%\secring.7z.back"

Use the following commands (yes, run them twice) to remove the old keydb keyring folder:

..\..\Sysinternals\sdelete.exe -s -q -p 35 keydb
..\..\Sysinternals\sdelete.exe -s -q -p 35 keydb

You can remove the old GnuPG 4 USB folder.

How-To

How-to export a public key

gpg --export --armor <email-address> > <filename>.pub

How-to import a private key

gpg --decrypt <private-key> | gpg --import

How-to protect a private key for transport

Open a Command Prompt.

# generate a strong random password
gpg --armor --gen-random 1 20

# encrypt key, use password above when asked
gpg --armor --export-secret-keys <YOUREMAILADDRESS> | gpg --armor --symmetric --output mykey.sec.asc

How-to update the private key secure archive

Open a Command Prompt.

copy /Y "%_GNUPG_HOME%\private-keys-v1.d.7z" "%_GNUPG_HOME%\private-keys-v1.d.7z.back"
..\..\SysInternals\sdelete.exe -p 35 "%_GNUPG_HOME%\private-keys-v1.d.7z"
..\..\7zip\7za.exe a -p"<master-passphrase>" "%_GNUPG_HOME%\private-keys-v1.d.7z" "%_GNUPG_HOME%\private-keys-v1.d\*"
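Both the Cleanup step and the update procedure above wipe the plaintext private-keys-v1.d folder right after creating the archive, so a typo in the passphrase or an interrupted 7za run leaves you with an archive you cannot open and no plaintext copy. The following Update-Archive.cmd is an added example, not part of the original gist: it performs the same repack but verifies the new archive with the passphrase it was created with before the plaintext folder is wiped, and keeps the previous archive as .back until then. It is assumed to sit beside Kleopatra.cmd in the Gpg4win folder and to be run from the Command Prompt script so that %_GNUPG_HOME% is set; the script name, the temporary .new suffix and the -mhe=on switch (which additionally encrypts the file names inside the 7z archive) are this example's own additions.

```batch
@echo off
REM Update-Archive.cmd (added example): repack private-keys-v1.d into the
REM encrypted archive and wipe the plaintext folder only after the new archive
REM has been verified. Run from the Command Prompt script (sets %_GNUPG_HOME%).

if "%_GNUPG_HOME%"=="" (
    echo _GNUPG_HOME is not set: open the Command Prompt script first.
    exit /b 1
)

SET "_7ZA=%~dp0..\..\7zip\7za.exe"
SET "_SDELETE=%~dp0..\..\Sysinternals\sdelete.exe"
SET "_ARCHIVE=%_GNUPG_HOME%\private-keys-v1.d.7z"
SET "_KEYDIR=%_GNUPG_HOME%\private-keys-v1.d"

if not exist "%_KEYDIR%\" (
    echo Nothing to archive: %_KEYDIR% does not exist.
    exit /b 1
)

REM Prompt for the passphrase instead of embedding it in a command line.
REM cmd cannot hide typed input, so the passphrase is visible on screen while typed.
set /p "_PASS=Master passphrase: "

REM Keep the previous archive until the new one has been verified.
if exist "%_ARCHIVE%" copy /Y "%_ARCHIVE%" "%_ARCHIVE%.back" >NUL

REM Build under a temporary name so an interrupted run never leaves a
REM half-written file under the real archive name.
"%_7ZA%" a -t7z -p"%_PASS%" -mhe=on "%_ARCHIVE%.new" "%_KEYDIR%\*" >NUL
if errorlevel 1 goto fail

REM "t" decrypts every entry and checks its CRC: a wrong passphrase or a
REM truncated archive fails here, while the plaintext keys are still intact.
"%_7ZA%" t -p"%_PASS%" "%_ARCHIVE%.new" >NUL
if errorlevel 1 goto fail

move /Y "%_ARCHIVE%.new" "%_ARCHIVE%" >NUL
if errorlevel 1 goto fail

REM Same double sdelete pass the gist uses, then drop the now empty folder.
"%_SDELETE%" -s -q -p 35 "%_KEYDIR%\" >NUL
"%_SDELETE%" -s -q -p 35 "%_KEYDIR%\" >NUL
rmdir /s /q "%_KEYDIR%" >NUL 2>&1
set "_PASS="
echo Archive updated and verified; plaintext key folder wiped.
exit /b 0

:fail
set "_PASS="
if exist "%_ARCHIVE%.new" del /f /q "%_ARCHIVE%.new"
echo Archive creation or verification FAILED: plaintext keys left in place, previous archive kept as .back
exit /b 1
```

After a successful run the .back copy of the previous archive still exists and can be removed with sdelete -p 35 once Kleopatra.cmd has been confirmed to open the new archive.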

How-to retrieve the private key stubs on any PC

Install or update OpenSSH using the following command:

winget install Microsoft.OpenSSH.Beta

Open a cmd.exe command prompt with elevated privileges and run:

ssh-keygen -K

Then change permissions of the stubs so that your regular user can use them:

powershell
get-childitem -filter id_* |% { . cacls.exe $($_.FullName) /e /p DOMAIN\user:f }

Prerequisites

Windows

  • OpenGPG installed, either for all users or for the current user only.

To create a USB thumbstick, please use the following steps:

Install OpenGPG on the local Windows machine

Before setting up the USB thumbdrive, we need to obtain the required binaries. We do this by installing the software on the local machine into known folders.

  1. Run the OpenGPG installer.
  2. If prompted, select Yes to install without administrative privileges.
  3. Uncheck GpgOL and GpgEx packages.

This installed:

  • OpenGPG in C:\Program Files (x86)\Gpg4win and
  • GnuPG in C:\Program Files (x86)\GnuPG.

If you installed without administrative privileges, it installed in:

  • OpenGPG in %LOCALAPPDATA%/Programs/Gpg4win and
  • GnuPG in %LOCALAPPDATA%/Programs/GnuPG.

It also updates a couple of environment variables.

If you launched Kleopatra, you must first stop the application.

Note: Kleopatra is an application that runs in the system tray. Right click on its icon and select Stop Kleopatra to exit.

Copy the binaries to the USB thumbdrive

In this step, you will copy the prerequisite binaries to the USB thumbdrive.

  1. At the root of the USB thumbdrive, create a new GnuPG 4 USB folder.
  2. In the GnuPG 4 USB folder, create a home folder for keys and configuration: e.g. E:/GnuPG 4 USB/home.
  3. In the GnuPG 4 USB folder, create two folders: e.g. E:/GnuPG 4 USB/Gpg4win and E:/GnuPG 4 USB/GnuPG.
  4. Copy the binaries from %LOCALAPPDATA%/Programs/Gpg4win to E:/GnuPG 4 USB/Gpg4win.
  5. Copy the binaries from %LOCALAPPDATA%/Programs/GnuPG to E:/GnuPG 4 USB/GnuPG.
  6. Uninstall OpenGPG.

Setup the USB thumbdrive

  1. In the USB thumbdrive, locate the E:/Gpg4win folder and create a Kleopatra.cmd script with the following contents:

Warning: if you are reading a translation of this page, make sure to use the original version of the script. The translator might have corrupted the script by attempting to translate instructions.

@echo off
REM Resolve the Gpg4win and GnuPG bin folders relative to this script's location.
SET "_GPG4WIN=%~d0%~p0/bin"
FOR /F "delims=" %%F IN ("%_GPG4WIN%") DO SET "_GPG4WIN=%%~fF"

SET "_GNUPG=%~d0%~p0/../GnuPG/bin"
FOR /F "delims=" %%F IN ("%_GNUPG%") DO SET "_GNUPG=%%~fF"

REM Short (8.3) form of the home folder, so GNUPGHOME contains no spaces.
SET "_GNUPG_HOME=%~d0%~p0/../home"
FOR /F "delims=" %%F IN ("%_GNUPG_HOME%") DO SET "_GNUPG_HOME=%%~sF"

SET PATH=%PATH%;%_GPG4WIN%;%_GNUPG%
SET GNUPGHOME=%_GNUPG_HOME%

Kleopatra.exe

This creates a script that sets the correct environment for running from a USB thumbdrive.

Create a copy of this file named Command Prompt.cmd, with the last line changed from Kleopatra.exe to cmd.exe. This is a script that makes it easy to open a command prompt with the correct environment.

  1. Create a shortcut at the root of the USB thumbdrive to each of the preceding scripts.
  2. Update the icon to reflect the Kleopatra application.
