basmv.blogg.se

Gpg mail apple mail not working














Edward Snowden says to trust in encryption, but you still need to worry about the security of the computer systems that run it:

"Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it."

If you're worried that you're not paranoid enough about your communications security and want to improve your OpSec, it is actually fairly easy to go "full-Snowden" with hardware storage of your PGP secret keys. The Yubico Yubikey-Neo and Neo-N USB tokens are a neat (and cheap) way to keep your keys locked in a hardware device rather than stored as a file on your hard drive. The hardware tokens are compatible with the OpenPGP card protocol, which recent versions of gnupg support out-of-the-box. All of the public-key cryptography happens inside the tamper-proof device, so your secret key is never decrypted in memory or stored on the disk of your machine.

GPGTools provides a very nice key management GUI as well as a plug-in for Apple Mail.app. It also bundles the commandline version of gnupg 2.0.22, which you will need for doing some specialized functions. Note that there is a bug in OS X Yosemite related to GPG card tokens not working.

Run the GPG Keychain Access tool that the suite installed in /Applications and click the New Key button. Fill in your name and email and select the key type. The older Yubikey devices support up to RSA2048, so the defaults of "RSA and RSA" with length 2048 are correct. Yubikey Nano 4 added support for 4096 bit keys in late 2015 and you can select that if you want longer keys. Both devices also support secure key generation in hardware, but this requires some further steps in the terminal and is beyond the scope of this tutorial.

Expiration dates aren't required, but they are a good idea since nothing lasts forever. You can still decrypt old emails and documents, as well as verify signatures, with an expired key, but no one will send you new ones.

You will need to pick a pass-phrase for the key - make it a good one since it is the only thing that protects your key file while it is on disk. This Passphrase FAQ has some suggestions for picking a memorable one. You'll only need to type it in during these key operations and when you sign other users' keys.

By default the GPG Keychain tool creates the primary key that has all access and one encryption subkey. For the cards you need to create a second subkey for signing. Double click on your key to bring up the Key Inspector window, select Subkeys and click + to create a new one of type RSA (sign only) and of length 2048.

At this point you should export your key and save it somewhere safely offline. Right click on your key in the main window and select "Export" and check Allow secret key export. As part of moving the keys into the hardware token they will be deleted from your keyring. If you were to lose the Yubikey, you would not be able to recover the keys.

It is also worth creating a key revocation certificate. If you were to lose your keys or your passphrase, a pre-generated revocation certificate allows you to announce to the world that the key is no longer valid and should no longer be trusted. Right click on your key and save the revocation cert offline safely as well.












