Encryption Exhibitionism (my PGP keys)

I’ve finally found a sensible way to use PGP - by using Thunderbird with Enigmail.

My email provider (Amazon AWS) recently announced support for IMAP, enabling me to use Thunderbird again. They previously only supported Microsoft Exchange, or using their terrible WebUI, which was fortunate for them considering I was on the lookout for a new provider.

Should you receive an email from me in the future, you can expect the mail to be signed, and have my public key attached to it.

I have also deprecated my old @overclocked.net email. I have been ensured a “lifetime account” by Overclock.net for the time being, but historical DNS issues as well it being a Google Apps account I just want to be done with it.

My current PGP key fingerprint is: 513B8F9662571F03E142FC02B692F29993D36D53

Why elliptic curves?

I’ve opted to go for an EC key, specifically Ed25519, because the attack vector (both implementation and design) seems significantly smaller than RSA.

BSI has a technical recommendations stating a factoring modulus minimum of 3000 bits, whereas discrete logarithm key sizes has a minimum of 250 bits.

With that significant of a key size reduction, you remove a lot of overhead, resulting in EC usually being significantly faster than RSA at similar security levels (256 bit ECC vs 3072 bit RSA)

Additionally, my specific choice of key (Ed25519) has been tuned for modern x86-64 CPU’s as well as being a solid implementation of EdDSA. You can read more about Ed25519 on their own webpage.

Anyway, integer factorization is a subset of the discrete logarithm problem. If ECC is broken, so is RSA, and we have other worries than my private key.

Importing my key

There’s a lot of PGP software, but the one I use is GnuPG. It works great on Linux, and it’s essentially what Enigmail expects. You can probably stroll along using other PGP software, since the methods used will undoubtedly be similar.

Before importing my key, make sure your PGP software is up to date and supports Ed25519 keys. In the unlikely case that your software doesn’t support Ed25519 keys, I have an RSA key linked at the bottom of the article which you can use in place of my Ed25519 key.

If you want to download the key directly, it can be acquired on this site at /sebastianjensen.asc.

Otherwise, if you have a sane keyserver configured, you can use your PGP software to receive my key:

gpg2 --recv-keys 513B8F9662571F03E142FC02B692F29993D36D53

Verifying my key

An external source that has my PGP key is my Twitter bio - see my page footer.

If the full fingerprints match, and you trust your keyserver, you now have the correct key in your keyring.

Signing keys

You can sign my key as you see fit. I suggest at least asking me if my key is recent via the social media links at the page footer, but meeting up with me and verifying that way is certainly better.

If you’ve verified my key, you can sign it as you see fit:

gpg --ask-cert-level --sign-key [email protected]

I’ll sign your key provided I can do a physical verification. To make it easy, please have your fingerprint and full UID on a piece of paper. I’ll do level 3 signs if I’m absolutely convinced that you are who your key states you are.

After signing your key, I will send you an encrypted and signed mail with the sign to the email specified in your UID using this method:

gpg --armor --export [email protected] > ~/tmp/[email protected]
gpg --sign --encrypt --recipient [email protected] ~/tmp/[email protected]

It is then your responsibility to upload the sign to a keyserver. This is done by decrypting, importing and sending the key to your keyserver:

gpg --decrypt [email protected]
gpg --import [email protected]
gpg --send-keys <YOUR ID>

If you have multiple UID’s I’ll send an email for each UID. This is to ensure that you have access to your relevant UID’s.

Non-ECC (RSA) Key

Should an Ed25519 key - against all odds - be too advanced for your PGP software, I have a “legacy” RSA2048 key with a significantly shorter expiry time: 75EDC4A4C1A35433B62A08D9708AABAA324BED96

The keys use is discouraged by me because I think RSA is clunky. But it still works, and it might be less clunky for you.

For the near future, RSA is definitely still safe to use, even at 2048 bits. I will keep refreshing my RSA key - possibly increase the size - as long as quantum computers aren’t mainstream.

Conclusion

I’m proud to finally have set up PGP. The decision to go for EC rather than RSA has been something I’ve had on my mind ever since getting into DevOps.

Writing this article has certainly taught me some new stuff, not only about PGP and GnuPG, but also some new things such as ECC potentially being signifcantly easier to break using Shor’s Algorithm than RSA, which was my original main arguments for going for Ed25519 over RSA.

Article and related homepage stuff needed to include GPG keys took me about 5 hours. I’ve made sure all references to my Ed25519 key on this page is linked to the configuration of my webserver, so if I end up changing the keyid, this page will always have the most updated key IDs. But not the RSA ID - implementing support for 2 ID’s seemed overkill.

I spent upwards of 10-15 hours the last few days getting to grips with Enigmail, Thunderbird, GnuPG as well.

Credit goes to Jeff Carouth’s “Signing PGP Keys” article for a lot of the content on this page.