Try   HackMD

Rotation of PGP key

Goal: for PGP key associated with role and shared between multiple people
(security-officer and similar roles), we would like to have a formalized
way of rotating and sharing of the PGP key.

Assumptions

This procedure assumes that all parties are trustworthy and do not deliberately act in malice.

Terms

  • Passphrase T1: a temporary passphrase to protect the new PGP key pair
  • Encryption key passphrase K1: a temporary, symmetry key, to generate the exported

Procedure

  • Person A generates the PGP key pair, which is passphrase protected by T1.
    NOTE: the key should meet latest best practices; as of this writing, we recommend using Ed25519 with an expiration time of no more than 5 years [1].
  • (Optional) Person A derives a revocation certificate, which is shared with a third party, e.g. core@, in case of the unlikely event that the private key is lost and compromised and needs to be revoked.
  • Person A extracts the PGP key along with the private key, with:
    gpg --output so.pgp --export-secret-key security-officer@FreeBSD.org
  • Person A encrypts the exported file so.pgp with another layer of encryption, with a passhprase K1, and deletes encrypted export in previous step[2]:
    openssl enc -aes256 -base64 -in so.pgp -out so.pgp.enc && rm so.pgp
  • Person A sends the encrypted file (so.pgp.enc) to the recipient, encrypted with the recipient's public PGP key[3].
  • Person A sends the passphrase T1, encrypted with recipient's public PGP key, to either a place they have access to (for so@, it's a freebsd-update build server; this can also be their email)[4].
  • Person A splits passphrase K1 into two pieces and send to the recipient in two separate channel (e.g. one via email, and the other over phone).[5]

Recipient

  • The recipient first decrypt the encrypted so.pgp.enc file with their own PGP private key.
  • The recipient then decrypts the file with:
    openssl dec -ase256 -base64 -in so.pgp.enc -out so.pgp && rm so.pgp.enc
    with the passphrase K1 received from two channels.
  • The recipient imports the key to GnuPG:
    gpg --import so.pgp
  • The recipient changes passphrase from T1 to passphrase of their choice:
    gpg --edit-key security-officer@FreeBSD.org
  • The recipient destroys so.pgp

Footnotes

[1] Ed25519 is the default for GPG; for best compatibility, a 4096-bit RSA key can be used instead, but in 2022, it's likely that this is no longer a concern. The 5 year expiration in this context is an arbitrary value.
[2] This step avoids sending the passphrase protected PGP key without an additional layer of encryption (by accident).
[3] Encrypting the encrypted file with recipient's PGP key ensures the recipient has control of both their mailbox and the private key.
[4] This should be separate; the recipient should get the passphrase and remove them from the server once they got access to it.
[5] This step is both authenticating the recipient and to separate risks of leaks; in worst case, the attacker still need to have the other part of the passphrase in order to decrypt the outside wrap.

Last changed by 
Xin Li
0
1166
Published on HackMD