This year, Outreachy featured internships from organizations such as Debian, Fedora, GNOME, the Linux Kernel, Mozilla, Python, and Wikimedia, just to name a few. Each organization features mentored projects and in order to apply, applicants must contact the mentor, introduce themselves on the appropriate channels and make a small contribution to the project. After that, applicants might be required to fulfill additional tasks to demonstrate their abilities. Successful applicants will make quality contributions, communicate effectively with mentors, ask questions, fulfill tasks, help out their peers via mailing lists, and/or blog about their experience.
One of the projects I applied to was the Clean Room for PGP and X.509 (PKI) Key Management. The project aims to create a Live Disc that enables users to create and manage their PGP keys easily and securely, using a text-based UI. I’ve been a Debian user for about a year, but before applying to the project I didn’t know much about GnuPG or public key encryption. Since then, I’ve made some contributions and attended my first keysigning event in San Francisco featuring a lecture by Neal Walfield (more on that below).
For my initial contribution, Daniel Pocock, the mentor for this project, asked that I write a script that lists the USB flash devices connected to the system and specifies which device the system booted from. Here’s the bash script that I wrote, and that was enough to submit an application for Debian.
My next task was to write a DNS hook script for the dehydrated project, a shell client for signing certificates with Let's Encrypt (for free!). The script completes a DNS challenge sent by the ACME server by provisioning a TXT record for a given domain in order to prove control of the domain. I chose to write it in Python and used the dnspython API. I posted my solution on GitHub and there are many more here.
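For readers who want to see what such a hook has to do end to end, here is an added example of a dehydrated DNS-01 hook. It is not the author's Python script and not part of dehydrated; it uses nsupdate (RFC 2136 dynamic updates signed with a TSIG key) instead of dnspython, so the only moving parts are the record name, the record value and waiting until the authoritative server actually serves the record. The server name, zone and key file path are hypothetical placeholders.

```shell
#!/bin/sh
# dehydrated DNS-01 hook built on nsupdate (RFC 2136 dynamic update).
# Added example: not the author's Python/dnspython hook and not part of
# dehydrated itself. The settings below are hypothetical; point them at a
# zone whose authoritative server accepts TSIG-signed updates.
set -eu

NS_SERVER="${NS_SERVER:-ns1.example.net}"                  # authoritative server (hypothetical)
ZONE="${ZONE:-example.com}"                                # zone receiving the update (hypothetical)
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/dehydrated/acme.key}"   # key file for nsupdate -k (hypothetical)
TTL=60

# Name the ACME server will query. RFC 8555 validates a wildcard identifier
# (*.example.com) at the base name, so a leading "*." is dropped.
challenge_name() {
  local domain
  domain="${1#\*.}"
  printf '_acme-challenge.%s.\n' "${domain%.}"
}

# Produce the nsupdate script for one challenge. dehydrated hands the hook
# TOKEN_VALUE already hashed, i.e. exactly the string that goes in the TXT record.
nsupdate_script() {
  local action domain value name
  action="$1"; domain="$2"; value="$3"
  name="$(challenge_name "$domain")"
  case "$action" in
    deploy_challenge)
      printf 'server %s\nzone %s\nupdate add %s %s IN TXT "%s"\nsend\n' \
        "$NS_SERVER" "$ZONE" "$name" "$TTL" "$value" ;;
    clean_challenge)
      printf 'server %s\nzone %s\nupdate delete %s IN TXT "%s"\nsend\n' \
        "$NS_SERVER" "$ZONE" "$name" "$value" ;;
    *)
      echo "nsupdate_script: no DNS change for stage '$action'" >&2
      return 1 ;;
  esac
}

# Do not return to dehydrated until the authoritative server answers with the
# record; otherwise the CA may query before the update has been applied.
wait_for_txt() {
  local name value tries
  name="$1"; value="$2"; tries=30
  while [ "$tries" -gt 0 ]; do
    if dig +short TXT "$name" "@$NS_SERVER" | grep -qF "\"$value\""; then
      return 0
    fi
    sleep 5
    tries=$((tries - 1))
  done
  echo "wait_for_txt: $name never served \"$value\"" >&2
  return 1
}

# dehydrated calls: hook STAGE DOMAIN TOKEN_FILENAME TOKEN_VALUE [DOMAIN TOKEN_FILENAME TOKEN_VALUE ...]
main() {
  local stage
  stage="$1"; shift
  case "$stage" in
    deploy_challenge|clean_challenge)
      while [ "$#" -ge 3 ]; do
        nsupdate_script "$stage" "$1" "$3" | nsupdate -k "$TSIG_KEYFILE"
        if [ "$stage" = deploy_challenge ]; then
          wait_for_txt "$(challenge_name "$1")" "$3"
        fi
        shift 3
      done ;;
    *) ;;   # deploy_cert, unchanged_cert, startup_hook, exit_hook ...: nothing to do here
  esac
}

# Dispatch only when invoked with arguments (i.e. by dehydrated), so the
# functions above can also be sourced and exercised on their own.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Point dehydrated at it with HOOK=/path/to/this-script and CHALLENGETYPE="dns-01" in its config. The TSIG key should be scoped (for example with a BIND update-policy) so that it may only touch _acme-challenge TXT records, since whoever holds it can otherwise rewrite the zone.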
At the lecture, Neal talked about good practices for key creation and management. Here are a few of those points:
- Don't store your master key locally.
- Store your master key offline on a smartcard such as a Gnuk or Nitrokey, and keep backups on a USB stick.
- Neal mentioned that the OpenPGP card is not open hardware, and according to this recent post neither is the YubiKey.
- To manage the key, use a dedicated offline computer such as a relatively cheap X40 or X60 ThinkPad (my two cents: use a ThinkPad like the X200 or T400 flashed with Libreboot, which solves the proprietary firmware problem) and remove the wireless network card.
- Use Tails, which wipes memory on shutdown.
- Use subkeys: an encryption subkey is automatically created with gpg2 --gen-key. Create an additional signing subkey.
- Generate a secure passphrase for your master key using 5-12 words. Example: “pipe after harm horse split seize radar bulb”
- Refresh your keys regularly to pick up new preferences and revocation certificates. An alternative to gpg2 --refresh-keys is parcimonie, which uses Tor and refreshes keys one at a time.
- Don't back up
- More OpenPGP Best Practices
See the slides for Neal’s full presentation.
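The subkey advice above is easier to follow with the commands in front of you, so here is an added example of the whole procedure: a certify-only primary key generated in a throwaway "master" keyring, a signing and an encryption subkey added to it, a full backup and a subkeys-only export, and finally the subkeys imported into a separate "laptop" keyring where the primary exists only as a stub. This is not code from the post or from the talk; it needs GnuPG 2.1 or newer, the identity is hypothetical, and the passphrase is left empty so it runs unattended (use a real one for a real key).

```shell
#!/bin/sh
# Offline master key with subkeys, end to end. Added example, not from the
# post or the talk; requires GnuPG 2.1+. Hypothetical identity, empty
# passphrase for unattended use only.
set -eu

UID_STR="Example User <user@example.org>"   # hypothetical identity

# gpg invocation that never opens pinentry; first argument is the GNUPGHOME.
g() {
  local home
  home="$1"; shift
  GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# Fingerprint of the (only) primary key in a keyring, from --with-colons output.
primary_fpr() {
  GNUPGHOME="$1" gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}'
}

# Summarise a secret keyring. In --with-colons output, field 15 of a sec/ssb
# record is "#" when only a stub (no secret material) is stored.
secret_key_state() {
  GNUPGHOME="$1" gpg --batch --with-colons --list-secret-keys |
    awk -F: '$1=="sec"{s=($15=="#")?"stub":"present"} $1=="ssb"&&$15!="#"{n++} END{printf "sec=%s ssb=%d\n", s, n}'
}

demo_offline_master() {
  local work master laptop fpr state
  work="$(mktemp -d)"
  master="$work/master"; laptop="$work/laptop"
  mkdir -m 700 "$master" "$laptop"

  # 1. Certify-only primary key: its only job is to certify subkeys and other keys.
  g "$master" --quick-gen-key "$UID_STR" ed25519 cert never
  fpr="$(primary_fpr "$master")"

  # 2. Day-to-day subkeys, each with an expiry that the primary can extend later.
  g "$master" --quick-add-key "$fpr" ed25519 sign 1y
  g "$master" --quick-add-key "$fpr" cv25519 encr 1y

  # 3. Full backup (this is what goes on the offline USB stick), a subkeys-only
  #    export for the laptop, and the public key to publish.
  g "$master" --export-secret-keys    "$fpr" > "$work/master-backup.gpg"
  g "$master" --export-secret-subkeys "$fpr" > "$work/subkeys.gpg"
  g "$master" --export                "$fpr" > "$work/public.gpg"

  # 4. The laptop keyring receives only the subkeys; the primary arrives as a stub.
  g "$laptop" --import "$work/subkeys.gpg"

  state="$(secret_key_state "$laptop")"

  # Stop the agents started for the throwaway homes and remove the keyrings.
  GNUPGHOME="$master" gpgconf --kill all
  GNUPGHOME="$laptop" gpgconf --kill all
  rm -rf "$work"
  printf '%s\n' "$state"   # sec=stub ssb=2
}
```

On a real setup the "master" directory lives on the offline machine and the USB backup, and only subkeys.gpg (or the subkeys moved onto a smartcard with --edit-key / keytocard) reaches the laptop; gpg -K on the laptop then shows the primary as sec# rather than sec, which is the check worth repeating after any import.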