Using GnuPG in the UbuntuPhone BQ E4.5 (part1: GnuPG)



  • Using GnuPG-card in the UbuntuPhone BQ E4.5:

    Create a complete Linux system into ~phablet/myRoot/ :

    phablet@ubuntu-phablet-bq:~$ mkdir myRoot 
    phablet@ubuntu-phablet-bq:~$ cd myRoot 
    phablet@ubuntu-phablet-bq:~$ sudo tar xzf ubports-touch.rootfs-xenial-armhf.tar.gz
    
    phablet@ubuntu-phablet-bq:~$ sudo chroot myRoot/
    

    Install additional packages into the Linux system:

    root@ubuntu-phablet:/# apt-get install pinentry-curses
    root@ubuntu-phablet:/# apt-get install pass
    root@ubuntu-phablet:/# apt-get install libudev-dev
    root@ubuntu-phablet:/# apt-get install gcc
    root@ubuntu-phablet:/# apt-get install libc-dev
    root@ubuntu-phablet:/# apt-get install make
    

    compile in myRoot the following pieces (in the given order):

    libgpg-error-1.33
    libassuan-2.5.1
    libksba-1.3.5
    npth-1.6
    libgcrypt-1.8.4
    gnupg-2.2.12
    

    always with ./configure && make && sudo make install; the software ends
    up below /usr/local (which is /home/phablet/myRoot/usr/local when one looks from outside the chroot'ed phone system);

    note: gpg2 is /usr/local/bin/gpg

    Now from the phone system configure:

    $ mkdir ~/.gnupg
    $ chmod 0700 ~/.gnupg
    
    $ cat .gnupg/gpg.conf
    #
    agent-program  /home/phablet/myRoot/usr/local/bin/gpg-agent
    
    $ cat .gnupg/gpg-agent.conf 
    pinentry-program /home/phablet/myRoot/usr/bin/pinentry-curses
    scdaemon-program /home/phablet/myRoot/usr/local/libexec/scdaemon
    log-file /home/phablet/gpg-agent.log
    log-file /dev/null
    debug-level guru
    max-cache-ttl 10
    

    Due to the nature of the installation in the chrooted system we
    need small wrapper scripts to set PATH, LD_LIBRARY_PATH, ... and
    other stuff;

    $ cat ~/gpg.sh
    #!/bin/sh
    LD_LIBRARY_PATH=/home/phablet/myRoot/usr/local/lib export LD_LIBRARY_PATH
    PATH=/home/phablet/myRoot/usr/local/bin:$PATH      export PATH
    GNUPGHOME=/home/phablet/.gnupg    export GNUPGHOME
    GPG_TTY=$(tty)                    export GPG_TTY
    /home/phablet/myRoot/usr/local/bin/gpg-agent    \
                --homedir /home/phablet/.gnupg      \
                --daemon                            \
                --pinentry-program /home/phablet/myRoot/usr/bin/pinentry-curses
    /home/phablet/myRoot/usr/local/bin/gpg-connect-agent /bye
    /home/phablet/myRoot/usr/local/bin/gpg $*
    

    run and create for test a keypair (later we want to use the GnuPG-card
    for this)

    $ ~/gpg.sh --full-generate-key
    gpg-agent[2973]: enabled debug flags: mpi crypto memory cache memstat hashing ipc
    gpg (GnuPG) 2.2.1; Copyright (C) 2017 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Please select what kind of key you want:
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)
    Your selection? 
    ...
    

    This starts the gpg-agent as:

    $ ps ax | grep gpg-a
     2974 ?        Ss     0:00 /home/phablet/myRoot/usr/local/bin/gpg-agent --homedir /home/phablet/.gnupg --daemon --pinentry-program /home/phablet/myRoot/usr/bin/pinentry-curses
    

    Now we can use the the pass command we installed in the chroot'es system with

    $ cat pass.sh
    #!/bin/sh
    LD_LIBRARY_PATH=/home/phablet/myRoot/usr/local/lib export LD_LIBRARY_PATH
    PATH=/home/phablet/myRoot/usr/local/bin:$PATH      export PATH
    GNUPGHOME=/home/phablet/.gnupg    export GNUPGHOME
    GPG_TTY=$(tty)                    export GPG_TTY
    unset GPG_AGENT_INFO
    /home/phablet/myRoot/usr/bin/pass $*
    

    Init the pass storage as:

    $ ./pass.sh init Matthias
    Password store initialized for Matthias
    web/bla: reencrypting to A62DCD2809AC14F6
    
    
    $ find .password-store/
    .password-store/
    .password-store/.gpg-id
    

    Insert some password for test:

    $ ./pass.sh insert -m web/bla
    Enter contents of web/bla and press Ctrl+D when finished:
    
    password-bla
    Username: guru
    
    $ ./pass.sh web/bla
    
                     ┌────────────────────────────────────────────────────────────────┐
                     │ Please enter the passphrase to unlock the OpenPGP secret key:  │
                     │ "Matthias Apitz (test) <guru@sisis.de>"                        │
                     │ 2048-bit RSA key, ID 93A6FBF52FA76DB0,                         │
                     │ created 2017-09-22 (main key ID 3FECB79DDDA409E4).             │
                     │                                                                │
                     │                                                                │
                     │ Passphrase: ***_______________________________________________ │
                     │                                                                │
                     │         <OK>                                    <Cancel>       │
                     └────────────────────────────────────────────────────────────────┘
    password-bla
    Username: guru
    

    We now can use gpg2 and pass directly in the phone to have always our secrets, PIN's etc. with us.

    I have here two screen-shots, taken of the terminal-app: In the 1st I have typed in the command ./pass.sh web/foo asking for the (cleartext) values of web/foo (which could be your bank account, login credentials or whatever you can think of). The result visible in this screen (xxx yyy) is only shown after entering the passphrase to unlock your GnuPG secret key, see screen 2. The key is 4096 bits RSA. The key store remains 10 seconds (configurable) unlocked, after which you're asked again for the passphrase.

    1st screen

    2nd screen

    Matthias



  • The problem is: The GnuPG needs a good passphrase, esp. in our case where the device could be lost or teft. Mine is ~8 words long and typing it with the OSK is rather a PITA. Better is using for this an OpenGPG Card, a CCID security USB token. This requires only a 6 digit PIN to unlock the GnuPG keys. It's installation and configuration will be described in part2.


Log in to reply
 

Looks like your connection to UBports Forum was lost, please wait while we try to reconnect.