Add guides to signing keys and signing and encrypting messages.

Author: boite

README.md

@@ -15,6 +15,8 @@ Then there are guides for the individual operations, notably:-
 
 - [Generate a set of OpenPGP keys][genkey-with-detached-identity], including a
   detached Master Identity key.
+- [Certify the identity][sign_key] of a correspondent.
+- [Sign and encrypt a message][sign_encrypt] to a correspondent
 - Refresh the public keys of correspondents over Tor using
   [Parcimonie on Windows][parcimonie-vbguest]
 - ...
@@ -23,11 +25,6 @@ There is also a [sample configuration file for GnuPG][gpg-conf] which you may
 wish to use in place of the default configuration.
 
 
-[background]: docs/background.md
-[genkey-with-detached-identity]: docs/genkey-with-detached-identity.md
-[gpg-conf]: conf/gpg.conf
-[parcimonie-vbguest]: vm/parcimonie/
-
 ## Bibliography
 
 This guide builds on the work of many other people:-
@@ -61,3 +58,11 @@ This guide builds on the work of many other people:-
 - https://wiki.openstack.org/wiki/OpenPGP_Web_of_Trust OpenPGP Web of Trust
 - http://www.phillylinux.org/keys/terminal.html Keysigning with the GNU/Linux
   Terminal
+
+
+[background]:         docs/background.md
+[genkey-with-detached-identity]: docs/genkey-with-detached-identity.md
+[sign_key]:           docs/sign_key.md
+[sign_encrypt]:       docs/sign_encrypt.md
+[parcimonie-vbguest]: vm/parcimonie/
+[gpg-conf]:           conf/gpg.conf

docs/sign_encrypt.md

@@ -0,0 +1,53 @@
+# Sign and Encrypt a message for your correspondent
+
+This guide assumes that you're familiar with the [background][background] and
+have [generated some keys][genkey-with-detached-identity].
+
+
+## Ingredients
+
+- Insecure workstation
+- Secure workstation
+- Daily-use keyrings on the `keys` USB memory stick
+- The `unsafe` USB memory stick
+- The [signed public key of your correspondent][sign_key]
+
+
+## Method
+
+- Mount the USB memory sticks
+- Sign and encrypt your message
+
+
+### Mount the USB memory sticks
+
+On the secure workstation, [mount][mount_usb] the `keys` and `unsafe` USB
+memory sticks.
+
+
+### Sign and encrypt your message
+
+    me@box:~$ export GNUPGHOME=/media/keys
+    me@box:~$ gpg --armor --output /media/unsafe/msg_for_C097AC75C097AC75.asc --recipient 0xC097AC75C097AC75 --sign --encrypt
+
+    You need a passphrase to unlock the secret key for
+    user: "My Full Name <[email protected]>"
+    4096-bit RSA key, ID 0xFDB32668D55D0A12, created 2013-12-14
+             (subkey on main key ID 0xF1829BDBB6B64480)
+
+    Dear John,
+    By the time you read these lines I'll be gone.
+    Life goes on, right or wrong
+    Now the sun is dead and gone. Dear John.
+
+Hit `Ctrl+D` when you've finished typing your message, et voilà!
+
+Alternatively you can encrypt a file:-
+
+    me@box:~$ gpg --armor --output /media/unsafe/msg_for_C097AC75C097AC75.asc --recipient 0xC097AC75C097AC75 --sign --encrypt some_file.txt
+
+
+[background]: background.md
+[genkey-with-detached-identity]: genkey-with-detached-identity.md
+[sign_key]: sign_key.md
+[mount_usb]: mount_usb.md

docs/sign_key.md

@@ -0,0 +1,134 @@
+# Sign the key of your correspondent
+
+This guide assumes that you're familiar with the [background][background] and
+have [generated some keys][genkey-with-detached-identity].
+
+
+## Ingredients
+
+- Insecure workstation
+- Secure workstation
+- Master keyrings on the `master` USB memory stick
+- Daily-use keyrings on the `keys` USB memory stick
+- The `unsafe` USB memory stick
+
+
+## Method
+
+- Copy your correspondents public key to the `unsafe` USB memory stick
+- Mount the USB memory sticks
+- Import your correspondents key into the Master keyring
+- Verify the fingerprint with your correspondent
+- Sign your correspondents key
+- Export the signed public key certificate of your correspondent
+- Import the signed public key certificate into your daily-use keyring
+
+
+### Copy your correspondents public key to the `unsafe` USB memory stick
+
+There are numerous ways to obtain the public key (properly, the public key
+certificate).  Once you have it, copy it to the `unsafe` USB memory stick on
+your insecure workstation.  In the following example the file is named
+`C097AC75C097AC75.asc`.
+
+
+### Mount the USB memory sticks
+
+On the secure workstation, [mount][mount_usb] the `master`, `keys` and `unsafe`
+USB memory sticks.
+
+
+### Import your correspondents key into the Master keyring
+
+    me@box:~$ export GNUPGHOME=/media/master
+    me@box:~$ gpg --import /media/unsafe/C097AC75C097AC75.asc
+    gpg: key 0xC097AC75C097AC75: public key "Your Contact <[email protected]>" imported
+    gpg: Total number processed: 1
+    gpg:               imported: 1
+
+
+### Verify the fingerprint with your correspondent
+
+    me@box:~$ gpg --fingerprint -k 0xC097AC75C097AC75
+    pub   1024D/0xC097AC75C097AC75 2008-09-27 [expires: 2015-09-27]
+          Key fingerprint = B452 6436 7BCD E26B F9D3  81CB C097 AC75 C097 AC75
+    uid                 [ unknown] Your Contact <[email protected]>
+    uid                 [ unknown] Your Contact <[email protected]>
+    sub   2048g/0x0COO1A5C001CA9BE 2008-09-27 [expires: 2015-12-09]
+
+
+### Sign your correspondents key
+
+In this operation you are certifying that one or more User IDs bound to the
+public key of your correspondent truly represent their identity. You do this by
+adding a signature, made by your Master secret key, to their public key
+certificate.
+
+    me@box:~$ gpg -K
+    /media/keys/secring.gpg
+    --------------------------------
+    sec   4096R/0xF1829BDBB6B64480 2013-12-14 [expires: 2013-12-13]
+    uid                            My Full Name <[email protected]>
+    ssb   4096R/0xFDB32668D55D0A12 2013-12-14
+    ssb   4096R/0xC3897294DD857167 2013-12-14
+
+    me@box:~$ gpg --local-user 0xF1829BDBB6B64480! --sign-key 0xC097AC75C097AC75
+
+    pub   1024D/0xC097AC75C097AC75  created:2008-09-27  expires: 2015-09-27 usage: SC
+                                    trust: unknown      validity: unknown
+    sub   2048g/0x0COO1A5C001CA9BE  created:2008-09-27  expires: 2015-12-09 usage: E
+    [ unknown] (1). Your Contact <[email protected]>
+    [ unknown] (2)  Your Contact <[email protected]>
+
+    Really sign all user IDs? (y/N) y
+
+    pub   1024D/0xC097AC75C097AC75  created:2008-09-27  expires: 2015-09-27  usage: SC
+                                    trust: unknown      validity: unknown
+     Primary key fingerprint: B452 6436 7BCD E26B F9D3  81CB C097 AC75 C097 AC75
+
+         Your Contact <[email protected]>
+         Your Contact <[email protected]>
+
+    This key is due to expire on 2015-09-27.
+    Are your sure that you want to sign this key with your
+    key "My Full Name <[email protected]>" (0xF1829BDBB6B64480)
+
+    Really sign? (y/N) y
+
+    You need a passphrase to unlock the secret key for
+    user: "My Full Name <[email protected]>"
+    4096-bit RSA key, ID 0xF1829BDBB6B64480, created 2013-12-14
+
+    me@box:~$
+
+
+### Export the signed public key certificate of your correspondent
+
+You will want to make the signed key available to your daily-use keyring so
+that it can be used to encrypt messages to your correspondent.  You will also
+want to make it available on the insecure workstation so that you are able to
+publish the updated certificate.
+
+    me@box:~$ gpg --armor --output /media/unsafe/C097AC75C097AC75_signed_by_F1829BDBB6B64480.asc --export 0xC097AC75C097AC75
+    me@box:~$ sudo umount /media/master
+
+
+### Import the signed public key certificate into your daily-use keyring
+
+    me@box:~$ export GNUPGHOME=/media/keys
+    me@box:~$ gpg --import /media/unsafe/C097AC75C097AC75_signed_by_F1829BDBB6B64480.asc
+    gpg: key 0xC097AC75C097AC75: public key "Your Contact <[email protected]>" imported
+    gpg: Total number processed: 1
+    gpg:               imported: 1
+    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
+    gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
+    gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
+    gpg: next trustdb check due at 2015-09-27
+
+You're now ready to [encrypt messages for your correspondent][sign_encrypt].
+
+
+[background]: background.md
+[genkey-with-detached-identity]: genkey-with-detached-identity.md
+[mount_usb]: mount_usb.md
+[sign_encrypt]: sign_encrypt.md