User Tools

Site Tools


GPG modern (2.1) with Elliptic curves

Being an elliptic curves fan for whatever reason (NSA-aware, early adopter, bored geek,…) you are forced to compile GnuPG for yourself or use Debian experimental.

Before doing anything be sure to read carefully and fully understand this article You've been warned!

Oficial variant

Recommended way described in GnuPG wiki is much simpler than the following guide which uses debian experimental in schroot.
sudo make -f build-aux/ native INSTALL_PREFIX="/usr/local"

actually works well.

Debian experimental schroot variant

Use if oficial variant is not functional.

Create chroot environment (Debian Jessie)

start sudo from your regular user (this is important step to have SUDO_USER environment variable set)

First we create an directory and prepare environment:
export MY_CHROOT=/data/virtuals/schroot-deb-experimental
sudo -E su 
echo -e "My Chroot:\t$MY_CHROOT\nWhoAmI:\t\t$(whoami)\nSUDO_USER:\t$SUDO_USER"
mkdir -p $MY_CHROOT
Install software needed to create an schroot environment:
aptitude install schroot debootstrap
Configure chroot:
cat <<EOF >>/etc/schroot/schroot.conf
description=Debian experimental
Now we will create and modify the content of the chroot:
debootstrap jessie $MY_CHROOT
echo "proc $MY_CHROOT/proc proc defaults 0 0" >> /etc/fstab
mount proc $MY_CHROOT/proc -t proc
echo "sysfs $MY_CHROOT/sys sysfs defaults 0 0" >> /etc/fstab
mount sysfs $MY_CHROOT/sys -t sysfs
echo "/home/$SUDO_USER/.gnupg/ $MY_CHROOT/home/$SUDO_USER/.gnupg/ none bind 0 0" >> /etc/fstab
mount "$MY_CHROOT/home/$SUDO_USER/.gnupg/"
cp /etc/hosts $MY_CHROOT/etc/hosts
cp /proc/mounts $MY_CHROOT/etc/mtab
grep $SUDO_USER /etc/passwd >> $MY_CHROOT/etc/passwd
egrep ^$SUDO_USER /etc/group >> $MY_CHROOT/etc/group
mkdir -p $MY_CHROOT/home/$SUDO_USER

add experimental repository

Debian experimental is not an distro variant, its just a bunch of packages in the repo.

we are entering newly created chroot environment
chroot $MY_CHROOT /bin/bash
now we will upgrade jessie to experimental branch\\ as a ROOT INSIDE chroot apt-get update echo 'deb experimental main'
apt-get update
apt-cache policy gnupg2
apt-get -t experimental install gnupg2
apt-get install bash-completion

Make keyring backup

BACKUP="/home/$SUDO_USER/.gnupg-$(date +%F).backup.tbz"
tar cjvf $BACKUP /home/$SUDO_USER/.gnupg/
chmod 400 $BACKUP
### TRIPLECHECK YOUR HAVE AN BACKUP !!! (there are big changes in gpg 2.1 and might need to reimport some keys or downgrade)
verify chrooted env works
schroot -p -c chroot:experimental -- gpg2 --version
gpg (GnuPG) 2.1.1
libgcrypt 1.6.2

sChroot shell access

schroot -p -c chroot:experimental  ... gives you an full shell access

Make chrooted binaries executable from non-schroot environment

sudo -E su
now we symlink to universal script /usr/local/bin/ that runs symlink basename in chroot:
root@DebExp@azur:/usr/bin$ for file in $(dpkg -L gnupg2 gnupg-agent dirmngr|grep bin); do [ -f $file ] && echo "mv $file $file.ORIG ;ln -s /usr/local/bin/ $file";done
mv /usr/sbin/applygnupgdefaults /usr/sbin/applygnupgdefaults.ORIG ;ln -s /usr/local/bin/ /usr/sbin/applygnupgdefaults
mv /usr/sbin/addgnupghome /usr/sbin/addgnupghome.ORIG ;ln -s /usr/local/bin/ /usr/sbin/addgnupghome
mv /usr/bin/gpg2 /usr/bin/gpg2.ORIG ;ln -s /usr/local/bin/ /usr/bin/gpg2
mv /usr/bin/gpgconf /usr/bin/gpgconf.ORIG ;ln -s /usr/local/bin/ /usr/bin/gpgconf
mv /usr/bin/gpgparsemail /usr/bin/gpgparsemail.ORIG ;ln -s /usr/local/bin/ /usr/bin/gpgparsemail
mv /usr/bin/kbxutil /usr/bin/kbxutil.ORIG ;ln -s /usr/local/bin/ /usr/bin/kbxutil
mv /usr/bin/watchgnupg /usr/bin/watchgnupg.ORIG ;ln -s /usr/local/bin/ /usr/bin/watchgnupg
mv /usr/bin/gpg-agent /usr/bin/gpg-agent.ORIG ;ln -s /usr/local/bin/ /usr/bin/gpg-agent
mv /usr/bin/gpg-connect-agent /usr/bin/gpg-connect-agent.ORIG ;ln -s /usr/local/bin/ /usr/bin/gpg-connect-agent
mv /usr/bin/gpgkey2ssh /usr/bin/gpgkey2ssh.ORIG ;ln -s /usr/local/bin/ /usr/bin/gpgkey2ssh
mv /usr/bin/symcryptrun /usr/bin/symcryptrun.ORIG ;ln -s /usr/local/bin/ /usr/bin/symcryptrun
mv /usr/bin/dirmngr /usr/bin/dirmngr.ORIG ;ln -s /usr/local/bin/ /usr/bin/dirmngr
mv /usr/bin/dirmngr-client /usr/bin/dirmngr-client.ORIG ;ln -s /usr/local/bin/ /usr/bin/dirmngr-client
cat /usr/local/bin/ 
# schroot -p -c chroot:experimental -- gpg2 "$@"
export LD_LIBRARY_PATH="${CHROOT_PREFIX}/lib/x86_64-linux-gnu:${CHROOT_PREFIX}/usr/lib/x86_64-linux-gnu:${LD_LIBRARY_PATH}"
${CHROOT_PREFIX}/usr/bin/$(basename $0) "$@"

in case you went into trouble with your keydb (like “invalid packet”/“key not found” errors) fix it by reimporting your keys from backup: ! notice that export is using gpg1 with homedir where backup is, while import is made by gpg2.1

gpg --homedir /home/ruza/.gnupg-BACKUP/ --output F7EEAF5998070C1D_pub.gpg --armor --export-secret-key 0xF7EEAF5998FFFC1D 
gpg --homedir /home/ruza/.gnupg-BACKUP/ --output F7EEAF5998070C1D_pub.gpg --armor --export 0xF7EEAF5998FFFC1D
gpg-chrooted --import F7EEAF5998FFFC1D_pub.gpg 
gpg-chrooted --allow-secret-key-import --import  F7EEAF5998FFFC1D_priv.gpg 

Other software integrationn

finally configure all your software to use /usr/bin/gpg2 (/usr/bin/gpg is default). no longer need to start gpg-agent. it is started automagically (… did you've read that “What's new in 2.1” article?)


path to gpg is configurable in enigmail .. verify in enigmail Console


path to gpg in gajim seems to be hardcoded .. do cd /usr/bin/ && mv gpg gpg.ORIG && ln -s /usr/bin/gpg2 gpg

Using ECC in GPG2.1+

  • ECC are available in expert mode only. Beware, parameter order is important.
gpg2 --expert --edit-key 0xKEYID
  • it is not possible at this time create Curve 25519 key for encryption purposes (“unknown eliptic curve” error)
    gpg> addkey 
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
Your selection? 12
Please select which elliptic curve you want:
   (1) Curve 25519
   (2) NIST P-256
   (3) NIST P-384
   (4) NIST P-521
   (5) Brainpool P-256
   (6) Brainpool P-384
   (7) Brainpool P-512
Your selection? 1
gpg: WARNING: Curve25519 is not yet part of the OpenPGP standard.
Use this curve anyway? (y/N) y
Key is valid for? (0) 3y
Key expires at Tue 09 Jan 2018 08:31:25 AM CET
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: agent_genkey failed: Unknown elliptic curve
gpg: Key generation failed: Unknown elliptic curve
user/ruza/gpg2-modern.txt · Last modified: 2015/01/10 09:36 by ruza