19.02.2010 05:21

Notes on Alpine and Topal

Almost 9 months ago I wrote an article about Alpine and GnuPG. That article covered the basics of integrating Topal with Alpine; here I'd like to add more notes and talk about some usage scenarios. But first I should mention that if you are an Arch Linux user, the topal package is now available in the AUR. I'm the maintainer and I would appreciate any feedback; so far it has only one vote, and I expect more.

I remember trying to switch to GPG2 back when I was still using the PinePG filter, and it was not as easy as I had hoped. Official support was not there, and I'm sorry I failed to mention in my last article that Topal works fine with gpg2. You can set "gpg-binary=gpg2" in your ~/.topal/config file to switch. Note that the old gpg options "--no-use-agent/--use-agent" make no difference: gpg2 always requires the agent. What this means for you is that gpg2 will try to start the PIN entry dialog every time it needs the passphrase (even when you don't normally use the agent), so if you don't run X11, set "pinentry-program" to /usr/bin/pinentry-curses in your ~/.gnupg/gpg-agent.conf file. If you would like to start using the GnuPG Agent, instruct Topal to always connect to it with "use-agent=3", and read my article on the GnuPG Passphrase Agent.

Do you remember the big SHA1 scare last year? Many people generated new keys, and many more dumped SHA1 for good. My article on GnuPG basics also covered personal cipher options and forcing stronger digests. However, Topal's "gpg-options" setting uses --no-options by default, which instructs gpg2 not to read your ~/.gnupg/gpg.conf file, so signing falls back to SHA1. You should remove it in order to use your personal digest and cipher algorithms; this also lets the other options in gpg.conf take effect (like auto-key-retrieve, if you want to fetch missing keys). You will find my own GnuPG configuration files in my dotfiles repository.
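The two paragraphs above boil down to three settings that are easy to get wrong. The following audit script is an added example (not part of Topal or of the original post) that checks them; it assumes ~/.topal/config is a plain key=value file, as the "gpg-binary=gpg2" example implies, and that gpg-agent.conf uses the usual "option value" lines.

```sh
#!/bin/sh
# Added example: audit a Topal config and a gpg-agent.conf for the settings
# discussed in the post. Assumes Topal's config is "key=value", one per line.

# topal_get FILE KEY -> value of KEY (last occurrence), empty if unset
topal_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_topal_config FILE -> one finding per line (prints nothing if all is well)
audit_topal_config() {
    binary=$(topal_get "$1" gpg-binary)
    options=$(topal_get "$1" gpg-options)
    agent=$(topal_get "$1" use-agent)

    # --no-options makes gpg skip ~/.gnupg/gpg.conf, so digest and cipher
    # preferences set there are ignored and signing falls back to SHA1
    case "$options" in
        *--no-options*)
            echo "WARN gpg-options has --no-options: gpg.conf ignored, SHA1 signatures" ;;
    esac
    # gpg2 always talks to gpg-agent; use-agent=3 tells Topal to always connect to it
    if [ "$binary" = "gpg2" ] && [ "$agent" != "3" ]; then
        echo "NOTE gpg-binary=gpg2 but use-agent is '${agent:-unset}', expected 3"
    fi
}

# audit_agent_conf FILE DISPLAY -> warns when there is no X11 display and
# gpg-agent.conf sets no pinentry-program, so gpg2 cannot prompt for a passphrase
audit_agent_conf() {
    if [ -z "$2" ] && ! grep -q '^[[:space:]]*pinentry-program[[:space:]]' "$1"; then
        echo "WARN no X11 and no pinentry-program: set /usr/bin/pinentry-curses"
    fi
}

# Constructed sample files mirroring the defaults the post warns about
demo_topal=$(mktemp); demo_agent=$(mktemp)
printf 'gpg-binary=gpg2\ngpg-options=--no-options\n' > "$demo_topal"
: > "$demo_agent"
audit_topal_config "$demo_topal"
audit_agent_conf "$demo_agent" "${DISPLAY-}"
rm -f "$demo_topal" "$demo_agent"
```

Run it against your real files with `audit_topal_config ~/.topal/config` and `audit_agent_conf ~/.gnupg/gpg-agent.conf "$DISPLAY"`; an empty result means the three settings match the post's recommendations.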

In the past year I wrote several articles on GnuPG, and they bring a lot of visitors here. Some recurring Google searches are (more or less) "sharing private keys" and "splitting gpg keys". There's already a very popular (although outdated) article on the subject, so head over there. But if you are an Alpine user, read on. The general scenario is this: you read your mail on a remote server, which you can't trust as much as your workstation (or removable storage). Reading mail on one host while verifying it and sending from another, maintaining multiple keyrings, or even placing the primary key on both machines... is tedious and risky. Using subkeys as explained in that article is one way of solving the problem, but with Topal you don't need to, thanks to its remote and server modes of operation.

Each time Topal is invoked you can select the remote mode of operation. In remote mode Topal will connect to your trusted machine over SSH, transfer any necessary files with SCP, and then perform the requested GnuPG action there. To make use of the remote mode, the secure machine needs the SSH daemon running and Topal started in server mode ($ topal -server). To make the whole procedure as transparent as possible, you can employ SSH public key authentication.


Written by anrxc | Filed under crypto, desktop, work