Almost 9 months ago I wrote an article
about Alpine
and GnuPG. That article covers the basics of
integrating Topal
and Alpine; I'd like to add more notes and talk about some
usage scenarios. But first I should mention that if you are
an Arch Linux user
the topal
package is now available in the AUR. I'm the
maintainer and I would appreciate any feedback; so far it has only one
vote and I expect more.
I remember trying to switch to GPG2 back when I was still using
the PinePG filter and it was not as easy as I had hoped.
Official support was not there, and I'm sorry I failed to mention
in my last article that Topal works fine with gpg2. You can set
"gpg-binary=gpg2" in your ~/.topal/config file to
switch. Note that the old gpg option
"--no-use-agent/--use-agent" makes no difference: gpg2 always
requires the agent. What this means for you is that gpg2 will try to
start the PIN entry dialog every time it needs the passphrase (even
when you don't use the agent normally), so if you don't
run X11 set "pinentry-program"
to /usr/bin/pinentry-curses in
your ~/.gnupg/gpg-agent.conf file. If you would like to start
using the GnuPG Agent instruct Topal to always connect to it with
"use-agent=3", and read my article on
the GnuPG
Passphrase Agent.
Do you remember the big SHA1 scare last year? Many people
generated new keys, and many more dumped SHA1 for good. My article on
GnuPG
basics also covered personal cipher options, and forcing stronger
digests. However, Topal's "gpg-options" setting by default
uses --no-options, which instructs gpg2 not to read
your ~/.gnupg/gpg.conf file, so signing falls back to SHA1.
You should remove it in order to use your personal digest and
cipher algorithms, and it's also useful because of other options
(like auto-key-retrieve, if you want to fetch missing
keys). You will find my own GnuPG configuration files in
my dotfiles
repository.
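As an added example (not from the original post and not part of Topal), the following POSIX shell script audits the three settings discussed above: use-agent when gpg-binary is gpg2, a console pinentry when there is no X11 session, and --no-options in gpg-options. It assumes ~/.topal/config uses plain key=value lines, as the gpg-binary=gpg2 and use-agent=3 settings quoted above show, and that gpg-agent.conf uses the usual "key value" lines. File paths are parameters, and the script ends by running the audit against constructed sample files, so it can be tried offline.

```shell
#!/bin/sh
# Added example, not from the original post or from Topal: a read-only audit
# of the three settings discussed above. Assumptions: ~/.topal/config uses
# "key=value" lines (as gpg-binary=gpg2 and use-agent=3 above show) and
# gpg-agent.conf uses "key value" lines (standard GnuPG format).

# Last "key=value" setting in a Topal config (empty if unset or no file).
topal_setting() {  # $1 = file, $2 = key
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Last "key value" setting in a gpg-agent.conf (empty if unset or no file).
agent_setting() {  # $1 = file, $2 = key
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | tail -n 1
}

# Print one finding per line and return the number of findings (0 = clean).
# $1 = Topal config, $2 = gpg-agent.conf, $3 = "x11" or "console"
topal_audit() {
    _topal=$1 _agent=$2 _session=$3 _n=0
    # 1. gpg2 always goes through the agent, so with gpg-binary=gpg2 Topal
    #    should be told to connect to it (use-agent=3).
    if [ "$(topal_setting "$_topal" gpg-binary)" = gpg2 ] &&
       [ "$(topal_setting "$_topal" use-agent)" != 3 ]; then
        echo "use-agent is not 3 although gpg-binary is gpg2"
        _n=$((_n + 1))
    fi
    # 2. Without X11 the default pinentry cannot open its dialog, so a
    #    curses or tty pinentry must be configured for the agent.
    if [ "$_session" = console ]; then
        case "$(agent_setting "$_agent" pinentry-program)" in
            *curses*|*tty*) ;;
            *) echo "no console pinentry-program in gpg-agent.conf"
               _n=$((_n + 1)) ;;
        esac
    fi
    # 3. --no-options makes gpg skip ~/.gnupg/gpg.conf, so personal digest
    #    and cipher preferences (and auto-key-retrieve) are never seen.
    case "$(topal_setting "$_topal" gpg-options)" in
        *--no-options*)
            echo "gpg-options contains --no-options: gpg.conf is ignored"
            _n=$((_n + 1)) ;;
    esac
    return "$_n"
}

# Constructed sample files for a stand-alone run (not real user configs):
# gpg2 selected, the agent not used, the default --no-options still present,
# and an empty gpg-agent.conf.
DEMO=$(mktemp -d)
cat > "$DEMO/topal.config" <<'EOF'
gpg-binary=gpg2
use-agent=0
gpg-options=--no-options --batch
EOF
: > "$DEMO/gpg-agent.conf"
topal_audit "$DEMO/topal.config" "$DEMO/gpg-agent.conf" console
echo "findings: $?"
```

Run it with the real paths (~/.topal/config and ~/.gnupg/gpg-agent.conf) and "console" or "x11" depending on where Alpine runs; an exit status of 0 means none of the three problems described above is present.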
In the past year I wrote
several articles
on GnuPG and they bring a lot of visitors here. Some recurring
Google searches are (more or less) "sharing private keys" and
"splitting gpg keys". There's already a very popular
(although outdated) article
on the subject, so head on over there. But if you are an Alpine
user, read on. The general scenario is this: you read your mail on a remote
server, which you can't trust as much as your workstation (or
removable storage). Reading mail on one host, verifying it and sending
from another, maintaining multiple key-rings, or even placing the
primary key on both machines... is tedious and risky. Using subkeys as
explained in that article is one way of solving the problem, but with
Topal you don't need to, because of its remote and server modes of
operation.
Each time Topal is invoked you can select the remote
mode of operation. In remote mode Topal will connect to your trusted
machine with SSH, transfer any files necessary
with SCP and then perform the wanted GnuPG action. To
make use of the remote mode, the secure machine needs the SSH
daemon running and Topal started in server mode ($ topal
-server). To make the whole procedure as transparent as possible
you can
employ SSH
public key authentication.
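As an added example (not from the original post and not part of Topal), here is a shell helper for the trusted machine's side of that setup. The mail host ends up holding an SSH key that logs into the trusted machine, so the helper turns the mail host's public key into an authorized_keys line restricted with standard sshd options (from= so the key is accepted only from the mail host, and no port, X11 or agent forwarding), and a second function checks that an existing line carries those restrictions. The host name and public key in the block are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or from Topal. In remote mode the
# untrusted mail host holds an SSH key that can log into the trusted machine,
# so the trusted machine's ~/.ssh/authorized_keys should accept that key only
# from the mail host and without any forwarding. The options used are
# standard sshd authorized_keys options. Assumption: the mail host is
# reachable under a fixed name or address that sshd can match in from=.

# Build a restricted authorized_keys line for one public key.
# $1 = allowed client (host pattern or address), $2 = public key line
restricted_authorized_key() {
    # Keep only the key type and key material; the comment is replaced.
    _key=$(printf '%s\n' "$2" | awk '{print $1, $2}')
    printf 'from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s topal-remote\n' \
        "$1" "$_key"
}

# Return 0 if an authorized_keys line carries the restrictions above.
is_restricted() {
    case "$1" in
        from=\"*\"*no-port-forwarding*no-X11-forwarding*no-agent-forwarding*) return 0 ;;
    esac
    return 1
}

# Constructed placeholder public key (not a real key); on a real system this
# is the public half of the key the mail host's SSH client presents.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERNOTAREALKEY0000000000 topal@mailhost'
restricted_authorized_key "mail.example.net" "$SAMPLE_PUBKEY"
```

Append the printed line to ~/.ssh/authorized_keys on the trusted machine. sshd matches a from= host pattern against the client's address and its reverse-DNS name, so an IP address or network pattern is the more robust choice when the mail host's reverse DNS is not under your control.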