Frith is an EXPERIMENTAL offline utility to simplify PGP public key creation and management. It is an attempt to implement the best possible practice as cribbed from various resources:
- OpenPGP Best Practices (riseup.net)
- Debian OpenPGP smartcard guide
- FSFE OpenPGP smartcard guide
- Creating the perfect GPG keypair (Alex Cabal)
- Generating More Secure GPG Keys: A Step-by-Step Guide (Mike English)
Frith is designed so that your master PGP key is never stored on your everyday computer(s), but kept on a (mostly) offline bootable flash drive that only needs to be brought online to certify other users' keys. To this end, frith strongly recommends the use of Tails, a bootable flash drive OS with an (optional) encrypted storage partition. While the anonymisation features of Tails are not strictly required, the Tor layer acts as a firewall for those occasions when frith must be brought online.
- A computer that can boot from USB and has two usable USB ports
- A fresh downloaded image of Tails OR a friend who has a copy of frith/Tails that you can borrow
- Two 8GB flash drives, such as Kingston Data Traveler SE9 (buy in bulk, they're cheap as chips)
- At least one of:
- A PGP Smartcard v2 (optionally with an external card reader if your computer(s) lack a built-in reader)
- A third removable drive (for transferring subkeys to devices that don't support smartcards)
Beware that some bulkier USB drives can obstruct adjacent USB ports, preventing a second drive from being connected. It is recommended to use slimline models (such as the one mentioned above) to minimize frustration.
Alternatives to PGP Smartcards exist, such as the YubiKey NEO (see the Debian smartcard support page for a partial list). It is possible to use these with frith, but they may not be as thoroughly tested. If you want to use such a device, check first that it supports 4096-bit RSA keys. Many only support 2048-bit — these may work with frith, but not with its default settings. YMMV, caveat emptor, etc.
Note that frith will never generate a key on the card itself, but will always generate on the computer and then copy to the card. This is so that you can keep a backup of your key material, but it also protects against poorly-implemented hardware random number generators.
Some devices (smartphones, tablets...) may not be compatible with PGP smartcards — in such cases you will need to save your subkeys to a third removable drive for transfer to the device by other means. This is not as secure as using a smartcard, and should only be done when absolutely necessary.
Installing frith if you (or someone you trust) already have a copy
- Run frith and go to "Backup and Restore" > "Install frith software on another Tails disk".
- It will prompt you for a disk encryption passphrase - use a very strong one.
- Boot into the new disk and jump straight to "First time running frith" below.
Installing frith from scratch
WARNING: This will overwrite any persistent configuration you have already set up, so should only be done on a fresh Tails install. We strongly recommended that a Tails drive with frith installed is NOT used for any other purpose, as frith is not supported by the Tails team and may have unexpected side effects.
- Install Tails on the first 8GB flash drive by following their instructions
- Boot into the first drive
- Configure an encrypted persistent volume as described in the Tails instructions
- When the greeter appears, enter the passphrase for the persistent drive, then click the "+" for more options
- Set a temporary administration password and continue to boot into Tails
- Open a terminal and cut and paste the following into it. You will be prompted for the temporary administration password
wget -q https://github.com/andrewgdotcom/frith/raw/master/frith-install.sh sha256sum frith-install.sh
This should produce the following output:
- Only if the above checks out, run the installer:
sudo bash frith-install.sh
- Reboot and continue to "First time running frith" below
First time running frith
- When prompted, select "Yes" for persistence and enter the passphrase
- Open a terminal and run 'frith'
- Follow the getting started procedure. This will prompt you for your personal details, create a new set of keys and perform a backup to the second Tails drive
- When prompted, plug in the smartcard and/or the subkey flash drive
- Frith will then publish your new public key (unless you started it with the --nopublish option)
- You're done!
Remember to store the second Tails disk in a secure remote location.
Once you have your smartcard populated with your subkeys, you can use it on your everyday computer. You will need to download the matching public key first, as the smartcard only contains your private keys. With GnuPG, this is done by incanting the following the first time the smartcard is inserted:
gpg --card-edit fetch
You can then use gpg normally.
If you saved your subkeys to a flash disk, you can install them on your everyday computer and continue from there. This does not protect your subkeys from theft, but your primary key is safe, and you can revoke and replace the subkeys more easily than replacing your entire key. With GnuPG, this is done using:
gpg --import FILENAME
Where FILENAME is the name of the file that you saved. If you want to use iPGMail on iOS, you should connect your phone/tablet to iTunes to transfer the file. Do not use the Dropbox option, as this is insecure! (note: iPGMail does not yet support laptop subkeys without the primary, but with luck this will change soon)
Frith is then only required when you want to do one of the following:
- Create, revoke, or change the expiry date of a primary key or subkey
- Add or revoke an email address or photo ID (anything requiring a fresh self-signature)
- Certify someone else's identity
In such cases you need to boot from one of the Tails drives, perform the operation, and republish any changed keys. You only need to make a fresh backup if you have created a new primary key or subkey.
Note that in order to use frith, you must enable persistence each time you boot Tails. This is a security feature! (You only need to set the temporary administration password when you are installing frith for the first time)
Recommended client software
To use smartcard auth with putty, you must download GnuPG modern for Windows from the official GnuPG site. No other version currently has putty support.
- ACS ACR38T — SIM format, portable (drivers)
- Athena ASEDrive IIIe V3CR — full-size, external (not recommended for SIM breakout cards as they can jam)
- CSL - USB smart card reader - full size, external
- Broadcom BCM5880 — full-size, internal (used in DELL laptops, amongst others)