[HowTo] use gpg2.1 with an onion service

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Sep 17 05:25:11 CEST 2015


On Fri 2015-09-11 09:25:09 -0400, Malte wrote:

> With the upgrade to GnuPG 2.1 my GPG+Tor setup broke. This was due to the fact 
> that GnuPG now relies on dirmngr to handle all its networking. Which is good, 
> because it separates different parts of functionality, but it also cost me 
> some time to figure out.
>
> In the end, it’s very easy:
>
> 1. You create a 2 line script, which calls dirmngr with torify:
>
> user at computer:~$ cat /home/user/bin/tordirmngr.sh 
> #! /bin/sh
> torify dirmngr --daemon --homedir /home/user/.gnupg
>
> 2. You write the keyserver, which preferably is an Onion Service, because as 
> such you can be sure that you connect to it via Tor, with the just created 
> script into your ~/.gnupg/gpg.conf:
>
> dirmngr-program /home/user/bin/tordirmngr.sh
> keyserver hkp://euggdcsexz2dqbwb.onion
> keyserver-options no-honor-keyserver-url
>
> 2.b. For good measure I would also add:
>
> use-agent
> keyid-format 0xlong
> with-fingerprint

These are reasonable recommendations.  thanks for documenting how to use
dirmngr with tor.  (use-agent isn't necessary for gpg 2.1, but it
doesn't hurt)

We may at some point get a --use-tor flag for dirmngr, which should
simplify things further.

> Please be aware that, while this adds a lot of anonymity and confidentiality 
> to you GPG usage, if you were to refresh your whole keyring at once, the 
> operator of the keyserver might very well figure out who you are.

and if you don't use a .onion address, the exit node operator and anyone
on the network path between the exit node and the keyserver could be
able to figure it out as well.

> And please be further aware that most Linux distribution still ship GnuPG 1 
> and 2 in parallel, so make sure you invoke it with gpg2 (e.g. gpg2 --search 
> glutenfree at vemail.nerd).

Right, though the plan within debian at least is to change that and ship
2.1 as /usr/bin/gpg, hopefully before we release stretch.

All the best,

    --dkg



More information about the Gnupg-users mailing list