[HowTo] use gpg2.1 with an onion service
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Sep 17 05:25:11 CEST 2015
On Fri 2015-09-11 09:25:09 -0400, Malte wrote:
> With the upgrade to GnuPG 2.1 my GPG+Tor setup broke. This was due to the fact
> that GnuPG now relies on dirmngr to handle all its networking. Which is good,
> because it separates different parts of functionality, but it also cost me
> some time to figure out.
>
> In the end, it’s very easy:
>
> 1. You create a 2-line script, which calls dirmngr with torify:
>
> user at computer:~$ cat /home/user/bin/tordirmngr.sh
> #! /bin/sh
> torify dirmngr --daemon --homedir /home/user/.gnupg
>
> 2. You write the keyserver, which preferably is an Onion Service (because then
> you can be sure that you connect to it via Tor), together with the just-created
> script into your ~/.gnupg/gpg.conf:
>
> dirmngr-program /home/user/bin/tordirmngr.sh
> keyserver hkp://euggdcsexz2dqbwb.onion
> keyserver-options no-honor-keyserver-url
>
> 2.b. For good measure I would also add:
>
> use-agent
> keyid-format 0xlong
> with-fingerprint
These are reasonable recommendations. Thanks for documenting how to use
dirmngr with Tor. (use-agent isn't necessary for gpg 2.1, but it
doesn't hurt.)
We may at some point get a --use-tor flag for dirmngr, which should
simplify things further.
> Please be aware that, while this adds a lot of anonymity and confidentiality
> to your GPG usage, if you were to refresh your whole keyring at once, the
> operator of the keyserver might very well figure out who you are.
And if you don't use a .onion address, the exit node operator and anyone
on the network path between the exit node and the keyserver could figure
it out as well.
> And please be further aware that most Linux distributions still ship GnuPG 1
> and 2 in parallel, so make sure you invoke it with gpg2 (e.g. gpg2 --search
> glutenfree at vemail.nerd).
Right, though the plan within Debian at least is to change that and ship
2.1 as /usr/bin/gpg, hopefully before we release stretch.
All the best,
--dkg
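As an added sanity check (example code, not from either poster), the following POSIX sh function reads a gpg.conf of the kind quoted above and confirms the three things that make the setup Tor-only: an onion keyserver, a dirmngr-program wrapper that calls torify, and no-honor-keyserver-url. The clearnet hostname keys.example.invalid and the temporary files are constructed for the demo.

```shell
#!/bin/sh
# Added check (not from the original post): does this gpg.conf route
# keyserver traffic through Tor the way the quoted setup intends?
# check_gpg_tor_conf CONF -> prints findings; returns 0 only if all pass.
check_gpg_tor_conf() {
    conf="$1"; rc=0
    # keyserver must be an onion service: with a clearnet keyserver the
    # exit node and the path to the keyserver can see the lookup
    ks=$(sed -n 's/^[[:space:]]*keyserver[[:space:]]\{1,\}//p' "$conf" | tail -n 1)
    case "$ks" in
        hkp://*.onion|hkps://*.onion|http://*.onion)
            echo "ok: keyserver $ks is an onion service" ;;
        "") echo "fail: no keyserver set in $conf"; rc=1 ;;
        *)  echo "fail: keyserver $ks is not an onion service"; rc=1 ;;
    esac
    # dirmngr-program must be an existing executable wrapper that calls torify
    prog=$(sed -n 's/^[[:space:]]*dirmngr-program[[:space:]]\{1,\}//p' "$conf" | tail -n 1)
    if [ -z "$prog" ]; then
        echo "fail: no dirmngr-program, dirmngr would start without torify"; rc=1
    elif [ ! -x "$prog" ]; then
        echo "fail: dirmngr-program $prog is missing or not executable"; rc=1
    elif ! grep -q torify "$prog"; then
        echo "fail: $prog does not call torify"; rc=1
    else
        echo "ok: dirmngr-program $prog wraps dirmngr with torify"
    fi
    # without no-honor-keyserver-url a refresh may follow a key's preferred
    # keyserver URL instead of the configured onion keyserver
    if grep -q '^[[:space:]]*keyserver-options.*no-honor-keyserver-url' "$conf"; then
        echo "ok: no-honor-keyserver-url is set"
    else
        echo "fail: no-honor-keyserver-url is missing"; rc=1
    fi
    return $rc
}

# demo_check KEYSERVER_URL: writes a constructed wrapper script and gpg.conf
# mirroring the post into a temp dir, runs the check, and returns its result.
demo_check() {
    d=$(mktemp -d) || return 2
    printf '#! /bin/sh\ntorify dirmngr --daemon --homedir %s\n' "$d" > "$d/tordirmngr.sh"
    chmod +x "$d/tordirmngr.sh"
    printf 'dirmngr-program %s/tordirmngr.sh\nkeyserver %s\nkeyserver-options no-honor-keyserver-url\n' \
        "$d" "$1" > "$d/gpg.conf"
    check_gpg_tor_conf "$d/gpg.conf" && rc=0 || rc=1
    rm -rf "$d"
    return $rc
}

demo_check hkp://euggdcsexz2dqbwb.onion && echo "onion config accepted"
demo_check hkp://keys.example.invalid || echo "clearnet config rejected (constructed hostname)"
```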