[gardenbreak] 1: Put a face on

March 7, 2016

Hash: SHA256

Sitting here with my carefully written triplicate hardcopies, 
I feel more than a bit better. I back-of-envelope calculated 
the bits of entropy in my old shallows-of-imagination 
passphrase, and it came out to somewhere between 23 and 44 
bits. Ouch.

Then I try to actually make the relevant move... And find I 
can't bring myself to click the 'change passphrase' button. 
All of human psychology rebels. This is my most intimate 
connection to my computer, the secret only it and I know. The 
thing I've told to it and to no human ever. And I mean to 
wipe that away with an utterly impersonal text string? A 
machine generated nonsense? Blasphemy! I won't even remember 
it fully until I've used it for a week. I'll be tied to a 
piece of paper, constantly afraid of losing that and all my 
access with it.
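The back-of-envelope entropy estimate above, and the "machine generated nonsense" that replaces the old passphrase, as an added worked example (my code, not the post's). The attacker models and the 8-character assumption are constructed for illustration; the post's own 23–44 bit range came from the author's own passphrase, which is not reproduced here.

```python
import math
import secrets
import string

# Constructed attacker models for a human-chosen 8-character passphrase.
# Each entry is (alphabet_size, length): how many equiprobable choices the
# attacker has to try per symbol, and how many symbols. The real entropy of
# a human passphrase is the MINIMUM over the models the attacker might try.
SAMPLE_MODELS = {
    "two common dictionary words (vocab 2000)": (2000, 2),
    "eight random lowercase letters": (26, 8),
    "eight random letters and digits": (62, 8),
}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def entropy_range(models: dict) -> tuple:
    """(lowest, highest) bits across the attacker models: the honest number
    is the low end, because an attacker picks the cheapest model that fits."""
    bits = [entropy_bits(size, length) for size, length in models.values()]
    return min(bits), max(bits)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole space at a given guess rate (worst case for the attacker)."""
    return 2 ** bits / guesses_per_second


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest symbol count that reaches `target_bits` from a uniform alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_passphrase(target_bits: float, alphabet: str) -> str:
    """Machine-generated passphrase with at least `target_bits` of entropy.
    `secrets` uses the OS CSPRNG; never use `random` for this."""
    n = length_for_bits(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))


if __name__ == "__main__":
    lo, hi = entropy_range(SAMPLE_MODELS)
    print(f"human passphrase, depending on what the attacker assumes: {lo:.1f}..{hi:.1f} bits")
    # Constructed guess rate for an offline attack against a fast hash.
    print(f"low end exhausted in ~{seconds_to_exhaust(lo, 1e10):.0f} s at 1e10 guesses/s")
    print("replacement (80 bits, lowercase only):", generate_passphrase(80, string.ascii_lowercase))
```

The low end of the range is the one that matters: the attacker does not have to guess which model you used, they try the cheapest one first. Generating from an alphabet with `secrets` removes the guesswork entirely, since every symbol is genuinely uniform and the entropy is simply `length * log2(alphabet)`.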


**Plot 1: You are you.**
Not whoever you say you are, but... A crypto key. Just that. 
Not an email address, not a face, not a URL, or a username. 
Welcome to the wide wonderful world of PGP. (Not that it's 
the only horse in this race, but out of the gate it's the 
simplest way to get things working.) What you signed, you 
wrote. Everything else is questionable. Normally this alone 
is a rabbit hole of almost unbearable proportion for the 
average user. But normally people attempt software 
'integration' at a level that is frankly infeasible right 
now. I'm taking a different tack, at least temporarily.

This seems like overkill, doesn't it? We're used to taking a 
combination of acts-like-them and centralized authority to mean 
identity online. But that means doing a big old "I here am me 
there" dance for every occasion of platform drift and risking 
impersonation at most turns. AND that the only verification 
on what you post is the site authentication. Faked emails, 
faked FB posts, apps we didn't remember authorizing, ... it's 
not a small problem. Also I'm philosophically opposed to 
'acts like them' as an identity measure, since it inhibits 

**Step 1: Rabbit, meet hole.**
Build a GPG key attached to a good passphrase. If you already 
have a GPG key, any decent client should let you change the 
passphrase. If you don't... I'm sorry, this will be an 
annoying part.

Go here: https://www.gnupg.org/ 
Linux: apt-get install, yum install, or whatever your package manager does, for 'gpg'.
Windows: install gpg4win

And I'm sorry, but it's probably going to be really annoying. I 
don't have a nice answer to that. Take a deep breath and follow 
tutorials; thankfully you only need to get as far as generating
a key.

Once you have a key, upload it to keybase.io. (And at least one 
old-fashioned keyserver, but still, keybase is a good place 
to start for this.) But do everyone a MUCH bigger favor and 
**DO NOT put a private key on keybase.io**. Ever. Which also 
means not using keybase to generate the key. Yes it's a neat 
tool, and so very convenient, ... and takes your private key 
out of your hands. Your private key is your most personal 
data-possession. Don't let it out. It should only touch 
computers that are trusted to act as you, to speak as you.

So far so normal... This is the point at which most people talk 
about installing enigmail, which leads down a thunderbird 
rabbit hole, and suddenly your entire infrastructure is one 
giant headache of new problems, because you touched /mail/ 
and that always goes wrong. Besides, we want to deal easily 
with crypto on /everything/, not just mail, and preferably 
without hitting the command-line all the time. Or trusting 
keybase.io with privkeys. I use enigmail, I like it fine, but:

I was looking for a seahorse-to-gedit plugin. And apparently 
there used to be one, but... bitrot. So. Looks like for a 
text editor that handles gpg operations relatively cleanly, 
the choice atm is http://www.geany.org/ with geany-plugin-pg. 
I like it better than fighting with a command-line or trying 
to find plugins that work in Firefox for more than ten 
minutes between website updates before someone gets tired of 
trying to 'support' gmail. The plain old text input box never 
changes. I can cut-paste just fine. So an editor that can 
handle encrypt/decrypt/sign/verify is enough. Install, enable 
plugin, click Tools->GeanyPG->Sign. Yay! (Turning on 
Document->Linewrapping helps too.)
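The whole Step 1 loop, and the sign/verify that the Geany plugin does by clicking, as an added example that is not part of the original post: it drives the `gpg` command-line tool from Python in a throwaway keyring, generates a key unattended, exports the public half while refusing to hand out anything containing a private key block, clearsigns a message, and then verifies both the original and a tampered copy. The name, e-mail and message are constructed, the keyring lives in a temporary directory that is deleted afterwards, and the key is generated without a passphrase purely so the demo can run unattended (a real key gets its passphrase set interactively, e.g. with `gpg --passwd <keyid>`). It assumes GnuPG 2.x is installed.

```python
import os
import shutil
import subprocess
import tempfile

GPG_AVAILABLE = shutil.which("gpg") is not None

# Constructed identity for the throwaway key; not a real person.
NAME = "Example Signer"
EMAIL = "signer@example.invalid"

# Unattended key parameters. %no-protection means "no passphrase": fine for a
# demo keyring that is deleted seconds later, never for a key you keep.
GEN_PARAMS = f"""%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: {NAME}
Name-Email: {EMAIL}
Expire-Date: 0
%commit
"""


def gpg(home: str, *args: str, stdin: str = None) -> subprocess.CompletedProcess:
    """Run gpg against an isolated keyring. Machine-readable status lines
    ([GNUPG:] ...) are sent to stderr so stdout carries only real output."""
    cmd = ["gpg", "--batch", "--yes", "--homedir", home, "--status-fd", "2", *args]
    return subprocess.run(cmd, input=stdin, capture_output=True, text=True)


def generate_key(home: str) -> bool:
    return gpg(home, "--gen-key", stdin=GEN_PARAMS).returncode == 0


def export_public_only(home: str) -> str:
    """The only thing that should ever be uploaded anywhere: the armored public
    key. Refuse if the blob is not a public key block or mentions a private one."""
    armored = gpg(home, "--armor", "--export", EMAIL).stdout
    if not armored.startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----") or "PRIVATE KEY" in armored:
        raise ValueError("refusing to publish: not a pure public key block")
    return armored


def clearsign(home: str, text: str) -> str:
    """Clearsigned message: readable body plus a detached-style signature block."""
    return gpg(home, "--clearsign", "--local-user", EMAIL, stdin=text).stdout


def verify(home: str, signed_text: str) -> str:
    """'good', 'bad' or 'none', taken from gpg's status lines rather than from
    the human-readable messages, which change wording between versions."""
    status = gpg(home, "--verify", stdin=signed_text).stderr
    if "[GNUPG:] GOODSIG" in status:
        return "good"
    if "[GNUPG:] BADSIG" in status:
        return "bad"
    return "none"


def demo() -> dict:
    """Generate, export (public only), sign, verify, tamper, verify again."""
    home = tempfile.mkdtemp(prefix="gpg-demo-")  # created with mode 0700
    try:
        if not generate_key(home):
            raise RuntimeError("key generation failed")
        public = export_public_only(home)
        signed = clearsign(home, "I wrote this myself.\n")  # constructed message
        tampered = signed.replace("myself", "MYSELF", 1)     # edit the signed body
        return {
            "public_key_only": "PRIVATE KEY" not in public,
            "original": verify(home, signed),
            "tampered": verify(home, tampered),
        }
    finally:
        # Stop the agent gpg started for this homedir, then remove the keyring.
        subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"],
                       capture_output=True)
        shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    print(demo() if GPG_AVAILABLE else "gpg not installed")
```

Two points carry over to real use: check the exported blob before it goes anywhere (the armor header tells you at a glance whether you are about to publish the wrong half), and when verifying, read the `[GNUPG:] GOODSIG` / `BADSIG` status lines rather than grepping for "Good signature", because the prose is localized and the status protocol is not. A verifier that stops at "signature present" without distinguishing those two cases has learned nothing.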

As much as I would love everything scripted and integrated and 
pretty... This works. The requirement that every (large) 
thing I write be signed as written by me can thus be covered. 
(Although it temporarily won't be, realistically, because 
iPad and Android need covering.) Making the results of that 
non-ugly and taking care of signatures for smaller items 
(like tweets) is another problem for another day.

Version: GnuPG v2


[gardenbreak] 1: Put a face on - March 7, 2016 - Kim Reece