Lord Frith

FRIÞ fryþ, es; m. n. Peace, freedom from molestation, security guaranteed by law to those under special protection
(Bosworth-Toller Anglo-Saxon dictionary)

'All the world will be your enemy, prince with a thousand enemies. And whenever they catch you, they will kill you. But first, they must catch you, digger, listener, runner, Prince with a swift warning. Be cunning, and full of tricks, and your people will never be destroyed.'
(Lord Frith)

Frith

Frith is an EXPERIMENTAL offline utility to simplify OpenPGP public key creation and management.

Frith is designed so that your master OpenPGP key is never stored on your everyday computer(s), but kept on a (mostly) offline bootable flash drive that only needs to be brought online to certify other users’ keys. To this end, frith strongly recommends the use of Tails, a bootable flash drive OS with an (optional) encrypted storage partition. While the anonymisation features of Tails are not strictly required, the Tor layer acts as a firewall for those occasions when frith must be brought online.

Requirements

Beware that some bulkier USB drives can obstruct adjacent USB ports, preventing a second drive from being connected. It is recommended to use slimline models (such as the one mentioned above) to minimize frustration.

Alternatives to OpenPGP smartcards and Yubikeys exist (see the Debian smartcard support page for a partial list). It is possible to use these with frith, but they may not be as thoroughly tested. If you want to use such a device, check first that it supports 4096-bit RSA keys. Many only support 2048-bit — these may work with frith, but not with its default settings.

Note that frith will never generate a key on the card itself, but will always generate on the computer and then copy to the card. This is so that you can keep a backup of your key material, but it also protects against poorly-implemented hardware random number generators.

Some devices (smartphones, tablets…) may not be compatible with OpenPGP smartcards — in such cases you will need to save your subkeys to a third removable drive for transfer to the device by other means. This is not as secure as using a smartcard, and should only be done when absolutely necessary.

Getting started

Installing frith

WARNING: This will overwrite any persistent configuration you have already set up, so should only be done on a fresh Tails install. We strongly recommended that a Tails drive with frith installed is NOT used for any other purpose, as frith is not supported by the Tails team and may have unexpected side effects.

  1. Install Tails on the first 8GB flash drive by following their instructions
  2. Boot into the first drive
  3. When the greeter appears, click the “+” for more options
  4. Set a temporary administration password and continue to boot into Tails
  5. Run Applications ▸ Tails ▸ Configure persistent volume. Choose the defaults at each stage, but do not restart yet.
  6. Open a terminal and cut and paste the following into it.
wget -q https://github.com/andrewgdotcom/frith/raw/master/frith-install.sh
sha256sum frith-install.sh

This should produce the following output:

8cb88ebefcbf4cefb5ed06a072122cc68fb233b19a0db3aedb36de4090a1afcf  frith-install.sh
  1. Only if the above checks out, run the installer. You will be prompted for the temporary administration password (“sudo password”):
bash frith-install.sh
  1. Tails will automatically reboot. Continue to “First time running frith” below

First time running frith

  1. When prompted, select “Yes” for persistence and enter the passphrase
  2. Open Applications -> Favorites -> Terminal and run ‘frith’
  3. Follow the getting started procedure. This will prompt you for your personal details, create a new set of keys and perform a backup to the second Tails drive
  4. When prompted, plug in the smartcard and/or the subkey flash drive
  5. Frith will then publish your new public key
  6. You’re done!

Remember to store the second Tails disk in a secure remote location.

Usage

Once you have your smartcard populated with your subkeys, you can use it on your everyday computer. You will need to download the matching public key first, as the smartcard only contains your private keys.

On your everyday computer, insert the smartcard and run the following in a terminal:

gpg --card-edit fetch

You can then use gpg normally.

If you saved your subkeys to a flash disk, you can install them on your everyday computer and continue from there. This does not protect your subkeys from theft, but your primary key is safe, and you can revoke and replace the subkeys more easily than replacing your entire key. With GnuPG, this is done using:

gpg --import FILENAME

Where FILENAME is the name of the file that you saved. If you want to use iPGMail on iOS, you should connect your phone/tablet to iTunes to transfer the file. Do not use the Dropbox option, as this is insecure! (note: iPGMail does not yet support laptop subkeys without the primary, but with luck this will change soon)

Frith is then only required when you want to do one of the following:

In such cases you need to boot from one of the Tails drives, perform the operation, and republish any changed keys. You only need to make a fresh backup if you have created a new primary key or subkey.

Note that in order to use frith, you must enable persistence each time you boot Tails. This is a security feature! (You only need to set the temporary administration password when you are installing frith for the first time)

To use smartcard auth with putty, you must download GnuPG modern for Windows from the official GnuPG site. No other version currently has putty support.

Tested hardware

Smartcards and fobs:

Smartcard readers:

Flash drives: