Lord Frith

FRIÞ fryþ, es; m. n. Peace, freedom from molestation, security guaranteed by law to those under special protection
(Bosworth-Toller Anglo-Saxon dictionary)

'All the world will be your enemy, prince with a thousand enemies. And whenever they catch you, they will kill you. But first, they must catch you, digger, listener, runner, Prince with a swift warning. Be cunning, and full of tricks, and your people will never be destroyed.'
(Lord Frith)


Frith is an EXPERIMENTAL offline utility to simplify PGP public key creation and management. It is an attempt to implement the best possible practice as cribbed from various resources:

Frith is designed so that your master PGP key is never stored on your everyday computer(s), but kept on a (mostly) offline bootable flash drive that only needs to be brought online to certify other users' keys. To this end, frith strongly recommends the use of Tails, a bootable flash drive OS with an (optional) encrypted storage partition. While the anonymisation features of Tails are not strictly required, the Tor layer acts as a firewall for those occasions when frith must be brought online.


Beware that some bulkier USB drives can obstruct adjacent USB ports, preventing a second drive from being connected. It is recommended to use slimline models (such as the one mentioned above) to minimize frustration.

Alternatives to PGP Smartcards exist, such as the YubiKey NEO (see the Debian smartcard support page for a partial list). It is possible to use these with frith, but they may not be as thoroughly tested. If you want to use such a device, check first that it supports 4096-bit RSA keys. Many only support 2048-bit — these may work with frith, but not with its default settings. YMMV, caveat emptor, etc.

Note that frith will never generate a key on the card itself, but will always generate on the computer and then copy to the card. This is so that you can keep a backup of your key material, but it also protects against poorly-implemented hardware random number generators.

Some devices (smartphones, tablets...) may not be compatible with PGP smartcards — in such cases you will need to save your subkeys to a third removable drive for transfer to the device by other means. This is not as secure as using a smartcard, and should only be done when absolutely necessary.

Getting started

Installing frith if you (or someone you trust) already have a copy

  1. Run frith and go to "Backup and Restore" > "Install frith software on another Tails disk".
  2. It will prompt you for a disk encryption passphrase - use a very strong one.
  3. Boot into the new disk and jump straight to "First time running frith" below.

Installing frith from scratch

WARNING: This will overwrite any persistent configuration you have already set up, so should only be done on a fresh Tails install. We strongly recommended that a Tails drive with frith installed is NOT used for any other purpose, as frith is not supported by the Tails team and may have unexpected side effects.

  1. Install Tails on the first 8GB flash drive by following their instructions
  2. Boot into the first drive
  3. Configure an encrypted persistent volume as described in the Tails instructions
  4. Reboot
  5. When the greeter appears, enter the passphrase for the persistent drive, then click the "+" for more options
  6. Set a temporary administration password and continue to boot into Tails
  7. Open a terminal and cut and paste the following into it. You will be prompted for the temporary administration password

    wget -q https://github.com/andrewgdotcom/frith/raw/master/frith-install.sh
    sha256sum frith-install.sh

    This should produce the following output:

    3516fbb227b5f8f02fdf2c9a8458e56a19ca289fe7eeb3025ca66b829f0c5230  frith-install.sh
  8. Only if the above checks out, run the installer:

    sudo bash frith-install.sh
  9. Reboot and continue to "First time running frith" below

First time running frith

  1. When prompted, select "Yes" for persistence and enter the passphrase
  2. Open a terminal and run 'frith'
  3. Follow the getting started procedure. This will prompt you for your personal details, create a new set of keys and perform a backup to the second Tails drive
  4. When prompted, plug in the smartcard and/or the subkey flash drive
  5. Frith will then publish your new public key (unless you started it with the --nopublish option)
  6. You're done!

Remember to store the second Tails disk in a secure remote location.


Once you have your smartcard populated with your subkeys, you can use it on your everyday computer. You will need to download the matching public key first, as the smartcard only contains your private keys. With GnuPG, this is done by incanting the following the first time the smartcard is inserted:

gpg --card-edit fetch

You can then use gpg normally.

If you saved your subkeys to a flash disk, you can install them on your everyday computer and continue from there. This does not protect your subkeys from theft, but your primary key is safe, and you can revoke and replace the subkeys more easily than replacing your entire key. With GnuPG, this is done using:

gpg --import FILENAME

Where FILENAME is the name of the file that you saved. If you want to use iPGMail on iOS, you should connect your phone/tablet to iTunes to transfer the file. Do not use the Dropbox option, as this is insecure! (note: iPGMail does not yet support laptop subkeys without the primary, but with luck this will change soon)

Frith is then only required when you want to do one of the following:

In such cases you need to boot from one of the Tails drives, perform the operation, and republish any changed keys. You only need to make a fresh backup if you have created a new primary key or subkey.

Note that in order to use frith, you must enable persistence each time you boot Tails. This is a security feature! (You only need to set the temporary administration password when you are installing frith for the first time)

To use smartcard auth with putty, you must download GnuPG modern for Windows from the official GnuPG site. No other version currently has putty support.


Smartcard readers:

Flash drives: