Frith is an EXPERIMENTAL offline utility to simplify OpenPGP public key creation and management.
Frith is designed so that your master OpenPGP key is never stored on your everyday computer(s), but kept on a (mostly) offline bootable flash drive that only needs to be brought online to certify other users’ keys. To this end, frith strongly recommends the use of Tails, a bootable flash drive OS with an (optional) encrypted storage partition. While the anonymisation features of Tails are not strictly required, the Tor layer acts as a firewall for those occasions when frith must be brought online.
Beware that some bulkier USB drives can obstruct adjacent USB ports, preventing a second drive from being connected. It is recommended to use slimline models (such as the one mentioned above) to minimize frustration.
Alternatives to OpenPGP smartcards and Yubikeys exist (see the Debian smartcard support page for a partial list). It is possible to use these with frith, but they may not be as thoroughly tested. If you want to use such a device, check first that it supports 4096-bit RSA keys. Many only support 2048-bit — these may work with frith, but not with its default settings.
Note that frith will never generate a key on the card itself, but will always generate on the computer and then copy to the card. This is so that you can keep a backup of your key material, but it also protects against poorly-implemented hardware random number generators.
Some devices (smartphones, tablets…) may not be compatible with OpenPGP smartcards — in such cases you will need to save your subkeys to a third removable drive for transfer to the device by other means. This is not as secure as using a smartcard, and should only be done when absolutely necessary.
WARNING: This will overwrite any persistent configuration you have already set up, so it should only be done on a fresh Tails install. We strongly recommend that a Tails drive with frith installed is NOT used for any other purpose, as frith is not supported by the Tails team and may have unexpected side effects.
wget -q https://github.com/andrewgdotcom/frith/raw/master/frith-install.sh
sha256sum frith-install.sh
This should produce the following output:
8cb88ebefcbf4cefb5ed06a072122cc68fb233b19a0db3aedb36de4090a1afcf frith-install.sh
bash frith-install.sh
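The three steps above are easy to get wrong by running the installer before comparing the digest. The following POSIX shell script is an added example, not part of frith's own instructions: it downloads the installer, compares its SHA-256 with the digest quoted above, and only executes it when the two match. The URL and the digest are the ones given on this page; the function names and the "install" argument are this example's own conventions.

```shell
#!/bin/sh
# Added example (not frith's code): fetch frith-install.sh and run it only if
# its SHA-256 equals the digest published on this page.
set -eu

FRITH_URL="https://github.com/andrewgdotcom/frith/raw/master/frith-install.sh"
FRITH_SHA256="8cb88ebefcbf4cefb5ed06a072122cc68fb233b19a0db3aedb36de4090a1afcf"

# verify_sha256 FILE EXPECTED_HEX
# Succeeds (exit 0) when FILE's SHA-256 equals EXPECTED_HEX, case-insensitively.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# install_frith: download, verify, and only then execute the installer.
# On a mismatch the downloaded file is removed so it cannot be run by accident.
install_frith() {
    wget -q -O frith-install.sh "$FRITH_URL"
    if verify_sha256 frith-install.sh "$FRITH_SHA256"; then
        bash frith-install.sh
    else
        echo "frith-install.sh: SHA-256 mismatch, refusing to run" >&2
        rm -f frith-install.sh
        return 1
    fi
}

# The network step runs only when explicitly requested ("sh verify-and-install.sh install"),
# so the file can also be sourced just for verify_sha256.
if [ "${1:-}" = "install" ]; then
    install_frith
fi
```

If the digest published here is ever updated, change FRITH_SHA256 to the new value before running; the script refuses to execute anything whose digest differs from the one it was given.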
Remember to store the second Tails disk in a secure remote location.
Once you have your smartcard populated with your subkeys, you can use it on your everyday computer. You will need to download the matching public key first, as the smartcard only contains your private keys.
On your everyday computer, insert the smartcard and run the following in a terminal (the fetch command retrieves your public key from the URL recorded on the card):
gpg --card-edit fetch
You can then use gpg normally.
If you saved your subkeys to a flash disk, you can install them on your everyday computer and continue from there. This does not protect your subkeys from theft, but your primary key is safe, and you can revoke and replace the subkeys more easily than replacing your entire key. With GnuPG, this is done using:
gpg --import FILENAME
Where FILENAME is the name of the file that you saved. If you want to use iPGMail on iOS, you should connect your phone/tablet to iTunes to transfer the file. Do not use the Dropbox option, as this is insecure! (Note: iPGMail does not yet support laptop subkeys without the primary, but with luck this will change soon.)
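Whether the subkeys arrive via the smartcard fetch above or via gpg --import from a flash disk, the property worth checking on the everyday computer is the same: the secret keyring holds only a stub of the primary key, never the primary itself. The script below is an added example, not part of frith, that checks this on the output of "gpg -K --with-colons". It relies on GnuPG's documented colon format, where field 15 of a sec/ssb record is "#" for a stub, the token serial number for a key that lives on a smartcard, and empty for a secret key held locally. The two sample listings, the key IDs and the card serial number in them are constructed for the example.

```shell
#!/bin/sh
# Added example (not frith's code): confirm that the everyday computer's secret
# keyring contains only a stub of the primary key, and report where each subkey
# lives. Input is "gpg -K --with-colons" output (field 15: "#" = stub,
# serial number = on smartcard, empty = secret key stored locally).
set -eu

# primary_is_stub: read a colon listing on stdin; succeed only if at least one
# sec record exists and every sec record is a stub.
primary_is_stub() {
    awk -F: '
        $1 == "sec" { n++; if ($15 != "#") bad++ }
        END { if (n > 0 && bad == 0) exit 0; exit 1 }'
}

# subkey_locations: print "keyid capabilities location" for every ssb record.
subkey_locations() {
    awk -F: '$1 == "ssb" {
        if ($15 == "#") loc = "stub"
        else if ($15 == "") loc = "local"
        else loc = "card:" $15
        print $5, $12, loc
    }'
}

# check_keyring: human-readable report on a listing read from stdin;
# exit status 0 only when the primary key is a stub.
check_keyring() {
    listing=$(cat)
    if printf '%s\n' "$listing" | primary_is_stub; then
        echo "OK: primary secret key is a stub (kept offline)"
        printf '%s\n' "$listing" | subkey_locations
        return 0
    fi
    echo "WARNING: a primary secret key is present on this machine" >&2
    return 1
}

# Constructed sample: primary is a stub, the three subkeys sit on a smartcard.
# Key IDs, fingerprints and the card serial number are made-up values.
SAMPLE_CARD='sec:u:4096:1:0123456789ABCDEF:1500000000:::u:::escaESCA:::#:::23::0:
fpr:::::::::00112233445566778899AABBCCDDEEFF0123456789:
uid:u::::1500000000::AABBCCDDEEFF00112233445566778899AABBCCDD::Example User <user@example.org>::::::::::0:
ssb::4096:1:FEDCBA9876543210:1500000000::::::s:::D2760001240102010006012345670000:::23:
ssb::4096:1:1122334455667788:1500000000::::::e:::D2760001240102010006012345670000:::23:
ssb::4096:1:8877665544332211:1500000000::::::a:::D2760001240102010006012345670000:::23:'

# Constructed sample of what should never appear on the everyday computer:
# the primary secret key itself was imported (field 15 empty).
SAMPLE_LEAKED='sec:u:4096:1:0123456789ABCDEF:1500000000:::u:::escaESCA::::::23::0:
ssb::4096:1:FEDCBA9876543210:1500000000::::::s::::::23:'

echo "== constructed sample: subkeys on card =="
printf '%s\n' "$SAMPLE_CARD" | check_keyring
echo "== constructed sample: primary key leaked =="
printf '%s\n' "$SAMPLE_LEAKED" | check_keyring || true

# Against the real keyring: "sh check-keyring.sh live"
if [ "${1:-}" = "live" ]; then
    gpg -K --with-colons | check_keyring
fi
```

For subkeys imported from a flash disk the report shows "local" for each ssb record, which is the expected (weaker) state the text above describes; a "sec" record without "#" in field 15 means the primary key has been copied onto the machine and should be removed.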
Frith is then only required when you want to do one of the following:
In such cases you need to boot from one of the Tails drives, perform the operation, and republish any changed keys. You only need to make a fresh backup if you have created a new primary key or subkey.
Note that in order to use frith, you must enable persistence each time you boot Tails. This is a security feature! (You only need to set the temporary administration password when you are installing frith for the first time)
To use smartcard auth with PuTTY, you must download GnuPG modern for Windows from the official GnuPG site. No other version currently has PuTTY support.
Smartcards and fobs:
Smartcard readers:
Flash drives: