Add Passphrase2pgp as additional software
Tails is an amnesic distribution and works best in a non-persistent state, but using GPG there requires either an external storage device or installing Tails with persistence. The issue is that in many countries merely possessing a GPG key can cause problems, and in the UK you can be required to divulge the password. Passphrase2pgp lets a user avoid ever keeping a copy of their GPG keys: the keys can be recreated on demand from a passphrase. This minimizes the chance of being caught with them while still allowing secure communication and signatures. This open source software can be easily audited and is written in a memory-safe language.
This is a simple and easy to use tool that saves users from ever having to worry about losing their GPG keys, all without ever needing a storage device. Please consider adding this additional software to Tails OS.
Here is a sample to show how it can be used:
First generate the key. I’ve used an empty passphrase so you can do the same to see exactly the same output.
$ passphrase2pgp --subkey --uid firstname.lastname@example.org | gpg --import
gpg: /home/foo/.gnupg/trustdb.gpg: trustdb created
gpg: key BFB69BB42424AA60: public key "email@example.com" imported
gpg: key BFB69BB42424AA60: secret key imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: secret keys read: 1
gpg: secret keys unchanged: 1
Note, this doesn’t protect the key with a passphrase, so it will be stored unencrypted on the GnuPG keyring. Whether or not that matters depends on your computer’s configuration and how you use your computer. Use passphrase2pgp’s --protect (-e) option to add protection if needed. (I really wish GnuPG had an option to add protection to secret keys as they’re being imported. Sadly, it does not.)
So far everything looks good. We’ve got a sign/certify/authenticate Ed25519 primary key and an encryption Curve25519 subkey:
$ gpg --list-keys
pub ed25519 1970-01-01 [SCA]
uid [ unknown] firstname.lastname@example.org
sub cv25519 1970-01-01 [E]
If you have a notion of what your fingerprint should be, listing the keys like this will let you triple check that you’ve entered your passphrase correctly.
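The fingerprint check above works because an OpenPGP v4 fingerprint is a SHA-1 hash over the public key material together with its creation time, which is why a key regenerated from the same passphrase must also carry the same fixed creation time (the 1970-01-01 dates shown). The following Python computes that fingerprint for an Ed25519 primary key and compares it against an expected value pasted from a gpg listing; it is an added example, not passphrase2pgp's or GnuPG's own code, and the public key bytes are constructed, not a real key.

```python
import hashlib
import struct

# OpenPGP curve OID for Ed25519 (1.3.6.1.4.1.11591.15.1), used by EdDSA keys.
ED25519_OID = bytes.fromhex("2B06010401DA470F01")
ALGO_EDDSA = 22  # OpenPGP public-key algorithm id for EdDSA


def mpi(data: bytes) -> bytes:
    """Encode an unsigned big-endian integer as an OpenPGP MPI: 2-byte bit count, then bytes."""
    data = data.lstrip(b"\x00")
    bits = (len(data) - 1) * 8 + data[0].bit_length() if data else 0
    return struct.pack(">H", bits) + data


def ed25519_pubkey_packet_body(pubkey32: bytes, created: int = 0) -> bytes:
    """Body of a v4 public-key packet for an Ed25519 key; created=0 is 1970-01-01."""
    if len(pubkey32) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    return (b"\x04"                          # packet version 4
            + struct.pack(">I", created)     # creation time, seconds since the epoch
            + bytes([ALGO_EDDSA])
            + bytes([len(ED25519_OID)]) + ED25519_OID
            + mpi(b"\x40" + pubkey32))       # 0x40 prefix marks the native point encoding


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99 || 2-byte body length || body, upper-case hex."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def pretty(fpr: str) -> str:
    """Group a 40-hex fingerprint into 4-character blocks the way gpg prints it."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))


def fingerprint_matches(shown: str, expected: str) -> bool:
    """Compare two fingerprints ignoring spacing and case, so a gpg printout can be pasted in."""
    def norm(s: str) -> str:
        return "".join(s.split()).upper()
    return norm(shown) == norm(expected)


# Constructed sample public key (not a real key): 32 bytes of 0x11.
SAMPLE_PUBKEY = bytes([0x11]) * 32
SAMPLE_FPR = v4_fingerprint(ed25519_pubkey_packet_body(SAMPLE_PUBKEY, created=0))

if __name__ == "__main__":
    print(pretty(SAMPLE_FPR))
    # Any other creation time yields a different fingerprint for the same key bytes.
    print(pretty(v4_fingerprint(ed25519_pubkey_packet_body(SAMPLE_PUBKEY, created=1))))
```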
Now to encrypt a message, hello.txt. It will prompt me about trust since imported keys aren’t trusted by default. To disable this, use GnuPG’s --trusted-key, select a different --trust-model, or use --edit-key to change the trust on your key. (There’s nothing passphrase2pgp can do to force a key to be trusted.)
$ echo hello > hello.txt
$ gpg --encrypt --recipient email@example.com hello.txt
gpg: 971FB333228465B2: There is no assurance this key belongs to the named user
sub cv25519/971FB333228465B2 1970-01-01 firstname.lastname@example.org
Primary key fingerprint: 32FE 19AE 744B 5F66 8F29 9CBA BFB6 9BB4 2424 AA60
Subkey fingerprint: 526A C547 E142 64D6 7448 F9B1 971F B333 2284 65B2
It is NOT certain that the key belongs to the person named
in the user ID. If you really know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
That produces hello.txt.gpg. In another session, you can regenerate the key per the above instructions, and then decrypt like so:
$ gpg --decrypt hello.txt.gpg
gpg: encrypted with 256-bit ECDH key, ID 971FB333228465B2, created 1970-01-01