Using GPG with Merit RADb

Using GPG with the RADB


Notes and Limitations

In addition to supporting PGP-based authentication we now offer limited support for GPG-based signatures.
It is limited because ElGamal keys cannot currently be confirmed as supported, owing to interoperability
problems with PGP.

Some previous GPG versions (v1.*) offer ElGamal (sign and encrypt) as an option. Using this encryption
option is not recommended due to these compatibility concerns.


Creating the Key-Cert Object

This document takes you step-by-step through the process of creating a key-cert object, including generation
of a GPG key and GPG-signing your DB submissions.

In the original web page user input is shown in green and other important information in red; in the plain-text transcripts below, the commands you type are the lines that follow the '%' prompt, and everything else is output from GPG or the mail system.

1. Create a GPG key

The example below uses GPG version 2.2.4, but the process applies to other versions. Key generation takes
some time to complete because GPG has to gather enough entropy to generate the primes.

% gpg --full-generate-key
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/home/etbru/.gnupg' created
gpg: keybox '/home/etbru/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072)
Requested keysize is 3072 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Etienne Brule
Email address: etbru@noreply.net
Comment:
You selected this USER-ID:
    "Etienne Brule <etbru@noreply.net>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

A dialog box (pinentry) now appears asking you to create a passphrase. Choose a unique, strong passphrase. The value shown below is for illustration only; in practice the dialog does not echo what you type.

Please enter the passphrase to
protect your new key

Passphrase: ThisIsAnExampleOnly

Press the Tab key to "OK" and then press ENTER

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

gpg: /home/etbru/.gnupg/trustdb.gpg: trustdb created
gpg: key 748C195F7F507482 marked as ultimately trusted
gpg: directory '/home/etbru/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as
'/home/etbru/.gnupg/openpgp-revocs.d/F5AF118927CCEE9BA0AF2EBE748C195F7F507482.rev'
public and secret key created and signed.

pub   rsa3072 2020-01-06 [SC]
      F5AF118927CCEE9BA0AF2EBE748C195F7F507482
uid                      Etienne Brule <etbru@noreply.net>
sub   rsa3072 2020-01-06 [E]

2. Get your hex ID
% gpg --list-keys --keyid-format short
/home/etbru/.gnupg/pubring.kbx
----------------------------------
pub   rsa3072/7F507482 2020-01-06 [SC]
      F5AF118927CCEE9BA0AF2EBE748C195F7F507482
uid         [ultimate] Etienne Brule <etbru@noreply.net>
sub   rsa3072/D3091FD2 2020-01-06 [E]

Now note your hex ID. The hex ID here is '7F507482', the last eight hex digits of the fingerprint printed under the 'pub' line. It is required to name the key-cert object (PGPKEY-7F507482). Short key IDs are not unique, so once the object has been created, check that the auto-generated 'fingerpr:' attribute matches the full fingerprint of your key.

3. Extract your public key block in ASCII-armored format to the file /tmp/mykeys.txt

[ Key block shortened for demonstration ]

% gpg --armor --output /tmp/mykeys.txt --export 7F507482

% cat /tmp/mykeys.txt
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
=TSDH
-----END PGP PUBLIC KEY BLOCK-----

4. Create the key-cert

Now use your favorite editor to create your key-cert object. Every line of the key block becomes a
continuation line of the 'certif:' attribute and must begin with a '+'; this includes the empty line that
follows the BEGIN header in the armored output, which is written as a '+' on its own. Note that the
'method:', 'owner:' and 'fingerpr:' attributes are not specified. The IRRd software generates them from the
key itself, so they are intentionally omitted.

% vi /tmp/mykeys.txt
key-cert:  PGPKEY-7F507482
certif:
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+...
+=TSDH
+-----END PGP PUBLIC KEY BLOCK-----
mnt-by:    MAINT-ETBRU
changed:   etbru@noreply.net
source:    RADB

5. Mail the key-cert object to auto-dbm for processing.

Depending on the version of your mail program, one of these commands should work.

% mail auto-dbm@radb.net < /tmp/mykeys.txt
% # or
% mail -t auto-dbm@radb.net < /tmp/mykeys.txt

If everything is OK you will receive an acknowledgement from auto-dbm@radb.net containing the following:

ADD OK: [key-cert] PGPKEY-7F507482

Otherwise you will get a response listing syntax errors. The offending lines are marked with '?' characters in the response message.
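Steps 3 to 5 above are easy to get subtly wrong by hand, most often by leaving the blank line inside the armored block without its '+'. The script below is an added example, not code from this tutorial or from IRRd: it builds the key-cert object from an armored key read on stdin and checks the 'certif:' attribute before anything is mailed. It uses only POSIX sed and awk; the key ID, maintainer and address are the tutorial's sample values, and the armored block embedded in it is constructed text, not a real key.

```shell
#!/bin/sh
# Added example for steps 3 to 5; not code from the RADB tutorial or IRRd.
# Builds a key-cert object from an ASCII-armored key and checks it before
# it is mailed. Key ID, maintainer and address are the tutorial's samples.

# Turn an armored public key block (stdin) into the 'certif:' attribute.
# Every armor line becomes an RPSL continuation line starting with '+';
# the empty line after the BEGIN header becomes a bare '+', which is the
# line hand-editing most often gets wrong.
armor_to_certif() {
    printf 'certif:\n'
    sed 's/^/+/'
}

# Assemble the object. $1 = short hex key ID, $2 = mnt-by, $3 = changed
# address; the armored key is read from stdin.
make_keycert() {
    printf 'key-cert:  PGPKEY-%s\n' "$1"
    armor_to_certif
    printf 'mnt-by:    %s\n' "$2"
    printf 'changed:   %s\n' "$3"
    printf 'source:    RADB\n'
}

# Check an object (stdin) before mailing it: every line between 'certif:'
# and the next attribute must start with '+', and the armor must be
# complete. Exit status 0 only when both the BEGIN and END lines were
# seen inside the run of '+' lines.
check_certif() {
    awk '
        /^certif:/ { in_cert = 1; next }
        in_cert && /^\+/ {
            if ($0 ~ /BEGIN PGP PUBLIC KEY BLOCK/) got_begin = 1
            if ($0 ~ /END PGP PUBLIC KEY BLOCK/)   got_end = 1
            next
        }
        in_cert { in_cert = 0 }   # first line without "+" ends the attribute
        END { exit !(got_begin && got_end) }
    '
}

# Constructed sample armor: the base64 payload is not a real key.
SAMPLE_ARMOR=$(cat <<'EOF'
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBF4TeXEBDADnotArealKeyJustSampleTextForTheExample
=TSDH
-----END PGP PUBLIC KEY BLOCK-----
EOF
)

# Build and check the sample object. With a real key, replace the printf by
#   gpg --armor --export 7F507482 | make_keycert 7F507482 MAINT-ETBRU etbru@noreply.net
KEYCERT=$(printf '%s\n' "$SAMPLE_ARMOR" | make_keycert 7F507482 MAINT-ETBRU etbru@noreply.net)
printf '%s\n' "$KEYCERT" | check_certif \
    && echo "key-cert is well-formed; write it to a file and mail it to auto-dbm@radb.net"
```

The check only looks at the shape of the object. It cannot tell whether the key block belongs to the key ID in the 'key-cert:' line; that is what the auto-generated 'fingerpr:' attribute in the acknowledgement is for.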

6. Update your maintainer to use GPG authentication.

Make sure the key-cert has been added successfully before updating your maintainer to use it. Now add
the new 'auth:' attribute. The 'auth:' methods of a maintainer are alternatives: a submission that passes
any one of them is accepted. To make full use of the security GPG provides, delete the 'MAIL-FROM' and
'CRYPT-PW' lines; otherwise your maintainer is just as insecure as it was before, since those mechanisms
can still be used (MAIL-FROM in particular trusts a From: header that anyone can forge).

BEFORE GPG

mntner:             MAINT-ETBRU
descr:              Maintainer without GPG
admin-c:            ETBRU
tech-c:             ETBRU
upd-to:             etbru@noreply.net
auth:               MAIL-FROM etbru@noreply.net
auth:               CRYPT-PW pfRRVg599QpLw
mnt-by:             MAINT-ETBRU
changed:            etbru@noreply.net 20190130
source:             RADB

WITH GPG

mntner:             MAINT-ETBRU
descr:              New maintainer with GPG authentication
admin-c:            ETBRU
tech-c:             ETBRU
upd-to:             etbru@noreply.net
auth:               PGPKEY-7F507482
mnt-by:             MAINT-ETBRU
changed:            etbru@noreply.net 20200106
source:             RADB

How to use GPG for RADB authentication

1) Follow the instructions for creating, modifying or deleting an object, but omit the step that mails
auto-dbm@radb.net.

2) Assume the object is in a file named '/tmp/db-submission.txt'. GPG writes a clearsigned copy to a file
with '.asc' appended, so in our example the signed submission will be in /tmp/db-submission.txt.asc. The
passphrase is the one you gave GPG when you created your key in the section "Create a GPG key" above. If
you have more than one secret key, add '--local-user 7F507482' so the submission is signed with the key
registered in your key-cert.

% gpg --clearsign /tmp/db-submission.txt

With GPG 2.x the passphrase is requested through the pinentry dialog; older versions prompt on the
terminal instead:

You need a passphrase to unlock the secret key for
user: "Etienne Brule <etbru@noreply.net>"
3072-bit RSA key, ID 7F507482, created 2020-01-06

3) Send your GPG signed submission to auto-dbm@radb.net.

Depending on the version of your mail program, one of these commands should work. Send the file as plain text; a mail program that wraps long lines or converts the message to HTML will break the signature.

% mail auto-dbm@radb.net < /tmp/db-submission.txt.asc
% # or
% mail -t auto-dbm@radb.net < /tmp/db-submission.txt.asc

4) DONE! You have successfully used a GPG-signed message to update an entry in the RADB.
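Two checks worth scripting around step 6 and the submission procedure above: refusing to proceed while the maintainer still lists a weak 'auth:' method, and verifying the clearsigned file locally before it goes to auto-dbm. The script below is an added example, not code from this tutorial or from IRRd. The audit function runs offline on two constructed maintainer objects (one with the key added but the old methods left in, one cleaned up); the sign-and-mail wrapper needs gpg and mail(1) and is only shown for manual use. It uses the real gpg options --clearsign, --local-user, --output, --yes and --verify; the key ID and file paths are the tutorial's sample values.

```shell
#!/bin/sh
# Added example for step 6 and the submission procedure; not code from the
# RADB tutorial or IRRd. Audits a mntner object for auth methods that bypass
# the key, and wraps the sign, verify, mail sequence. Key ID, maintainer and
# paths are the tutorial's sample values.

# Print the auth: methods of a mntner object (stdin) and return 1 if any of
# them is MAIL-FROM or CRYPT-PW. The methods are alternatives, so one weak
# method left in place lets anyone update the objects without the key.
check_mntner_auth() {
    awk '
        $1 == "auth:" {
            method = toupper($2)
            print method
            if (method == "MAIL-FROM" || method == "CRYPT-PW") weak = 1
        }
        END { exit weak ? 1 : 0 }
    '
}

# Clearsign $2 with the key $1, verify the result locally, then mail it.
# Needs gpg and mail(1); called by hand, not further down in this script.
sign_and_mail() {
    key_id=$1
    infile=$2
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --yes --clearsign --local-user "$key_id" --output "$infile.asc" "$infile" || return 1
    # A verify failure here means the wrong key or a mangled file; better to
    # learn that now than from an error message out of auto-dbm.
    gpg --verify "$infile.asc" || return 1
    mail auto-dbm@radb.net < "$infile.asc"
}

# Constructed maintainer objects: the key-cert added but old methods kept,
# and the cleaned-up version from step 6.
MNTNER_BEFORE=$(cat <<'EOF'
mntner:   MAINT-ETBRU
auth:     MAIL-FROM etbru@noreply.net
auth:     CRYPT-PW pfRRVg599QpLw
auth:     PGPKEY-7F507482
mnt-by:   MAINT-ETBRU
source:   RADB
EOF
)
MNTNER_AFTER=$(cat <<'EOF'
mntner:   MAINT-ETBRU
auth:     PGPKEY-7F507482
mnt-by:   MAINT-ETBRU
source:   RADB
EOF
)

printf '%s\n' "$MNTNER_BEFORE" | check_mntner_auth >/dev/null \
    || echo "before: a weak auth method is still present, the key adds nothing yet"
printf '%s\n' "$MNTNER_AFTER" | check_mntner_auth >/dev/null \
    && echo "after: only PGPKEY auth remains"
# Real use, once the maintainer is clean:
#   sign_and_mail 7F507482 /tmp/db-submission.txt
```

Run the audit against the maintainer object as it exists in the database (a whois lookup of MAINT-ETBRU), not against the copy you are about to submit: the point is to confirm that the weak methods are actually gone.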

Comments and questions are welcome; please send email to radb-support@merit.edu.
