Hangout & Hack - v0005 Notes

Notes for https://www.oldcity-bitcoiners.info/hangout-hack-v0005/


The primary goal of this meetup is to learn PGP and SSH operations. If a user has a Trezor-T device, we preferably get them running with that. Otherwise plain GPG and SSH software should work. These instructions assume Ubuntu 22.04 LTS.

Some notes about using a Trezor-T

Did you know the Trezor-T supports PGP operations, SSH login, and FIDO U2F authentication?

  • Consider loading your Trezor with a BIP085 export from your cold storage setup. Actually, these exports should be used for ANY warm/hot wallets (including Lightning on-chain). That way ALL your Bitcoin is recoverable from the same seed plate backups.
  • When loading a Trezor, DO NOT write any BIP085 seed export onto an intermediate piece of paper. Simply perform the recovery on the Trezor from the screen of your offline signing device.

Check out this post of ours to discover how one of our members uses his Trezor to perform code-signing operations for git commits and git tags.

Pretty Good Privacy (PGP)

PGP is a common tool in the Bitcoiner toolkit. We typically use PGP to VERIFY that source code or binaries have been produced by trusted individuals. We'll review how to create PGP keys and perform signing, encryption, decryption, and signature verification. Knowing how to use PGP will help you avoid common exploits and use Bitcoin in a more trusted way.

Installing GNUPG

These instructions follow an Ubuntu-like distribution only. You'll have to figure it out if you're on MacOS or Windows.

sudo apt update && sudo apt install -y gpg

Installation when using a Trezor

Then follow the https://wiki.trezor.io/GPG instructions to get the necessary software installed for your Trezor device to work. Don't forget to set up the udev rules and update your GNUPGHOME (see below)! (Replace any gpg2 with just gpg.) Note, you should probably store your PGP timestamp in your Password Manager.

Generating PGP Keys

Before generating your keys, run env | grep GNUPGHOME to see which path is your PGP home directory (typically ~/.gnupg). This is the path that is consulted when you run gpg commands such as gpg --list-keys.  If your env does not contain a GNUPGHOME, then you should add it to your ~/.bashrc by appending: (don't forget to source it afterwards!)

export GNUPGHOME="/home/username/.gnupg"

or set the environment variable in the current shell with export GNUPGHOME="$HOME/temp_dir". Setting the GNUPGHOME environment variable allows you to have multiple identities or keystores. Typically you'll have one or two that you manage.

If you DO NOT have a Trezor-T, generate your PGP keys with the following command. The keys will be stored in your current GNUPGHOME.

gpg --gen-key

Trezor instructions

To generate PGP keys using your Trezor-T, issue the following command: 

Using your PGP keys

  • List keys: gpg --list-keys
  • Sign a document (writes document.txt.asc): gpg --armor --sign document.txt
  • Encrypt a document to a key (writes document.txt.gpg): gpg --encrypt -r derek@farscapian.com document.txt
  • Verify the signed document: gpg --verify document.txt.asc
  • Decrypt an encrypted payload (the matching private key must be in your GNUPGHOME): gpg --decrypt document.txt.gpg
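As an added example, not code from the meetup notes, the script below performs the GNUPGHOME setup described above and then runs the five operations in the list as a scripted round trip inside a throwaway keystore, so nothing touches ~/.gnupg. It goes one step beyond the list by also producing a detached signature and showing that verification fails as soon as the signed file is altered, which is the check you rely on when verifying release files. The identity demo@example.invalid and the file names are constructed; the gpg options are real GnuPG 2.1+ options.

```shell
#!/usr/bin/env bash
# Added example (not from the meetup notes): isolated GNUPGHOME, unattended key
# generation, sign / verify / encrypt / decrypt round trip, and a detached
# signature that must stop verifying once the signed file changes.
# Assumptions: GnuPG 2.1 or later is installed as `gpg`; identity is constructed.
set -u

DEMO_EMAIL="demo@example.invalid"   # constructed identity, not a real address

# A throwaway keystore: everything below is written here, never to ~/.gnupg.
setup_keystore() {
    GNUPGHOME="$(mktemp -d /tmp/gnupg-demo.XXXXXX)"
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"   # gpg warns about unsafe permissions otherwise
}

# Unattended equivalent of `gpg --gen-key`: Ed25519 signing key + cv25519 encryption subkey.
# %no-protection means no passphrase; a real key should have one.
generate_demo_key() {
    gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: Hangout Hack Demo
Name-Email: $DEMO_EMAIL
Expire-Date: 0
%commit
EOF
}

sign_document() {      # writes $1.asc, an ASCII-armored signed message
    gpg --batch --quiet --armor --local-user "$DEMO_EMAIL" --sign "$1"
}
verify_signed() {      # exit status 0 only on a good signature
    gpg --batch --verify "$1" 2>&1
}
encrypt_document() {   # writes $2.gpg, readable only by recipient $1
    gpg --batch --quiet --encrypt --recipient "$1" "$2"
}
decrypt_document() {   # plaintext to stdout, using the private key in GNUPGHOME
    gpg --batch --quiet --decrypt "$1" 2>/dev/null
}

# Sign, verify, encrypt and decrypt one file; report whether the plaintext survived.
pgp_round_trip() {
    local doc="$GNUPGHOME/document.txt"
    printf 'verify me\n' > "$doc"
    sign_document "$doc"                  || return 1
    verify_signed "$doc.asc" >/dev/null   || return 1
    encrypt_document "$DEMO_EMAIL" "$doc" || return 1
    [ "$(decrypt_document "$doc.gpg")" = "verify me" ] || return 1
    echo "round trip ok"
}

# Detached signature: verifies on the original, must fail after a one-line change.
tamper_is_detected() {
    local doc="$GNUPGHOME/release.txt"
    printf 'sha256 of the binary goes here\n' > "$doc"
    gpg --batch --quiet --armor --local-user "$DEMO_EMAIL" --output "$doc.sig" --detach-sign "$doc" || return 1
    gpg --batch --verify "$doc.sig" "$doc" 2>/dev/null || return 1      # clean file: good signature
    printf 'hash line altered in transit\n' >> "$doc"
    if gpg --batch --verify "$doc.sig" "$doc" 2>/dev/null; then return 1; fi   # altered file must fail
    echo "tampering detected"
}

cleanup_keystore() {
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME"
}

main() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed"; return 1; }
    setup_keystore
    generate_demo_key
    gpg --list-keys
    pgp_round_trip
    tamper_is_detected
    cleanup_keystore
}
main "$@"
```

The round trip works because the same keystore holds both the signing key and the recipient's private key; to verify someone else's signature you first import their public key, and the decrypt step only succeeds on a machine that holds the private key the file was encrypted to. For a real key, use the interactive gpg --gen-key from the notes and give it a passphrase.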

Secure Shell (SSH)

SSH is right up there with PGP in terms of importance. SSH allows you to login to a remote machine (shell) over the network and issue commands against it. SSH provides several security features including encryption, authentication, and integrity – essential for administering a secure network. You'll definitely need it for logging into your remote Bitcoin node!

Use these instructions if you have a Trezor-T

Install SSH Client

sudo apt update && sudo apt install -y openssh-client

Install SSH Server

sudo apt update && sudo apt install -y openssh-server

Generate your SSH private/public keys

Remotely log into hhv0005.oldcity-bitcoiners.info

Host hhv0005 under oldcity-bitcoiners.info is a CNAME that points to a VPS hosted on AWS at ec2-54-172-38-90.compute-1.amazonaws.com. It will be deleted after this event.

derek@pegasus:~/bin$ ssh ubuntu@hhv0005.oldcity-bitcoiners.info
The authenticity of host 'hhv0005.oldcity-bitcoiners.info (54.172.38.90)' can't be established.
ED25519 key fingerprint is SHA256:Qm8Q1vyAViYr4rOwDuN7XM9Gl6JjY0QxTdv1t6J1l8M.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'hhv0005.oldcity-bitcoiners.info' (ED25519) to the list of known hosts.
Connection closed by 54.172.38.90 port 22
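The "Generate your SSH private/public keys" heading above has no command on the page, and the session just shown ends at the ED25519 fingerprint prompt, which ssh asks you to accept without any way to check it. As an added example that is not part of the original notes, this script generates an Ed25519 key pair with ssh-keygen and then shows how to check a host fingerprint against a value obtained out of band (from the server's admin or its console) and pin it into a known_hosts file so the yes/no prompt never appears. It cannot reach the real host offline, so the "server" key is a stand-in generated locally and the hostname demo-host.example.invalid is constructed; the ssh-keygen options are real OpenSSH ones.

```shell
#!/usr/bin/env bash
# Added example, not from the meetup notes: generate an Ed25519 SSH key pair and
# verify/pin a host key fingerprint before trusting it.
# Assumptions: OpenSSH's ssh-keygen is installed; the server key below is a
# locally generated stand-in and the hostname is constructed.
set -u

DEMO_HOST="demo-host.example.invalid"   # constructed, stands in for hhv0005

# Generate a key pair into $1 (private) and $1.pub (public) with comment $2.
# -N '' gives an empty passphrase so the demo runs unattended; for a real
# client key drop -N '' so ssh-keygen prompts for one.
generate_ssh_key() {
    ssh-keygen -q -t ed25519 -N '' -C "$2" -f "$1"
}

# Print the SHA256 fingerprint of public key file $1 (the SHA256:... string ssh shows).
fingerprint_of() {
    ssh-keygen -l -E sha256 -f "$1" | awk '{print $2}'
}

# Exit 0 only when public key $1 has exactly the expected fingerprint $2.
fingerprint_matches() {
    [ "$(fingerprint_of "$1")" = "$2" ]
}

# Append "$1 <keytype> <base64 key>" to known_hosts $3 from host public key file $2.
pin_host_key() {
    printf '%s %s\n' "$1" "$(awk '{print $1, $2}' "$2")" >> "$3"
}

# Exit 0 when hostname $1 has an entry in known_hosts $2 (what ssh consults on connect).
host_is_pinned() {
    [ -n "$(ssh-keygen -F "$1" -f "$2" 2>/dev/null)" ]
}

main() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not installed"; return 1; }
    workdir="$(mktemp -d /tmp/ssh-demo.XXXXXX)"
    generate_ssh_key "$workdir/id_ed25519" "demo@example.invalid"      # your client key
    generate_ssh_key "$workdir/ssh_host_ed25519_key" "$DEMO_HOST"      # stand-in server key
    # The value an admin would publish out of band; here we read it off the stand-in key.
    expected="$(fingerprint_of "$workdir/ssh_host_ed25519_key.pub")"
    echo "published host fingerprint: $expected"
    if fingerprint_matches "$workdir/ssh_host_ed25519_key.pub" "$expected"; then
        pin_host_key "$DEMO_HOST" "$workdir/ssh_host_ed25519_key.pub" "$workdir/known_hosts"
    fi
    if host_is_pinned "$DEMO_HOST" "$workdir/known_hosts"; then
        echo "pinned: ssh -o UserKnownHostsFile=$workdir/known_hosts $DEMO_HOST would not prompt"
    fi
    rm -rf "$workdir"
}
main "$@"
```

On a real server the published value comes from running ssh-keygen -l -E sha256 -f /etc/ssh/ssh_host_ed25519_key.pub on the host console (or from the provider's console output), and the string you compare it to is the SHA256:... line in the prompt above; only when they match should you answer yes.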
