====== GPG modern (2.1) with Elliptic curves ======
Being an elliptic curves fan for whatever reason (NSA-aware, early adopter, bored geek, ...) you are forced to compile GnuPG yourself or to use Debian experimental.
Before doing anything, be sure to read carefully and fully understand this article: https://www.gnupg.org/faq/whats-new-in-2.1.html You've been warned!
===== Official variant =====
The recommended way, described in the [[https://wiki.gnupg.org/Build2.1_Unix|GnuPG wiki]], is much simpler than the following guide, which uses Debian experimental in a schroot.
sudo make -f build-aux/speedo.mk native INSTALL_PREFIX="/usr/local"
actually works well.
===== Debian experimental schroot variant =====
Use this if the official variant is not functional.
==== Create chroot environment (Debian Jessie) ====
Start sudo from your regular user account (this step is important: it sets the SUDO_USER environment variable, which the commands below rely on).
export MY_CHROOT=/data/virtuals/schroot-deb-experimental
sudo -E su
echo -e "My Chroot:\t$MY_CHROOT\nWhoAmI:\t\t$(whoami)\nSUDO_USER:\t$SUDO_USER"
mkdir -p $MY_CHROOT
chown $SUDO_USER $MY_CHROOT
aptitude install schroot debootstrap
cat <<EOF >>/etc/schroot/schroot.conf
[experimental]
description=Debian experimental
directory=$MY_CHROOT
groups=sbuild,root,$SUDO_USER
users=$SUDO_USER
root-groups=root,sbuild
EOF
debootstrap jessie $MY_CHROOT
echo "proc $MY_CHROOT/proc proc defaults 0 0" >> /etc/fstab
mount proc $MY_CHROOT/proc -t proc
echo "sysfs $MY_CHROOT/sys sysfs defaults 0 0" >> /etc/fstab
mount sysfs $MY_CHROOT/sys -t sysfs
echo "/home/$SUDO_USER/.gnupg/ $MY_CHROOT/home/$SUDO_USER/.gnupg/ none bind 0 0" >> /etc/fstab
# the bind mount target must exist inside the chroot before it can be mounted
mkdir -p "$MY_CHROOT/home/$SUDO_USER/.gnupg/"
mount "$MY_CHROOT/home/$SUDO_USER/.gnupg/"
cp /etc/hosts $MY_CHROOT/etc/hosts
cp /proc/mounts $MY_CHROOT/etc/mtab
# anchor the match to the user name field so a user named e.g. "bob" does not also copy "bobby"
grep "^$SUDO_USER:" /etc/passwd >> $MY_CHROOT/etc/passwd
grep "^$SUDO_USER:" /etc/group >> $MY_CHROOT/etc/group
mkdir -p $MY_CHROOT/home/$SUDO_USER
chown $SUDO_USER $MY_CHROOT/home/$SUDO_USER
==== add experimental repository ====
Debian experimental is not a distro variant, it is just a set of packages in the repository that is added on top of an existing release.
chroot $MY_CHROOT /bin/bash
# create /etc/apt/sources.list.d/experimental.list containing a "deb <mirror> experimental main" line for your Debian mirror
apt-get update
apt-cache policy gnupg2
apt-get -t experimental install gnupg2
apt-get install bash-completion
==== Make keyring backup ====
BACKUP="/home/$SUDO_USER/.gnupg-$(date +%F).backup.tbz"
tar cjvf $BACKUP /home/$SUDO_USER/.gnupg/
chmod 400 $BACKUP
### TRIPLE-CHECK THAT YOU HAVE A BACKUP !!! (there are big changes in gpg 2.1 and you might need to reimport some keys or downgrade)
schroot -p -c chroot:experimental -- gpg2 --version
gpg (GnuPG) 2.1.1
libgcrypt 1.6.2
...
==== sChroot shell access ====
schroot -p -c chroot:experimental ... gives you full shell access inside the chroot.
==== Make chrooted binaries executable from non-schroot environment ====
sudo -E su
# the loop only prints the mv/ln commands for every gnupg binary; review the output and then run it
root@DebExp@azur:/usr/bin$ for file in $(dpkg -L gnupg2 gnupg-agent dirmngr|grep bin); do [ -f $file ] && echo "mv $file $file.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh $file";done
mv /usr/sbin/applygnupgdefaults /usr/sbin/applygnupgdefaults.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/sbin/applygnupgdefaults
mv /usr/sbin/addgnupghome /usr/sbin/addgnupghome.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/sbin/addgnupghome
mv /usr/bin/gpg2 /usr/bin/gpg2.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/bin/gpg2
mv /usr/bin/gpgconf /usr/bin/gpgconf.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/bin/gpgconf
mv /usr/bin/gpgparsemail /usr/bin/gpgparsemail.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/bin/gpgparsemail
mv /usr/bin/kbxutil /usr/bin/kbxutil.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/bin/kbxutil
mv /usr/bin/watchgnupg /usr/bin/watchgnupg.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/bin/watchgnupg
mv /usr/bin/gpg-agent /usr/bin/gpg-agent.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/bin/gpg-agent
mv /usr/bin/gpg-connect-agent /usr/bin/gpg-connect-agent.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/bin/gpg-connect-agent
mv /usr/bin/gpgkey2ssh /usr/bin/gpgkey2ssh.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/bin/gpgkey2ssh
mv /usr/bin/symcryptrun /usr/bin/symcryptrun.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/bin/symcryptrun
mv /usr/bin/dirmngr /usr/bin/dirmngr.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/bin/dirmngr
mv /usr/bin/dirmngr-client /usr/bin/dirmngr-client.ORIG ;ln -s /usr/local/bin/run-deb-exp.sh /usr/bin/dirmngr-client
cat /usr/local/bin/run-deb-exp.sh
#!/bin/bash
# Invoked through a symlink named after a gnupg binary (gpg2, gpg-agent, ...):
# run the same-named binary from the chroot against the chroot's libraries.
# Alternative: schroot -p -c chroot:experimental -- gpg2 "$@"
CHROOT_PREFIX="/data/virtuals/schroot-deb-experimental"
# append the previous LD_LIBRARY_PATH only if it is set; an empty element
# (trailing colon) would make the loader also search the current directory
export LD_LIBRARY_PATH="${CHROOT_PREFIX}/lib/x86_64-linux-gnu:${CHROOT_PREFIX}/usr/lib/x86_64-linux-gnu${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}"
exec "${CHROOT_PREFIX}/usr/bin/$(basename "$0")" "$@"
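The mv/ln one-liner above is not safe to run twice: the second run renames the symlink over NAME.ORIG and the real binary is lost. Below is an added example (not from the original page) of the same redirection written as re-runnable shell functions with that check, plus the inverse operation; the wrapper path is passed as a parameter instead of the page's fixed /usr/local/bin/run-deb-exp.sh.

```bash
#!/bin/sh
# Added example: idempotent replacement for the page's mv/ln loop.

# redirect_bin FILE WRAPPER
# Moves FILE to FILE.ORIG and symlinks FILE to WRAPPER.
# Returns 0 if FILE points at WRAPPER afterwards (freshly done or already done),
# 1 if FILE is missing, is a symlink to something else, or FILE.ORIG exists.
redirect_bin() {
    file="$1"; wrapper="$2"
    if [ -L "$file" ]; then
        # Already a symlink: accept it only if it already points at our wrapper.
        [ "$(readlink "$file")" = "$wrapper" ] && return 0
        echo "refusing: $file is a symlink to $(readlink "$file")" >&2
        return 1
    fi
    [ -f "$file" ] || return 1              # not a regular file: nothing to wrap
    if [ -e "$file.ORIG" ]; then
        # A backup already exists; never overwrite it with the current file.
        echo "refusing: $file.ORIG already exists" >&2
        return 1
    fi
    mv "$file" "$file.ORIG" && ln -s "$wrapper" "$file"
}

# restore_bin FILE: undo redirect_bin by putting the original binary back.
restore_bin() {
    file="$1"
    [ -L "$file" ] && [ -f "$file.ORIG" ] || return 1
    rm "$file" && mv "$file.ORIG" "$file"
}

# Usage on the real system (as root), mirroring the page's dpkg -L loop:
#   for f in $(dpkg -L gnupg2 gnupg-agent dirmngr | grep bin); do
#       redirect_bin "$f" /usr/local/bin/run-deb-exp.sh
#   done
```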
In case you ran into trouble with your keydb (like "invalid packet" / "key not found" errors), fix it by reimporting your keys from the backup (extract the backup tarball into a separate directory first):
! Notice that the export uses gpg 1.x with a homedir pointing at the backup, while the import is done by gpg 2.1.
gpg --homedir /home/ruza/.gnupg-BACKUP/ --output F7EEAF5998FFFC1D_priv.gpg --armor --export-secret-key 0xF7EEAF5998FFFC1D
gpg --homedir /home/ruza/.gnupg-BACKUP/ --output F7EEAF5998FFFC1D_pub.gpg --armor --export 0xF7EEAF5998FFFC1D
# gpg-chrooted stands for the chrooted gpg 2.1 binary, i.e. /usr/bin/gpg2 after the symlink step above
gpg-chrooted --import F7EEAF5998FFFC1D_pub.gpg
gpg-chrooted --allow-secret-key-import --import F7EEAF5998FFFC1D_priv.gpg
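After the reimport it is worth confirming that nothing was lost. The following added example (not from the original page) compares the fingerprints of the old gpg 1.x keyring with those of the new gpg 2.1 keyring, using the machine-readable --with-colons listing, where "fpr" records carry the fingerprint in the tenth field; the file names old.txt and new.txt and the backup homedir are assumptions.

```bash
#!/bin/sh
# Added example: verify that every fingerprint from the backup keyring is
# present in the new keyring. On a real system the two listings come from:
#   gpg  --homedir ~/.gnupg-BACKUP --with-colons --fingerprint --list-keys > old.txt
#   gpg2 --with-colons --fingerprint --list-keys                           > new.txt

# fingerprints FILE: one fingerprint per line, sorted and de-duplicated,
# taken from the "fpr" records of a --with-colons listing (field 10)
fingerprints() {
    awk -F: '$1 == "fpr" { print $10 }' "$1" | sort -u
}

# missing_fingerprints OLD NEW: print fingerprints present in OLD but absent
# from NEW; returns 0 when nothing is missing, 1 otherwise
missing_fingerprints() {
    oldlist=$(mktemp); newlist=$(mktemp)
    fingerprints "$1" > "$oldlist"
    fingerprints "$2" > "$newlist"
    # -x -F: match whole lines literally; -v: keep lines of OLD not found in NEW
    missing=$(grep -vxF -f "$newlist" "$oldlist")
    rm -f "$oldlist" "$newlist"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Usage: missing_fingerprints old.txt new.txt || echo "reimport incomplete" >&2
```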
==== Other software integration ====
Finally, configure all your software to use /usr/bin/gpg2 (/usr/bin/gpg is the default).
You no longer need to start gpg-agent yourself; it is started automagically (... did you read that "What's new in 2.1" article?).
=== Enigmail ===
The path to gpg is configurable in Enigmail; verify it in the Enigmail Console.
=== Gajim ===
The path to gpg in Gajim seems to be hardcoded, so do: cd /usr/bin/ && mv gpg gpg.ORIG && ln -s /usr/bin/gpg2 gpg
==== Using ECC in GPG2.1+ ====
* ECC keys are available in expert mode only. Beware, the parameter order is important.
gpg2 --expert --edit-key 0xKEYID
* At this time it is not possible to create a Curve 25519 key for encryption purposes (it fails with an "Unknown elliptic curve" error, as shown in the session below).
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
Your selection? 12
Please select which elliptic curve you want:
(1) Curve 25519
(2) NIST P-256
(3) NIST P-384
(4) NIST P-521
(5) Brainpool P-256
(6) Brainpool P-384
(7) Brainpool P-512
Your selection? 1
gpg: WARNING: Curve25519 is not yet part of the OpenPGP standard.
Use this curve anyway? (y/N) y
Key is valid for? (0) 3y
Key expires at Tue 09 Jan 2018 08:31:25 AM CET
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: agent_genkey failed: Unknown elliptic curve
gpg: Key generation failed: Unknown elliptic curve