LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Blogs > jere21
User Name
Password

Notices


Rate this Entry

Adding a new GPG key

Posted 09-20-2015 at 08:21 PM by jere21
Updated 09-20-2015 at 08:45 PM by jere21

Code:
ii  gnupg          1.4.19-3   amd64 GNU privacy guard - a free PGP replacement
ii  gnupg-curl     1.4.19-3   amd64 GNU privacy guard - a free PGP replacement (cURL)
ii  hopenpgp-tools 0.14.1-1   amd64 hOpenPGP-based command-line tools
ii  parcimonie     0.8.4-2    all   privacy-friendly helper to refresh a GnuPG keyring
ii  enigmail       2:1.8.2-3  amd64 GPG support for Thunderbird and Debian Icedove
ii  signing-party  2.1-1      amd64 Various OpenPGP related tools
  1. General/Configuration (Best practices)
  2. Create a GPG key
  3. Add another subkey for signing, so that the master can be kept offline
  4. Add another UID
  5. Set primary UID
  6. Set a calendar event to remind you about your expiration date.
  7. Verify the quality of your new key
  8. Generate a revocation certificate
  9. Keep your keyrings updated
  10. Backup
    1. Variant 1: Your complete .gnupg (just unpack it and you are ready to go)
    2. Variant 2: Make Exports
    3. Variant 3: Print to paper your ASCII armored secret key
  11. Move master key offline and use it only for certification and administration
  12. Encrypt Communication with the keyserver pool (hkps)
  13. Upload your key
  14. Signing manually
  15. Keysigning with caff
  16. Receiving signatures and uploading them


This post should cover everything I did to create a good GPG key (4096-bits RSA, SHA-512, master key stored away offline). Before or while using this guide please have a look at the "Riseup OpenPGP Best Practices", they are the most important source for everything you'll find here and explains the reasoning.



General/Configuration (Best practices)
  • Read the "Riseup OpenPGP Best Practices".
  • Use the gpg.conf from Jacob Appelbaum's (ioerror) duraconf "collection of hardened configuration files". It is linked by e.g. the "Riseup OpenPGP Best Practices" and Anibal Monsalve Salazar's "Keysigning @ DebConf15" document. You will need to uncomment and/or adjust the following settings to your local preferences:
    • default-key
    • keyserver-options ca-cert-file
    • keyserver-options http-proxy
  • Some noteworthy stuff:
    • Do not use a comment in your UID, just name and email address.
    • Use an expiration date less than two years. You can always (and should regularly) extend your expiration date, even after it has expired, NO need for a new key to replace an expired one, as long as it's still fulfilling the best practices).
    • Do not use "gpg --refresh-keys" directly, let "parcimonie" do this instead. It starts automatically and does its job, once the Debian package is installed. You should see the parcimonie daemon process running and the parcimonie applet (showing the log) in some bar (works here in the top bar with Gnome 3.16 + extension TopIcons).
    • Use the fingerprint instead of the key id. We configure GPG to use keyid-format "long". The last 8 letters of a long key ID are the most often seen short variant (this relates to the GPG v4 keys we are using here):
      Code:
      Key ID short format:                            0x<8 letters A>
      Key ID long format:               0x<8 letters B> <8 letters A>
      Key fingerprint:     <24 letters C> <8 letters B> <8 letters A>
    • Use your master key for certification of other keys and let it be certified (signed). I don't fully understand how/why this works, but I found this in the manual: "no extra signatures are necessary since the new subkey will have been signed with your master signing key, which presumably has already been validated by your correspondents."
    • Have a separate subkey for signing, and keep your primary key entirely offline.


Create a GPG key

Make a 4096bit RSA key, with the sha512 hashing algo. At the same time create a subkey for encrypting.

Quick Howto: http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/ (not totally up to date regarding gpg version, not exactly following the Best Practices, so remember to use the mentioned gpg.conf and choose 4096 bit).

Code:
$ gpg --gen-key
gpg (GnuPG) 1.4.19; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Tue 01 Aug 2017 02:37:10 PM CEST
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Jens Reyer
Email address: jens.reyer@example.com
Comment: 
You selected this USER-ID:
    "Jens Reyer <jens.reyer@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 188 more bytes)
.......+++++

[...]
gpg: key 0x79C43E620B039B35 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   4  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2017-08-01
pub   4096R/0x79C43E620B039B35 2015-08-02 [expires: 2017-08-01]
      Key fingerprint = 8826 EBE8 FCF7 26EE 182E  23D7 79C4 3E62 0B03 9B35
uid                 [ultimate] Jens Reyer <jens.reyer@example.com>
sub   4096R/0x76F907F546510626 2015-08-02 [expires: 2017-08-01]


Add another subkey for signing, so that the master can be kept offline

Code:
$ gpg --edit-key 8826EBE8FCF726EE182E23D779C43E620B039B35
gpg (GnuPG) 1.4.19; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/0x79C43E620B039B35  created: 2015-08-02  expires: 2017-08-01  usage: SC  
                               trust: ultimate      validity: ultimate
sub  4096R/0x76F907F546510626  created: 2015-08-02  expires: 2017-08-01  usage: E   
[ultimate] (1). Jens Reyer <jens.reyer@example.com>

gpg> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Jens Reyer <jens.reyer@example.com>"
4096-bit RSA key, ID 0x79C43E620B039B35, created 2015-08-02

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Wed 02 Aug 2017 03:28:40 AM CEST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 187 more bytes)
......+++++
[...]

pub  4096R/0x79C43E620B039B35  created: 2015-08-02  expires: 2017-08-01  usage: SC  
                               trust: ultimate      validity: ultimate
sub  4096R/0x76F907F546510626  created: 2015-08-02  expires: 2017-08-01  usage: E   
sub  4096R/0x608412032B573076  created: 2015-08-03  expires: 2017-08-02  usage: S   
[ultimate] (1). Jens Reyer <jens.reyer@example.com>

gpg> save
Glossary:

Code:
PUBKEY_USAGE_SIG      S
PUBKEY_USAGE_CERT     C
PUBKEY_USAGE_ENC      E
PUBKEY_USAGE_AUTH     A

SEC Secret key
PUB Public key
SUB Subkey
SSB Secret subkey


Add another UID

Note: This works for the whole set of keys, even if you specify just the subkey for signing.

Code:
$ gpg --edit-key 76F907F546510626
gpg (GnuPG) 1.4.19; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/0x79C43E620B039B35  created: 2015-08-02  expires: 2017-08-01  usage: SC  
                               trust: ultimate      validity: ultimate
sub  4096R/0x76F907F546510626  created: 2015-08-02  expires: 2017-08-01  usage: E   
sub  4096R/0x608412032B573076  created: 2015-08-03  expires: 2017-08-02  usage: S   
[ultimate] (1). Jens Reyer <jens.reyer@example.com>

gpg> adduid
Real name: Jens Reyer
Email address: jre.winesim@example.com
Comment: 
You selected this USER-ID:
    "Jens Reyer <jre.winesim@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

You need a passphrase to unlock the secret key for
user: "Jens Reyer <jens.reyer@example.com>"
4096-bit RSA key, ID 0x79C43E620B039B35, created 2015-08-02


pub  4096R/0x79C43E620B039B35  created: 2015-08-02  expires: 2017-08-01  usage: SC  
                               trust: ultimate      validity: ultimate
sub  4096R/0x76F907F546510626  created: 2015-08-02  expires: 2017-08-01  usage: E   
sub  4096R/0x608412032B573076  created: 2015-08-03  expires: 2017-08-02  usage: S   
[ultimate] (1)  Jens Reyer <jens.reyer@example.com>
[ unknown] (2). Jens Reyer <jre.winesim@example.com>

gpg> save


Set primary UID

Code:
$ gpg --edit-key 79C43E620B039B35
gpg (GnuPG) 1.4.19; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/0x79C43E620B039B35  created: 2015-08-02  expires: 2017-08-01  usage: SC  
                               trust: ultimate      validity: ultimate
sub  4096R/0x76F907F546510626  created: 2015-08-02  expires: 2017-08-01  usage: E   
sub  4096R/0x608412032B573076  created: 2015-08-03  expires: 2017-08-02  usage: S   
[ultimate] (1). Jens Reyer <jreyer-guest@alioth.example.org>
[ultimate] (2)  Jens Reyer <jre.winesim@example.com>
[ultimate] (3)  Jens Reyer <jens.reyer@example.com>

gpg> uid 3

pub  4096R/0x79C43E620B039B35  created: 2015-08-02  expires: 2017-08-01  usage: SC  
                               trust: ultimate      validity: ultimate
sub  4096R/0x76F907F546510626  created: 2015-08-02  expires: 2017-08-01  usage: E   
sub  4096R/0x608412032B573076  created: 2015-08-03  expires: 2017-08-02  usage: S   
[ultimate] (1). Jens Reyer <jreyer-guest@alioth.example.org>
[ultimate] (2)  Jens Reyer <jre.winesim@example.com>
[ultimate] (3)* Jens Reyer <jens.reyer@example.com>

gpg> primary 

You need a passphrase to unlock the secret key for
user: "Jens Reyer <jreyer-guest@alioth.example.org>"
4096-bit RSA key, ID 0x79C43E620B039B35, created 2015-08-02


pub  4096R/0x79C43E620B039B35  created: 2015-08-02  expires: 2017-08-01  usage: SC  
                               trust: ultimate      validity: ultimate
sub  4096R/0x76F907F546510626  created: 2015-08-02  expires: 2017-08-01  usage: E   
sub  4096R/0x608412032B573076  created: 2015-08-03  expires: 2017-08-02  usage: S   
[ultimate] (1)  Jens Reyer <jreyer-guest@alioth.example.org>
[ultimate] (2)  Jens Reyer <jre.winesim@example.com>
[ultimate] (3)* Jens Reyer <jens.reyer@example.com>

gpg> save


Set a calendar event to remind you about your expiration date

I'll do it every year for a 2-year expiration.



Verify the quality of your new key

Code:
hkt export-pubkeys '8826 EBE8 FCF7 26EE 182E  23D7 79C4 3E62 0B03 9B35' | hokey lint


Generate a revocation certificate

Code:
gpg --output revoke.0B039B35.asc --gen-revoke '8826 EBE8 FCF7 26EE 182E  23D7 79C4 3E62 0B03 9B35'
... and store it offline, probably also printed to paper.



Keep your keyrings updated

Just install parcimonie. Notice the applet that shows the log of its permanent updates.



Backup


Variant 1: Your complete .gnupg (just unpack it and you are ready to go)

Note: this includes your master secretkey, so keep it at a very safe offline place.

Once you removed your secret master key from your computer (next chapter), your ~/.gnupg still contains your secret subkeys for signing and encryption. So you should be still quite careful with backuping it then.

Code:
umask 077; tar -cf $HOME/gnupg-backup.tar -C $HOME .gnupg

Variant 2: Make Exports

In this step especially the keyring with your master secretkey (secretkeys.gpg) is created. You need it once you've removed the master secret from your regular ~/.gnupg.

Note: this includes your master secretkey, so keep it at a very safe offline place.

Code:
# All public keys (you can always retrieve them from a keyserver,
# but that requires new care when inspecting them and the knowledge
# that you used exactly this key for e.g. years of verifying publicly
# sent messages. With other words: keep it!):
gpg --export > publickeys.gpg

# All secret keys (if you have several master keys).
# Subkeys are included automatically:
gpg --export-secret-keys > secretkeys.gpg

# All your trust settings:
gpg --export-ownertrust > ownertrust.export

Variant 3: Print to paper your ASCII armored secret key

Code:
# Only your new key (master and subkeys)
FINGERPRINT="8826 EBE8 FCF7 26EE 182E  23D7 79C4 3E62 0B03 9B35"
gpg --export-secret-key --armor "$FINGERPRINT" > secretkey.0B039B35.asc


Move master key offline and use it only for certification and administration

See https://wiki.debian.org/Subkeys. Parts from http://www.macfreek.nl/memory/Conver...eys_to_subkeys

Made a backup?

All of them?

Distributed them to safe places?

Ok ...


This is the copy you will later use for keysigning and other administrative tasks like changing the password or expiry date.

So you have a copy of your whole */.gnupg and an export of your master secretkey stored away safely. Let's rip the master secretkey from ~/.gnupg (the copy for everyday tasks):

Code:
FINGERPRINT="8826 EBE8 FCF7 26EE 182E  23D7 79C4 3E62 0B03 9B35"

# Export your secret subkeys (we will continue to use them)
gpg --export-secret-subkeys "$FINGERPRINT" > secretsubkeys.gpg

# Delete your master secretkey, including the secret subkeys
gpg --delete-secret-key "$FINGERPRINT"

# Import your secret subkeys and a dummy for your master key 
gpg --import secretsubkeys.gpg
If you try to use your master key now, you'll get an error:

Code:
gpg: secret key parts are not available
gpg: signing failed: Unusable secret key
Verify it worked. Note the "#" in "sec#" which implies that the master secretkey is missing:
Code:
$ gpg --list-secret-key "0B039B35"
sec#  4096R/0x79C43E620B039B35 2015-08-02 [expires: 2017-08-02]
      Key fingerprint = 8826 EBE8 FCF7 26EE 182E  23D7 79C4 3E62 0B03 9B35
uid                            Jens Reyer <jens.reyer@example.com>
uid                            Jens Reyer <jreyer-guest@alioth.example.org>
uid                            Jens Reyer <jre.winesim@example.com>
ssb   4096R/0x76F907F546510626 2015-08-02 [expires: 2017-08-01]
ssb   4096R/0x608412032B573076 2015-08-03 [expires: 2017-08-02]
To use my master key I just plug in my offline usb flashdrive with the master secretkey in secretkeys.gpg, that we created above.
Code:
sudo chown -R jens:jens /media/jens/JR_Important
export GNUPGHOME=/media/jens/JR_Important/.gnupg/
gpg --secret-keyring="/media/jens/JR_Important/secretkeys.gpg" ...
# Do certification/admin tasks
You may want to change the passwords of your secret subkeys.



Encrypt Communication with the keyserver pool (hkps)

Install "gnupg-curl".
Download the SKS Keyserver cerificate.
Save it e.g. to ~/.gnupg.
To verify e.g. go to file:///home/jens/.gnupg/ in Iceweasel (Firefox) and click on it. You'll be asked if you want to trust it, don't add it. Just examine/view it and compare it with this information.

Note: This certificate is valid until 2022-10-07.
Set a timer to remind you of getting a new certificate in time.

Adjust gpg.conf:
Code:
keyserver-options ca-cert-file=/home/jens/.gnupg/sks-keyservers.netCA.pem


Upload your key

Code:
gpg \
  --send-key '8826 EBE8 FCF7 26EE 182E  23D7 79C4 3E62 0B03 9B35'


Signing manually

Signing means that you certify that key X belongs to person Y who has control over the email address Z. So you sign a combination of X,Y,Z.
Signing a subkey signs the master key and all its subkeys. A UID consists of Y,Z. Instead of an email address this also might be a photo.

Signing manually works well to cross sign your new GPG key with your old key. For signing other people's keys use "caff" (see below).

Code:
$ gpg \
  --secret-keyring="/media/jens/JR_Important/secretkeys.gpg" \
  --default-key EAF9B4E3C0145138 \
  --sign-key 608412032B573076
pub  4096R/0x79C43E620B039B35  created: 2015-08-02  expires: 2017-08-01  usage: SC  
                               trust: ultimate      validity: ultimate
sub  4096R/0x76F907F546510626  created: 2015-08-02  expires: 2017-08-01  usage: E   
sub  4096R/0x608412032B573076  created: 2015-08-03  expires: 2017-08-02  usage: S   
[ultimate] (1). Jens Reyer <jre.winesim@example.com>
[ultimate] (2)  Jens Reyer <jens.reyer@example.com>

Really sign all user IDs? (y/N) y

pub  4096R/0x79C43E620B039B35  created: 2015-08-02  expires: 2017-08-01  usage: SC  
                               trust: ultimate      validity: ultimate
 Primary key fingerprint: 8826 EBE8 FCF7 26EE 182E  23D7 79C4 3E62 0B03 9B35

     Jens Reyer <jre.winesim@example.com>
     Jens Reyer <jens.reyer@example.com>

This key is due to expire on 2017-08-01.
Are you sure that you want to sign this key with your
key "jre-phoenix (moblock-deb maintainer) <jre-phoenix@users.example.net>" (0xEAF9B4E3C0145138)

Really sign? (y/N) y

You need a passphrase to unlock the secret key for
user: "jre-phoenix (moblock-deb maintainer) <jre-phoenix@users.example.net>"
2048-bit RSA key, ID 0xEAF9B4E3C0145138, created 2011-08-09
Verify the key signing:

Code:
$ sudo chown -R jens:jens /media/jens/JR_Important
$ gpg \
--secret-keyring="/media/jens/JR_Important/secretkeys.gpg" \
--edit-key 0x79C43E620B039B35
gpg (GnuPG) 1.4.19; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/0x79C43E620B039B35  created: 2015-08-02  expires: 2017-08-01  usage: SC  
                               trust: ultimate      validity: ultimate
sub  4096R/0x76F907F546510626  created: 2015-08-02  expires: 2017-08-01  usage: E   
sub  4096R/0x608412032B573076  created: 2015-08-03  expires: 2017-08-02  usage: S   
[ultimate] (1). Jens Reyer <jre.winesim@example.com>
[ultimate] (2)  Jens Reyer <jens.reyer@example.com>

gpg> check
uid  Jens Reyer <jre.winesim@example.com>
sig!3        0x79C43E620B039B35 2015-08-03  [self-signature]
sig!         0xEAF9B4E3C0145138 2015-08-03  jre-phoenix (moblock-deb maintainer)
uid  Jens Reyer <jens.reyer@example.com>
sig!3        0x79C43E620B039B35 2015-08-02  [self-signature]
sig!         0xEAF9B4E3C0145138 2015-08-03  jre-phoenix (moblock-deb maintainer)


Keysigning with caff

Use caff to sign other people's keys. Caff sends your signature for each UID (without the signatures for the other UIDs) separately to the mail address that is part of the UID. The mails are encrypted with the recipients public key. This ensures that only the person in control of the mail address (for which you gave your signature) can read the signature, but only if he is in control of the signed key. Caff doesn't upload your signatures to keyservers. So only the person in control of both the mail address and the key can make use of your signatures and publish them.

Photo signatures are attached to every signature of a mail-uid.


Setup:

https://wiki.debian.org/caff
Run "caff" once and then edit your ~/.caffrc

Check that these lines are set correctly/Add:
Code:
$CONFIG{'owner'} = 'Jens Reyer';
$CONFIG{'email'} = 'jens.reyer@example.com';
$CONFIG{'keyid'} = [ qw{79C43E620B039B35} ];
# Correct setting important if you use several keys:
$CONFIG{'local-user'} = [ qw{79C43E620B039B35} ];
# Use the offline secret-keyring:
$CONFIG{'secret-keyring'} = '/media/jens/JR_Important/secretkeys.gpg';
Use your hardened gpg.conf in caff:
Code:
ln -s ~/.gnupg/gpg.conf ~/.caff/gnupghome/gpg.conf
If you haven't done so already, you have to set up your system to send mails for you:
Code:
dpkg-reconfigure exim4-config
You may create a test key with a working email address and check if you receive the mail there.


Start signing

Code:
# Your secretkeys.gpg must be available and its basedir writable
sudo chown -R jens:jens /media/jens/JR_Important
gpg --recv-keys  '<fingerprint>'
# Use only keys already in your gpg keyring. Download missing keys separately,
# so that you have them in your regular gpg keyring.
caff --keys-from-gnupg -R '<fingerprint>'
Think twice about every single UID if you want to sign it.
Code:
Really sign all user IDs? (y/N)
Answering with NO leaves you on gpg's command prompt. Just enter the number of the UIDs that you want to sign, one by one. An "*" indicates which UIDs are marked. When you're done with your selection type "sign".

Later on "quit" and then confirm every single mail to be sent.
Watch them being sent:
Code:
tail -f /var/log/exim4/mainlog

Receiving signatures and uploading them

When you receive a signature, decrypt it and save it. Then run it through gpg --import. E.g.
Code:
cat *.asc | gpg --import
Then send the signatures to a keyserver, if you are ok with them being public. An upload is not revocable.
Code:
gpg   --send-key '8826 EBE8 FCF7 26EE 182E  23D7 79C4 3E62 0B03 9B35'
You can see the results, like everyone else from now on will be able to:
My key and uploaded signatures.
Stats for my key (updated about once a week).
Posted in Uncategorized
Views 2060 Comments 1
« Prev     Main     Next »
Total Comments 1

Comments

  1. Old Comment
    this is awesome
    Posted 09-24-2015 at 06:02 PM by vmccord vmccord is offline
 

  



All times are GMT -5. The time now is 05:05 AM.

Main Menu
Advertisement
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration