Saptak's Blog

Do not fear, Tumpa is here


Posted: 2021-01-03T18:18:08+05:30 | Source | Tags: desktop app OpenPGP tumpa yubikey

Anyone who has ever created an OpenPGP key knows that it is a terrifying day in their life. Be it someone skilled in computers, or someone who just cares about their privacy, creating OpenPGP key is a fearsome incident. Add moving all subkeys properly to yubikey along with managing all passphrases, and the terror just increases manifold.

Well, do not fear, Tumpa is here.

Tumpa loves GUI

For most journalists, lawyers, activists, or anyone who wants to have secure communication, OpenPGP key is a great way to send and receive encrypted messages. But most people dread a black terminal (or command line) with some text menu. That's the only way to probably create OpenPGP keys and transfer them to a smartcard (e.g, Yubikey) till now. So, when Kushal showed me johnnycanencrypt, his python library for various OpenPGP key based operations, we had this idea that it would be simply amazing if we can provide a Graphical User Interface (GUI) for people to create keys and transfer their keys to yubikey.

Being a digital security trainer, I can vouch that most journalists, lawyers, activists and anyone who doesn't sit in front of a terminal all day would rather have a desktop application to click a few buttons, fill up a few forms, and get their result, rather than typing command after command in a black screen.

And that's exactly what Tumpa does!

Tumpa provides a simple form where you need to add your name, all emails that you want to associate with your OpenPGP key, a passphrase for your OpenPGP key, click on the big "Generate" button, and boom!

That's it!

You have your OpenPGP key with proper subkeys and everything!

Demo of generating a key and transferring to yubikey

Well, what about transferring the key to the smart card? Just plug your Yubikey, click on the big "Upload to SmartCard" button, add the necessary passphrases, and done!

You have your key transferred to a physical key!

Tumpa helps you stay sane

Usually, a training session to teach someone to create OpenPGP key properly and transferring everything properly to a smartcard like yubikey takes about 3-4 hours. And after such a session, usually, everyone loses a bit of their sanity in the process.

The first time I and Kushal got the first draft working and went through the entire flow, we were both positively surprised and probably laughing hysterically (thanks Anwesha for tolerating us for the last few days).

Tumpa optimistically reduces work which you would take hours, into a few minutes. And also lets everyone keep their sanity. Most of the operations that would need you to type a lot of commands and understand some command-line options, can be achieved by a few clicks.

You can download the .deb package from the release page.

Then, install using dpkg -i ./tumpa_0.1.0+buster+nmu1_all.deb, preferrably on an airgapped computer inside of Tails.

Tumpa is still a work in progress

Tumpa is at a very early stage of development. We have tried to make Tumpa feature complete to the most necessary ones and make the initial release. But there's still a lot of work left to be done.

We want to make Tumpa even easier to use for people who don't want to get into all the intricacies of OpenPGP key while giving more advanced options to the more experimental and curious users.

Right now, Tumpa uses Curve25519 to create keys and subkeys with an expiration date of 3 years. We want to give options to possibly select these based on a user's need in case they really care and want to change things are. There are many such customizations and also simplifications that we will slowly add in the next releases trying to improve the entire user experience even more.

Tumpa needs feedback

We have started conducting user interviews. We would really love more people to do usability studies with a varied group of technologists, lawyers, journalists, activists, or anyone interested, to improve the UX manifold.

The UI, for now, is very simple and probably not the best. So we can definitely use any feedback or suggestions.

We are available on #tumpa channel on Freenode. Feel free to drop by with all your comments.

Also, read Kushal's release blog on Tumpa to know more about installation and packaging.