... | @@ -407,342 +407,14 @@ keys. See also [drduh's guide](https://github.com/drduh/YubiKey-Guide#change-pin |
... | @@ -407,342 +407,14 @@ keys. See also [drduh's guide](https://github.com/drduh/YubiKey-Guide#change-pin |
|
|
|
|
|
### key generation
|
|
### key generation
|
|
|
|
|
|
TODO: move this to howto/openpgp.md?
|
|
At this point, if you don't already have a key pair to put on the
|
|
|
|
YubiKey, you should generate a new OpenPGP key. Follow the procedure
|
|
Here we're generating a new OpenPGP key as we're transitioning from an
|
|
to [Generate a Curve25519 key](howto/openpgp#generate-a-curve25519-key).
|
|
old RSA4096 key. DO NOT follow those steps if you wish to keep your
|
|
|
|
old key, of course.
|
|
|
|
|
|
|
|
TODO: consider batch mode, see
|
|
|
|
https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
|
|
|
|
and https://github.com/drduh/YubiKey-Guide/blob/master/contrib/gen-params-rsa4096
|
|
|
|
|
|
|
|
TODO: talk about airgapped systems and tmpfs
|
|
|
|
|
|
|
|
TODO: talk about why not generating on the key
|
|
TODO: talk about why not generating on the key
|
|
|
|
|
|
Here we're going to generate an Elliptic Curve (ECC) key using the
|
|
If you are rotating keys, do not publish the revocation certificate
|
|
[Curve25519](https://en.wikipedia.org/wiki/Curve25519). That curve has been supported by OpenSSH [since 2014
|
|
for the old key just yet, in case the procedure below fails.
|
|
(6.5)](https://www.openssh.com/txt/release-6.5) and GnuPG [since 2021 (2.1)](https://gnupg.org/faq/whats-new-in-2.1.html) and is the de-facto standard
|
|
|
|
since the revelations surrounding possibly the [back-doored NIST
|
|
|
|
curves](https://en.wikipedia.org/wiki/Dual_EC_DRBG).
|
|
|
|
|
|
|
|
TODO: debunk EC concerns in [this gist](https://gist.github.com/xirkus/20552a9b026413cc84191131bbeeb48a) as we're not ecdsa, we're
|
|
|
|
ed25519. make this a separate rant?
|
|
|
|
|
|
|
|
This unfortunately (still) requires `--expert` mode unfortunately.
|
|
|
|
|
|
|
|
```
|
|
|
|
export GNUPGHOME=${XDG_RUNTIME_DIR:-/nonexistent}/.gnupg/
|
|
|
|
anarcat@angela:~[SIGINT]$ gpg --full-gen-key --expert
|
|
|
|
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
|
|
|
|
This is free software: you are free to change and redistribute it.
|
|
|
|
There is NO WARRANTY, to the extent permitted by law.
|
|
|
|
|
|
|
|
Please select what kind of key you want:
|
|
|
|
(1) RSA and RSA (default)
|
|
|
|
(2) DSA and Elgamal
|
|
|
|
(3) DSA (sign only)
|
|
|
|
(4) RSA (sign only)
|
|
|
|
(7) DSA (set your own capabilities)
|
|
|
|
(8) RSA (set your own capabilities)
|
|
|
|
(9) ECC and ECC
|
|
|
|
(10) ECC (sign only)
|
|
|
|
(11) ECC (set your own capabilities)
|
|
|
|
(13) Existing key
|
|
|
|
(14) Existing key from card
|
|
|
|
Your selection? 11
|
|
|
|
|
|
|
|
Possible actions for a ECDSA/EdDSA key: Sign Certify Authenticate
|
|
|
|
Current allowed actions: Sign Certify
|
|
|
|
|
|
|
|
(S) Toggle the sign capability
|
|
|
|
(A) Toggle the authenticate capability
|
|
|
|
(Q) Finished
|
|
|
|
|
|
|
|
Your selection? q
|
|
|
|
Please select which elliptic curve you want:
|
|
|
|
(1) Curve 25519
|
|
|
|
(3) NIST P-256
|
|
|
|
(4) NIST P-384
|
|
|
|
(5) NIST P-521
|
|
|
|
(6) Brainpool P-256
|
|
|
|
(7) Brainpool P-384
|
|
|
|
(8) Brainpool P-512
|
|
|
|
(9) secp256k1
|
|
|
|
Your selection? 1
|
|
|
|
Please specify how long the key should be valid.
|
|
|
|
0 = key does not expire
|
|
|
|
<n> = key expires in n days
|
|
|
|
<n>w = key expires in n weeks
|
|
|
|
<n>m = key expires in n months
|
|
|
|
<n>y = key expires in n years
|
|
|
|
Key is valid for? (0) 1y
|
|
|
|
Key expires at mer 29 mai 2024 15:27:14 EDT
|
|
|
|
Is this correct? (y/N) y
|
|
|
|
|
|
|
|
GnuPG needs to construct a user ID to identify your key.
|
|
|
|
|
|
|
|
Real name: Antoine Beaupré
|
|
|
|
Email address: anarcat@anarc.at
|
|
|
|
Comment:
|
|
|
|
You are using the 'utf-8' character set.
|
|
|
|
You selected this USER-ID:
|
|
|
|
"Antoine Beaupré <anarcat@anarc.at>"
|
|
|
|
|
|
|
|
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
|
|
|
|
We need to generate a lot of random bytes. It is a good idea to perform
|
|
|
|
some other action (type on the keyboard, move the mouse, utilize the
|
|
|
|
disks) during the prime generation; this gives the random number
|
|
|
|
generator a better chance to gain enough entropy.
|
|
|
|
gpg: directory '/home/anarcat/.gnupg/openpgp-revocs.d' created
|
|
|
|
gpg: revocation certificate stored as '/home/anarcat/.gnupg/openpgp-revocs.d/D0D396D08E761095E2910413DDE8A0D1D4CFEE10.rev'
|
|
|
|
public and secret key created and signed.
|
|
|
|
|
|
|
|
pub ed25519/DDE8A0D1D4CFEE10 2023-05-30 [SC] [expires: 2024-05-29]
|
|
|
|
D0D396D08E761095E2910413DDE8A0D1D4CFEE10
|
|
|
|
uid Antoine Beaupré <anarcat@anarc.at>
|
|
|
|
|
|
|
|
anarcat@angela:~$
|
|
|
|
```
|
|
|
|
|
|
|
|
Let's put this fingerprint aside, as we'll be using it over and over again:
|
|
|
|
|
|
|
|
FINGERPRINT=D0D396D08E761095E2910413DDE8A0D1D4CFEE10
|
|
|
|
|
|
|
|
Let's look at this key:
|
|
|
|
|
|
|
|
anarcat@angela:~$ gpg --edit-key $FINGERPRINT
|
|
|
|
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
|
|
|
|
This is free software: you are free to change and redistribute it.
|
|
|
|
There is NO WARRANTY, to the extent permitted by law.
|
|
|
|
|
|
|
|
Secret key is available.
|
|
|
|
|
|
|
|
gpg: checking the trustdb
|
|
|
|
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
|
|
|
|
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
|
|
|
|
gpg: next trustdb check due at 2024-05-29
|
|
|
|
sec ed25519/02293A6FA4E53473
|
|
|
|
created: 2023-05-30 expires: 2024-05-29 usage: SC
|
|
|
|
trust: ultimate validity: ultimate
|
|
|
|
ssb cv25519/0E1C0B264FC7ADEA
|
|
|
|
created: 2023-05-30 expires: 2024-05-29 usage: E
|
|
|
|
[ultimate] (1). Antoine Beaupré <anarcat@anarc.at>
|
|
|
|
|
|
|
|
gpg>
|
|
|
|
|
|
|
|
As we can see, this created two key pairs:
|
|
|
|
|
|
|
|
1. "primary key" which is a public/private key with the `S` (Signing)
|
|
|
|
and `C` (Certification) purposes. that key can be used to sign
|
|
|
|
messages, certify other keys, new identities, and subkeys
|
|
|
|
|
|
|
|
2. an `E` (encryption) "sub-key" pair which is used to encrypt and decrypt
|
|
|
|
messages
|
|
|
|
|
|
|
|
Note that the encryption key expires here, which is an annoying
|
|
|
|
feature. You can delete the key and recreate it this way:
|
|
|
|
|
|
|
|
```
|
|
|
|
anarcat@angela:~[SIGINT]$ gpg --expert --edit-key $FINGERPRINT
|
|
|
|
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
|
|
|
|
This is free software: you are free to change and redistribute it.
|
|
|
|
There is NO WARRANTY, to the extent permitted by law.
|
|
|
|
|
|
|
|
Secret key is available.
|
|
|
|
|
|
|
|
sec ed25519/02293A6FA4E53473
|
|
|
|
created: 2023-05-30 expires: 2024-05-29 usage: SC
|
|
|
|
trust: ultimate validity: ultimate
|
|
|
|
ssb cv25519/0E1C0B264FC7ADEA
|
|
|
|
created: 2023-05-30 expires: 2024-05-29 usage: E
|
|
|
|
[ultimate] (1). Antoine Beaupré <anarcat@anarc.at>
|
|
|
|
|
|
|
|
gpg> addkey
|
|
|
|
Please select what kind of key you want:
|
|
|
|
(3) DSA (sign only)
|
|
|
|
(4) RSA (sign only)
|
|
|
|
(5) Elgamal (encrypt only)
|
|
|
|
(6) RSA (encrypt only)
|
|
|
|
(7) DSA (set your own capabilities)
|
|
|
|
(8) RSA (set your own capabilities)
|
|
|
|
(10) ECC (sign only)
|
|
|
|
(11) ECC (set your own capabilities)
|
|
|
|
(12) ECC (encrypt only)
|
|
|
|
(13) Existing key
|
|
|
|
(14) Existing key from card
|
|
|
|
Your selection? 12
|
|
|
|
Please select which elliptic curve you want:
|
|
|
|
(1) Curve 25519
|
|
|
|
(3) NIST P-256
|
|
|
|
(4) NIST P-384
|
|
|
|
(5) NIST P-521
|
|
|
|
(6) Brainpool P-256
|
|
|
|
(7) Brainpool P-384
|
|
|
|
(8) Brainpool P-512
|
|
|
|
(9) secp256k1
|
|
|
|
Your selection? 1
|
|
|
|
Please specify how long the key should be valid.
|
|
|
|
0 = key does not expire
|
|
|
|
<n> = key expires in n days
|
|
|
|
<n>w = key expires in n weeks
|
|
|
|
<n>m = key expires in n months
|
|
|
|
<n>y = key expires in n years
|
|
|
|
Key is valid for? (0)
|
|
|
|
Key does not expire at all
|
|
|
|
Is this correct? (y/N) y
|
|
|
|
Really create? (y/N) y
|
|
|
|
We need to generate a lot of random bytes. It is a good idea to perform
|
|
|
|
some other action (type on the keyboard, move the mouse, utilize the
|
|
|
|
disks) during the prime generation; this gives the random number
|
|
|
|
generator a better chance to gain enough entropy.
|
|
|
|
|
|
|
|
sec ed25519/02293A6FA4E53473
|
|
|
|
created: 2023-05-30 expires: 2024-05-29 usage: SC
|
|
|
|
trust: ultimate validity: ultimate
|
|
|
|
ssb cv25519/0E1C0B264FC7ADEA
|
|
|
|
created: 2023-05-30 expires: 2024-05-29 usage: E
|
|
|
|
ssb cv25519/9456BA69685EAFFB
|
|
|
|
created: 2023-05-30 expires: never usage: E
|
|
|
|
[ultimate] (1). Antoine Beaupré <anarcat@anarc.at>
|
|
|
|
|
|
|
|
gpg> key 1
|
|
|
|
|
|
|
|
sec ed25519/02293A6FA4E53473
|
|
|
|
created: 2023-05-30 expires: 2024-05-29 usage: SC
|
|
|
|
trust: ultimate validity: ultimate
|
|
|
|
ssb* cv25519/0E1C0B264FC7ADEA
|
|
|
|
created: 2023-05-30 expires: 2024-05-29 usage: E
|
|
|
|
ssb cv25519/9456BA69685EAFFB
|
|
|
|
created: 2023-05-30 expires: never usage: E
|
|
|
|
[ultimate] (1). Antoine Beaupré <anarcat@anarc.at>
|
|
|
|
|
|
|
|
gpg> delkey
|
|
|
|
Do you really want to delete this key? (y/N) y
|
|
|
|
|
|
|
|
sec ed25519/02293A6FA4E53473
|
|
|
|
created: 2023-05-30 expires: 2024-05-29 usage: SC
|
|
|
|
trust: ultimate validity: ultimate
|
|
|
|
ssb cv25519/9456BA69685EAFFB
|
|
|
|
created: 2023-05-30 expires: never usage: E
|
|
|
|
[ultimate] (1). Antoine Beaupré <anarcat@anarc.at>
|
|
|
|
```
|
|
|
|
|
|
|
|
We'll also add a third key here, which is an `A` (Authentication) key,
|
|
|
|
which will be used for SSH authentication:
|
|
|
|
|
|
|
|
```
|
|
|
|
gpg> addkey
|
|
|
|
Please select what kind of key you want:
|
|
|
|
(3) DSA (sign only)
|
|
|
|
(4) RSA (sign only)
|
|
|
|
(5) Elgamal (encrypt only)
|
|
|
|
(6) RSA (encrypt only)
|
|
|
|
(7) DSA (set your own capabilities)
|
|
|
|
(8) RSA (set your own capabilities)
|
|
|
|
(10) ECC (sign only)
|
|
|
|
(11) ECC (set your own capabilities)
|
|
|
|
(12) ECC (encrypt only)
|
|
|
|
(13) Existing key
|
|
|
|
(14) Existing key from card
|
|
|
|
Your selection? 11
|
|
|
|
|
|
|
|
Possible actions for a ECDSA/EdDSA key: Sign Authenticate
|
|
|
|
Current allowed actions: Sign
|
|
|
|
|
|
|
|
(S) Toggle the sign capability
|
|
|
|
(A) Toggle the authenticate capability
|
|
|
|
(Q) Finished
|
|
|
|
|
|
|
|
Your selection? a
|
|
|
|
|
|
|
|
Possible actions for a ECDSA/EdDSA key: Sign Authenticate
|
|
|
|
Current allowed actions: Sign Authenticate
|
|
|
|
|
|
|
|
(S) Toggle the sign capability
|
|
|
|
(A) Toggle the authenticate capability
|
|
|
|
(Q) Finished
|
|
|
|
|
|
|
|
Your selection? s
|
|
|
|
|
|
|
|
Possible actions for a ECDSA/EdDSA key: Sign Authenticate
|
|
|
|
Current allowed actions: Authenticate
|
|
|
|
|
|
|
|
(S) Toggle the sign capability
|
|
|
|
(A) Toggle the authenticate capability
|
|
|
|
(Q) Finished
|
|
|
|
|
|
|
|
Your selection? q
|
|
|
|
Please select which elliptic curve you want:
|
|
|
|
(1) Curve 25519
|
|
|
|
(3) NIST P-256
|
|
|
|
(4) NIST P-384
|
|
|
|
(5) NIST P-521
|
|
|
|
(6) Brainpool P-256
|
|
|
|
(7) Brainpool P-384
|
|
|
|
(8) Brainpool P-512
|
|
|
|
(9) secp256k1
|
|
|
|
Your selection? 1
|
|
|
|
Please specify how long the key should be valid.
|
|
|
|
0 = key does not expire
|
|
|
|
<n> = key expires in n days
|
|
|
|
<n>w = key expires in n weeks
|
|
|
|
<n>m = key expires in n months
|
|
|
|
<n>y = key expires in n years
|
|
|
|
Key is valid for? (0)
|
|
|
|
Key does not expire at all
|
|
|
|
Is this correct? (y/N) y
|
|
|
|
Really create? (y/N) y
|
|
|
|
We need to generate a lot of random bytes. It is a good idea to perform
|
|
|
|
some other action (type on the keyboard, move the mouse, utilize the
|
|
|
|
disks) during the prime generation; this gives the random number
|
|
|
|
generator a better chance to gain enough entropy.
|
|
|
|
|
|
|
|
sec ed25519/02293A6FA4E53473
|
|
|
|
created: 2023-05-30 expires: 2024-05-29 usage: SC
|
|
|
|
trust: ultimate validity: ultimate
|
|
|
|
ssb cv25519/9456BA69685EAFFB
|
|
|
|
created: 2023-05-30 expires: never usage: E
|
|
|
|
ssb ed25519/9FF21704D101630D
|
|
|
|
created: 2023-05-30 expires: never usage: A
|
|
|
|
[ultimate] (1)* Antoine Beaupré <anarcat@anarc.at>
|
|
|
|
```
|
|
|
|
|
|
|
|
TODO: talk about expiration dates, see also [drduh's note #3 on this](https://github.com/drduh/YubiKey-Guide#notes)
|
|
|
|
|
|
|
|
TODO: talk about using a SC key and why
|
|
|
|
|
|
|
|
At this point, you should have a functional and valid set of OpenPGP
|
|
|
|
certificates! It's a good idea to check the key with with `hokey
|
|
|
|
lint`, from [hopenpgp-tools](https://salsa.debian.org/clint/hopenpgp-tools):
|
|
|
|
|
|
|
|
gpg --export $FINGERPRINT | hokey lint
|
|
|
|
|
|
|
|
Following the above guide, I ended up with a key that is all green
|
|
|
|
except for the authentication key having `False` in `embedded
|
|
|
|
cross-cert`. According to [drduh's guide](https://github.com/drduh/YubiKey-Guide#verify), that doesn't matter:
|
|
|
|
|
|
|
|
> hokey may warn (orange text) about cross certification for the
|
|
|
|
> authentication key. GPG's [Signing Subkey Cross-Certification](https://gnupg.org/faq/subkey-cross-certify.html)
|
|
|
|
> documentation has more detail on cross certification, and gpg v2.2.1
|
|
|
|
> notes "subkey does not sign and so does not need to be
|
|
|
|
> cross-certified".
|
|
|
|
|
|
|
|
When you are confident the new key can be put in use, sign the the new
|
|
|
|
key with old key:
|
|
|
|
|
|
|
|
gpg --default-key $OLDKEY --sign-key $FINGERPRINT
|
|
|
|
|
|
|
|
And revoke the old key:
|
|
|
|
|
|
|
|
gpg --generate-revocation $OLDKEY
|
|
|
|
|
|
|
|
Do not publish the revocation certificate just yet, in case the
|
|
|
|
procedure fails.
|
|
|
|
|
|
|
|
TODO: Generate a revocation cert for the new key as well, talk about
|
|
|
|
printing and OCR?
|
|
|
|
|
|
|
|
### export to backup
|
|
### export to backup
|
|
|
|
|
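Review bot: The 14 lines that replace the key generation walkthrough no longer set `FINGERPRINT`, which the removed text introduced with "Let's put this fingerprint aside, as we'll be using it over and over again", so any later command on this page that expands `$FINGERPRINT` has nothing to expand unless the reader carries the variable over from howto/openpgp. Suggest adding a line after the "Generate a Curve25519 key" link telling the reader to set `FINGERPRINT` to the new key's fingerprint before continuing. The new rotation sentence also refers to "the revocation certificate for the old key" while the step that produced it (`gpg --generate-revocation $OLDKEY`) is removed here; say where that step now lives. Of the removed TODOs, only "why not generating on the key" is kept, so confirm that the ones on batch mode, airgapped systems and tmpfs, expiration dates and the SC key were carried over to howto/openpgp rather than dropped.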
... | @@ -977,6 +649,11 @@ example: |
... | @@ -977,6 +649,11 @@ example: |
|
|
|
|
|
The default is to not require touch confirmations.
|
|
The default is to not require touch confirmations.
|
|
|
|
|
|
|
|
Do note that touch confirmation is a little counter-intuitive: the
|
|
|
|
operation (sign, authenticate, decrypt) will hang without warning
|
|
|
|
until the button is touched. The only indication is the blinking LED,
|
|
|
|
there's no other warning from the user interface.
|
|
|
|
|
|
#### troubleshooting
|
|
#### troubleshooting
|
|
|
|
|
|
if this fails, check if GnuPG can see the card with:
|
|
if this fails, check if GnuPG can see the card with:
|
... | | ... | |
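Review bot: The added paragraph says the operation "will hang without warning until the button is touched" but not what the user sees if the button is never touched, and it sits directly above the troubleshooting section whose first step is "if this fails, check if GnuPG can see the card", so a reader cannot tell a pending touch from a card that is not detected. Suggest one more sentence stating how the operation ends when no touch arrives, and that a blinking LED means the card was found and is waiting. Minor wording: "warning" appears twice and the last sentence is a comma splice; "The only indication is the blinking LED; the user interface shows nothing." reads cleaner.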