Difference between revisions of "GnuPG"
Revision as of 23:45, 4 February 2016
These are personal notes from when I decided in 2016 to generate a new key as a transition from my previous one (from 2002!).
Daily subkeys are stored on a Yubikey NEO-n and the master key is stored offline.
Resources
The steps I followed, which I describe only very briefly here (more as a reminder of how I combined them), came from these excellent resources:
- https://help.riseup.net/en/security/message-security/openpgp/best-practices
- http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/
- https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/
gpg.conf
The first step was to refresh my gpg.conf a little.
See https://github.com/ioerror/duraconf/raw/master/configs/gnupg/gpg.conf for a commented gpg.conf and https://help.riseup.net/en/security/message-security/openpgp/best-practices for the reasoning behind it.
no-emit-version
no-comments
keyid-format 0xlong
with-fingerprint
list-options show-uid-validity
verify-options show-uid-validity
use-agent
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/home/phil/.gnupg/keyservers/sks-keyservers.netCA.pem
keyserver-options no-try-dns-srv
keyserver-options no-honor-keyserver-url
keyserver-options include-revoked
personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
Some more of my own:
no-greeting
keyserver-options auto-key-retrieve honor-http-proxy
list-options show-policy-urls show-notations show-keyserver-urls show-uid-validity show-unusable-uids show-unusable-subkeys show-sig-expire
verify-options show-photos show-policy-urls show-notations show-keyserver-urls show-uid-validity show-unusable-uids
utf8-strings
ask-cert-level
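As an added example, not from the original notes: a small POSIX shell audit that reports which of the hardening options listed above are absent from a gpg.conf. The required-option list mirrors the options on this page; the two sample configs are constructed for the demo.

```shell
#!/bin/sh
# Audit a gpg.conf for the hardening options listed on this page.
# Added example, not from the original notes: REQUIRED mirrors the options
# above; the two sample configs below are constructed for the demo.

REQUIRED='no-emit-version
no-comments
keyid-format 0xlong
with-fingerprint
use-agent
personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512'

# gpgconf_normalise FILE
# Prints FILE with comment lines removed, leading/trailing whitespace trimmed
# and runs of whitespace collapsed, so "keyid-format   0xlong" compares equal
# to "keyid-format 0xlong". Empty lines are dropped.
gpgconf_normalise() {
    sed -e '/^[[:space:]]*#/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]\{1,\}/ /g' "$1" | grep -v '^$' || true
}

# gpgconf_missing FILE
# Prints "missing: <option line>" for every REQUIRED line absent from FILE.
# A weakened value (e.g. "cert-digest-algo SHA1") shows up as the SHA512
# line being missing, because the comparison is on the whole option line.
gpgconf_missing() {
    _norm=$(gpgconf_normalise "$1")
    printf '%s\n' "$REQUIRED" | while IFS= read -r _want; do
        if ! printf '%s\n' "$_norm" | grep -qxF -- "$_want"; then
            echo "missing: $_want"
        fi
    done
}

# gpgconf_ok FILE: exit status 0 only when nothing is missing.
gpgconf_ok() {
    [ -z "$(gpgconf_missing "$1")" ]
}

# --- constructed sample configs (not from the page) ---
WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

cat > "$WEAK_CONF" <<'EOF'
# a minimal config that still certifies with SHA1
keyid-format 0xlong
use-agent
cert-digest-algo SHA1
EOF

cat > "$HARD_CONF" <<'EOF'
no-emit-version
no-comments
# extra whitespace between option and value is tolerated by the audit
keyid-format    0xlong
with-fingerprint
use-agent
personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512
EOF

echo "== weak config =="
gpgconf_missing "$WEAK_CONF"
echo "== hardened config =="
gpgconf_ok "$HARD_CONF" && echo "hardened config: OK"
```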
Offline storage
Digressing a little bit...
I chose an old SD card to store the master key offline, but it required a little bit of maintenance because it wasn't mounting automatically:
Making sure the partition table was OK:
$ sudo fdisk /dev/mmcblk0
Checking FS signatures:
$ sudo wipefs /dev/mmcblk0p1
There was still a mix of FAT and ext2 signatures, so deleting the ext2 signature based on the returned offset:
$ sudo wipefs -o 0x438 /dev/mmcblk0p1
Formatting:
$ sudo mkfs.vfat /dev/mmcblk0p1
$ sudo fatlabel /dev/mmcblk0p1 GNUPG
Reinserting it so it gets mounted automatically, then:
$ cp ~/.gnupg/gpg.conf /media/phil/GNUPG
$ sudo mount --bind /media/phil/GNUPG ~/.gnupg
Entropy
Creating large keys requires a lot of entropy.
I like haveged for that:
$ sudo apt-get install haveged
Creating main key
The idea, following https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/, is to keep the main key completely offline, so that if the Yubikey is lost there is still some hope.
$ gpg --expert --gen-key
Please select what kind of key you want:
   (8) RSA (set your own capabilities)
Your selection? 8
Current allowed actions: Sign Certify Encrypt
Your selection? s
Your selection? e
Current allowed actions: Certify
Your selection? q
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Key is valid for? (0) 2y
Is this correct? (y/N) y
Real name: Philippe Teuwen
Email address: phil@teuwen.org
Comment:
You selected this USER-ID:
    "Philippe Teuwen <phil@teuwen.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: key 0x9B554C36544C89BC marked as ultimately trusted
public and secret key created and signed.
Creating revocation certificate
$ gpg --gen-revoke 9B554C36544C89BC > /media/phil/GNUPG/rev-phil_teuwen.org_2016
sec 4096R/0x9B554C36544C89BC 2016-02-04 Philippe Teuwen <phil@teuwen.org>
Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  3 = Key is no longer used
Your decision? 3
Enter an optional description; end it with an empty line:
>Using revocation certificate that was generated when key was created.
>It is very likely that I have lost access to the private key.
>
Reason for revocation: Key is no longer used
Using revocation certificate that was generated when key was created. It is very likely that I have lost access to the private key.
Is this okay? (y/N) y
Then printing it on paper.
Creating Encryption subkey
The idea, following https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/, is to create the encryption key outside the Yubikey and then import it, so that it can be imported into several Yubikeys.
$ gpg --edit-key 9B554C36544C89BC
gpg> addkey
Please select what kind of key you want:
   (6) RSA (encrypt only)
Your selection? 6
What keysize do you want? (2048) 2048
Please specify how long the key should be valid.
Key is valid for? (0) 2y
Is this correct? (y/N) y
Really create? (y/N) y
pub 4096R/0x9B554C36544C89BC created: 2016-02-04 expires: 2018-02-03 usage: C
    trust: ultimate validity: ultimate
sub 2048R/0x47B68B62B62C8F88 created: 2016-02-04 expires: 2018-02-03 usage: E
[ultimate] (1). Philippe Teuwen <phil@teuwen.org>
gpg> save
Just to be sure
$ gpg --export-secret-key 9B554C36544C89BC > /media/phil/GNUPG/9B554C36544C89BC-2016-02-04-47B68B62B62C8F88-secret.pgp
$ gpg --delete-secret-key 9B554C36544C89BC
$ gpg --import < /media/phil/GNUPG/9B554C36544C89BC-2016-02-04-47B68B62B62C8F88-secret.pgp
Yubikey
$ sudo apt-get install yubikey-personalization ykneomgr
$ wget https://raw.githubusercontent.com/Yubico/yubikey-personalization/master/69-yubikey.rules
$ wget https://raw.githubusercontent.com/Yubico/yubikey-personalization/master/70-yubikey.rules
$ sudo mv *rules /etc/udev/rules.d/
$ sudo chown root.root /etc/udev/rules.d/*yubikey.rules
Insert the Yubikey NEO-n:
$ ykinfo -a
To keep the possibility of using all modes simultaneously:
$ ykpersonalize -m86
Firmware version 3.3.0 Touch level 1285 Program sequence 1
The USB mode will be set to: 0x86
Commit? (y/n) [n]: y
Creating Signature and Authentication subkeys
Yes, the default admin PIN is 12345678 and the default user PIN is 123456.
We'll change them later.
$ gpg --edit-key 9B554C36544C89BC
gpg> addcardkey
Please select the type of key to generate:
   (1) Signature key
Your selection? 1
Enter Admin PIN: 12345678
Enter PIN: 123456
Please specify how long the key should be valid.
Key is valid for? (0) 2y
Is this correct? (y/N) y
Really create? (y/N) y
pub 4096R/0x9B554C36544C89BC created: 2016-02-04 expires: 2018-02-03 usage: C
    trust: ultimate validity: ultimate
sub 2048R/0x47B68B62B62C8F88 created: 2016-02-04 expires: 2018-02-03 usage: E
sub 2048R/0xAEBAADBEE208E2DD created: 2016-02-04 expires: 2018-02-03 usage: S
[ultimate] (1). Philippe Teuwen <phil@teuwen.org>

gpg> addcardkey
Please select the type of key to generate:
   (3) Authentication key
Your selection? 3
Please specify how long the key should be valid.
Key is valid for? (0) 2y
Is this correct? (y/N) y
Really create? (y/N) y
pub 4096R/0x9B554C36544C89BC created: 2016-02-04 expires: 2018-02-03 usage: C
    trust: ultimate validity: ultimate
sub 2048R/0x47B68B62B62C8F88 created: 2016-02-04 expires: 2018-02-03 usage: E
sub 2048R/0xAEBAADBEE208E2DD created: 2016-02-04 expires: 2018-02-03 usage: S
sub 2048R/0xE5151B7FDCA95A14 created: 2016-02-04 expires: 2018-02-03 usage: A
[ultimate] (1). Philippe Teuwen <phil@teuwen.org>
Ready to import Encryption subkey?
At this point we should import the encryption key into the Yubikey, but I got an error:
gpg: error writing key to card: not supported
Some say to use keyParser.py (https://github.com/Yubico/ykneo-openpgp/tree/master/util), but I found out that gpg2 works. gpg could work directly with the card (except for keytocard, obviously), but gpg2 needs scdaemon for that:
$ sudo apt-get install gnupg2 scdaemon
Yet another quirk: gnupg gave some warnings about locking on FAT, but gnupg2 just refuses to use FAT, so I added this to the gpg.conf on the SD card:
# allow linux to write to FAT disks
lock-never
Encryption key to Yubikey
$ gpg2 --edit-key 9B554C36544C89BC
gpg> toggle
gpg> key 1
sec 4096R/0x9B554C36544C89BC created: 2016-02-04 expires: 2018-02-03
ssb* 2048R/0x47B68B62B62C8F88 created: 2016-02-04 expires: never
ssb 2048R/0xAEBAADBEE208E2DD created: 2016-02-04 expires: never
    card-no: 0006 03037217
ssb 2048R/0xE5151B7FDCA95A14 created: 2016-02-04 expires: never
    card-no: 0006 03037217
(1) Philippe Teuwen <phil@teuwen.org>
gpg> keytocard
Please select where to store the key:
   (2) Encryption key
Your selection? 2
gpg> save
Adding UID and photo
Choose a 240x288 picture, strongly compressed (I chose JPEG quality 20), to obtain a size < 5 kB.
$ gpg2 --edit-key 9B554C36544C89BC
gpg> adduid
Real name: Philippe Teuwen
Email address: pteuwen@quarkslab.com
Comment:
You selected this USER-ID:
    "Philippe Teuwen <pteuwen@quarkslab.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

gpg> addphoto
Enter JPEG filename for photo ID: ~/phil20.jpg
pub 4096R/0x9B554C36544C89BC created: 2016-02-04 expires: 2018-02-03 usage: C
    trust: ultimate validity: ultimate
sub 2048R/0x47B68B62B62C8F88 created: 2016-02-04 expires: 2018-02-03 usage: E
sub 2048R/0xAEBAADBEE208E2DD created: 2016-02-04 expires: 2018-02-03 usage: S
sub 2048R/0xE5151B7FDCA95A14 created: 2016-02-04 expires: 2018-02-03 usage: A
[ultimate] (1) Philippe Teuwen <phil@teuwen.org>
[ unknown] (2). Philippe Teuwen <pteuwen@quarkslab.com>
[ unknown] (3) [jpeg image of size 4266]

gpg> uid 1
gpg> primary
gpg> save
Almost there
Exporting the key:
$ gpg --armor --export 9B554C36544C89BC > /media/phil/GNUPG/9B554C36544C89BC.asc
And pushing it to http://www.yobi.be/files/9B554C36544C89BC.asc

Back to the daily .gnupg:
$ sudo umount ~/.gnupg
Changing the default PINs:
$ gpg --card-edit
gpg/card> admin
Admin commands are allowed
gpg/card> passwd
gpg: OpenPGP card no. D2760001240102000006030372170000 detected
1 - change PIN
Your selection? 1
Please enter the PIN
123456
New PIN
...
New PIN
...
PIN changed.

3 - change Admin PIN
Your selection? 3
gpg: 3 Admin PIN attempts remaining before card is permanently locked
Please enter the Admin PIN
12345678
New Admin PIN
...
New Admin PIN
...
PIN changed.

Q - quit
Your selection? q

gpg/card> forcesig
gpg/card> url
URL to retrieve public key: http://www.yobi.be/files/9B554C36544C89BC.asc

gpg/card> fetch
gpg: requesting key 0xAEBAADBEE208E2DD from http server www.yobi.be

gpg/card> quit

$ gpg --card-status
Application ID ...: D2760001240102000006030372170000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: xxxxxxxxx
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : http://www.yobi.be/files/9B554C36544C89BC.asc
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 2
Signature key ....: 67E1 AAA2 46D7 9037 7671 BAD5 AEBA ADBE E208 E2DD
      created ....: 2016-02-04 10:56:03
Encryption key....: 55A5 1FF1 F45A A846 EC12 A5D4 47B6 8B62 B62C 8F88
      created ....: 2016-02-04 10:26:52
Authentication key: 93FE E3BA 0F4D 4461 19E8 1CBE E515 1B7F DCA9 5A14
      created ....: 2016-02-04 10:57:35
General key info..:
pub 2048R/0xAEBAADBEE208E2DD 2016-02-04 Philippe Teuwen <phil@teuwen.org>
sec# 4096R/0x9B554C36544C89BC created: 2016-02-04 expires: 2018-02-03
ssb> 2048R/0x47B68B62B62C8F88 created: 2016-02-04 expires: 2018-02-03
    card-no: 0006 03037217
ssb> 2048R/0xAEBAADBEE208E2DD created: 2016-02-04 expires: 2018-02-03
    card-no: 0006 03037217
ssb> 2048R/0xE5151B7FDCA95A14 created: 2016-02-04 expires: 2018-02-03
    card-no: 0006 03037217
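As an added example, not from the original notes: a POSIX shell script that checks a saved gpg --card-status output for the properties this setup is meant to end with, namely the master key absent from the daily keyring (sec#), every subkey living on the card (ssb>), all three card slots filled, and untouched PIN retry counters. The sample is a constructed copy of the status output above, plus a deliberately damaged variant so the checks have something to catch.

```shell
#!/bin/sh
# Checks over saved "gpg --card-status" output for the setup on this page:
# master key absent from the daily keyring ("sec#"), all subkeys on the card
# ("ssb>"), three filled card slots and untouched PIN retry counters.
# Added example, not from the original notes. SAMPLE_OK is a constructed copy
# of the status shown above; SAMPLE_BAD is the same output deliberately
# damaged to show what the checks catch.

# card_pin_retries FILE -> "PIN ResetCode AdminPIN" retry counters, e.g. "3 3 3"
card_pin_retries() {
    sed -n 's/^PIN retry counter *: *//p' "$1"
}

# card_sig_forced FILE -> "forced" or "not forced"
card_sig_forced() {
    sed -n 's/^Signature PIN[ .]*: *//p' "$1"
}

# card_slots_filled FILE -> how many of the three key slots hold a key
card_slots_filled() {
    grep -E '^(Signature|Encryption|Authentication) key[ .]*: ' "$1" \
        | grep -vc '\[none\]' || true
}

# card_master_offline FILE: succeeds when the master key is listed as absent
# ("sec#") and no subkey line lacks the on-card marker ("ssb>"); a bare "ssb"
# would mean subkey secret material is sitting in this keyring.
card_master_offline() {
    grep -q '^sec# ' "$1" || return 1
    ! grep -E '^ssb[^>]' "$1" >/dev/null
}

# card_check FILE: prints findings, exit status 0 only when all checks pass.
card_check() {
    _f="$1"; _rc=0
    set -- $(card_pin_retries "$_f")
    if [ $# -ne 3 ]; then
        echo "no PIN retry counters found"; return 1
    fi
    # a counter below 3 means failed PIN attempts since the last reset;
    # an Admin PIN counter at 0 locks the card for good
    if [ "$1" -lt 3 ] || [ "$3" -lt 3 ]; then
        echo "retry counters $1 $2 $3: failed PIN attempts recorded"; _rc=1
    fi
    _n=$(card_slots_filled "$_f")
    if [ "$_n" -ne 3 ]; then
        echo "only $_n of 3 card key slots hold a key"; _rc=1
    fi
    if ! card_master_offline "$_f"; then
        echo "secret key material still present in this keyring"; _rc=1
    fi
    echo "signature PIN: $(card_sig_forced "$_f")"
    return $_rc
}

# --- constructed samples ---
SAMPLE_OK=$(mktemp); SAMPLE_BAD=$(mktemp)
trap 'rm -f "$SAMPLE_OK" "$SAMPLE_BAD"' EXIT
cat > "$SAMPLE_OK" <<'EOF'
Application ID ...: D2760001240102000006030372170000
Signature PIN ....: not forced
PIN retry counter : 3 3 3
Signature key ....: 67E1 AAA2 46D7 9037 7671 BAD5 AEBA ADBE E208 E2DD
Encryption key....: 55A5 1FF1 F45A A846 EC12 A5D4 47B6 8B62 B62C 8F88
Authentication key: 93FE E3BA 0F4D 4461 19E8 1CBE E515 1B7F DCA9 5A14
General key info..:
sec# 4096R/0x9B554C36544C89BC created: 2016-02-04 expires: 2018-02-03
ssb> 2048R/0x47B68B62B62C8F88 created: 2016-02-04 expires: 2018-02-03
ssb> 2048R/0xAEBAADBEE208E2DD created: 2016-02-04 expires: 2018-02-03
ssb> 2048R/0xE5151B7FDCA95A14 created: 2016-02-04 expires: 2018-02-03
EOF
# damaged variant: two failed user PIN entries, empty auth slot, auth subkey on disk
sed -e 's/^PIN retry counter : 3 3 3/PIN retry counter : 1 3 3/' \
    -e 's/^Authentication key: .*/Authentication key: [none]/' \
    -e 's|^ssb> 2048R/0xE5151B7FDCA95A14|ssb  2048R/0xE5151B7FDCA95A14|' \
    "$SAMPLE_OK" > "$SAMPLE_BAD"

echo "== good card =="; card_check "$SAMPLE_OK"
echo "== damaged card =="; card_check "$SAMPLE_BAD" || echo "(problems found)"
```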