GnuPG
Revision as of 22:45, 4 February 2016
These are personal notes from 2016, when I decided to generate a new key as a transition from my previous one (from 2002!).
Daily subkeys are stored on a Yubikey NEO-n and the master key is stored offline.
Resources
The steps I followed, which I describe only very briefly here (mostly to remind myself how I combined them), came from these excellent resources:
- https://help.riseup.net/en/security/message-security/openpgp/best-practices
- http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/
- https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/
gpg.conf
The first step was to refresh my gpg.conf a little.
See https://github.com/ioerror/duraconf/raw/master/configs/gnupg/gpg.conf for a commented gpg.conf and https://help.riseup.net/en/security/message-security/openpgp/best-practices for the reasoning behind it.
no-emit-version
no-comments
keyid-format 0xlong
with-fingerprint
list-options show-uid-validity
verify-options show-uid-validity
use-agent
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/home/phil/.gnupg/keyservers/sks-keyservers.netCA.pem
keyserver-options no-try-dns-srv
keyserver-options no-honor-keyserver-url
keyserver-options include-revoked
personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
Some more of my own:
no-greeting
keyserver-options auto-key-retrieve honor-http-proxy
list-options show-policy-urls show-notations show-keyserver-urls show-uid-validity show-unusable-uids show-unusable-subkeys show-sig-expire
verify-options show-photos show-policy-urls show-notations show-keyserver-urls show-uid-validity show-unusable-uids
utf8-strings
ask-cert-level
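A small audit script for the settings above, added here as an example and not part of the original notes: it checks a gpg.conf for the hardening options the two blocks set (long key IDs, fingerprints, SHA-2 digest preferences, hkps keyserver transport) and reports what is missing or weak. The two sample configs it writes are constructed for the demonstration: "good" is the page's own config, "weak" is a deliberately poor one for contrast. The function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the page: audit a gpg.conf against the hardening
# options the page's config sets. The function returns the number of
# findings, so an exit status of 0 means the file passed every check.

# Option keywords the page's gpg.conf sets and we expect to find.
REQUIRED_OPTS="no-emit-version no-comments keyid-format with-fingerprint \
cert-digest-algo personal-digest-preferences personal-cipher-preferences \
default-preference-list"

audit_gpg_conf() {
    conf="$1"
    findings=0
    for opt in $REQUIRED_OPTS; do
        if ! grep -Eq '^[[:space:]]*'"$opt"'([[:space:]]|$)' "$conf"; then
            echo "MISSING: $opt" >&2
            findings=$((findings + 1))
        fi
    done
    # Short key IDs are trivially collidable; the page uses 0xlong.
    if grep -Eq '^[[:space:]]*keyid-format[[:space:]]+(short|0xshort)' "$conf"; then
        echo "WEAK: keyid-format short" >&2
        findings=$((findings + 1))
    fi
    # SHA-1/MD5/RIPEMD-160 must not appear in any digest preference list.
    if awk '/^[ \t]*(cert-digest-algo|personal-digest-preferences|default-preference-list)[ \t]/ {
                for (i = 2; i <= NF; i++) if ($i ~ /^(SHA1|MD5|RIPEMD160)$/) found = 1 }
            END { exit found ? 0 : 1 }' "$conf"; then
        echo "WEAK: SHA1/MD5/RIPEMD160 in digest preferences" >&2
        findings=$((findings + 1))
    fi
    # Keyserver traffic should go over hkps, as on the page, not plain hkp.
    if grep -Eq '^[[:space:]]*keyserver[[:space:]]+hkp://' "$conf"; then
        echo "WEAK: keyserver reached over plain hkp" >&2
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed sample configs for the demo: good = the page's config,
# weak = a deliberately poor one.
write_sample_confs() {
    cat > "$1/good.conf" <<'EOF'
no-emit-version
no-comments
keyid-format 0xlong
with-fingerprint
list-options show-uid-validity
verify-options show-uid-validity
use-agent
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options no-try-dns-srv
keyserver-options no-honor-keyserver-url
keyserver-options include-revoked
personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
EOF
    cat > "$1/weak.conf" <<'EOF'
keyid-format short
keyserver hkp://pool.sks-keyservers.net
personal-digest-preferences SHA1 MD5
EOF
}

# Usage: sh audit_gpg_conf.sh ~/.gnupg/gpg.conf
if [ "$#" -gt 0 ]; then
    audit_gpg_conf "$1"
fi
```

The keyserver check only looks at the URL scheme, not the host: the hkps.pool.sks-keyservers.net pool used on the page has since been shut down, so the host itself needs updating in any config copied from here.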
Offline storage
Digressing a little bit...
I chose an old SD card to store the master key offline, but it required a little bit of maintenance because it wasn't mounting automatically:
Making sure the partition table was OK:
$ sudo fdisk /dev/mmcblk0
Checking FS signatures:
$ sudo wipefs /dev/mmcblk0p1
There was still a mix of FAT and ext2 signatures, so I deleted the ext2 signature at the returned offset:
$ sudo wipefs -o 0x438 /dev/mmcblk0p1
Formatting:
$ sudo mkfs.vfat /dev/mmcblk0p1
$ sudo fatlabel /dev/mmcblk0p1 GNUPG
Reinserting it so it gets mounted automatically, then:
$ cp ~/.gnupg/gpg.conf /media/phil/GNUPG
$ sudo mount --bind /media/phil/GNUPG ~/.gnupg
Entropy
Creating large keys requires a lot of entropy.
I like haveged for that:
$ sudo apt-get install haveged
Creating main key
The idea, following https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/, is to keep the main key completely offline, so that if the yubikey is lost there is still some hope.
$ gpg --expert --gen-key
Please select what kind of key you want:
(8) RSA (set your own capabilities)
Your selection? 8
Current allowed actions: Sign Certify Encrypt
Your selection? s
Your selection? e
Current allowed actions: Certify
Your selection? q
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Key is valid for? (0) 2y
Is this correct? (y/N) y
Real name: Philippe Teuwen
Email address: phil@teuwen.org
Comment:
You selected this USER-ID:
"Philippe Teuwen <phil@teuwen.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: key 0x9B554C36544C89BC marked as ultimately trusted
public and secret key created and signed.
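The same certify-only master key can be generated unattended with GnuPG's batch parameter file, which is handy when the offline machine has no comfortable terminal. The script below is an added example, not something from the original notes: it writes a parameter file equivalent to the interactive choices above (RSA, 4096 bits, usage C only, two years), generates the key into an isolated GNUPGHOME so the daily keyring is untouched, and includes a check on the --with-colons listing that the primary key really is certify-only. The function names, the example name and e-mail, the paths and the two sample "sec" records are my own constructions.

```shell
#!/bin/sh
# Added example, not from the page: reproduce the interactive
# "gpg --expert --gen-key" session unattended with a batch parameter file.
# Name, e-mail and the GNUPGHOME path are placeholders.

# Write a parameter file for a certify-only (usage: C) RSA-4096 master key,
# i.e. selecting (8), toggling off Sign and Encrypt, 4096 bits, validity $4.
# $1 = output path, $2 = real name, $3 = e-mail, $4 = validity such as 2y
write_master_key_params() {
    cat > "$1" <<EOF
%echo Generating a certify-only RSA-4096 master key
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert
Name-Real: $2
Name-Email: $3
Expire-Date: $4
# Ask for a passphrase instead of leaving the key unprotected
# (gpg 2.1+ prompts through pinentry anyway and ignores this line).
%ask-passphrase
%commit
%echo done
EOF
}

# Generate the key into an isolated GNUPGHOME (nothing touches the daily
# keyring) and print the long key ID of the new primary key.
gen_master_key() {
    home="$1"; params="$2"
    mkdir -p "$home" && chmod 700 "$home"
    GNUPGHOME="$home" gpg --batch --gen-key "$params" || return 1
    # --with-colons: the "sec" record's 5th field is the long key ID.
    GNUPGHOME="$home" gpg --list-secret-keys --with-colons 2>/dev/null \
        | awk -F: '$1 == "sec" { print $5; exit }'
}

# Given one --with-colons "sec" record, succeed only if the primary key is
# certify-only: field 12 lists capabilities, lower-case for this key
# (e = encrypt, s = sign, c = certify, a = auth), upper-case for the whole key.
is_cert_only() {
    caps=$(printf '%s\n' "$1" | awk -F: '$1 == "sec" { print $12 }')
    [ -n "$caps" ] && [ -z "$(printf '%s' "$caps" | tr -d 'cA-Z')" ]
}

# Usage, by hand (slow without enough entropy, as the page notes):
#   write_master_key_params /tmp/master.params "Your Name" you@example.org 2y
#   gen_master_key /tmp/offline-gnupg /tmp/master.params
#   GNUPGHOME=/tmp/offline-gnupg gpg --list-secret-keys --with-colons | grep '^sec' | while read -r r; do is_cert_only "$r" && echo cert-only; done
```

The subkeys can then be added as on the page, either interactively with addkey/addcardkey or with the Subkey-Type/Subkey-Usage lines of the same parameter format, which I have left out so that the example matches the page's split between offline master key and card-generated subkeys.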
Creating revocation certificate
$ gpg --gen-revoke 9B554C36544C89BC > /media/phil/GNUPG/rev-phil_teuwen.org_2016
sec 4096R/0x9B554C36544C89BC 2016-02-04 Philippe Teuwen <phil@teuwen.org>
Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
3 = Key is no longer used
Your decision? 3
Enter an optional description; end it with an empty line:
>Using revocation certificate that was generated when key was created.
>It is very likely that I have lost access to the private key.
>
Reason for revocation: Key is no longer used
Using revocation certificate that was generated when key was created. It is very likely that I have lost access to the private key.
Is this okay? (y/N) y
Then print it on paper.
Creating Encryption subkey
The idea, following https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/, is to create the encryption key outside the yubikey and import it, so that it can be imported on several yubikeys.
$ gpg --edit-key 9B554C36544C89BC
gpg> addkey
Please select what kind of key you want:
(6) RSA (encrypt only)
Your selection? 6
What keysize do you want? (2048) 2048
Please specify how long the key should be valid.
Key is valid for? (0) 2y
Is this correct? (y/N) y
Really create? (y/N) y
pub 4096R/0x9B554C36544C89BC created: 2016-02-04 expires: 2018-02-03 usage: C
trust: ultimate validity: ultimate
sub 2048R/0x47B68B62B62C8F88 created: 2016-02-04 expires: 2018-02-03 usage: E
[ultimate] (1). Philippe Teuwen <phil@teuwen.org>
gpg> save
Just to be sure
$ gpg --export-secret-key 9B554C36544C89BC > /media/phil/GNUPG/9B554C36544C89BC-2016-02-04-47B68B62B62C8F88-secret.pgp
$ gpg --delete-secret-key 9B554C36544C89BC
$ gpg --import < /media/phil/GNUPG/9B554C36544C89BC-2016-02-04-47B68B62B62C8F88-secret.pgp
Yubikey
$ sudo apt-get install yubikey-personalization ykneomgr
$ wget https://raw.githubusercontent.com/Yubico/yubikey-personalization/master/69-yubikey.rules
$ wget https://raw.githubusercontent.com/Yubico/yubikey-personalization/master/70-yubikey.rules
$ sudo mv *rules /etc/udev/rules.d/
$ sudo chown root.root /etc/udev/rules.d/*yubikey.rules
Insert the yubikey NEO-n, then:
$ ykinfo -a
To keep the possibility of using all modes simultaneously:
$ ykpersonalize -m86
Firmware version 3.3.0 Touch level 1285 Program sequence 1
The USB mode will be set to: 0x86
Commit? (y/n) [n]: y
Creating Signature and Authentication subkeys
Yes, the default admin PIN is 12345678 and the default user PIN is 123456.
We'll change them later.
$ gpg --edit-key 9B554C36544C89BC
gpg> addcardkey
Please select the type of key to generate:
(1) Signature key
Your selection? 1
Enter Admin PIN: 12345678
Enter PIN: 123456
Please specify how long the key should be valid.
Key is valid for? (0) 2y
Is this correct? (y/N) y
Really create? (y/N) y
pub 4096R/0x9B554C36544C89BC created: 2016-02-04 expires: 2018-02-03 usage: C
trust: ultimate validity: ultimate
sub 2048R/0x47B68B62B62C8F88 created: 2016-02-04 expires: 2018-02-03 usage: E
sub 2048R/0xAEBAADBEE208E2DD created: 2016-02-04 expires: 2018-02-03 usage: S
[ultimate] (1). Philippe Teuwen <phil@teuwen.org>
gpg> addcardkey
Please select the type of key to generate:
(3) Authentication key
Your selection? 3
Please specify how long the key should be valid.
Key is valid for? (0) 2y
Is this correct? (y/N) y
Really create? (y/N) y
pub 4096R/0x9B554C36544C89BC created: 2016-02-04 expires: 2018-02-03 usage: C
trust: ultimate validity: ultimate
sub 2048R/0x47B68B62B62C8F88 created: 2016-02-04 expires: 2018-02-03 usage: E
sub 2048R/0xAEBAADBEE208E2DD created: 2016-02-04 expires: 2018-02-03 usage: S
sub 2048R/0xE5151B7FDCA95A14 created: 2016-02-04 expires: 2018-02-03 usage: A
[ultimate] (1). Philippe Teuwen <phil@teuwen.org>
Ready to import Encryption subkey?
At this point we should import the encryption key into the yubikey, but I got an error:
gpg: error writing key to card: not supported
Some say to use keyParser.py (https://github.com/Yubico/ykneo-openpgp/tree/master/util) but I found out gpg2 works. gpg could work directly with the card (except for keytocard, obviously) but gpg2 needs scdaemon for that:
$ sudo apt-get install gnupg2 scdaemon
Yet another quirk: gnupg gave some warnings about locking on FAT, but gnupg2 just refuses to use FAT, so I added this to the gpg.conf on the SD card:
# allow linux to write to FAT disks
lock-never
Encryption key to Yubikey
$ gpg2 --edit-key 9B554C36544C89BC
gpg> toggle
gpg> key 1
sec 4096R/0x9B554C36544C89BC created: 2016-02-04 expires: 2018-02-03
ssb* 2048R/0x47B68B62B62C8F88 created: 2016-02-04 expires: never
ssb 2048R/0xAEBAADBEE208E2DD created: 2016-02-04 expires: never
card-no: 0006 03037217
ssb 2048R/0xE5151B7FDCA95A14 created: 2016-02-04 expires: never
card-no: 0006 03037217
(1) Philippe Teuwen <phil@teuwen.org>
gpg> keytocard
Please select where to store the key:
(2) Encryption key
Your selection? 2
gpg> save
Adding UID and photo
Choose a 240x288 picture, strongly compressed (I chose JPEG quality 20), to obtain a size < 5 kB.
$ gpg2 --edit-key 9B554C36544C89BC
gpg> adduid
Real name: Philippe Teuwen
Email address: pteuwen@quarkslab.com
Comment:
You selected this USER-ID:
"Philippe Teuwen <pteuwen@quarkslab.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg> addphoto
Enter JPEG filename for photo ID: ~/phil20.jpg
pub 4096R/0x9B554C36544C89BC created: 2016-02-04 expires: 2018-02-03 usage: C
trust: ultimate validity: ultimate
sub 2048R/0x47B68B62B62C8F88 created: 2016-02-04 expires: 2018-02-03 usage: E
sub 2048R/0xAEBAADBEE208E2DD created: 2016-02-04 expires: 2018-02-03 usage: S
sub 2048R/0xE5151B7FDCA95A14 created: 2016-02-04 expires: 2018-02-03 usage: A
[ultimate] (1) Philippe Teuwen <phil@teuwen.org>
[ unknown] (2). Philippe Teuwen <pteuwen@quarkslab.com>
[ unknown] (3) [jpeg image of size 4266]
gpg> uid 1
gpg> primary
gpg> save
Almost there
Exporting the key:
$ gpg --armor --export 9B554C36544C89BC > /media/phil/GNUPG/9B554C36544C89BC.asc
And pushing it to http://www.yobi.be/files/9B554C36544C89BC.asc
Back to the daily .gnupg:
$ sudo umount ~/.gnupg
Changing the default PINs:
$ gpg --card-edit
gpg/card> admin
Admin commands are allowed
gpg/card> passwd
gpg: OpenPGP card no. D2760001240102000006030372170000 detected
1 - change PIN
Your selection? 1
Please enter the PIN
123456
New PIN
...
New PIN
...
PIN changed.
3 - change Admin PIN
Your selection? 3
gpg: 3 Admin PIN attempts remaining before card is permanently locked
Please enter the Admin PIN
12345678
New Admin PIN
...
New Admin PIN
...
PIN changed.
Q - quit
Your selection? q
gpg/card> forcesig
gpg/card> url
URL to retrieve public key: http://www.yobi.be/files/9B554C36544C89BC.asc
gpg/card> fetch
gpg: requesting key 0xAEBAADBEE208E2DD from http server www.yobi.be
gpg/card> quit
$ gpg --card-status
Application ID ...: D2760001240102000006030372170000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: xxxxxxxxx
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : http://www.yobi.be/files/9B554C36544C89BC.asc
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 2
Signature key ....: 67E1 AAA2 46D7 9037 7671 BAD5 AEBA ADBE E208 E2DD
created ....: 2016-02-04 10:56:03
Encryption key....: 55A5 1FF1 F45A A846 EC12 A5D4 47B6 8B62 B62C 8F88
created ....: 2016-02-04 10:26:52
Authentication key: 93FE E3BA 0F4D 4461 19E8 1CBE E515 1B7F DCA9 5A14
created ....: 2016-02-04 10:57:35
General key info..:
pub 2048R/0xAEBAADBEE208E2DD 2016-02-04 Philippe Teuwen <phil@teuwen.org>
sec# 4096R/0x9B554C36544C89BC created: 2016-02-04 expires: 2018-02-03
ssb> 2048R/0x47B68B62B62C8F88 created: 2016-02-04 expires: 2018-02-03
card-no: 0006 03037217
ssb> 2048R/0xAEBAADBEE208E2DD created: 2016-02-04 expires: 2018-02-03
card-no: 0006 03037217
ssb> 2048R/0xE5151B7FDCA95A14 created: 2016-02-04 expires: 2018-02-03
card-no: 0006 03037217
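The card-status output above is the state this whole procedure aims for, and it is worth checking mechanically after every re-provisioning rather than by eye. The script below is an added example, not part of the original notes: it parses saved "gpg --card-status" output and verifies that all three card slots hold a key, that the master secret key is absent from this machine ("sec#"), that every subkey lives on the card ("ssb>"), and that no PIN retry has been burnt. The "good" sample is abridged from the page's own output; the "bad" sample and the function names are my constructions.

```shell
#!/bin/sh
# Added example, not from the page: verify the end state the page reaches
# from saved "gpg --card-status" output. Returns the number of failed
# checks, so an exit status of 0 means the state matches.
# $1 = file with card-status output, $2 = expected number of subkeys on card
check_card_status() {
    f="$1"
    expected=${2:-3}
    fails=0
    for slot in "Signature key" "Encryption key" "Authentication key"; do
        # A populated slot ends in a 40-hex-digit fingerprint in groups of
        # four; an empty slot shows "[none]" instead.
        if ! grep -Eq '^'"$slot"'[ .]*: *([0-9A-F]{4} ?){10}$' "$f"; then
            echo "FAIL: $slot slot is empty" >&2
            fails=$((fails + 1))
        fi
    done
    # "sec#" marks a primary key whose secret part is not in this keyring.
    if ! grep -q '^sec#' "$f"; then
        echo "FAIL: master secret key is present on this machine" >&2
        fails=$((fails + 1))
    fi
    # "ssb>" marks a subkey whose secret part is on a smartcard.
    n=$(grep -c '^ssb>' "$f" || true)
    if [ "$n" -ne "$expected" ]; then
        echo "FAIL: expected $expected subkeys on card, found $n" >&2
        fails=$((fails + 1))
    fi
    # User PIN, reset code and admin PIN should each still have 3 tries left.
    if ! grep -Eq '^PIN retry counter *: *3 3 3$' "$f"; then
        echo "FAIL: PIN retry counter is not 3 3 3, wrong PINs were entered" >&2
        fails=$((fails + 1))
    fi
    return $fails
}

# Samples: good.txt is abridged from the page's card-status output,
# bad.txt is constructed (empty signature slot, master key on disk, one
# subkey not on the card).
write_card_samples() {
    cat > "$1/good.txt" <<'EOF'
Application ID ...: D2760001240102000006030372170000
URL of public key : http://www.yobi.be/files/9B554C36544C89BC.asc
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
PIN retry counter : 3 3 3
Signature counter : 2
Signature key ....: 67E1 AAA2 46D7 9037 7671 BAD5 AEBA ADBE E208 E2DD
created ....: 2016-02-04 10:56:03
Encryption key....: 55A5 1FF1 F45A A846 EC12 A5D4 47B6 8B62 B62C 8F88
created ....: 2016-02-04 10:26:52
Authentication key: 93FE E3BA 0F4D 4461 19E8 1CBE E515 1B7F DCA9 5A14
created ....: 2016-02-04 10:57:35
General key info..:
pub 2048R/0xAEBAADBEE208E2DD 2016-02-04 Philippe Teuwen <phil@teuwen.org>
sec# 4096R/0x9B554C36544C89BC created: 2016-02-04 expires: 2018-02-03
ssb> 2048R/0x47B68B62B62C8F88 created: 2016-02-04 expires: 2018-02-03
card-no: 0006 03037217
ssb> 2048R/0xAEBAADBEE208E2DD created: 2016-02-04 expires: 2018-02-03
card-no: 0006 03037217
ssb> 2048R/0xE5151B7FDCA95A14 created: 2016-02-04 expires: 2018-02-03
card-no: 0006 03037217
EOF
    cat > "$1/bad.txt" <<'EOF'
PIN retry counter : 3 3 3
Signature key ....: [none]
Encryption key....: 55A5 1FF1 F45A A846 EC12 A5D4 47B6 8B62 B62C 8F88
Authentication key: 93FE E3BA 0F4D 4461 19E8 1CBE E515 1B7F DCA9 5A14
General key info..:
sec  4096R/0x9B554C36544C89BC created: 2016-02-04 expires: 2018-02-03
ssb> 2048R/0x47B68B62B62C8F88 created: 2016-02-04 expires: 2018-02-03
ssb> 2048R/0xE5151B7FDCA95A14 created: 2016-02-04 expires: 2018-02-03
EOF
}

# Usage against a live card:
#   gpg --card-status > /tmp/card.txt && check_card_status /tmp/card.txt
if [ "$#" -gt 0 ]; then
    check_card_status "$1"
fi
```

Run it from the daily .gnupg, not from the bind-mounted SD card: the "sec#" check only means something on the machine that is supposed to have no master secret key.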