mirror of
https://github.com/drduh/YubiKey-Guide.git
synced 2024-12-22 13:48:06 +00:00
Rewrite keys generation tutorial
The master key is now created with `--batch` and a configuration script. The subkeys are created with the quick key manipulation interface (`--quick-add-key`). Also provided two configuration scripts as templates for a RSA4096 or a ED25519 master key. Signed-off-by: apiraino <apiraino@users.noreply.github.com>
This commit is contained in:
parent
31074ac13d
commit
5182d5e3d8
327
README.md
327
README.md
@ -469,98 +469,38 @@ BSSYMUGGTJQVWZZWOPJG
|
|||||||
|
|
||||||
**Tip** On Linux or OpenBSD, select the password using the mouse or by double-clicking on it to copy to clipboard. Paste using the middle mouse button or `Shift`-`Insert`.
|
**Tip** On Linux or OpenBSD, select the password using the mouse or by double-clicking on it to copy to clipboard. Paste using the middle mouse button or `Shift`-`Insert`.
|
||||||
|
|
||||||
Generate a new key with GPG, selecting `(8) RSA (set your own capabilities)`, `Certify` capability only and `4096` bit key size.
|
Note: when creating the keys, we need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.
|
||||||
|
|
||||||
Do not set the master key to expire - see [Note #3](#notes).
|
To remove some complexity from the process we will create the keys using a template and the `--batch` parameter. For futher details, full GNUPG documentation can be found at: https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
|
||||||
|
|
||||||
|
For your convenience you can start from this RSA4096 key template: [gen-params-rsa4096](contrib/gen-params-rsa4096). If you're using GnuPG v2.1.7 or newer we strongly recommend generating ED25519 keys ([gen-params-ed25519](contrib/gen-params-ed25519), the procedure is the same). These templates will not set the master key to expire - see [Note #3](#notes).
|
||||||
|
|
||||||
|
Generate a RSA4096 master key:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ gpg --expert --full-generate-key
|
$ gpg --batch --generate-key gen-params-rsa4096
|
||||||
|
gpg: Generating a basic OpenPGP key
|
||||||
Please select what kind of key you want:
|
gpg: key 0xEA5DE91459B80592 marked as ultimately trusted
|
||||||
(1) RSA and RSA (default)
|
gpg: revocation certificate stored as '/tmp.FLZC0xcM/openpgp-revocs.d/D6F924841F78D62C65ABB9588B461860159FFB7B.rev'
|
||||||
(2) DSA and Elgamal
|
gpg: done
|
||||||
(3) DSA (sign only)
|
|
||||||
(4) RSA (sign only)
|
|
||||||
(7) DSA (set your own capabilities)
|
|
||||||
(8) RSA (set your own capabilities)
|
|
||||||
(9) ECC and ECC
|
|
||||||
(10) ECC (sign only)
|
|
||||||
(11) ECC (set your own capabilities)
|
|
||||||
(13) Existing key
|
|
||||||
Your selection? 8
|
|
||||||
|
|
||||||
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
|
|
||||||
Current allowed actions: Sign Certify Encrypt
|
|
||||||
|
|
||||||
(S) Toggle the sign capability
|
|
||||||
(E) Toggle the encrypt capability
|
|
||||||
(A) Toggle the authenticate capability
|
|
||||||
(Q) Finished
|
|
||||||
|
|
||||||
Your selection? E
|
|
||||||
|
|
||||||
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
|
|
||||||
Current allowed actions: Sign Certify
|
|
||||||
|
|
||||||
(S) Toggle the sign capability
|
|
||||||
(E) Toggle the encrypt capability
|
|
||||||
(A) Toggle the authenticate capability
|
|
||||||
(Q) Finished
|
|
||||||
|
|
||||||
Your selection? S
|
|
||||||
|
|
||||||
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
|
|
||||||
Current allowed actions: Certify
|
|
||||||
|
|
||||||
(S) Toggle the sign capability
|
|
||||||
(E) Toggle the encrypt capability
|
|
||||||
(A) Toggle the authenticate capability
|
|
||||||
(Q) Finished
|
|
||||||
|
|
||||||
Your selection? Q
|
|
||||||
RSA keys may be between 1024 and 4096 bits long.
|
|
||||||
What keysize do you want? (2048) 4096
|
|
||||||
Requested keysize is 4096 bits
|
|
||||||
Please specify how long the key should be valid.
|
|
||||||
0 = key does not expire
|
|
||||||
<n> = key expires in n days
|
|
||||||
<n>w = key expires in n weeks
|
|
||||||
<n>m = key expires in n months
|
|
||||||
<n>y = key expires in n years
|
|
||||||
Key is valid for? (0) 0
|
|
||||||
Key does not expire at all
|
|
||||||
Is this correct? (y/N) y
|
|
||||||
```
|
```
|
||||||
|
|
||||||
Input any name and email address:
|
Let's check the result:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
GnuPG needs to construct a user ID to identify your key.
|
$ gpg --list-key
|
||||||
|
gpg: checking the trustdb
|
||||||
Real name: Dr Duh
|
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
|
||||||
Email address: doc@duh.to
|
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
|
||||||
Comment: [Optional - leave blank]
|
/tmp.FLZC0xcM/pubring.kbx
|
||||||
You selected this USER-ID:
|
-------------------------------
|
||||||
"Dr Duh <doc@duh.to>"
|
pub rsa4096/0xFF3E7D88647EBCDB 2021-08-22 [C]
|
||||||
|
|
||||||
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
|
|
||||||
|
|
||||||
We need to generate a lot of random bytes. It is a good idea to perform
|
|
||||||
some other action (type on the keyboard, move the mouse, utilize the
|
|
||||||
disks) during the prime generation; this gives the random number
|
|
||||||
generator a better chance to gain enough entropy.
|
|
||||||
|
|
||||||
gpg: /tmp.FLZC0xcM/trustdb.gpg: trustdb created
|
|
||||||
gpg: key 0xFF3E7D88647EBCDB marked as ultimately trusted
|
|
||||||
gpg: directory '/tmp.FLZC0xcM/openpgp-revocs.d' created
|
|
||||||
gpg: revocation certificate stored as '/tmp.FLZC0xcM/openpgp-revocs.d/011CE16BD45B27A55BA8776DFF3E7D88647EBCDB.rev'
|
|
||||||
public and secret key created and signed.
|
|
||||||
|
|
||||||
pub rsa4096/0xFF3E7D88647EBCDB 2017-10-09 [C]
|
|
||||||
Key fingerprint = 011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB
|
Key fingerprint = 011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB
|
||||||
uid Dr Duh <doc@duh.to>
|
uid [ultimate] Dr Duh <doc@duh.to>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
The key fingerprint (`011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB`) will be used to create the three subkeys for signing, authentication and encryption.
|
||||||
|
|
||||||
Export the key ID as a [variable](https://stackoverflow.com/questions/1158091/defining-a-variable-with-or-without-export/1158231#1158231) (`KEYID`) for use later:
|
Export the key ID as a [variable](https://stackoverflow.com/questions/1158091/defining-a-variable-with-or-without-export/1158231#1158231) (`KEYID`) for use later:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
@ -585,214 +525,57 @@ $ gpg --default-key $OLDKEY --sign-key $KEYID
|
|||||||
|
|
||||||
# Sub-keys
|
# Sub-keys
|
||||||
|
|
||||||
Edit the master key to add sub-keys:
|
Now create the three subkeys for signing, authentication and encryption. Use a 1 year expiration for sub-keys - they can be renewed using the offline master key. See [rotating keys](#rotating-keys).
|
||||||
|
|
||||||
|
We will use the the quick key manipulation interface of GNUPG (with `--quick-add-key`). See [the documentation](https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html#Unattended-GPG-key-generation).
|
||||||
|
|
||||||
|
Create a [signing subkey](https://stackoverflow.com/questions/5421107/can-rsa-be-both-used-as-encryption-and-signature/5432623#5432623):
|
||||||
```console
|
```console
|
||||||
$ gpg --expert --edit-key $KEYID
|
$ gpg --quick-add-key "011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB" \
|
||||||
|
rsa4096 sign 1y
|
||||||
Secret key is available.
|
|
||||||
|
|
||||||
sec rsa4096/0xEA5DE91459B80592
|
|
||||||
created: 2017-10-09 expires: never usage: C
|
|
||||||
trust: ultimate validity: ultimate
|
|
||||||
[ultimate] (1). Dr Duh <doc@duh.to>
|
|
||||||
```
|
```
|
||||||
|
|
||||||
Use 4096-bit RSA keys.
|
Now create an [encryption subkey](https://www.cs.cornell.edu/courses/cs5430/2015sp/notes/rsa_sign_vs_dec.php):
|
||||||
|
|
||||||
Use a 1 year expiration for sub-keys - they can be renewed using the offline master key. See [rotating keys](#rotating-keys).
|
|
||||||
|
|
||||||
## Signing
|
|
||||||
|
|
||||||
Create a [signing key](https://stackoverflow.com/questions/5421107/can-rsa-be-both-used-as-encryption-and-signature/5432623#5432623) by selecting `addkey` then `(4) RSA (sign only)`:
|
|
||||||
|
|
||||||
```console
|
```console
|
||||||
gpg> addkey
|
$ gpg --quick-add-key "011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB" \
|
||||||
Key is protected.
|
rsa4096 encrypt 1y
|
||||||
|
|
||||||
You need a passphrase to unlock the secret key for
|
|
||||||
user: "Dr Duh <doc@duh.to>"
|
|
||||||
4096-bit RSA key, ID 0xFF3E7D88647EBCDB, created 2016-05-24
|
|
||||||
|
|
||||||
Please select what kind of key you want:
|
|
||||||
(3) DSA (sign only)
|
|
||||||
(4) RSA (sign only)
|
|
||||||
(5) Elgamal (encrypt only)
|
|
||||||
(6) RSA (encrypt only)
|
|
||||||
(7) DSA (set your own capabilities)
|
|
||||||
(8) RSA (set your own capabilities)
|
|
||||||
Your selection? 4
|
|
||||||
RSA keys may be between 1024 and 4096 bits long.
|
|
||||||
What keysize do you want? (2048) 4096
|
|
||||||
Requested keysize is 4096 bits
|
|
||||||
Please specify how long the key should be valid.
|
|
||||||
0 = key does not expire
|
|
||||||
<n> = key expires in n days
|
|
||||||
<n>w = key expires in n weeks
|
|
||||||
<n>m = key expires in n months
|
|
||||||
<n>y = key expires in n years
|
|
||||||
Key is valid for? (0) 1y
|
|
||||||
Key expires at Mon 10 Sep 2018 00:00:00 PM UTC
|
|
||||||
Is this correct? (y/N) y
|
|
||||||
Really create? (y/N) y
|
|
||||||
We need to generate a lot of random bytes. It is a good idea to perform
|
|
||||||
some other action (type on the keyboard, move the mouse, utilize the
|
|
||||||
disks) during the prime generation; this gives the random number
|
|
||||||
generator a better chance to gain enough entropy.
|
|
||||||
|
|
||||||
sec rsa4096/0xFF3E7D88647EBCDB
|
|
||||||
created: 2017-10-09 expires: never usage: C
|
|
||||||
trust: ultimate validity: ultimate
|
|
||||||
ssb rsa4096/0xBECFA3C1AE191D15
|
|
||||||
created: 2017-10-09 expires: 2018-10-09 usage: S
|
|
||||||
[ultimate] (1). Dr Duh <doc@duh.to>
|
|
||||||
```
|
```
|
||||||
|
|
||||||
## Encryption
|
Finally, create an [authentication subkey](https://superuser.com/questions/390265/what-is-a-gpg-with-authenticate-capability-used-for):
|
||||||
|
|
||||||
Next, create an [encryption key](https://www.cs.cornell.edu/courses/cs5430/2015sp/notes/rsa_sign_vs_dec.php) by selecting `(6) RSA (encrypt only)`:
|
|
||||||
|
|
||||||
```console
|
```console
|
||||||
gpg> addkey
|
$ gpg --quick-add-key "011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB" \
|
||||||
Please select what kind of key you want:
|
rsa4096 auth 1y
|
||||||
(3) DSA (sign only)
|
|
||||||
(4) RSA (sign only)
|
|
||||||
(5) Elgamal (encrypt only)
|
|
||||||
(6) RSA (encrypt only)
|
|
||||||
(7) DSA (set your own capabilities)
|
|
||||||
(8) RSA (set your own capabilities)
|
|
||||||
(10) ECC (sign only)
|
|
||||||
(11) ECC (set your own capabilities)
|
|
||||||
(12) ECC (encrypt only)
|
|
||||||
(13) Existing key
|
|
||||||
Your selection? 6
|
|
||||||
RSA keys may be between 1024 and 4096 bits long.
|
|
||||||
What keysize do you want? (2048) 4096
|
|
||||||
Requested keysize is 4096 bits
|
|
||||||
Please specify how long the key should be valid.
|
|
||||||
0 = key does not expire
|
|
||||||
<n> = key expires in n days
|
|
||||||
<n>w = key expires in n weeks
|
|
||||||
<n>m = key expires in n months
|
|
||||||
<n>y = key expires in n years
|
|
||||||
Key is valid for? (0) 1y
|
|
||||||
Key expires at Mon 10 Sep 2018 00:00:00 PM UTC
|
|
||||||
Is this correct? (y/N) y
|
|
||||||
Really create? (y/N) y
|
|
||||||
We need to generate a lot of random bytes. It is a good idea to perform
|
|
||||||
some other action (type on the keyboard, move the mouse, utilize the
|
|
||||||
disks) during the prime generation; this gives the random number
|
|
||||||
generator a better chance to gain enough entropy.
|
|
||||||
|
|
||||||
sec rsa4096/0xFF3E7D88647EBCDB
|
|
||||||
created: 2017-10-09 expires: never usage: C
|
|
||||||
trust: ultimate validity: ultimate
|
|
||||||
ssb rsa4096/0xBECFA3C1AE191D15
|
|
||||||
created: 2017-10-09 expires: 2018-10-09 usage: S
|
|
||||||
ssb rsa4096/0x5912A795E90DD2CF
|
|
||||||
created: 2017-10-09 expires: 2018-10-09 usage: E
|
|
||||||
[ultimate] (1). Dr Duh <doc@duh.to>
|
|
||||||
```
|
```
|
||||||
|
|
||||||
## Authentication
|
Let's check the final result:
|
||||||
|
|
||||||
Finally, create an [authentication key](https://superuser.com/questions/390265/what-is-a-gpg-with-authenticate-capability-used-for).
|
|
||||||
|
|
||||||
GPG doesn't provide an authenticate-only key type, so select `(8) RSA (set your own capabilities)` and toggle the required capabilities until the only allowed action is `Authenticate`:
|
|
||||||
|
|
||||||
```console
|
```console
|
||||||
gpg> addkey
|
$ gpg --list-keys
|
||||||
Please select what kind of key you want:
|
/tmp.FLZC0xcM/pubring.kbx
|
||||||
(3) DSA (sign only)
|
-------------------------------
|
||||||
(4) RSA (sign only)
|
pub rsa4096/0xFF3E7D88647EBCDB 2021-08-22 [C]
|
||||||
(5) Elgamal (encrypt only)
|
Key fingerprint = 011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB
|
||||||
(6) RSA (encrypt only)
|
uid [ultimate] Dr Duh <doc@duh.to>
|
||||||
(7) DSA (set your own capabilities)
|
sub rsa4096/0xBECFA3C1AE191D15 2017-10-09 [S] [expires: 2018-10-09]
|
||||||
(8) RSA (set your own capabilities)
|
sub rsa4096/0x5912A795E90DD2CF 2017-10-09 [E] [expires: 2018-10-09]
|
||||||
(10) ECC (sign only)
|
sub rsa4096/0x3F29127E79649A3D 2017-10-09 [A] [expires: 2018-10-09]
|
||||||
(11) ECC (set your own capabilities)
|
|
||||||
(12) ECC (encrypt only)
|
|
||||||
(13) Existing key
|
|
||||||
Your selection? 8
|
|
||||||
|
|
||||||
Possible actions for a RSA key: Sign Encrypt Authenticate
|
|
||||||
Current allowed actions: Sign Encrypt
|
|
||||||
|
|
||||||
(S) Toggle the sign capability
|
|
||||||
(E) Toggle the encrypt capability
|
|
||||||
(A) Toggle the authenticate capability
|
|
||||||
(Q) Finished
|
|
||||||
|
|
||||||
Your selection? S
|
|
||||||
|
|
||||||
Possible actions for a RSA key: Sign Encrypt Authenticate
|
|
||||||
Current allowed actions: Encrypt
|
|
||||||
|
|
||||||
(S) Toggle the sign capability
|
|
||||||
(E) Toggle the encrypt capability
|
|
||||||
(A) Toggle the authenticate capability
|
|
||||||
(Q) Finished
|
|
||||||
|
|
||||||
Your selection? E
|
|
||||||
|
|
||||||
Possible actions for a RSA key: Sign Encrypt Authenticate
|
|
||||||
Current allowed actions:
|
|
||||||
|
|
||||||
(S) Toggle the sign capability
|
|
||||||
(E) Toggle the encrypt capability
|
|
||||||
(A) Toggle the authenticate capability
|
|
||||||
(Q) Finished
|
|
||||||
|
|
||||||
Your selection? A
|
|
||||||
|
|
||||||
Possible actions for a RSA key: Sign Encrypt Authenticate
|
|
||||||
Current allowed actions: Authenticate
|
|
||||||
|
|
||||||
(S) Toggle the sign capability
|
|
||||||
(E) Toggle the encrypt capability
|
|
||||||
(A) Toggle the authenticate capability
|
|
||||||
(Q) Finished
|
|
||||||
|
|
||||||
Your selection? Q
|
|
||||||
RSA keys may be between 1024 and 4096 bits long.
|
|
||||||
What keysize do you want? (2048) 4096
|
|
||||||
Requested keysize is 4096 bits
|
|
||||||
Please specify how long the key should be valid.
|
|
||||||
0 = key does not expire
|
|
||||||
<n> = key expires in n days
|
|
||||||
<n>w = key expires in n weeks
|
|
||||||
<n>m = key expires in n months
|
|
||||||
<n>y = key expires in n years
|
|
||||||
Key is valid for? (0) 1y
|
|
||||||
Key expires at Mon 10 Sep 2018 00:00:00 PM UTC
|
|
||||||
Is this correct? (y/N) y
|
|
||||||
Really create? (y/N) y
|
|
||||||
We need to generate a lot of random bytes. It is a good idea to perform
|
|
||||||
some other action (type on the keyboard, move the mouse, utilize the
|
|
||||||
disks) during the prime generation; this gives the random number
|
|
||||||
generator a better chance to gain enough entropy.
|
|
||||||
|
|
||||||
sec rsa4096/0xFF3E7D88647EBCDB
|
|
||||||
created: 2017-10-09 expires: never usage: C
|
|
||||||
trust: ultimate validity: ultimate
|
|
||||||
ssb rsa4096/0xBECFA3C1AE191D15
|
|
||||||
created: 2017-10-09 expires: 2018-10-09 usage: S
|
|
||||||
ssb rsa4096/0x5912A795E90DD2CF
|
|
||||||
created: 2017-10-09 expires: 2018-10-09 usage: E
|
|
||||||
ssb rsa4096/0x3F29127E79649A3D
|
|
||||||
created: 2017-10-09 expires: 2018-10-09 usage: A
|
|
||||||
[ultimate] (1). Dr Duh <doc@duh.to>
|
|
||||||
```
|
```
|
||||||
|
|
||||||
Finish by saving the keys.
|
If you want to add an extra UID, open the keyring:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
gpg> save
|
-gpg> save
|
||||||
```
|
|
||||||
|
|
||||||
## Add extra identities
|
## Add extra identities
|
||||||
|
|
||||||
(Optional) To add additional email addresses or identities, use `adduid`:
|
(Optional) To add additional email addresses or identities, use `adduid`.
|
||||||
|
|
||||||
|
First open the keyring:
|
||||||
|
```console
|
||||||
|
$ gpg --expert --edit-key $KEYID
|
||||||
|
```
|
||||||
|
|
||||||
|
Then add the new identity:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
gpg> adduid
|
gpg> adduid
|
||||||
|
32
contrib/gen-params-ed25519
Normal file
32
contrib/gen-params-ed25519
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
# GnuPG v2.1.7 or newer
|
||||||
|
|
||||||
|
%echo Generating a OpenPGP key
|
||||||
|
|
||||||
|
# uncomment the following line to remove asking for a passphrase
|
||||||
|
#%no-protection
|
||||||
|
|
||||||
|
Key-Type: eddsa
|
||||||
|
Key-Curve: Ed25519
|
||||||
|
# Key generated is a master key ("certificate")
|
||||||
|
Key-Usage: cert
|
||||||
|
|
||||||
|
# Parameters to generate a subkey
|
||||||
|
# Subkey-Type: ecdh
|
||||||
|
# Subkey-Curve: Curve25519
|
||||||
|
|
||||||
|
# Choose one of following options
|
||||||
|
# Subkey-Usage: sign
|
||||||
|
# Subkey-Usage: auth
|
||||||
|
# Subkey-Usage: encrypt
|
||||||
|
|
||||||
|
# select a name and email address - neither has to be valid nor existing
|
||||||
|
Name-Real: Dr Duh
|
||||||
|
Name-Email: <doc@duh.to>
|
||||||
|
|
||||||
|
# Do not set the key to expire
|
||||||
|
Expire-Date: 0
|
||||||
|
|
||||||
|
# Do a commit here, so that we can later print "done" :-)
|
||||||
|
%commit
|
||||||
|
|
||||||
|
%echo done
|
29
contrib/gen-params-rsa4096
Normal file
29
contrib/gen-params-rsa4096
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
%echo Generating a OpenPGP key
|
||||||
|
|
||||||
|
# uncomment the following line to remove asking for a passphrase
|
||||||
|
#%no-protection
|
||||||
|
|
||||||
|
Key-Type: RSA
|
||||||
|
Key-Length: 4096
|
||||||
|
# Key generated is a master key ("certificate")
|
||||||
|
Key-Usage: cert
|
||||||
|
|
||||||
|
# Parameters to generate a subkey
|
||||||
|
# Subkey-Type: ELG-E
|
||||||
|
# Subkey-Length: 4096
|
||||||
|
# Choose one of following options
|
||||||
|
# Subkey-Usage: encrypt
|
||||||
|
# Subkey-Usage: sign
|
||||||
|
# Subkey-Usage: auth
|
||||||
|
|
||||||
|
# select a name and email address - neither has to be valid nor existing
|
||||||
|
Name-Real: Dr Duh
|
||||||
|
Name-Email: <doc@duh.to>
|
||||||
|
|
||||||
|
# Do not set the key to expire
|
||||||
|
Expire-Date: 0
|
||||||
|
|
||||||
|
# Do a commit here, so that we can later print "done" :-)
|
||||||
|
%commit
|
||||||
|
|
||||||
|
%echo done
|
Loading…
Reference in New Issue
Block a user