diff --git a/quorum-vault-system/src/component-documents/openpgp-setup.md b/quorum-vault-system/src/component-documents/openpgp-setup.md index cd6b1ad..821d39d 100644 --- a/quorum-vault-system/src/component-documents/openpgp-setup.md +++ b/quorum-vault-system/src/component-documents/openpgp-setup.md @@ -5,7 +5,7 @@ Setting up a personal PGP key pair is necessary for a number of different aspects while bootstrapping QVS. The keys are a fundamental building block, and as such need to be set up in a manner that minimizes exposure risks. -## Generating Keys using `keyfork` and `oct` +## Generating Keys using `keyfork` // ANCHOR: steps-keyfork 1. Insert an SD card into the system @@ -15,26 +15,7 @@ as such need to be set up in a manner that minimizes exposure risks. $ cd /media/TRANSFER ``` -1. Insert a smartcard into the system, and get its ID: - - a. Set variable with card ID - ``` - $ card_id="$(oct list -i | head -1)"` - ``` - b. Test the variable was set correctly - ``` - $ echo $card_id - ``` - -1. Set the smart card to require touch for all operations - - ``` - $ oct admin --card $card_id touch --key SIG --policy On - $ oct admin --card $card_id touch --key DEC --policy On - $ oct admin --card $card_id touch --key AUT --policy On - $ oct admin --card $card_id touch --key ATT --policy On - ``` - Note: default admin PIN is 12345678 +1. Insert all smartcards to be provisioned into the system. 1. Set expiry time via environment variable - you can update 2y to desired value: 
@@ -43,31 +24,19 @@ as such need to be set up in a manner that minimizes exposure risks. ``` 1. Generate a mnemonic, encrypting to a newly-generated key: - + + Ensure the User ID is your name and your email. + ``` - $ keyfork mnemonic generate --encrypt-to-self public.asc,output=encrypted.asc --provision openpgp-card,identifier="$card_id" + $ keyfork mnemonic generate --encrypt-to-self output=encrypted.asc --provision openpgp-card,userid="Your Name " ``` + The `count=` variable can be provided to `provision` to ensure the correct + amount of smartcards is provisioned - the program will error if the amount + of smartcards available is not equal to the count requested. + Note: The PIN can't use sequential numbers, characters or repeated patterns. -1. Rename output to use key fingerprint: - - ``` - $ fingerprint="$(sq keyring cert.asc | awk '{ print $2 }')" - $ mv public.asc "${fingerprint}.pub.asc" - $ mv encrypted.asc "${fingerprint}.enc.asc" - ``` - -1. Optional: Create duplicate smartcards. - - You can insert new smartcards and perform the following steps as needed: - - ``` - $ gpg --import *.pub.asc - $ gpg --decrypt $fingerprint.enc.asc | KEYFORK_PROMPT_TYPE=headless keyfork recover mnemonic --daemon - $ keyfork provision openpgp-card --identifier "$(oct list -i | head -1)" --account-id 0 - ``` - // ANCHOR_END: steps-keyfork ## Generating Keys on Smartcard
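Review bot: In the first hunk (`@@ -5,7 +5,7 @@` / `@@ -15,26 +15,7 @@`), deleting the "Set the smart card to require touch for all operations" step (the four `oct admin --card $card_id touch --key SIG|DEC|AUT|ATT --policy On` commands) removes a hardening control without saying what replaces it: after this change nothing in the procedure enables touch confirmation for the SIG, DEC, AUT and ATT keys, and the note that the default admin PIN is 12345678 disappears with it, so the reader is no longer told that the card ships with a well-known admin PIN. If `keyfork ... --provision openpgp-card` now sets the touch policy and prompts for new PINs itself, say so in the replacement step ("Insert all smartcards to be provisioned into the system"); otherwise keep the touch-policy commands as a step after provisioning, noting that the card ID is no longer captured in a variable so the commands need another way to address each card.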
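Review bot: In the second hunk (`@@ -43,31 +24,19 @@`), the new example `--provision openpgp-card,userid="Your Name "` contradicts the instruction added just above it ("Ensure the User ID is your name and your email"): the placeholder carries no email address (the trailing space inside the quotes suggests an `<...>` part was lost), so anyone copying the command provisions a name-only User ID. Suggest `userid="Your Name <you@example.org>"`. The hunk also leaves three things dangling: `--encrypt-to-self` no longer names `public.asc`, and the deleted "Rename output to use key fingerprint" and "Optional: Create duplicate smartcards" steps were the only text saying where the public certificate ends up and how to provision another card after the initial run (the new `count=` paragraph covers only cards present at generation time, and shows no example of the syntax; adding `count=` to the example command would help). Finally, "Note: The PIN can't use sequential numbers, characters or repeated patterns." now refers to a PIN that no remaining step sets; state which prompt it applies to.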