openpgp-setup: mnemonic generator now automatically makes fingerprint names and touch policies

Ryan Heywood 2025-02-19 21:03:39 -05:00
parent f317310d4c
commit 950a078f4e
Signed by: ryan
GPG Key ID: 8E401478A3FBEF72
1 changed files with 10 additions and 41 deletions

@ -5,7 +5,7 @@ Setting up a personal PGP key pair is necessary for a number of different
aspects while bootstrapping QVS. The keys are a fundamental building block, and aspects while bootstrapping QVS. The keys are a fundamental building block, and
as such need to be set up in a manner that minimizes exposure risks. as such need to be set up in a manner that minimizes exposure risks.
## Generating Keys using `keyfork` and `oct` ## Generating Keys using `keyfork`
// ANCHOR: steps-keyfork // ANCHOR: steps-keyfork
1. Insert an SD card into the system 1. Insert an SD card into the system
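Review bot: the heading now drops `oct`, which matches the removal of the `oct` steps below, but nothing under it tells the reader that touch policies and fingerprint-based file names are now applied by `keyfork` itself, which is the point of this commit per its message. Suggest one sentence under the heading, e.g. "`keyfork mnemonic generate --provision openpgp-card` sets the card touch policies and names the output files by key fingerprint", so the shortened procedure is not read as incomplete.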
@ -15,26 +15,7 @@ as such need to be set up in a manner that minimizes exposure risks.
$ cd /media/TRANSFER $ cd /media/TRANSFER
``` ```
1. Insert a smartcard into the system, and get its ID: 1. Insert all smartcards to be provisioned into the system.
a. Set variable with card ID
```
$ card_id="$(oct list -i | head -1)"`
```
b. Test the variable was set correctly
```
$ echo $card_id
```
1. Set the smart card to require touch for all operations
```
$ oct admin --card $card_id touch --key SIG --policy On
$ oct admin --card $card_id touch --key DEC --policy On
$ oct admin --card $card_id touch --key AUT --policy On
$ oct admin --card $card_id touch --key ATT --policy On
```
Note: default admin PIN is 12345678
1. Set expiry time via environment variable - you can update 2y to desired value: 1. Set expiry time via environment variable - you can update 2y to desired value:
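Review bot: this hunk removes `Note: default admin PIN is 12345678` together with the manual `oct admin ... touch --key ... --policy On` commands, but if `keyfork` now sets the touch policies it will presumably still need the card's admin PIN, and the document no longer says which PIN will be requested or what its factory default is. Suggest keeping the admin PIN note next to the new "Insert all smartcards to be provisioned" step and stating that provisioning sets touch policy to On for SIG, DEC, AUT and ATT, so the user is not surprised by touch prompts later. (The removed `card_id="$(oct list -i | head -1)"` line also carried a stray trailing backtick, so dropping it is an improvement either way.)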
@ -44,30 +25,18 @@ as such need to be set up in a manner that minimizes exposure risks.
1. Generate a mnemonic, encrypting to a newly-generated key: 1. Generate a mnemonic, encrypting to a newly-generated key:
Ensure the User ID is your name and your email.
``` ```
$ keyfork mnemonic generate --encrypt-to-self public.asc,output=encrypted.asc --provision openpgp-card,identifier="$card_id" $ keyfork mnemonic generate --encrypt-to-self output=encrypted.asc --provision openpgp-card,userid="Your Name <your@email.co>"
``` ```
The `count=` variable can be provided to `provision` to ensure the correct
amount of smartcards is provisioned - the program will error if the amount
of smartcards available is not equal to the count requested.
Note: The PIN can't use sequential numbers, characters or repeated patterns. Note: The PIN can't use sequential numbers, characters or repeated patterns.
1. Rename output to use key fingerprint:
```
$ fingerprint="$(sq keyring cert.asc | awk '{ print $2 }')"
$ mv public.asc "${fingerprint}.pub.asc"
$ mv encrypted.asc "${fingerprint}.enc.asc"
```
1. Optional: Create duplicate smartcards.
You can insert new smartcards and perform the following steps as needed:
```
$ gpg --import *.pub.asc
$ gpg --decrypt $fingerprint.enc.asc | KEYFORK_PROMPT_TYPE=headless keyfork recover mnemonic --daemon
$ keyfork provision openpgp-card --identifier "$(oct list -i | head -1)" --account-id 0
```
// ANCHOR_END: steps-keyfork // ANCHOR_END: steps-keyfork
## Generating Keys on Smartcard ## Generating Keys on Smartcard
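Review bot: the new command still passes `output=encrypted.asc` explicitly, so with the rename step (`mv public.asc "${fingerprint}.pub.asc"` / `mv encrypted.asc "${fingerprint}.enc.asc"`) gone it is unclear which files actually end up named by fingerprint; suggest stating the resulting file names for the public key and the encrypted mnemonic right after the code block. Two smaller points in the same hunk: `The count= variable` should read `The count= option` (it is a key in the `--provision` value, not a shell variable), and with the admin PIN note removed, the remaining `Note: The PIN can't use sequential numbers...` no longer says which PIN (user or admin) it refers to. The removed rename step was also broken as written (it read `cert.asc`, a file no earlier step produced), so dropping it rather than fixing it is fine.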