openpgp-setup: mnemonic generator now automatically makes fingerprint names and touch policies
parent f317310d4c
commit 950a078f4e
@ -5,7 +5,7 @@ Setting up a personal PGP key pair is necessary for a number of different
aspects while bootstrapping QVS. The keys are a fundamental building block, and
as such need to be set up in a manner that minimizes exposure risks.
## Generating Keys using `keyfork` and `oct`
## Generating Keys using `keyfork`
// ANCHOR: steps-keyfork
1. Insert an SD card into the system
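Review bot: the heading change in this hunk drops `oct` (from `## Generating Keys using \`keyfork\` and \`oct\`` to `## Generating Keys using \`keyfork\``), but the section still depends on `oct`: the optional duplicate-smartcard step kept later in the same `steps-keyfork` anchored block runs `oct list -i | head -1` to find the card identifier. Either keep `oct` in the heading or add a line under it stating that `oct` is still required for the optional steps.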
@ -15,26 +15,7 @@ as such need to be set up in a manner that minimizes exposure risks.
$ cd /media/TRANSFER
```
1. Insert a smartcard into the system, and get its ID:
a. Set variable with card ID
```
$ card_id="$(oct list -i | head -1)"`
```
b. Test the variable was set correctly
```
$ echo $card_id
```
1. Set the smart card to require touch for all operations
```
$ oct admin --card $card_id touch --key SIG --policy On
$ oct admin --card $card_id touch --key DEC --policy On
$ oct admin --card $card_id touch --key AUT --policy On
$ oct admin --card $card_id touch --key ATT --policy On
```
Note: default admin PIN is 12345678
1. Insert all smartcards to be provisioned into the system.
1. Set expiry time via environment variable - you can update 2y to desired value:
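Review bot: deleting the manual touch-policy step also deletes the only mention of the default admin PIN (`Note: default admin PIN is 12345678`), and the replacement line `1. Insert all smartcards to be provisioned into the system.` does not tell the reader that the touch policy for SIG, DEC, AUT and ATT is now applied automatically (which is what the commit title claims) or that the admin PIN will still be needed during provisioning. Suggest adding one sentence after that line, along the lines of `Touch policies for all keys are set automatically during provisioning; the default admin PIN is 12345678.`, so that nothing the old steps covered is silently lost.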
@ -44,30 +25,18 @@ as such need to be set up in a manner that minimizes exposure risks.
1. Generate a mnemonic, encrypting to a newly-generated key:
Ensure the User ID is your name and your email.
```
$ keyfork mnemonic generate --encrypt-to-self public.asc,output=encrypted.asc --provision openpgp-card,identifier="$card_id"
$ keyfork mnemonic generate --encrypt-to-self output=encrypted.asc --provision openpgp-card,userid="Your Name <your@email.co>"
```
The `count=` variable can be provided to `provision` to ensure the correct
amount of smartcards is provisioned - the program will error if the amount
of smartcards available is not equal to the count requested.
Note: The PIN can't use sequential numbers, characters or repeated patterns.
1. Rename output to use key fingerprint:
```
$ fingerprint="$(sq keyring cert.asc | awk '{ print $2 }')"
$ mv public.asc "${fingerprint}.pub.asc"
$ mv encrypted.asc "${fingerprint}.enc.asc"
```
1. Optional: Create duplicate smartcards.
You can insert new smartcards and perform the following steps as needed:
```
$ gpg --import *.pub.asc
$ gpg --decrypt $fingerprint.enc.asc | KEYFORK_PROMPT_TYPE=headless keyfork recover mnemonic --daemon
$ keyfork provision openpgp-card --identifier "$(oct list -i | head -1)" --account-id 0
```
// ANCHOR_END: steps-keyfork
## Generating Keys on Smartcard
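Review bot: the `1. Rename output to use key fingerprint:` step and its `fingerprint="$(sq keyring cert.asc | awk '{ print $2 }')"` assignment are removed, but the optional duplicate-smartcards step that stays below still runs `gpg --decrypt $fingerprint.enc.asc`, so `$fingerprint` is undefined by the time the reader reaches it; likewise the new `--encrypt-to-self output=encrypted.asc` invocation no longer names a public-key file, so `gpg --import *.pub.asc` has no stated source. Suggest either documenting the fingerprint-named files the generator now writes and how to recover the fingerprint into the variable, or rewriting those two commands so they do not depend on it (and quoting it, `"$fingerprint.enc.asc"`, if it is kept). Minor: `your@email.co` in the `userid=` example looks like a truncated placeholder; `you@example.com` would be clearer.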