Compare commits

No commits in common. "950a078f4e27f98f9194a2476f6fca9aa27d1408" and "241c45d390e2bd4addb043762ad51cf9aff21d36" have entirely different histories.

950a078f4e...241c45d390
		|  | @ -10,8 +10,8 @@ indent_style = tab | ||||||
| indent_size = 2 | indent_size = 2 | ||||||
| 
 | 
 | ||||||
| [*.md] | [*.md] | ||||||
| indent_style = tab | indent_style = space | ||||||
| indent_size = 4 | indent_size = 2 | ||||||
| 
 | 
 | ||||||
| [*] | [*] | ||||||
| end_of_line = lf | end_of_line = lf | ||||||
|  |  | ||||||
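Review bot: the new `[*.md]` setting (`indent_style = space`, `indent_size = 2`) conflicts with the markdown added in this same compare, which indents the nested steps with a tab (`	a. Set variable with card ID`, `	b. Test the variable was set correctly`) and the fenced blocks with four spaces; either normalise the new doc lines to two-space indentation or keep the editorconfig matching what the files actually use, otherwise editor-inserted indentation will differ from the surrounding lines.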
|  | @ -5,7 +5,7 @@ Setting up a personal PGP key pair is necessary for a number of different | ||||||
| aspects while bootstrapping QVS. The keys are a fundamental building block, and | aspects while bootstrapping QVS. The keys are a fundamental building block, and | ||||||
| as such need to be set up in a manner that minimizes exposure risks. | as such need to be set up in a manner that minimizes exposure risks. | ||||||
| 
 | 
 | ||||||
| ## Generating Keys using `keyfork` | ## Generating Keys using `keyfork` and `oct` | ||||||
| // ANCHOR: steps-keyfork | // ANCHOR: steps-keyfork | ||||||
| 
 | 
 | ||||||
| 1. Insert an SD card into the system | 1. Insert an SD card into the system | ||||||
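Review bot: the heading now names `oct` alongside `keyfork`, but nothing in the visible steps says what `oct` is or that it has to be installed before the smartcard steps; add a one-line note naming the tool's project or package at the point where `keyfork` itself is introduced.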
|  | @ -15,7 +15,26 @@ as such need to be set up in a manner that minimizes exposure risks. | ||||||
|     $ cd /media/TRANSFER |     $ cd /media/TRANSFER | ||||||
|     ``` |     ``` | ||||||
| 
 | 
 | ||||||
| 1. Insert all smartcards to be provisioned into the system. | 1. Insert a smartcard into the system, and get its ID: | ||||||
|  | 
 | ||||||
|  | 	a. Set variable with card ID | ||||||
|  |     ``` | ||||||
|  |     $ card_id="$(oct list -i | head -1)"` | ||||||
|  |     ``` | ||||||
|  | 	b. Test the variable was set correctly | ||||||
|  |     ``` | ||||||
|  |     $ echo $card_id  | ||||||
|  |     ``` | ||||||
|  | 
 | ||||||
|  | 1. Set the smart card to require touch for all operations | ||||||
|  | 
 | ||||||
|  |     ``` | ||||||
|  |     $ oct admin --card $card_id touch --key SIG --policy On | ||||||
|  |     $ oct admin --card $card_id touch --key DEC --policy On | ||||||
|  |     $ oct admin --card $card_id touch --key AUT --policy On | ||||||
|  |     $ oct admin --card $card_id touch --key ATT --policy On | ||||||
|  |     ``` | ||||||
|  |     Note: default admin PIN is 12345678 | ||||||
| 
 | 
 | ||||||
| 1. Set expiry time via environment variable - you can update 2y to desired value: | 1. Set expiry time via environment variable - you can update 2y to desired value: | ||||||
| 
 | 
 | ||||||
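Review bot: the command in sub-step a has a stray trailing backtick, `$ card_id="$(oct list -i | head -1)"` followed by `` ` ``, which is a syntax error when pasted into a shell; drop it. In the same hunk, the line "Note: default admin PIN is 12345678" is the only mention of the Admin PIN and no step tells the reader to change it (or the user PIN) from the factory default before or after provisioning; add that step, since the same `oct admin` path used here to set the touch policy is available to anyone holding a card that still has the default Admin PIN. Minor: quote the variable in `oct admin --card "$card_id"` and `echo "$card_id"` to match the quoted assignment.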
|  | @ -25,18 +44,30 @@ as such need to be set up in a manner that minimizes exposure risks. | ||||||
| 
 | 
 | ||||||
| 1. Generate a mnemonic, encrypting to a newly-generated key: | 1. Generate a mnemonic, encrypting to a newly-generated key: | ||||||
|          |          | ||||||
| 	Ensure the User ID is your name and your email. |  | ||||||
| 
 |  | ||||||
|     ``` |     ``` | ||||||
|     $ keyfork mnemonic generate --encrypt-to-self output=encrypted.asc --provision openpgp-card,userid="Your Name <your@email.co>" |     $ keyfork mnemonic generate --encrypt-to-self public.asc,output=encrypted.asc --provision openpgp-card,identifier="$card_id" | ||||||
|     ``` |     ``` | ||||||
| 
 | 
 | ||||||
| 	The `count=` variable can be provided to `provision` to ensure the correct |  | ||||||
| 	amount of smartcards is provisioned - the program will error if the amount |  | ||||||
| 	of smartcards available is not equal to the count requested. |  | ||||||
| 
 |  | ||||||
| 	Note: The PIN can't use sequential numbers, characters or repeated patterns. | 	Note: The PIN can't use sequential numbers, characters or repeated patterns. | ||||||
| 
 | 
 | ||||||
|  | 1. Rename output to use key fingerprint: | ||||||
|  | 
 | ||||||
|  |     ``` | ||||||
|  |     $ fingerprint="$(sq keyring cert.asc | awk '{ print $2 }')" | ||||||
|  |     $ mv public.asc "${fingerprint}.pub.asc" | ||||||
|  |     $ mv encrypted.asc "${fingerprint}.enc.asc" | ||||||
|  |     ``` | ||||||
|  | 
 | ||||||
|  | 1. Optional: Create duplicate smartcards. | ||||||
|  | 
 | ||||||
|  |     You can insert new smartcards and perform the following steps as needed: | ||||||
|  |      | ||||||
|  |     ``` | ||||||
|  |     $ gpg --import *.pub.asc | ||||||
|  |     $ gpg --decrypt $fingerprint.enc.asc | KEYFORK_PROMPT_TYPE=headless keyfork recover mnemonic --daemon | ||||||
|  |     $ keyfork provision openpgp-card --identifier "$(oct list -i | head -1)" --account-id 0 | ||||||
|  |     ``` | ||||||
|  | 
 | ||||||
| // ANCHOR_END: steps-keyfork | // ANCHOR_END: steps-keyfork | ||||||
| 
 | 
 | ||||||
| ## Generating Keys on Smartcard  | ## Generating Keys on Smartcard  | ||||||
|  |  | ||||||
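Review bot: the "Rename output to use key fingerprint" step reads the fingerprint from `cert.asc`, but the generate command above writes `public.asc` (`--encrypt-to-self public.asc,output=encrypted.asc`) and no visible step produces `cert.asc`, so `$fingerprint` will be empty and the two `mv` lines will rename to `.pub.asc` and `.enc.asc`; point the `sq` call at `public.asc` and fail early if the variable is empty. Also, removing `userid="Your Name <your@email.co>"` from the provision command together with the line "Ensure the User ID is your name and your email." leaves no place where the User ID is set; say where it now comes from. In the duplicate-card step, quote `"$fingerprint.enc.asc"` as the rename step does.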