|
|
|
|
@ -5,7 +5,7 @@ Setting up a personal PGP key pair is necessary for a number of different
|
|
|
|
|
aspects while bootstrapping QVS. The keys are a fundamental building block, and
|
|
|
|
|
as such need to be set up in a manner that minimizes exposure risks.
|
|
|
|
|
|
|
|
|
|
## Generating Keys using `keyfork` and `oct`
|
|
|
|
|
## Generating Keys using `keyfork`
|
|
|
|
|
// ANCHOR: steps-keyfork
|
|
|
|
|
|
|
|
|
|
1. Insert an SD card into the system
|
|
|
|
|
@ -15,26 +15,7 @@ as such need to be set up in a manner that minimizes exposure risks.
|
|
|
|
|
$ cd /media/TRANSFER
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
1. Insert a smartcard into the system, and get its ID:
|
|
|
|
|
|
|
|
|
|
a. Set variable with card ID
|
|
|
|
|
```
|
|
|
|
|
$ card_id="$(oct list -i | head -1)"`
|
|
|
|
|
```
|
|
|
|
|
b. Test the variable was set correctly
|
|
|
|
|
```
|
|
|
|
|
$ echo $card_id
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
1. Set the smart card to require touch for all operations
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ oct admin --card $card_id touch --key SIG --policy On
|
|
|
|
|
$ oct admin --card $card_id touch --key DEC --policy On
|
|
|
|
|
$ oct admin --card $card_id touch --key AUT --policy On
|
|
|
|
|
$ oct admin --card $card_id touch --key ATT --policy On
|
|
|
|
|
```
|
|
|
|
|
Note: default admin PIN is 12345678
|
|
|
|
|
1. Insert all smartcards to be provisioned into the system.
|
|
|
|
|
|
|
|
|
|
1. Set expiry time via environment variable - you can update 2y to desired value:
|
|
|
|
|
|
|
|
|
|
@ -43,31 +24,19 @@ as such need to be set up in a manner that minimizes exposure risks.
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
1. Generate a mnemonic, encrypting to a newly-generated key:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Ensure the User ID is your name and your email.
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ keyfork mnemonic generate --encrypt-to-self public.asc,output=encrypted.asc --provision openpgp-card,identifier="$card_id"
|
|
|
|
|
$ keyfork mnemonic generate --encrypt-to-self output=encrypted.asc --provision openpgp-card,userid="Your Name <your@email.co>"
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
The `count=` variable can be provided to `provision` to ensure the correct
|
|
|
|
|
amount of smartcards is provisioned - the program will error if the amount
|
|
|
|
|
of smartcards available is not equal to the count requested.
|
|
|
|
|
|
|
|
|
|
Note: The PIN can't use sequential numbers, characters or repeated patterns.
|
|
|
|
|
|
|
|
|
|
1. Rename output to use key fingerprint:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ fingerprint="$(sq keyring cert.asc | awk '{ print $2 }')"
|
|
|
|
|
$ mv public.asc "${fingerprint}.pub.asc"
|
|
|
|
|
$ mv encrypted.asc "${fingerprint}.enc.asc"
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
1. Optional: Create duplicate smartcards.
|
|
|
|
|
|
|
|
|
|
You can insert new smartcards and perform the following steps as needed:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ gpg --import *.pub.asc
|
|
|
|
|
$ gpg --decrypt $fingerprint.enc.asc | KEYFORK_PROMPT_TYPE=headless keyfork recover mnemonic --daemon
|
|
|
|
|
$ keyfork provision openpgp-card --identifier "$(oct list -i | head -1)" --account-id 0
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
// ANCHOR_END: steps-keyfork
|
|
|
|
|
|
|
|
|
|
## Generating Keys on Smartcard
|
|
|
|
|
|
Ryan Heywood