docs/quorum-vault-system/src/component-documents/openpgp-setup.md

/* ANCHOR: all */

OpenPGP Setup

Setting up a personal PGP key pair is necessary for a number of different aspects while bootstrapping QVS. The keys are a fundamental building block, and as such need to be set up in a manner that minimizes exposure risks.

Generating Keys using keyfork and oct

// ANCHOR: steps-keyfork

  1. Insert a smartcard into the system, and get its ID:

    • smart_card_id="$(oct list -i | head -1)"

    • You can verify that the variable was set correctly with echo $smart_card_id (tab completion is helpful here).

  2. Set the smart card to require touch for all operations (the default admin PIN is 12345678):

    • oct admin --card $smart_card_id touch --key SIG --policy On

    • oct admin --card $smart_card_id touch --key DEC --policy On

    • oct admin --card $smart_card_id touch --key AUT --policy On

    • oct admin --card $smart_card_id touch --key ATT --policy On

  3. Generate a mnemonic, encrypting to a newly-generated key:

    • keyfork mnemonic generate --size 256 --encrypt-to-self cert.asc,output=encrypted-mnemonic.asc --provision openpgp-card,identifier="$smart_card_id"

    • The PIN can't contain sequential digits or letters, or repeated patterns.

  4. If additional smart cards are required, recover the Keyfork key from the encrypted mnemonic:

    • gpg --import cert.asc

    • gpg --decrypt encrypted-mnemonic.asc | KEYFORK_PROMPT_TYPE=headless keyfork recover mnemonic --daemon

    • Remove your previous key, and plug in the new key.

    • smart_card_id="$(oct list -i | head -1)"

    • keyfork provision openpgp-card --identifier "$smart_card_id" --account-id 0

  5. Insert an SD card to contain the public certificate and the encrypted mnemonic.

    • cp cert.asc encrypted-mnemonic.asc /media

// ANCHOR_END: steps-keyfork
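Two pre-flight checks for the keyfork/oct procedure above, as an added shell example that is not part of the QVS documentation or of keyfork/oct: single_card_id refuses to continue when the output of oct list -i contains zero or several cards, so head -1 can never silently pick the wrong card, and check_pin applies one interpretation of the PIN rule in step 3 (the exact rule keyfork enforces is not stated on this page, so the checks are an assumption). The card identifiers used below are constructed.

```shell
#!/bin/sh
# Added example, not QVS/keyfork code. Assumes POSIX sh. The PIN rule
# implemented here is one reading of "no sequential numbers, characters or
# repeated patterns" and may differ from what keyfork itself enforces.

# Print the single card identifier, or fail when 0 or >1 cards are listed.
# $1 is the raw output of `oct list -i` (one identifier per line, constructed
# values in the test).
single_card_id() {
  n=$(printf '%s\n' "$1" | grep -c '[^[:space:]]' || true)
  [ "$n" -eq 1 ] || { echo "expected exactly 1 card, found $n" >&2; return 1; }
  printf '%s\n' "$1" | grep '[^[:space:]]' | head -1
}

# Reject a PIN that is a strictly sequential run (12345678, 87654321,
# abcdefgh) or a repeated pattern (11111111, 12341234, 123123).
check_pin() {
  pin=$1
  len=${#pin}
  [ "$len" -ge 6 ] || { echo "PIN too short" >&2; return 1; }
  # Sequential run: every neighbour differs by +1 (up) or -1 (down) in code point.
  prev=$(printf '%d' "'$(printf '%s' "$pin" | cut -c1)")
  up=1; down=1; i=2
  while [ "$i" -le "$len" ]; do
    cur=$(printf '%d' "'$(printf '%s' "$pin" | cut -c"$i")")
    [ "$cur" -eq $((prev + 1)) ] || up=0
    [ "$cur" -eq $((prev - 1)) ] || down=0
    prev=$cur; i=$((i + 1))
  done
  if [ "$up" -eq 1 ] || [ "$down" -eq 1 ]; then
    echo "PIN is a sequential run" >&2; return 1
  fi
  # Repeated pattern: the PIN equals a prefix of length d (d <= len/2) repeated.
  d=1
  while [ "$d" -le $((len / 2)) ]; do
    if [ $((len % d)) -eq 0 ]; then
      unit=$(printf '%s' "$pin" | cut -c1-"$d")
      rep=''; k=0
      while [ "$k" -lt $((len / d)) ]; do rep="$rep$unit"; k=$((k + 1)); done
      [ "$rep" != "$pin" ] || { echo "PIN is a repeated pattern" >&2; return 1; }
    fi
    d=$((d + 1))
  done
  return 0
}
```

Run single_card_id "$(oct list -i)" in place of the bare head -1 in steps 1 and 4, and check_pin before entering the PIN keyfork asks for.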

Generating Keys on Smartcard

// ANCHOR: steps-on-key-gen

  1. Insert the smart card into the USB port if it is not already plugged in.

  2. Open Command Prompt (Windows) or Terminal (macOS / Linux).

  3. Enter the GPG command:

    • gpg --card-edit

  4. At the gpg/card> prompt, enter the command: admin

  5. If you want to use keys larger than 2048 bits, run: key-attr

  6. Enter the command: generate

  7. When prompted, specify if you want to make an off-card backup of your encryption key.

    • Note: This is a shim backup of the private key, not a full backup, and cannot be used to restore the key.

  8. Specify how long the key should be valid for (a number of days, weeks, months, or years).

  9. Confirm the expiration date.

  10. When prompted, enter your name.

  11. Enter your email address.

  12. If needed, enter a comment.

  13. Review the name and email, and accept or make changes.

  14. Enter the default admin PIN again. The green light on the smart card will flash while the keys are being written.

  15. Enter a passphrase when prompted; the key requires one, and generation will fail if you leave it empty.

// ANCHOR_END: steps-on-key-gen

/* ANCHOR_END: all */