/* ANCHOR: all */

# OpenPGP Setup

Setting up a personal PGP key pair is necessary for a number of different
aspects while bootstrapping QVS. The keys are a fundamental building block, and
as such need to be set up in a manner that minimizes exposure risks.

## Generating Keys using `keyfork` and `oct`

// ANCHOR: steps-keyfork

1. Insert a smartcard into the system, and get its ID:

   * `smart_card_id="$(oct list -i | head -1)"`
   * You may test that the variable was set correctly using `echo $smart_card_id` (tapping tab for auto-completion is helpful here).

1. Set the smart card to require touch for all operations (the default admin PIN is 12345678):

   * `oct admin --card $smart_card_id touch --key SIG --policy On`
   * `oct admin --card $smart_card_id touch --key DEC --policy On`
   * `oct admin --card $smart_card_id touch --key AUT --policy On`
   * `oct admin --card $smart_card_id touch --key ATT --policy On`

1. Generate a mnemonic, encrypting to a newly-generated key:

   * `keyfork mnemonic generate --size 256 --encrypt-to-self cert.asc,output=encrypted-mnemonic.asc --provision openpgp-card,identifier="$smart_card_id"`
   * The PIN can't use sequential numbers, characters or repeated patterns.

1. If additional smart cards are required, recover the Keyfork key from the encrypted mnemonic:

   * `gpg --import cert.asc`
   * `gpg --decrypt encrypted-mnemonic.asc | KEYFORK_PROMPT_TYPE=headless keyfork recover mnemonic --daemon`
   * Remove the previous smart card, and plug in the new one.
   * `smart_card_id="$(oct list -i | head -1)"`
   * `keyfork provision openpgp-card --identifier "$smart_card_id" --account-id 0`

1. Insert an SD card to contain the public certificate and the encrypted mnemonic.

   * `cp cert.asc encrypted-mnemonic.asc /media`

// ANCHOR_END: steps-keyfork
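
Before relying on the copies written to the SD card, a practitioner will want to confirm that both files are the armored artifacts the steps above should have produced: a public key block in `cert.asc` and an OpenPGP message in `encrypted-mnemonic.asc`. The following check is an added example, not code from the QVS documentation, `keyfork` or `oct`; it parses the ASCII armor, verifies the CRC-24 checksum trailer and checks the block type. The expected block types are assumed from the commands above, and the sample message is constructed rather than real `gpg` output.

```python
"""Sanity-check the armored files the keyfork steps leave on the SD card.
Added example for this page; not code from the QVS docs, keyfork, or oct."""
import base64
import re
# Block type each artifact should carry (assumed from the commands above).
EXPECTED_KIND = {"cert.asc": "PUBLIC KEY BLOCK", "encrypted-mnemonic.asc": "MESSAGE"}

def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def parse_armor(text: str):
    """Return (block type, decoded payload); raise ValueError if malformed."""
    lines = text.strip().splitlines()
    m = re.fullmatch(r"-----BEGIN PGP ([A-Z ]+)-----", lines[0]) if lines else None
    if not m or lines[-1] != f"-----END PGP {m.group(1)}-----":
        raise ValueError("missing or mismatched armor header/footer")
    body = lines[1:-1]
    if "" in body:  # armor headers (Version:, Comment:) end at the first blank line
        body = body[body.index("") + 1:]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    payload = base64.b64decode("".join(body), validate=True)
    if crc_line is not None:
        stated = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
        if stated != crc24(payload):
            raise ValueError("armor CRC mismatch: file is corrupt or truncated")
    return m.group(1), payload

def check_artifact(name: str, text: str) -> bool:
    """True when text is a well-formed armor block of the type expected for name,
    e.g. check_artifact("cert.asc", open("/media/cert.asc").read())."""
    kind, payload = parse_armor(text)
    return kind == EXPECTED_KIND[name] and len(payload) > 0

# Constructed sample: a MESSAGE block around the payload b"123456789", whose
# CRC-24 is the published check value 0x21CF02 ("=Ic8C" once base64-encoded).
SAMPLE_MESSAGE = """-----BEGIN PGP MESSAGE-----
Comment: constructed sample, not real ciphertext

MTIzNDU2Nzg5
=Ic8C
-----END PGP MESSAGE-----
"""
```

A CRC mismatch or a missing footer is the symptom of a file truncated during the copy, which is exactly the failure a removable medium is prone to.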

## Generating Keys on Smartcard

// ANCHOR: steps-on-key-gen

1. Insert the smart card into the USB port if it is not already plugged in.

1. Open Command Prompt (Windows) or Terminal (macOS / Linux).

1. Enter the GPG command:

   * `gpg --card-edit`

1. At the `gpg/card>` prompt, enter the command: `admin`

1. If you want to use keys larger than 2048 bits, run: `key-attr`

1. Enter the command: `generate`

1. When prompted, specify if you want to make an off-card backup of your encryption key.

   * Note: This is a shim backup of the private key, not a full backup, and cannot be used to restore the key.

1. Specify how long the key should be valid for (specify the number in days, weeks, months, or years).

1. Confirm the expiration date.

1. When prompted, enter your name.

1. Enter your email address.

1. If needed, enter a comment.

1. Review the name and email, and accept or make changes.

1. Enter the default admin PIN again. The green light on the smart card will flash while the keys are being written.

1. Enter a passphrase; the key will not let you proceed without one, and generation will fail if you do not enter one.

// ANCHOR_END: steps-on-key-gen

/* ANCHOR_END: all */