4

Yubikey 5 NFC 同 GPG 密钥的使用

 2 years ago
source link: https://seo.g2soft.net/2021/11/24/yubikey-5-nfc-gpg.html
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

Yubikey 5 NFC 同 GPG 密钥的使用

作者:David Yin

最后更新于 2021年11月24日 | 最初发布于 2021年11月24日 | 分类: 搜索引擎优化之无类可分

我有两个 Yubikey,一个是功能有限的 Yubico Security Key NFC,和 Yubikey 5 NFC,我使用了两个的 U2F 功能,用来登录那些支持此协议的二步登录。

而对于 Yubikey 5 NFC,因为它还能当做一个 smart card 使用。

于是在生成了 GPG 主密钥,和具有三个单独用处的三个子密钥之后,我需要把子密钥的私钥存入到 Yubikey 中。

这只是我的使用环境。在 Windows 10 上安装了 Git Bash,它所自带的 gpg 命令。目前的版本是 2.2.29.


david@DESKTOP-David MINGW64 ~
$ gpg --version
gpg (GnuPG) 2.2.29-unknown
libgcrypt 1.9.3-unknown
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /c/Users/david/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

在系统中,已经有了一个主密钥具有 certify 功能,三个子密钥分别有 Sign,Encrypt,Auth 功能。而主密钥的私钥已经藏好了,不再操作系统中了。

密钥的过期时间

主密钥我给的是10年。
子密钥是2年。

密钥的算法

主密钥是 RSA 4096
子密钥是 Curve 25519

打开 Git Bash 窗口,插入Yubikey 5 NFC。


david@DESKTOP-David MINGW64 /d/yin/davidyin.key.d
$ gpg -K  #查看私钥
/c/Users/david/.gnupg/pubring.kbx
---------------------------------
sec#  rsa4096 2021-11-18 [C] [expires: 2031-11-21]
      3DACA9F369840781B0A8D96E4E7983E6303EE209
uid           [ultimate] DavidYin 
ssb   ed25519 2021-11-18 [S] [expires: 2023-11-23]
ssb   cv25519 2021-11-18 [E] [expires: 2023-11-23]
ssb   ed25519 2021-11-18 [A] [expires: 2023-11-23]


david@DESKTOP-David MINGW64 /d/yin/davidyin.key.d
$ gpg -k  #查看公钥
/c/Users/david/.gnupg/pubring.kbx
---------------------------------
pub   rsa4096 2021-11-18 [C] [expires: 2031-11-21]
      3DACA9F369840781B0A8D96E4E7983E6303EE209
uid           [ultimate] DavidYin 
sub   ed25519 2021-11-18 [S] [expires: 2023-11-23]
sub   cv25519 2021-11-18 [E] [expires: 2023-11-23]
sub   ed25519 2021-11-18 [A] [expires: 2023-11-23]
@yinfor.com>@yinfor.com>

上面可以看到私钥的 sec后面有个井字号,就是表示不存在系统中。
接下来查看一下 Yubikey 里面的信息。


david@DESKTOP-David MINGW64 /d/yin/davidyin.key.d
$ gpg --card-status
Reader ...........: Yubico YubiKey OTP FIDO CCID 0
Application ID ...: Dxxxxxxxxxxxxxx0000  #内容已经被我手工打码
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: xxxxxxxx   #内容已经被我手工打码
Name of cardholder: David Yin
Language prefs ...: en
Salutation .......: Mr.
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

上面的信息中可以看到三个 key 的位置是空的。
下面就是存入了。


$ gpg --edit-key davidyin
gpg (GnuPG) 2.2.29-unknown; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret subkeys are available.

pub  rsa4096/4E7983E6303EE209
     created: 2021-11-18  expires: 2031-11-21  usage: C
     trust: ultimate      validity: ultimate
ssb  ed25519/4F4D78D0254310EF
     created: 2021-11-18  expires: 2023-11-23  usage: S
ssb  cv25519/28638F7ECD4CAD1B
     created: 2021-11-18  expires: 2023-11-23  usage: E
ssb  ed25519/C8D3F14461F2B128
     created: 2021-11-18  expires: 2023-11-23  usage: A
[ultimate] (1). DavidYin 

gpg> key 1 #选择第一个子密钥,选择后 ssb 后出现一个星号

pub  rsa4096/4E7983E6303EE209
     created: 2021-11-18  expires: 2031-11-21  usage: C
     trust: ultimate      validity: ultimate
ssb* ed25519/4F4D78D0254310EF
     created: 2021-11-18  expires: 2023-11-23  usage: S
ssb  cv25519/28638F7ECD4CAD1B
     created: 2021-11-18  expires: 2023-11-23  usage: E
ssb  ed25519/C8D3F14461F2B128
     created: 2021-11-18  expires: 2023-11-23  usage: A
[ultimate] (1). DavidYin 

gpg> keytocard  #存入的命令
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

pub  rsa4096/4E7983E6303EE209
     created: 2021-11-18  expires: 2031-11-21  usage: C
     trust: ultimate      validity: ultimate
ssb* ed25519/4F4D78D0254310EF
     created: 2021-11-18  expires: 2023-11-23  usage: S
ssb  cv25519/28638F7ECD4CAD1B
     created: 2021-11-18  expires: 2023-11-23  usage: E
ssb  ed25519/C8D3F14461F2B128
     created: 2021-11-18  expires: 2023-11-23  usage: A
[ultimate] (1). DavidYin 

gpg> key 1  #取消第一个子密钥的选择
gpg> key 2  #选择第二个子密钥
gpg> keytocard
Please select where to store the key:
   (2) Encryption key
Your selection? 2
gpg> key 2 #取消第二个子密钥的选择
gpg> key 3 #选择第三个子密钥
gpg> keytocard
Please select where to store the key:
   (3) Authentication key
Your selection? 3

gpg> quit
Save changes? (y/N) y
@yinfor.com>@yinfor.com>@yinfor.com>

在进行保存的时候,会提示输入密钥的密码,然后会提示输入 yubikey 的 PIN 码。
在三个子密钥都保存好之后,再次查看 Yubikey 的情况,和密钥的情况。


$ gpg --card-status
Reader ...........: Yubico YubiKey OTP FIDO CCID 0
Application ID ...: Dxxxxxxxxxxxxxx00
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: xxxxxxxx
Name of cardholder: David Yin
Language prefs ...: en
Salutation .......: Mr.
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: off
Signature key ....: 9D6B 8BA0 82B0 8ABF 03ED  27CF 4F4D 78D0 2543 10EF
      created ....: 2021-11-18 10:55:50
Encryption key....: 6C2D 1A67 897F C026 32F5  6A4C 2863 8F7E CD4C AD1B
      created ....: 2021-11-18 11:05:56
Authentication key: 80D7 A5D8 C15E 3240 9C4F  5C56 C8D3 F144 61F2 B128
      created ....: 2021-11-18 11:08:55
General key info..: sub  ed25519/4F4D78D0254310EF 2021-11-18 DavidYin 
sec#  rsa4096/4E7983E6303EE209  created: 2021-11-18  expires: 2031-11-21
ssb>  ed25519/4F4D78D0254310EF  created: 2021-11-18  expires: 2023-11-23
                                card-no: 0006 17903989
ssb>  cv25519/28638F7ECD4CAD1B  created: 2021-11-18  expires: 2023-11-23
                                card-no: 0006 17903989
ssb>  ed25519/C8D3F14461F2B128  created: 2021-11-18  expires: 2023-11-23
                                card-no: 0006 17903989
$ gpg -K
/c/Users/david/.gnupg/pubring.kbx
---------------------------------
sec#  rsa4096 2021-11-18 [C] [expires: 2031-11-21]
      3DACA9F369840781B0A8D96E4E7983E6303EE209
uid           [ultimate] DavidYin 
ssb>  ed25519 2021-11-18 [S] [expires: 2023-11-23]
ssb>  cv25519 2021-11-18 [E] [expires: 2023-11-23]
ssb>  ed25519 2021-11-18 [A] [expires: 2023-11-23]
@yinfor.com>@yinfor.com>
可以看到子密钥们的 ssb 字符之后有个大于号,表示私钥实际上不在电脑系统中,而是在 yubikey 中。如果我需要用到子密钥的私钥做一些事情,会提示插入 Yubikey 来完成操作。

现在安全措施是这样的。
主密钥以及吊销证书,和三个子密钥,公钥,放在了两个 USB 加密盘中。离线储存,分别保存。
本机上,只有公钥,子密钥的私钥在 Yubikey 上,随时使用。
而Yubico Security key 也同其中的一个 USB 盘放在了一起。


report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK