Closed7
YubiKeyに副鍵を知らせる手順
zundahttps://mitome.in/device/yubiKey.html の作業だけではEncryption keyがYubiKeyに行かないため自分宛の暗号文を復号できないようなのだけれど、Encryption keyを利用可能にする方法がわらない。
$ gpg -d test.asc
gpg: decryption failed: No secret key
https://www.gnupg.org/howtos/card-howto/en/ch05s02.html#id2523237 に従い副鍵を生成したみたが変化はなかった。YubiKeyのPIN、Admin PIN、私有鍵のパスフレーズを入力する必要がある。
よくみると鍵長が2048ビットになっている。この副鍵の公開鍵を公開しないといけないのかもしれない。
https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP では4096ビットを推奨している。鍵のビット数がよくなかった?
$ gpg --edit-key F60960D80B224382CA8D831CB56C20316D6E8279
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa3072/B56C20316D6E8279
created: 2020-06-24 expires: 2022-06-24 usage: SC
trust: ultimate validity: ultimate
ssb rsa3072/164F21FF001C8CD1
created: 2020-06-24 expires: 2022-06-24 usage: E
[ultimate] (1). zunda <zundan@gmail.com>
gpg> addcardkey
Signature key ....: F609 60D8 0B22 4382 CA8D 831C B56C 2031 6D6E 8279
Encryption key....: [none]
Authentication key: F609 60D8 0B22 4382 CA8D 831C B56C 2031 6D6E 8279
Please select the type of key to generate:
(1) Signature key
(2) Encryption key
(3) Authentication key
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 6m
Key expires at Thu 29 Sep 2022 04:52:49 PM HST
Is this correct? (y/N) y
Really create? (y/N) y
sec rsa3072/B56C20316D6E8279
created: 2020-06-24 expires: 2022-06-24 usage: SC
trust: ultimate validity: ultimate
ssb rsa3072/164F21FF001C8CD1
created: 2020-06-24 expires: 2022-06-24 usage: E
ssb rsa2048/4231368189018B53
created: 2022-04-03 expires: 2022-09-30 usage: E
card-no: 0006 ********
[ultimate] (1). zunda <zundan@gmail.com>
gpg> quit
Save changes? (y/N) y
$ gpg --card-status
Reader ...........: 1050:0407:X:0
Application ID ...: D2760001240103040006********0000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: ********
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : https://keys.openpgp.org/vks/v1/by-fingerprint/F60960D80B224382CA8D831CB56C20316D6E8279
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa3072 rsa2048 rsa3072
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 11
KDF setting ......: off
Signature key ....: F609 60D8 0B22 4382 CA8D 831C B56C 2031 6D6E 8279
created ....: 2020-06-24 05:26:57
Encryption key....: 6434 4818 49FE 3DF8 9AF5 A6CB 4231 3681 8901 8B53
created ....: 2022-04-03 02:52:20
Authentication key: F609 60D8 0B22 4382 CA8D 831C B56C 2031 6D6E 8279
created ....: 2020-06-24 05:26:57
General key info..: pub rsa3072/B56C20316D6E8279 2020-06-24 zunda <zundan@gmail.com>
sec rsa3072/B56C20316D6E8279 created: 2020-06-24 expires: 2022-06-24
ssb rsa3072/164F21FF001C8CD1 created: 2020-06-24 expires: 2022-06-24
ssb> rsa2048/4231368189018B53 created: 2022-04-03 expires: 2022-09-30
card-no: 0006 ********
YubiKeyに暗号鍵を作成した環境では対応する公開鍵が見える。
$ gpg --list-keys F60960D80B224382CA8D831CB56C20316D6E8279
pub rsa3072 2020-06-24 [SC] [expires: 2022-06-24]
F60960D80B224382CA8D831CB56C20316D6E8279
uid [ultimate] zunda <zundan@gmail.com>
sub rsa3072 2020-06-24 [E] [expires: 2022-06-24]
sub rsa2048 2022-04-03 [E] [expires: 2022-09-30]
YubiKeyを挿入していない場合には今回作成した鍵には>マークがついている。
$ gpg -K
/home/zunda/.gnupg/pubring.kbx
------------------------------
sec rsa3072 2020-06-24 [SC] [expires: 2022-06-24]
F60960D80B224382CA8D831CB56C20316D6E8279
uid [ultimate] zunda <zundan@gmail.com>
ssb rsa3072 2020-06-24 [E] [expires: 2022-06-24]
ssb> rsa2048 2022-04-03 [E] [expires: 2022-09-30]
別の環境では何かの方法でYuibiKeyの内容を更新しないといけないようだ。
$ gpg --card-status
Reader ...........: 1050:0407:X:0
Application ID ...: D2760001240103040006********0000
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: ********
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : https://keys.openpgp.org/vks/v1/by-fingerprint/F60960D80B224382CA8D831CB56C20316D6E8279
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa3072 rsa2048 rsa3072
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 11
Signature key ....: F609 60D8 0B22 4382 CA8D 831C B56C 2031 6D6E 8279
created ....: 2020-06-24 05:26:57
Encryption key....: 6434 4818 49FE 3DF8 9AF5 A6CB 4231 3681 8901 8B53
created ....: 2022-04-03 02:52:20
Authentication key: F609 60D8 0B22 4382 CA8D 831C B56C 2031 6D6E 8279
created ....: 2020-06-24 05:26:57
General key info..: pub rsa3072/B56C20316D6E8279 2020-06-24 zunda <zundan@gmail.com>
sec> rsa3072/B56C20316D6E8279 created: 2020-06-24 expires: 2022-06-24
card-no: 0006 ********
ssb# rsa3072/164F21FF001C8CD1 created: 2020-06-24 expires: 2022-06-24
別の環境でgpg --card-editをするようだ。https://mitome.in/device/yubiKey.html#他のlinuxでの私有鍵の利用 ではgpg --edit-keyして同様の効果を得たのかもしれない。
--card-edit/fetchでは公開鍵サーバからの情報の取得をするだけだった。上記で作成した暗号鍵はまだ公開していないからか、変化はなかった。
$ gpg --card-edit
Reader ...........: 1050:0407:X:0
Application ID ...: D2760001240103040006********0000
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: ********
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : https://keys.openpgp.org/vks/v1/by-fingerprint/F60960D80B224382CA8D831CB56C20316D6E8279
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa3072 rsa2048 rsa3072
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 11
Signature key ....: F609 60D8 0B22 4382 CA8D 831C B56C 2031 6D6E 8279
created ....: 2020-06-24 05:26:57
Encryption key....: 6434 4818 49FE 3DF8 9AF5 A6CB 4231 3681 8901 8B53
created ....: 2022-04-03 02:52:20
Authentication key: F609 60D8 0B22 4382 CA8D 831C B56C 2031 6D6E 8279
created ....: 2020-06-24 05:26:57
General key info..: pub rsa3072/B56C20316D6E8279 2020-06-24 zunda <zundan@gmail.com>
sec> rsa3072/B56C20316D6E8279 created: 2020-06-24 expires: 2022-06-24
card-no: 0006 ********
ssb# rsa3072/164F21FF001C8CD1 created: 2020-06-24 expires: 2022-06-24
gpg/card> fetch
gpg: requesting key from 'https://keys.openpgp.org/vks/v1/by-fingerprint/F60960D80B224382CA8D831CB56C20316D6E8279'
gpg: key B56C20316D6E8279: "zunda <zundan@gmail.com>" 4 new signatures
gpg: Total number processed: 1
gpg: new signatures: 4
gpg/card> quit
$ gpg -K
/home/zunda/.gnupg/pubring.kbx
--------------------------------
sec> rsa3072 2020-06-24 [SC] [expires: 2022-06-24]
F60960D80B224382CA8D831CB56C20316D6E8279
Card serial no. = 0006 ********
uid [ unknown] zunda <zundan@gmail.com>
ssb# rsa3072 2020-06-24 [E] [expires: 2022-06-24]
https://wiki.debian.org/Subkeys をちゃんと読んで、主鍵から作り直すべきか
you need the primary private key:
- when you sign someone else's key or revoke an existing signature,
- when you add a new UID or mark an existing UID as primary,
- when you create a new subkey,
- when you revoke an existing UID or subkey,
- when you change the preferences (e.g., with setpref) on a UID,
- when you change the expiration date on your primary key or any of its subkey, or
- when you revoke or generate a revocation certificate for the complete key.
Because each of these operation is done by adding a new self- or revocation signatures from the private primary key
subkey creation or revocation does not affect the reputation of the primary key. So in case your subkey gets stolen while your primary key remains safe, you can revoke the compromised subkey and replace it with a new subkey without having to rebuild your reputation and without reducing reputation of other people's keys signed with your primary key.
-
~/.gnupgをバックアップし - 署名用副鍵を生成し
- 暗号用副鍵を生成し
-
~/.gnupgをバックアップ(?)し - 主鍵対の私有鍵を消去(たぶん常用する環境から)し
- 主鍵対の公開鍵を公開鍵サーバにアップロードする
- 副鍵の公開鍵と副鍵への署名もアップロードされるのだろう。
One might be tempted to have one subkey per machine so that you only need to exchange the potentially compromised subkey of that machine. In case of a single subkey used on all machines, it needs to be exchanged on all machines in case of a compromising.
But this only works for signing subkeys. If you have multiple encryption subkeys, gpg is said to encrypt only for the most recent encryption subkey and not for all known and not revoked encryption subkeys.
gpg --list-secret-keysでsecの代わりにsec#と表示されているのは存在しない私有鍵。
zundagpgは最新の暗号副鍵に向けて暗号化するのがデフォルトの動作、過去の暗号副鍵に向けて暗号化する必要がある場合には暗号副鍵のIDに!を付ける。びっくりを付けてローカルに私有鍵がある暗号鍵を指定すればばYubiKey無しで復号できる。
$ echo こんにちは世界 | gpg -er 164F21FF001C8CD1! | gpg -d
gpg: encrypted with 3072-bit RSA key, ID 164F21FF001C8CD1, created 2020-06-24
"zunda <zundan@gmail.com>"
こんにちは世界
$ echo こんにちは世界 | gpg -er 164F21FF001C8CD1 | gpg -d
gpg: encrypted with 2048-bit RSA key, ID 4231368189018B53, created 2022-04-03
"zunda <zundan@gmail.com>"
gpg: public key decryption failed: Operation cancelled
gpg: decryption failed: No secret key
Yubicoによる手順 https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP
- 主鍵を生成し、
- 認証副鍵と署名暗号副鍵を生成し、
- バックアップを
gpg --export-secret-key --armorで作成し、 - 主鍵と一緒に
keytocardする
zunda
gpg --edit-keyでのtoggleとkey 1などが重要かもしれない。keytocardコマンドは選択された鍵をカードに送るとのこと:
Transfer the selected secret subkey (or the primary key if no subkey has been selected) to a smartcard. The secret key in the keyring will be replaced by a stub if the key could be stored successfully on the card and you use the save command later. Only certain key types may be transferred to the card. A sub menu allows you to select on what card to store the key. Note that it is not possible to get that key back from the card - if the card gets broken your secret key will be lost unless you have a backup somewhere.
~/.gnupgを上記で暗号副鍵をつくる前の状態に戻して試してみよう。
$ gpg -K
/home/zunda/.gnupg/pubring.kbx
------------------------------
sec rsa3072 2020-06-24 [SC] [expires: 2022-06-24]
F60960D80B224382CA8D831CB56C20316D6E8279
uid [ultimate] zunda <zundan@gmail.com>
ssb rsa3072 2020-06-24 [E] [expires: 2022-06-24]
$ gpg --edit-key F60960D80B224382CA8D831CB56C20316D6E8279
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa3072/B56C20316D6E8279
created: 2020-06-24 expires: 2022-06-24 usage: SC
trust: ultimate validity: ultimate
ssb rsa3072/164F21FF001C8CD1
created: 2020-06-24 expires: 2022-06-24 usage: E
[ultimate] (1). zunda <zundan@gmail.com>
gpg> key 1
sec rsa3072/B56C20316D6E8279
created: 2020-06-24 expires: 2022-06-24 usage: SC
trust: ultimate validity: ultimate
ssb* rsa3072/164F21FF001C8CD1
created: 2020-06-24 expires: 2022-06-24 usage: E
[ultimate] (1). zunda <zundan@gmail.com>
gpg> keytocard
Please select where to store the key:
(2) Encryption key
Your selection? 2
gpg: WARNING: such a key has already been stored on the card!
Replace existing key? (y/N) y
sec rsa3072/B56C20316D6E8279
created: 2020-06-24 expires: 2022-06-24 usage: SC
trust: ultimate validity: ultimate
ssb* rsa3072/164F21FF001C8CD1
created: 2020-06-24 expires: 2022-06-24 usage: E
[ultimate] (1). zunda <zundan@gmail.com>
gpg> quit
Save changes? (y/N) y
$ gpg -K
/home/zunda/.gnupg/pubring.kbx
------------------------------
sec> rsa3072 2020-06-24 [SC] [expires: 2022-06-24]
F60960D80B224382CA8D831CB56C20316D6E8279
Card serial no. = 0006 ********
uid [ultimate] zunda <zundan@gmail.com>
ssb> rsa3072 2020-06-24 [E] [expires: 2022-06-24]
YubiKeyを抜くと
/home/zunda/.gnupg/pubring.kbx
------------------------------
sec> rsa3072 2020-06-24 [SC] [expires: 2022-06-24]
F60960D80B224382CA8D831CB56C20316D6E8279
Card serial no. = 0006 ********
uid [ultimate] zunda <zundan@gmail.com>
ssb> rsa3072 2020-06-24 [E] [expires: 2022-06-24]
無いマークではないのか。
別環境にYubiKeyを移して、
$ gpg -K
/home/zunda/.gnupg/pubring.kbx
--------------------------------
sec> rsa3072 2020-06-24 [SC] [expires: 2022-06-24]
F60960D80B224382CA8D831CB56C20316D6E8279
Card serial no. = 0006 ********
uid [ unknown] zunda <zundan@gmail.com>
ssb# rsa3072 2020-06-24 [E] [expires: 2022-06-24]
$ gpg --card-status
Reader ...........: 1050:0407:X:0
Application ID ...: D2760001240103040006********0000
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: ********
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : https://keys.openpgp.org/vks/v1/by-fingerprint/F60960D80B224382CA8D831CB56C20316D6E8279
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa3072 rsa3072 rsa3072
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 11
Signature key ....: F609 60D8 0B22 4382 CA8D 831C B56C 2031 6D6E 8279
created ....: 2020-06-24 05:26:57
Encryption key....: CAE6 B476 3A84 A557 2636 25CE 164F 21FF 001C 8CD1
created ....: 2020-06-24 05:26:57
Authentication key: F609 60D8 0B22 4382 CA8D 831C B56C 2031 6D6E 8279
created ....: 2020-06-24 05:26:57
General key info..: pub rsa3072/B56C20316D6E8279 2020-06-24 zunda <zundan@gmail.com>
sec> rsa3072/B56C20316D6E8279 created: 2020-06-24 expires: 2022-06-24
card-no: 0006 ********
ssb> rsa3072/164F21FF001C8CD1 created: 2020-06-24 expires: 2022-06-24
card-no: 0006 ********
$ gpg -K
/home/zunda/.gnupg/pubring.kbx
--------------------------------
sec> rsa3072 2020-06-24 [SC] [expires: 2022-06-24]
F60960D80B224382CA8D831CB56C20316D6E8279
Card serial no. = 0006 ********
uid [ unknown] zunda <zundan@gmail.com>
ssb> rsa3072 2020-06-24 [E] [expires: 2022-06-24]
このスクラップは2022/04/04にクローズされました
ログインするとコメントできます