OpenPGP Key Generation With Backup

Compatible Nitrokeys

Model        OpenPGP key import
3A/C/Mini    supported
Passkey      not supported
HSM 2        not supported
Pro 2        supported
FIDO2        not supported
Storage 2    supported
Start        supported
U2F          not supported

The following instructions explain how to create OpenPGP keys and copy them to a Nitrokey. The advantage of this method over generating the keys on the device is that you keep a backup of the keys in case the Nitrokey is lost or breaks. The flip side is that a copy of the private key exists outside the hardware, so the whole scheme is only as strong as the protection of that backup. The instructions use the GnuPG command-line interface, so GnuPG must be installed on your system. The latest GnuPG releases for Windows and for macOS are available from the GnuPG project; Linux users install GnuPG through their package manager.

Creating the Keys

First, the key has to be created locally. You decide which key attributes to use and, most importantly, you can export the key and keep it safe in case you ever need to restore it.

Primary Key and Encryption Subkey

The command gpg --full-generate-key --expert starts a guided key generation with all available options. You can choose the key type (usually RSA (1) or ECC (9)), the key length and other attributes. The following output is just a simple example; you may choose other values. Note that the 2048-bit default shown comes from the GnuPG 2.2.10 used for this transcript and that the keys are created without an expiry date: pick a key size your Nitrokey model supports (see the FAQ note below) and an expiry policy that fits your use.

> gpg --full-generate-key --expert
gpg (GnuPG) 2.2.10; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want for the subkey? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Jane Doe
Email address: jane@example.com
Comment:
You selected this USER-ID:
    "Jane Doe <jane@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 0EFFB0704391497C marked as ultimately trusted
gpg: revocation certificate stored as '/home/nitrokey//.gnupg/openpgp-revocs.d/9D12C91F6FC4CD6E10A1727A0EFFB0704391497C.rev'
public and secret key created and signed.

pub   rsa2048 2018-09-17 [SC]
      9D12C91F6FC4CD6E10A1727A0EFFB0704391497C
uid                      Jane Doe <jane@example.com>
sub   rsa2048 2018-09-17 [E]

Note

Information about the supported algorithms is available in the FAQ.

Authentication Subkey

You now have a primary key with the sign and certify capabilities (marked [SC]) and a subkey for encryption (marked [E]). For use cases that require authentication, for example SSH logins through gpg-agent, a further subkey is needed. It is created in the next step. Enter gpg --edit-key --expert keyID to start the process, where "keyID" is either the key ID or the email address used during key generation.

> gpg --edit-key --expert jane@example.com
gpg (GnuPG) 2.2.10; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa2048/0EFFB0704391497C
     created: 2018-09-17  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/A9A814C210F16700
     created: 2018-09-17  expires: never       usage: E
[ultimate] (1). Jane Doe <jane@example.com>

gpg>

You are now in GnuPG's interactive mode and can add a key by simply entering addkey. You have to choose the key type to use. It is essential to pick the "set your own capabilities" option, because we need the "authenticate" capability, which is not offered otherwise. Toggle sign and encrypt off by entering s and e, and turn authenticate on by entering a.

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
Your selection? 8

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions:

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? a

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q

We finish with q. Afterwards the same questions as before have to be answered. At the end we have a complete key set that is ready to be moved to the device.

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa2048/0EFFB0704391497C
     created: 2018-09-17  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/A9A814C210F16700
     created: 2018-09-17  expires: never       usage: E
ssb  rsa2048/61F186B8B0BBD5D5
     created: 2018-09-17  expires: never       usage: A
[ultimate] (1). Jane Doe <jane@example.com>

gpg> quit
Save changes? (y/N) y

This is the right moment to back up the key. Keep this backup very safe: the best practice is never to use this key on a regular, internet-connected computer, so that it cannot be compromised. The export below contains the private primary key and both subkeys; store the revocation certificate that GnuPG wrote to openpgp-revocs.d during generation with it, because you will need it if the backup is ever lost or compromised. Use --armor so that the .asc file is ASCII text rather than binary. The backup is created with:

> gpg --armor --export-secret-keys jane@example.com > sec-key.asc
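The same key set can be produced without the interactive prompts, which is what you want for a provisioning script run on an offline machine. The following Python script is an added example and not part of the Nitrokey documentation or of GnuPG: it drives the gpg binary in a throw-away GNUPGHOME, recreates the RSA 2048 primary [SC], encryption [E] and authentication [A] subkeys from the transcript with --quick-generate-key and --quick-add-key, exports the armoured backup and confirms from gpg -K --with-colons that all four capabilities are present. The passphrase, the temporary directory and the function names are the example's own choices.

```python
"""Unattended counterpart of the interactive gpg session: RSA 2048 primary [SC],
encryption [E] and authentication [A] subkeys, no expiry, plus an armoured backup.
Added example; requires the gpg and gpgconf binaries on PATH."""
import os
import shutil
import subprocess
import tempfile

UID = "Jane Doe <jane@example.com>"   # user ID from the transcript
ALGO = "rsa2048"                      # key type and size chosen in the transcript
EXPIRE = "never"                      # "Key does not expire at all"


def gpg_available():
    return shutil.which("gpg") is not None and shutil.which("gpgconf") is not None


def gpg_cmd(homedir, *args):
    # Common prefix: isolated keyring, no interactive prompts, passphrase read from fd 0.
    return ["gpg", "--homedir", homedir, "--batch", "--quiet",
            "--pinentry-mode", "loopback", "--passphrase-fd", "0", *args]


def run(cmd, passphrase):
    # The passphrase is fed on stdin rather than placed in the argument list,
    # so it does not show up in `ps` output or in the shell history.
    res = subprocess.run(cmd, input=passphrase + "\n", text=True,
                         capture_output=True, check=True)
    return res.stdout


def primary_fingerprint(homedir, passphrase):
    # First "fpr" record of the listing (the primary key); field 10 is the fingerprint.
    listing = run(gpg_cmd(homedir, "-K", "--with-colons"), passphrase)
    return next(l.split(":")[9] for l in listing.splitlines() if l.startswith("fpr:"))


def own_capabilities(homedir, passphrase):
    # Field 12 of sec/ssb records; lower-case letters are the individual key's own
    # capabilities, upper-case letters summarise the whole key set.
    listing = run(gpg_cmd(homedir, "-K", "--with-colons"), passphrase)
    return {c for l in listing.splitlines() if l.split(":")[0] in ("sec", "ssb")
            for c in l.split(":")[11] if c.islower()}


def build_keyset(homedir, passphrase):
    """Create the primary [SC], then add the [E] and [A] subkeys, as in the transcript."""
    # With an explicit algorithm --quick-generate-key creates only the primary key;
    # usage "sign" gives sign + certify, i.e. [SC].
    run(gpg_cmd(homedir, "--quick-generate-key", UID, ALGO, "sign", EXPIRE), passphrase)
    fpr = primary_fingerprint(homedir, passphrase)
    run(gpg_cmd(homedir, "--quick-add-key", fpr, ALGO, "encr", EXPIRE), passphrase)
    run(gpg_cmd(homedir, "--quick-add-key", fpr, ALGO, "auth", EXPIRE), passphrase)
    return fpr


def export_backup(homedir, passphrase, path):
    """ASCII-armoured export of the whole secret key set (primary + both subkeys)."""
    armored = run(gpg_cmd(homedir, "--armor", "--export-secret-keys", UID), passphrase)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(armored)
    return armored.startswith("-----BEGIN PGP PRIVATE KEY BLOCK-----")


def demo(passphrase="demo-passphrase-change-me"):
    """Run the whole procedure in a temporary GNUPGHOME; returns (fpr, caps, backup_ok)."""
    homedir = tempfile.mkdtemp(prefix="gnupg-demo-")   # mode 0700, as gpg expects
    try:
        fpr = build_keyset(homedir, passphrase)
        caps = own_capabilities(homedir, passphrase)
        # The demo writes the backup into the temporary directory and deletes it
        # again; a real run writes it to the offline medium that will hold the backup.
        ok = export_backup(homedir, passphrase, os.path.join(homedir, "sec-key.asc"))
        return fpr, caps, ok
    finally:
        # Stop the agent gpg started for this homedir before removing the directory.
        subprocess.run(["gpgconf", "--homedir", homedir, "--kill", "gpg-agent"],
                       check=False, capture_output=True)
        shutil.rmtree(homedir, ignore_errors=True)


if __name__ == "__main__":
    fpr, caps, ok = demo()
    print(fpr, sorted(caps), "backup ok" if ok else "backup FAILED")
```

On a real offline machine, enter your own passphrase instead of the demo string, point --homedir at the keyring you intend to keep, and write sec-key.asc to the offline medium; the rest of the procedure (keytocard below) is unchanged.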

Key Import

You now have a primary key and two subkeys that can be imported to the Nitrokey. Before you proceed, make sure you really have a backup of the key in case you need it. The keytocard command used in the following steps replaces the private key on disk with a stub pointing at the card as soon as you save, so the key material is no longer available locally!

We start the process by entering GnuPG's interactive interface again with gpg --edit-key --expert keyID, where keyID is the key ID or the email address used during key generation.

> gpg --edit-key --expert jane@example.com
gpg (GnuPG) 2.2.10; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa2048/0EFFB0704391497C
     created: 2018-09-17  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/A9A814C210F16700
     created: 2018-09-17  expires: never       usage: E
ssb  rsa2048/61F186B8B0BBD5D5
     created: 2018-09-17  expires: never       usage: A
[ultimate] (1). Jane Doe <jane@example.com>

gpg> keytocard
Really move the primary key? (y/N) y
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

sec  rsa2048/0EFFB0704391497C
     created: 2018-09-17  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/A9A814C210F16700
     created: 2018-09-17  expires: never       usage: E
ssb  rsa2048/61F186B8B0BBD5D5
     created: 2018-09-17  expires: never       usage: A
[ultimate] (1). Jane Doe <jane@example.com>

We have just moved the primary key to the card, into the signature slot. Now we continue with the two subkeys. Enter key 1 to select the encryption subkey (the asterisk after ssb marks the selected key), enter keytocard again and choose the slot to use.

gpg> key 1

sec  rsa2048/0EFFB0704391497C
     created: 2018-09-17  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb* rsa2048/A9A814C210F16700
     created: 2018-09-17  expires: never       usage: E
ssb  rsa2048/61F186B8B0BBD5D5
     created: 2018-09-17  expires: never       usage: A
[ultimate] (1). Jane Doe <jane@example.com>

gpg> keytocard
Please select where to store the key:
   (2) Encryption key
Your selection? 2

sec  rsa2048/0EFFB0704391497C
     created: 2018-09-17  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb* rsa2048/A9A814C210F16700
     created: 2018-09-17  expires: never       usage: E
ssb  rsa2048/61F186B8B0BBD5D5
     created: 2018-09-17  expires: never       usage: A
[ultimate] (1). Jane Doe <jane@example.com>

Now we deselect the first subkey by entering key 1 again (key toggles the selection), select the second subkey with key 2 and move it with keytocard as well. Then we quit and save the changes.

gpg> key 1

sec  rsa2048/0EFFB0704391497C
     created: 2018-09-17  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/A9A814C210F16700
     created: 2018-09-17  expires: never       usage: E
ssb  rsa2048/61F186B8B0BBD5D5
     created: 2018-09-17  expires: never       usage: A
[ultimate] (1). Jane Doe <jane@example.com>

gpg> key 2

sec  rsa2048/0EFFB0704391497C
     created: 2018-09-17  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/A9A814C210F16700
     created: 2018-09-17  expires: never       usage: E
ssb* rsa2048/61F186B8B0BBD5D5
     created: 2018-09-17  expires: never       usage: A
[ultimate] (1). Jane Doe <jane@example.com>

gpg> keytocard
Please select where to store the key:
   (3) Authentication key
Your selection? 3

sec  rsa2048/0EFFB0704391497C
     created: 2018-09-17  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/A9A814C210F16700
     created: 2018-09-17  expires: never       usage: E
ssb* rsa2048/61F186B8B0BBD5D5
     created: 2018-09-17  expires: never       usage: A
[ultimate] (1). Jane Doe <jane@example.com>

gpg> quit
Save changes? (y/N) y

Your keys are now transferred to the Nitrokey and thus protected by hardware. Congratulations! You can verify the result: gpg -K now lists the keys as sec> and ssb> (the > marks a stub whose private part lives on a card), and gpg --card-status shows the fingerprints of the three keys in its Signature key, Encryption key and Authentication key fields.
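After keytocard and save, the check a practitioner wants is that every private key in the keyring is a stub referencing the inserted card and that each key sits in the slot matching its capability. The following Python code is an added example, not part of the Nitrokey documentation: it parses the machine-readable output of gpg -K --with-colons (field 15 of a sec/ssb record is the token serial number, "+" means the private key is still on disk) and of gpg --card-status --with-colons (the fpr record lists the signature, encryption and authentication slots) and reports any mismatch. The listings embedded in it are constructed for the example: the card application ID and the two subkey fingerprints are invented, and only the key IDs and the primary fingerprint come from the transcript above.

```python
"""Verify from GnuPG's colon-separated listings that the primary key and both
subkeys are stubs on one card and sit in the right slots. Added example."""

# Constructed samples shaped like `gpg -K --with-colons` and
# `gpg --card-status --with-colons` after the keytocard steps. Only the key IDs
# and the primary fingerprint come from the transcript; the card application ID
# (AID) and the two subkey fingerprints are invented.
CARD_AID = "D276000124010200000500005F100000"  # RID, app, version, vendor, serial, RFU
PRIMARY_FPR = "9D12C91F6FC4CD6E10A1727A0EFFB0704391497C"
ENC_FPR = "1" * 24 + "A9A814C210F16700"
AUTH_FPR = "2" * 24 + "61F186B8B0BBD5D5"

# Field 15 of sec/ssb is the token S/N: the AID of the card holding the key.
# '+' means the private key is still on disk, '#' a stub with no card reference.
SECRET_LISTING_AFTER = f"""\
sec:u:2048:1:0EFFB0704391497C:1537142400:::u:::scESCA:::{CARD_AID}::23::0:
fpr:::::::::{PRIMARY_FPR}:
uid:u::::1537142400::0123456789ABCDEF0123456789ABCDEF01234567::Jane Doe <jane@example.com>::::::::::0:
ssb:u:2048:1:A9A814C210F16700:1537142400::::::e:::{CARD_AID}::23:
fpr:::::::::{ENC_FPR}:
ssb:u:2048:1:61F186B8B0BBD5D5:1537142400::::::a:::{CARD_AID}::23:
fpr:::::::::{AUTH_FPR}:
"""
# The same keyring before keytocard: private keys still on disk.
SECRET_LISTING_BEFORE = SECRET_LISTING_AFTER.replace(CARD_AID, "+")

# gpg prints the 8-hex-digit serial (AID hex positions 20..27) and one fpr record
# with the signature, encryption and authentication slots. Other records omitted.
CARD_STATUS = f"""\
serial:{CARD_AID[20:28]}:
fpr:{PRIMARY_FPR}:{ENC_FPR}:{AUTH_FPR}:
"""


def parse_secret_listing(text):
    """Return one dict per sec/ssb record: type, own capabilities, token S/N, fingerprint."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb"):
            keys.append({"type": f[0], "caps": {c for c in f[11] if c.islower()},
                         "token": f[14], "fpr": None})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]   # the fpr record follows the key it belongs to
    return keys


def parse_card_status(text):
    """Return {'serial': ..., 'slots': {'s': fpr, 'e': fpr, 'a': fpr}}."""
    card = {"serial": None, "slots": {}}
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "serial":
            card["serial"] = f[1]
        elif f[0] == "fpr":
            card["slots"] = dict(zip("sea", f[1:4]))
    return card


def verify_on_card(secret_listing, card_status):
    """Return a list of problems; an empty list means the key set is fully on this card."""
    keys = parse_secret_listing(secret_listing)
    card = parse_card_status(card_status)
    problems = []
    for k in keys:
        kid = k["fpr"][-16:]
        if k["token"] in ("+", ""):
            problems.append(f"{k['type']} {kid}: private key still on disk (keytocard not saved)")
        elif k["token"] == "#":
            problems.append(f"{k['type']} {kid}: stub without any card reference")
        elif k["token"][20:28] != card["serial"]:
            problems.append(f"{k['type']} {kid}: stub points at card {k['token'][20:28]}, "
                            f"inserted card is {card['serial']}")
    for cap, slot in (("s", "Signature"), ("e", "Encryption"), ("a", "Authentication")):
        expected = [k["fpr"] for k in keys if cap in k["caps"]]
        if card["slots"].get(cap) not in expected:
            problems.append(f"{slot} slot holds {card['slots'].get(cap)}, expected {expected}")
    return problems


if __name__ == "__main__":
    print("after keytocard:", verify_on_card(SECRET_LISTING_AFTER, CARD_STATUS) or "OK")
    print("before keytocard:", verify_on_card(SECRET_LISTING_BEFORE, CARD_STATUS))
```

With a real Nitrokey plugged in, pass the output of gpg -K --with-colons and gpg --card-status --with-colons (for example via subprocess.check_output with text=True) to verify_on_card instead of the constructed listings; an empty result means you can safely remove the on-disk keyring copy on this machine.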

Exporting the Public Key and Using a Keyserver

Even though you can use the Nitrokey right away after generating the keys on this system, you must import the public key on every other system on which you want to use the Nitrokey. To be prepared, you have two options: store the public key wherever you like and use it on the other system, or publish the public key on a web page or a key server.

Creating a Public Key File

To get a simple file with your public key, use gpg --armor --export keyID > pubkey.asc. As "keyID" use the fingerprint (see gpg -K to obtain it) or your email address as the identifier.

You can carry this file with you or send it to anyone; it is not secret at all. To use the Nitrokey on another system, first import this public key via gpg --import pubkey.asc and then run gpg --card-status with the Nitrokey plugged in, so that GnuPG creates the stubs that tell it where to find the private keys. That's it.

Uploading the Public Key

If you don't want to carry a public key file, you can upload it to a key server, for example to keyserver.ubuntu.com, one of the traditional HKP key servers. Type gpg --keyserver keyserver.ubuntu.com --send-key keyID. On another machine you can simply import it with gpg --keyserver keyserver.ubuntu.com --recv-key keyID. Such key servers do not verify who uploads a key, so always compare the fingerprint of a key received this way with the one shown by gpg --card-status.

You can also use keys.openpgp.org, which publishes a key's email identities only after the owner has confirmed them by mail. Upload with gpg --keyserver hkps://keys.openpgp.org --send-keys keyID and follow the verification email. On another machine, import the key with gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys your_address@example.net, or by fingerprint with gpg --keyserver hkps://keys.openpgp.org --recv-keys keyID.

Another possibility is to use the URL field on the card. Start gpg --card-edit again and set the URL where the public key can be found (on the key server, on your web page etc.) with the url command. From then on you can import the key on another system simply by using the fetch command within the gpg --card-edit environment.