OpenPGP Key Generation With Backup

(Nitrokey Start - Windows)

The following instructions explain how to generate OpenPGP keys and copy them to the Nitrokey. This method has the advantage of providing a backup of the keys in case the Nitrokey is lost or broken. The instructions are based on the command line interface of GnuPG, so you need to have GnuPG installed on your system. The newest GnuPG version for Windows can be found here and the newest version for macOS can be found here. Users of Linux systems should install GnuPG through their package manager.

Key Creation

First you need to create the key locally. You can decide which key attributes to use and, most importantly, you can export the key and store it in case you ever need to restore it.

Main Key and Encryption Subkey

The command gpg --full-generate-key --expert starts a guided key generation with all available options. You can choose the key type (usually RSA (1) or ECC (9)), the key length and other attributes. The following output is just a simple example; you can choose other values as well.

> gpg --full-generate-key --expert
gpg (GnuPG) 2.2.10; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want for the subkey? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Jane Doe
Email address: jane@example.com
Comment:
You selected this USER-ID:
    "Jane Doe <jane@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 0EFFB0704391497C marked as ultimately trusted
gpg: revocation certificate stored as '/home/nitrokey//.gnupg/openpgp-revocs.d/9D12C91F6FC4CD6E10A1727A0EFFB0704391497C.rev'
public and secret key created and signed.

pub   rsa2048 2018-09-17 [SC]
      9D12C91F6FC4CD6E10A1727A0EFFB0704391497C
uid                      Jane Doe <jane@example.com>
sub   rsa2048 2018-09-17 [E]

The following table shows which algorithms can be used with each device if you want to use different key attributes.

                      Start    Pro + Storage    Pro 2 + Storage 2
    rsa1024
    rsa2048
    rsa3072
    rsa4096
    curve25519 (ECC)
    NIST (ECC)
    Brainpool (ECC)
    secp256k1

Authentication Subkey

You now have a main key with the signing and certification capabilities (marked [SC]) and a subkey for encryption (marked [E]). For use cases that require authentication, one more subkey is needed. This subkey is created in the next step. Enter gpg --edit-key --expert keyID to start the process, where "keyID" is either the key ID or the e-mail address used during key generation.

> gpg --edit-key --expert jane@example.com
gpg (GnuPG) 2.2.10; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa2048/0EFFB0704391497C
     created: 2018-09-17  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/A9A814C210F16700
     created: 2018-09-17  expires: never       usage: E
[ultimate] (1). Jane Doe <jane@example.com>

gpg>

You are now in GnuPG's interactive mode and can add a key simply by typing addkey. You have to choose which key type to use. It is essential to choose the "set your own capabilities" option, because we want the "authenticate" capability, which is otherwise not available. We toggle signing and encryption off by typing s and e, and enable authentication by typing a.

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
Your selection? 8

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions:

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? a

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q

We finish with q. Then we have to answer the same questions as before. At the end we have a complete keyset ready to be imported into our device.

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa2048/0EFFB0704391497C
     created: 2018-09-17  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/A9A814C210F16700
     created: 2018-09-17  expires: never       usage: E
ssb  rsa2048/61F186B8B0BBD5D5
     created: 2018-09-17  expires: never       usage: A
[ultimate] (1). Jane Doe <jane@example.com>

gpg> quit
Save changes? (y/N) y

Now is a good time to make a backup of the key. Store this backup very securely. Best practice is to never use this key on an ordinary computer with an internet connection, so that the key cannot be compromised. You can create the backup with the following command:

> gpg --export-secret-keys jane@example.com > sec-key.asc

Key Import

You have a main key and two subkeys that you can now import into the Nitrokey. Before proceeding, make sure you really have a backup of the key in case you need it. The keytocard command used in the following steps will delete your key from the disk!

We start the process by entering GnuPG's interactive interface again with gpg --edit-key --expert keyID, where keyID is the key ID or the e-mail address used during key generation.

> gpg --edit-key --expert jane@example.com
gpg (GnuPG) 2.2.10; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa2048/0EFFB0704391497C
     created: 2018-09-17  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/A9A814C210F16700
     created: 2018-09-17  expires: never       usage: E
ssb  rsa2048/61F186B8B0BBD5D5
     created: 2018-09-17  expires: never       usage: A
[ultimate] (1). Jane Doe <jane@example.com>

gpg> keytocard
Really move the primary key? (y/N) y
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

sec  rsa2048/0EFFB0704391497C
     created: 2018-09-17  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/A9A814C210F16700
     created: 2018-09-17  expires: never       usage: E
ssb  rsa2048/61F186B8B0BBD5D5
     created: 2018-09-17  expires: never       usage: A
[ultimate] (1). Jane Doe <jane@example.com>

We have just imported the main key to the card. Now we continue with the two subkeys. We type key 1 to select the encryption subkey, type keytocard again and choose the slot to use.

gpg> key 1

sec  rsa2048/0EFFB0704391497C
     created: 2018-09-17  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb* rsa2048/A9A814C210F16700
     created: 2018-09-17  expires: never       usage: E
ssb  rsa2048/61F186B8B0BBD5D5
     created: 2018-09-17  expires: never       usage: A
[ultimate] (1). Jane Doe <jane@example.com>

gpg> keytocard
Please select where to store the key:
   (2) Encryption key
Your selection? 2

sec  rsa2048/0EFFB0704391497C
     created: 2018-09-17  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb* rsa2048/A9A814C210F16700
     created: 2018-09-17  expires: never       usage: E
ssb  rsa2048/61F186B8B0BBD5D5
     created: 2018-09-17  expires: never       usage: A
[ultimate] (1). Jane Doe <jane@example.com>

Now we deselect the first subkey with key 1, select the second subkey with key 2 and move it with keytocard as well. Then we quit and save the changes.

gpg> key 1

sec  rsa2048/0EFFB0704391497C
     created: 2018-09-17  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/A9A814C210F16700
     created: 2018-09-17  expires: never       usage: E
ssb  rsa2048/61F186B8B0BBD5D5
     created: 2018-09-17  expires: never       usage: A
[ultimate] (1). Jane Doe <jane@example.com>

gpg> key 2

sec  rsa2048/0EFFB0704391497C
     created: 2018-09-17  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/A9A814C210F16700
     created: 2018-09-17  expires: never       usage: E
ssb* rsa2048/61F186B8B0BBD5D5
     created: 2018-09-17  expires: never       usage: A
[ultimate] (1). Jane Doe <jane@example.com>

gpg> keytocard
Please select where to store the key:
   (3) Authentication key
Your selection? 3

sec  rsa2048/0EFFB0704391497C
     created: 2018-09-17  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/A9A814C210F16700
     created: 2018-09-17  expires: never       usage: E
ssb* rsa2048/61F186B8B0BBD5D5
     created: 2018-09-17  expires: never       usage: A
[ultimate] (1). Jane Doe <jane@example.com>

gpg> quit
Save changes? (y/N) y

Your keys are now transferred to the Nitrokey and thus secured in hardware. Congratulations!

Exporting the Public Key and Using a Keyserver

Although you can start using the Nitrokey right after generating the keys on your system, you have to import the public key into every system on which you want to use the Nitrokey. To be prepared, you have two options: store the public key wherever you like and use it on the other system, or publish the public key on a web page or keyserver.

Creating a Public Key File

To get a simple file containing your public key, you can use gpg --armor --export keyID > pubkey.asc. As "keyID", use the fingerprint (see gpg -K to obtain it) or use your e-mail address as the identifier.

You can carry this file with you or send it to anyone you like; this file is not secret at all. To use the Nitrokey on another system, first import this public key with gpg --import pubkey.asc and then type gpg --card-status so the system knows where to look for the key. That is all.
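Two checks are worth running on the exported files: before keytocard, that sec-key.asc really holds the primary key and both subkeys with the expected [SC], [E] and [A] flags, and before handing out pubkey.asc, that it contains no secret-key packets. The following Python is an added example, not part of the Nitrokey documentation or of GnuPG; it reads the OpenPGP packet structure (RFC 4880) directly, verifies the ASCII-armor CRC-24, and lists what gpg -K shows. Note that gpg --export-secret-keys writes a binary file unless --armor is given: inventory() takes the binary export as-is, and dearmor() handles the armored form. The sample key sets (Jane Doe's identity included) are constructed with filler key material, and the function names are this example's own.

```python
"""Packet-level checks on an OpenPGP key export (RFC 4880) without gpg; added example, not Nitrokey's code."""
import base64
import struct
import time

ALGO_NAMES = {1: "rsa", 17: "dsa", 18: "ecdh", 19: "ecdsa", 22: "eddsa"}
KEY_TAGS = {5: "sec", 6: "pub", 7: "ssb", 14: "sub"}  # secret/public primary key, secret/public subkey
USAGE_BITS = ((0x02, "S"), (0x01, "C"), (0x0C, "E"), (0x20, "A"))  # key-flags bits in gpg's display order

def crc24(data: bytes) -> int:
    """CRC-24 of RFC 4880 section 6.1 (init 0xB704CE, polynomial 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def armor(data: bytes, kind: str = "PRIVATE KEY BLOCK") -> str:
    """ASCII armor as written by `gpg --armor`; used here to build the constructed samples."""
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PGP {kind}-----\n\n{body}\n={crc}\n-----END PGP {kind}-----\n"

def dearmor(text: str) -> bytes:
    """Strip ASCII armor and verify its CRC-24; a damaged backup file raises ValueError here."""
    head, _, rest = text.replace("\r\n", "\n").partition("\n\n")  # armor headers end at the blank line
    b64, _, crc_line = rest.split("\n-----END PGP", 1)[0].strip().rpartition("\n")
    if not (head.startswith("-----BEGIN PGP ") and crc_line.startswith("=")):
        raise ValueError("not an ASCII-armored OpenPGP block with a CRC-24 line")
    data = base64.b64decode(b64)
    if crc24(data) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("CRC-24 mismatch: the armored data was corrupted or edited")
    return data

def _length(buf: bytes, pos: int):
    """New-format length field (RFC 4880 section 4.2.2); signature subpackets use the same encoding."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 224:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if first == 255:
        return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5
    raise ValueError("partial body lengths are not supported")

def iter_packets(data: bytes):
    """Yield (tag, body); gpg writes key, user-ID and signature packets with old-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet header at offset {pos}")
        if ctb & 0x40:  # new format: 6-bit tag followed by a variable-size length field
            tag, (length, pos) = ctb & 0x3F, _length(data, pos + 1)
        else:  # old format: 4-bit tag; low 2 bits select a 1/2/4-octet length (3 = indeterminate)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            length = int.from_bytes(data[pos + 1:pos + 1 + (1 << ltype)], "big")
            pos += 1 + (1 << ltype)
        yield tag, data[pos:pos + length]
        pos += length

def inventory(data: bytes) -> list:
    """Keys in a binary export (v4 layout): type, algorithm, creation date, key flags from the self-signature."""
    keys = []
    for tag, body in iter_packets(data):
        if tag in KEY_TAGS:  # version(1) | creation time(4) | algorithm(1) | MPIs
            algo = ALGO_NAMES.get(body[5], f"algo{body[5]}")
            if body[5] == 1:  # RSA: the first MPI is n, prefixed by its length in bits
                algo += str(struct.unpack(">H", body[6:8])[0])
            created = time.strftime("%Y-%m-%d", time.gmtime(struct.unpack(">I", body[1:5])[0]))
            keys.append({"type": KEY_TAGS[tag], "algo": algo, "created": created, "usage": ""})
        elif tag == 2 and keys and body[0] == 4 and body[1] in (0x10, 0x11, 0x12, 0x13, 0x18):
            # self-certification or subkey binding: its hashed subpackets describe the preceding key
            hashed, pos = body[6:6 + struct.unpack(">H", body[4:6])[0]], 0
            while pos < len(hashed):  # subpacket: length (covering the type octet), type, data
                length, pos = _length(hashed, pos)
                if hashed[pos] & 0x7F == 27:  # key flags; bit 7 of the type octet is "critical"
                    keys[-1]["usage"] = "".join(c for bit, c in USAGE_BITS if hashed[pos + 1] & bit)
                pos += length
    return keys

def has_secret_material(keys: list) -> bool:
    """True if the inventory holds a secret key or subkey; must be False for a pubkey.asc."""
    return any(k["type"] in ("sec", "ssb") for k in keys)

# Constructed samples shaped like the transcript's keyset: primary [SC], subkeys [E] and [A].
def _pkt(tag: int, body: bytes) -> bytes:  # new-format header with a one-octet length
    return bytes([0xC0 | tag, len(body)]) + body
def _key(tag: int) -> bytes:  # v4, created 2018-09-17 UTC, RSA, "2048-bit" length field, filler modulus
    return _pkt(tag, b"\x04" + struct.pack(">I", 1537142400) + b"\x01" + struct.pack(">H", 2048) + b"\x00" * 8)
def _sig(sig_type: int, flags: int) -> bytes:  # v4 signature whose hashed area holds one key-flags subpacket
    return _pkt(2, b"\x04" + bytes([sig_type, 1, 8]) + b"\x00\x03" + bytes([2, 27, flags]) + b"\x00" * 8)
UID = _pkt(13, b"Jane Doe <jane@example.com>")
SAMPLE_BACKUP = armor(_key(5) + UID + _sig(0x13, 0x03) + _key(7) + _sig(0x18, 0x0C) + _key(7) + _sig(0x18, 0x20))
SAMPLE_PUBKEY = armor(_key(6) + UID + _sig(0x13, 0x03) + _key(14) + _sig(0x18, 0x0C) + _key(14) + _sig(0x18, 0x20),
                      "PUBLIC KEY BLOCK")
```

Running inventory(dearmor(SAMPLE_BACKUP)) yields three entries, sec rsa2048 [SC], ssb rsa2048 [E] and ssb rsa2048 [A], which is the listing the transcript above shows for gpg --edit-key. On a real sec-key.asc or pubkey.asc, pass the file contents to dearmor() (or the raw bytes to inventory() for a binary export); a CRC-24 mismatch means the backup was damaged in transit or storage and must be re-exported before the keys leave the disk. The key flags are read from the self-signatures, not from the key packets, because that is where OpenPGP stores them.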

Uploading the Public Key

If you do not want to carry the public key file with you, you can upload it to a keyserver. You can do this by typing gpg --keyserver search.keyserver.net --send-key keyID. On another computer you can then import it with gpg --keyserver search.keyserver.net --recv-key keyID.

Another option is to change the URL setting on the card. Start gpg --card-edit again and first use the url command to set the URL where the key is located (e.g. on a keyserver or on your web page). From then on you can import the key on another system just by using the fetch command inside the gpg --card-edit environment.