在设备上生成OpenPGP密钥

Compatible Nitrokeys

3A/C/Mini

Passkey

HSM 2

Pro 2

FIDO2

Storage 2

Start

U2F

active

inactive

inactive

active

inactive

active

active

inactive

下面的说明解释了如何在Nitrokey上直接生成OpenPGP密钥。这是通过使用GnuPG的命令行界面完成的。因此,你需要在你的系统上安装GnuPG。最新的Windows版GnuPG可以在`这里 <https://www.gpg4win.org/>`__,最新的MacOS版可以在`这里 <https://gpgtools.org/>`__。Linux系统的用户请在软件包管理器的帮助下安装GnuPG。

备注

These instructions are based on GnuPG version 2.2.6 or higher. Some Linux Distributions have an older version installed. In this case please choose a different method as listed here or install a newer version if possible.

密钥生成

The following descriptions explain the basic key generation on-device via GnuPG's command line interface. The default behaviour is to generate RSA keys of 2048 bit size. If you want to change the key algorithm and length, have a look at the next section first.

打开一个命令行,输入``gpg2 --card-edit``。

To open the Windows command line please push the Windows-key and R-key. Now type cmd.exe in the text field and hit enter. To open a Terminal on macOS or GNU/Linux please use the application search (e.g. spotlight on macOS).

> gpg2 --card-edit

Reader ...........: 20A0:4108:0000320E0000000000000000:0
Application ID ...: D27600012401020100050000320E0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000320E
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card>

现在你进入了GnuPG的交互界面。用``admin``激活管理命令,之后用``generate``开始生成密钥。

gpg/card> admin
Admin commands are allowed

gpg/card> generate
Make off-card backup of encryption key? (Y/n) n

Please note that the factory settings of the PINs are
   PIN = '123456'     Admin PIN = '12345678'
You should change them using the command --change-pin

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Jane Doe
Email address: jane@example.com
Comment:
You selected this USER-ID:
"Jane Doe <jane@doecom>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: key 817E149CA002B92F marked as ultimately trusted
gpg: revocation certificate stored as '/home/nitrokey//.gnupg/openpgp-revocs.d/E62F445E8BB4B5085C031F5381
7E149CA002B92F.rev'
public and secret key created and signed.


gpg/card>
</jane@doe.com></n></n></n></n>

**请不要创建建议的卡外备份。**这种 "备份 "只保存加密密钥,但不保存签名和认证密钥。在设备丢失的情况下,你将无法恢复整个密钥集。因此,一方面,它不是完整的备份(如果你需要,可以使用`这些说明<openpgp-keygen-backup.html>`_代替),另一方面,你有可能被其他人占有你的加密密钥。在设备上生成密钥的好处是确保密钥被安全地存储。因此,我们建议跳过这个半备份。

现在你的设备上有一个完整的密钥集,可以用于我们网站上列出的各种应用程序`<https://www.nitrokey.com/documentation/applications>`__。输入``quit``并点击回车键退出。

改变关键属性

本节是关于改变关键属性的。如果你想使用默认值,你可以继续下一节。

打开一个命令行,输入``gpg2 --card-edit --expert``。

> gpg2 --card-edit --expert

Reader ...........: 20A0:4108:0000320E0000000000000000:0
Application ID ...: D27600012401020100050000320E0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000320E
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

现在你进入了GnuPG的交互界面。正如你在上面的 "密钥属性 "字段中看到的,默认值是rsa2048。要改变它们,用``admin``激活管理命令,然后用``key-attr``来改变钥匙的属性。

gpg/card> admin
Admin commands are allowed

gpg/card> key-attr
Changing card key attribute for: Signature key
Please select what kind of key you want:
&nbsp;&nbsp; (1) RSA
&nbsp;&nbsp; (2) ECC
Your selection? 1
What keysize do you want? (2048) 4096
The card will now be re-configured to generate a key of 4096 bits
Changing card key attribute for: Encryption key
Please select what kind of key you want:
&nbsp;&nbsp; (1) RSA
&nbsp;&nbsp; (2) ECC
Your selection? 1
What keysize do you want? (2048) 4096
The card will now be re-configured to generate a key of 4096 bits
Changing card key attribute for: Authentication key
Please select what kind of key you want:
&nbsp;&nbsp; (1) RSA
&nbsp;&nbsp; (2) ECC
Your selection? 1
What keysize do you want? (2048) 4096
The card will now be re-configured to generate a key of 4096 bits

你可以为每个密钥(即签名、加密和认证密钥)选择属性。大多数人将为每个密钥使用相同的属性。输入``list``以查看结果(请看 "密钥属性 "字段,现在是rsa4096)。

gpg/card> list

Reader ...........: 20A0:4108:0000320E0000000000000000:0
Application ID ...: D27600012401020100050000320E0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000320E
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

输入``quit``,然后点击回车键退出,或者直接进行上一节,用你刚才设置的钥匙属性实际生成钥匙。

下表说明了哪种算法可以在哪种设备上使用。

Supported algorithms per device

Algorithm

开始

Pro + Storage

Pro 2 + Storage 2

rsa1024

rsa2048

rsa3072

rsa4096

curve25519 (ECC)

NIST (ECC)

脑库(ECC)

secp256k1

导出公钥和钥匙服务器的使用

虽然你可以在你的系统上生成钥匙后立即开始使用你的Nitrokey,但你需要在每个你想使用Nitrokey的系统上导入你的公钥。所以为了做好准备,你有两个选择。你可以把公钥保存在你喜欢的任何地方,然后在另一个系统上使用,或者把公钥保存在一个网页/钥匙服务器上。

生成公钥文件

要获得你的公钥的简单文件,你可以直接使用``gpg2 --armor --export keyID > pubkey.asc``。使用指纹作为 "keyID"(查看``gpg -K``来获得它),或者直接使用你的电子邮件地址作为标识。

You can carry this file with you or send it to anyone who you like. This file is not secret at all. If you want to use the Nitrokey on another system, you first import this public key via gpg2 --import pubkey.asc and then types gpg2 --card-status so that the system knows where to look for this key. That's all.

上传公钥

如果你不想随身携带公钥文件,你可以把它上传到钥匙服务器。你可以通过输入``gpg --keyserver search.keyserver.net --send-key keyID``来实现。如果你使用另一台机器,你可以通过使用``gpg --keyserver search.keyserver.net --recv-key keyID``导入它。

Another possibility is to change the URL setting on your card. Run gpg --card-edit again and first set the URL where the key is situated (e.g. on the keyserver or on your webpage etc.) via the url command. From now on you can import the key on another system by just using the fetch command within the gpg --card-edit environment.