不怎么精简地添加 GPG key 到 Yubikey 教程

年初的时候买了个 Yubikey 但是它一直在抽屉里面吃灰,也没好好用过几次,所以这次打算趁有空的时候,折腾一下这个东西。

太长不看的话,请直接往下拉到有关添加的章节。

准备工作

首先我们要确定你的机子可以读出你插入的 Yubikey ,如果读不出来的话,可以参考一下官方的疑难解答。

我们需要初始化一下 Yubikey ,设置它的密码和管理员密码。

使用 gpg --edit-card 指令来进行一个智能卡的编辑。

$ gpg --edit-card 

Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: [MASKED]
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: [MASKED]
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: user
Signature PIN ....: not forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: off

一般显示大概会如上所示,这时候我们需要进行一个密码重设的操作(如果重设过密码,请跳过这步)

预设的密码是 123456 ,预设的管理密码是 12345678

首先我先输入 admin 允许管理员选项,之后输入 passwd 按照操作进行重设。

gpg/card> admin
Admin commands are allowed

gpg/card> passwd
gpg: OpenPGP card no. [MASKED] detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 

输入 1 来更改预设密码,输入 3 来更改管理员密码。 2 的选项是你在忘记第一个密码的时候给你解锁用的,所以务必记得管理员密码。 4 的话可以做一个恢复代码的设置,也是用来重设的。

设置好密码后,就可以开始进行下一步了。

生成 gpg key

这里只讲解 ed25519 的生成, RSA 的方式应该差不多。如果已经有 key 则可以考虑跳过这一步。

首先我们执行 gpg --expert --full-generate-key

$ gpg --expert --full-generate-key
gpg (GnuPG) 2.2.29; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
  (14) Existing key from card
Your selection? 

这里选择 9

Please select which elliptic curve you want:
   (1) Curve 25519
   (3) NIST P-256
   (4) NIST P-384
   (5) NIST P-521
   (6) Brainpool P-256
   (7) Brainpool P-384
   (8) Brainpool P-512
   (9) secp256k1
Your selection? 1

这里选择 1 使用 Cv25519 做加密工作。因为 Ed25519 没办法执行加密操作,只能靠 Cv25519 代劳。

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: user
Email address: [email protected]
Comment: 
You selected this USER-ID:
    "user <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key D2F475D29D00AB02 marked as ultimately trusted
gpg: revocation certificate stored as '479F2CF8B814423F45A58B05D2F475D29D00AB02.rev'
public and secret key created and signed.

pub   ed25519 2021-08-04 [SC]
      479F2CF8B814423F45A58B05D2F475D29D00AB02
uid                      user <[email protected]>
sub   cv25519 2021-08-04 [E]

然后预设的话会生成一个 primary key 和一个 sub key 。我们还需要一个 key 来进行一个 ssh 的认证,所以这里在再添加一个 sub key (或者更改 primary key 来支援认证也可以)

添加 sub key

使用 gpg --expert --edit-key <YOUR KEY ID> 来进行一个key的编辑。

$ gpg --expert --edit-key 479F2CF8B814423F45A58B05D2F475D29D00AB02
gpg (GnuPG) 2.2.29; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  ed25519/D2F475D29D00AB02
     created: 2021-08-04  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
ssb  cv25519/CE765FB433B0B0DB
     created: 2021-08-04  expires: never       usage: E   
[ultimate] (1). user <[email protected]>

gpg>

这时候输入 addkey

gpg>addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
Your selection? 

选择 11

Your selection? 11

Possible actions for a ECDSA/EdDSA key: Sign Authenticate 
Current allowed actions: Sign 

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection?

然后输入一个 A 来允许使用 key 进行认证。

Your selection? A

Possible actions for a ECDSA/EdDSA key: Sign Authenticate 
Current allowed actions: Sign Authenticate 

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection?

然后 Q 即可,接着按提示操作。

sec  ed25519/D2F475D29D00AB02
     created: 2021-08-04  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
ssb  cv25519/CE765FB433B0B0DB
     created: 2021-08-04  expires: never       usage: E   
ssb  ed25519/927366AF0BD16702
     created: 2021-08-04  expires: never       usage: A  
[ultimate] (1). user <[email protected]>

最后应该会如上显示,接着我们就需要把这个 GPG key 转移到 Yubikey 里面。

添加 GPG key 到 Yubikey

请注意,这个指令会导致你的 secret key 永久地移动到 Yubikey 中,请事先做好备份

如果您没有在 GnuPG edit key 界面,请打开它。使用 gpg --edit-key <YOUR KEY ID> 来打开界面。

$ gpg --expert --edit-key 479F2CF8B814423F45A58B05D2F475D29D00AB02
gpg (GnuPG) 2.2.29; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  ed25519/D2F475D29D00AB02
     created: 2021-08-04  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
ssb  cv25519/CE765FB433B0B0DB
     created: 2021-08-04  expires: never       usage: E   
ssb  ed25519/927366AF0BD16702
     created: 2021-08-04  expires: never       usage: A  
[ultimate] (1). user <[email protected]>

稍加讲解一下 usage 代表的意思, S 代表 sign , E 代表 encrypt , A 代表 authenticate 。

然后我们把 key 复制进卡里,首先选择你需要的 key ,使用 key <id> id 为上面显示的 key 的顺序。

gpg> key 1

sec  ed25519/D2F475D29D00AB02
     created: 2021-08-04  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
ssb  cv25519/CE765FB433B0B0DB
     created: 2021-08-04  expires: never       usage: E   
ssb* ed25519/927366AF0BD16702
     created: 2021-08-04  expires: never       usage: A  
[ultimate] (1). user <[email protected]>

选择成功后,会在上面显示一个星号。

再提醒一次,这个指令会导致你的 secret key 永久地移动到 Yubikey 中,请事先做好备份

然后输入 keytocard 后,根据提示操作。

gpg> keytocard
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection?

如此反复之后,应该就可以从 gpg --edit-card 中看到 Yubikey 中的 key 的情况。

导出 GPG ssh key

使用 gpg --export-ssh-key <YOUR KEY ID> 即可

可选的安全选项1

建议开启的选项(可自定义),需要 Yubikey Manager CLI

ykman openpgp keys set-touch aut off
ykman openpgp keys set-touch sig on
ykman openpgp keys set-touch enc on

这几个选项要求 Yubikey 在使用 gpg 时,是否需要进行物理的触碰。按需开启。