Gnuk: Difference between revisions

From Noisebridge
Latest revision as of 09:23, 31 October 2013

Using Gnuk on Debian Wheezy

This is a quick tutorial on how to get your public and private key to work with the Flying Stone Tiny [1] GPG token. All the information here was taken from the complete documentation of Gnuk written by its author [2]. Benefits of the Flying Stone Tiny-01 (FST-01) include: a) keeping your secrets off the hard disk, which is where GPG secret keys usually live and is a major exposure if the machine is compromised; b) being able to use your keys on several computers; c) the private keys can only be used on the token, never read back out of it; d) it is plain USB, so it works (almost) anywhere without a smart card reader while giving you everything a smart card does; e) it is all free software (GPLv3), so it is transparent, widely available and open to further improvement and new uses. After completing the tutorial, if you still have questions, check the Q&A forum [3] and Riseup's tutorial [7], or drop by #noisebridge on Freenode and ask us.


1. Check requirements for using the GPG token:

  • Your GPG keys (primary key and subkeys) must be RSA 2048 bit; if your keys do not meet this requirement, generate new keys [4];
  • FST-01 USB token with Gnuk pre-installed;
  • GNU/Linux system (should work on other *nix systems, but not yet tested).


2. Install the following packages:

  • gnupg/gnupg2 (gnupg version >= 1.4, or gnupg2)
  • gpg-agent
  • scdaemon (the smart-card daemon gpg-agent uses to talk to the token)
  • python-pyscard (needed by the tool for removing keys from the token [6])


3. Edit your GPG configuration:

Add the following content to your ~/.gnupg/gpg.conf file:

    use-agent
    personal-digest-preferences SHA256
    cert-digest-algo SHA256
    default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
    default-key ADD_YOUR_KEY_ID_HERE   

4. In order to use the token, make sure you are running gpg-agent; if not, start it. gpg-agent prints the GPG_AGENT_INFO and SSH_AUTH_SOCK settings it wants in your environment, and gpg and ssh only find the agent if those are exported, so run it through eval:

Run gpg-agent:

    eval $(gpg-agent --daemon --enable-ssh-support)


5. If you are planning to use the token to authenticate with OpenSSH

Export your authentication subkey in OpenSSH public-key format [5]. gpgkey2ssh does not generate a key: it converts the public half of the subkey whose ID you give it, so that subkey must already exist and carry the authentication capability:

    gpgkey2ssh TYPE_YOUR_SUBKEY_ID_HERE >> sshpubkey.txt


Append that line to ~/.ssh/authorized_keys on the server you want to log in to with your GPG token:

    cat sshpubkey.txt | ssh USER@SERVER 'cat >> ~/.ssh/authorized_keys'
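As an added example (not code from Gnuk or from this tutorial), here is a POSIX shell function that installs the line gpgkey2ssh wrote into sshpubkey.txt the way you would want it done on the server: it creates ~/.ssh with mode 700 and authorized_keys with mode 600 (sshd silently ignores the file when either is group- or world-writable), refuses input that is not an OpenSSH public-key line, and matches on key type plus base64 blob so that running it twice, or with a different trailing comment, never appends a duplicate. The key line below is a constructed placeholder with the shape of gpgkey2ssh output, not a real key.

```shell
#!/bin/sh
# Added example: install an OpenSSH public-key line (such as the one
# gpgkey2ssh printed into sshpubkey.txt) into an authorized_keys file.
# Not part of Gnuk or this tutorial.

# Constructed placeholder: the shape of a gpgkey2ssh line, not a real key.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYBLOBNOTREAL00 COMMENT'

# install_authorized_key FILE KEYLINE
# Prints "added" when the key was appended, "present" when an identical
# key (same type and blob, comment ignored) was already in FILE.
install_authorized_key() {
    file=$1
    keyline=$2
    dir=$(dirname "$file")

    # Only accept something that looks like an OpenSSH public key line.
    case $keyline in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key line: $keyline" >&2; return 2 ;;
    esac

    # sshd (StrictModes) ignores authorized_keys when the directory or the
    # file is writable by group or others, so fix the modes every time.
    [ -d "$dir" ] || mkdir -p "$dir"
    chmod 700 "$dir"
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file"

    # The identity of a key is "type blob"; the trailing comment is free text.
    blob=$(printf '%s\n' "$keyline" | awk '{ print $1 " " $2 }')
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$file"; then
        echo present
        return 0
    fi
    printf '%s\n' "$keyline" >> "$file"
    echo added
}

# Demo against a scratch directory. Real use, on the server:
#   install_authorized_key "$HOME/.ssh/authorized_keys" "$(cat sshpubkey.txt)"
demo_dir=$(mktemp -d)
install_authorized_key "$demo_dir/.ssh/authorized_keys" "$SAMPLE_KEY"   # added
install_authorized_key "$demo_dir/.ssh/authorized_keys" "$SAMPLE_KEY"   # present
rm -rf "$demo_dir"
```

Afterwards, on the client, 'ssh-add -L' should list the same key line (minus the comment) once gpg-agent has the token; if it does not, the agent ssh is talking to is not gpg-agent (see step 9).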


5a. Add a udev rule for the FST-01 so that scdaemon can open the token without root. Create a file called /lib/udev/rules.d/60-gnupg.rules with the following contents, then reload the rules (udevadm control --reload-rules) and replug the token; if scdaemon still cannot open it as your user, make sure you are a member of the plugdev group:

   ATTR{idVendor}=="234b", ATTR{idProduct}=="0000", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP="plugdev", MODE="644"
   LABEL="gnupg_rules_end"


6. Personalize your token

To change your personal info, the URL where your public key is, the PINs, etc., run:

    gpg --card-edit
    
    gpg> admin
    Allow admin commands to be executed
    
    gpg> name
    Register name and surname of the token owner
    
    gpg> url
    Address where your public key can be downloaded. Step 8 fetches the key from this URL when you register the token on another machine, so make sure the key is really published there

    gpg> passwd
    Set up the PINs of the token; these are not the passphrase of your GPG private key.
    The factory user PIN is "123456" and the factory admin PIN is "12345678"; change both.
    A user PIN must be at least 6 characters and an admin PIN at least 8 ('gpg --card-status' shows the maximum on the 'Max. PIN lengths' line).
    They do not have to be numbers -- the acronym PIN is misleading here.
    
    gpg> forcesig 
    Toggles the 'Signature PIN' flag shown by 'gpg --card-status': 'forced' means every signature asks for the PIN, 'not forced' means one PIN entry per gpg-agent session covers all signatures. Forced is the safer setting
    
    gpg> login
    Register your login name
    
    gpg> help
    This command is your friend if you want to customize the token further!
    
    gpg> save
    This will apply the changes
    
    

7. Write your GPG keys to the token

Back up ~/.gnupg first: keytocard *moves* the secret key, and after 'save' the local copy is replaced by a stub that only points at the token. The public key is not written to the token; it stays in your keyring and is later retrieved from the URL you set in step 6.

Invoke the GPG shell with this command, adding your key ID where indicated:

    gpg --edit-key TYPE_YOUR_KEY_ID_HERE
  
    gpg> toggle
    Switch from the public-key view to the secret-key view; keytocard is only available there
    
    gpg> keytocard
    Move the selected secret key to the token. With no subkey selected this is the primary key and gpg asks which slot to put it in; to move a subkey instead, select it first with 'key 1' (or 'key 2', ...) and run keytocard once per subkey
    
    gpg> save
    This command will save the info to the token and exit the shell

8. Using your keys in other computers with GPG installed

Invoke the GPG shell with this command:

    gpg --card-edit
    
    gpg> fetch
    Downloads your public key from the URL stored on the token (step 6) and imports it into the local keyring; the secret keys stay on the token
    

The key is now in your local keyring, but gpg still needs the secret-key stubs that point at the token, and the key needs an owner trust. Run 'gpg --card-status' once to create the stubs, then set the trust:

    gpg --edit-key TYPE_YOUR_KEY_ID_HERE
    
    gpg> trust
    Sets the owner trust of the key you just imported. Given it is your own key, choose (5) 'I trust ultimately'
         

9. Before you use the token, make sure you deactivate other agents that offer GPG or SSH keys, otherwise they grab the sockets before gpg-agent does. Here are some popular ones:

  • gnome-keyring (GNOME)
  • kwallet (KDE)
  • seahorse


10. Go to '/etc/xdg/autostart' and '~/.config/autostart' and disable gnome-keyring's SSH and GPG components by adding a line to the following config files:

Add this line to 'gnome-keyring-ssh.desktop':

    X-GNOME-Autostart-enabled=false

Add this line to 'gnome-keyring-gpg.desktop':

    X-GNOME-Autostart-enabled=false

11. Common Issues

  • If you get 'OpenPGP card not available: general error', check that no other agent (such as gnome-keyring) has taken over, that scdaemon is installed and that the udev rule from step 5a is in place; killing the stray agent usually fixes it;
  • If you type a wrong PIN three times, that PIN is blocked. A blocked user PIN can be unblocked with the admin PIN, but a blocked admin PIN locks the token for good, so *be extra careful*: the 'PIN retry counter' line of 'gpg --card-status' tells you how many attempts are left;
  • If you need to re-write keys to the token, make sure to delete the keys on it first [6];
  • If you remove the keys from the device, the PINs are reset to the factory defaults as well (user PIN 123456, admin PIN 12345678), *remember to change them!*
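Steps 6, 7 and 11 all hinge on what 'gpg --card-status' reports: the retry counters before you type a PIN, the key slots before keytocard, and the key attributes from step 1. As an added example (not Gnuk's code or this tutorial's), here is a POSIX shell checker over that output. The two status texts are constructed samples in the field layout GnuPG 2.0 prints, with a made-up serial number and fingerprints; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: sanity checks over `gpg --card-status` output before you
# run keytocard or type a PIN. Not part of Gnuk or this tutorial.
# Real use:  gpg --card-status > status.txt; check_card "$(cat status.txt)"

# Constructed samples in the layout GnuPG 2.0 prints; serial number and
# fingerprints are made up. First a fresh token, then one that already
# holds keys and whose user PIN has only one attempt left.
FRESH_TOKEN='Application ID ...: D276000124010200FFFE000000010000
Version ..........: 2.0
Serial number ....: 00000001
Name of cardholder: [not set]
URL of public key : [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
PIN retry counter : 3 3 3
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]'

USED_TOKEN='Application ID ...: D276000124010200FFFE000000010000
Name of cardholder: Jane Doe
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
PIN retry counter : 1 0 3
Signature key ....: 1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678
      created ....: 2013-10-31 09:23:00
Encryption key....: [none]
Authentication key: 0FED CBA9 8765 4321 0FED  CBA9 8765 4321 0FED CBA9'

# card_field STATUS LABEL: value of the first line whose label starts with
# LABEL. Labels are padded with dots up to the colon, so match the prefix.
card_field() {
    printf '%s\n' "$1" | awk -F': *' -v label="$2" 'index($1, label) == 1 { print $2; exit }'
}

# The three counters are user PIN, reset code and admin PIN, in that order.
user_pin_retries()  { card_field "$1" "PIN retry counter" | awk '{ print $1 }'; }
admin_pin_retries() { card_field "$1" "PIN retry counter" | awk '{ print $3 }'; }

# Number of the three key slots that already hold a key.
used_key_slots() {
    n=0
    for slot in "Signature key" "Encryption key" "Authentication key"; do
        v=$(card_field "$1" "$slot")
        if [ -n "$v" ] && [ "$v" != "[none]" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# All three slots must be RSA 2048, the requirement from step 1.
key_attributes_ok() {
    [ "$(card_field "$1" "Key attributes")" = "2048R 2048R 2048R" ]
}

# check_card STATUS: returns 0 when it is safe to type the PINs and run
# keytocard; otherwise prints every problem to stderr and returns 1.
check_card() {
    status=$1
    rc=0
    u=$(user_pin_retries "$status")
    a=$(admin_pin_retries "$status")
    if [ "${u:-0}" -lt 3 ]; then
        echo "user PIN: only ${u:-0} attempt(s) left before it is blocked" >&2; rc=1
    fi
    if [ "${a:-0}" -lt 3 ]; then
        echo "admin PIN: only ${a:-0} attempt(s) left; blocking it locks the token for good" >&2; rc=1
    fi
    s=$(used_key_slots "$status")
    if [ "$s" -gt 0 ]; then
        echo "$s key slot(s) already hold a key; delete them before keytocard [6]" >&2; rc=1
    fi
    if ! key_attributes_ok "$status"; then
        echo "key attributes are not RSA 2048 in all three slots" >&2; rc=1
    fi
    return $rc
}

check_card "$FRESH_TOKEN" && echo "fresh token: safe to proceed"
check_card "$USED_TOKEN"  || echo "used token: fix the problems above first"
```

The checker only reads what gpg already printed, so it never touches the token itself and cannot burn a PIN attempt; run it before every 'gpg --card-edit' session on a machine you do not fully control.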


12. Sources

[1] http://www.seeedstudio.com/wiki/FST-01

[2] http://www.fsij.org/doc-gnuk/

[3] http://no-passwd.net/askbot/questions/scope:all/sort:activity-desc/page:1/

[4] http://keyring.debian.org/creating-key.html

[5] http://www.programmierecke.net/howto/gpg-ssh.html

[6] http://no-passwd.net/askbot/question/51/how-to-deletereplace-the-key-in-gnuk/

[7] https://we.riseup.net/debian/using-the-openpgp-card-with-subkeys