歡迎光臨
每天分享高質量文章

在 Gentoo 中使用 Yubikey PGP 卡

PGP 卡是一種智慧卡,這種智慧卡可以執行加密、解密、數字簽名/驗證、認證等任務。它允許我們安全地儲存密鑰。
— Locez


致謝
轉載自 | http://locez.com/linux/cryptography/yubikey-pgp-card/
 作者 | Locez

本文環境

◈ OS:Gentoo
◈ 內核:4.9.76
◈ gpg (GnuPG): 2.2.4
◈ yubikey-manager: 0.6.0
◈ pcsc-tools: 1.4.27

什麼是 PGP 卡?

在加密技術中,PGP 卡是一種智慧卡,這種智慧卡可以執行加密、解密、數字簽名/驗證、認證等任務。它允許我們安全地儲存密鑰。私鑰和密碼不能用任何命令或功能從卡上讀取,但是可以將新密鑰寫入到卡上改寫舊密鑰。Yubikey 裡面有 PGP 卡的功能,因此可以將密鑰安全地存進去,使得我們的密鑰有一個物理設備的載體,類似於銀行的 U 盾。

軟體安裝

Yubikey 相關的包都被 Gentoo 標記為 Masked,所以首先是要解除掉才能安裝:

  1. # vim /etc/portage/package.accept_keywords/yubikey

將以下內容填入:

  1. # required by app-crypt/yubikey-manager-0.6.0::gentoo

  2. # required by app-crypt/yubikey-manager (argument)

  3. =dev-python/pyusb-1.0.2 ~amd64

  4. # required by app-crypt/yubikey-manager (argument)

  5. =app-crypt/yubikey-manager-0.6.0 ~amd64

  6. # required by app-crypt/yubikey-manager-0.6.0::gentoo

  7. # required by app-crypt/yubikey-manager (argument)

  8. =dev-python/pyscard-1.9.5 ~amd64

  9. # required by sys-apps/pcsc-tools-1.4.27::gentoo

  10. # required by pcsc-tools (argument)

  11. =dev-perl/pcsc-perl-1.4.14 ~amd64

  12. # required by pcsc-tools (argument)

  13. =sys-apps/pcsc-tools-1.4.27 ~amd64

安裝 yubikey-manager:

  1. # emerge --ask app-crypt/yubikey-manager

安裝 pcsc-tools:

  1. # emerge --ask  pcsc-tools

連接設備

因為本人是的桌面環境是 awesome,因此需要禁用 OTP 功能,只啟用 U2FCCID

  1. $ ykpersonalize -m5

註意: 在其它桌面環境中,如啟用全部 3 個功能只需要 ykpersonalize -m6 即可。

啟動 pcscd 守護行程:

  1. # systemctl start pcscd.socket

測試連接:

  1. $ pcsc_scan

  2. PC/SC device scanner

  3. V 1.4.27 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>

  4. Compiled with PC/SC lite version: 1.8.22

  5. Using reader plug'n play mechanism

  6. Scanning present readers...

  7. 0: Yubico Yubikey 4 U2F+CCID 00 00

  8. Tue Apr 24 14:46:32 2018

  9. Reader 0: Yubico Yubikey 4 U2F+CCID 00 00

  10. ...

  1. $ gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye

  2. D[0000]  04 03 07 90 00                                     .....

  3. OK

編輯 PGP 卡信息

  1. $ gpg --card-edit

  2. Reader ...........: Yubico Yubikey 4 U2F CCID 00 00

  3. Application ID ...: D2760001240102010006069500550000

  4. Version ..........: 2.1

  5. Manufacturer .....: Yubico

  6. Serial number ....: 06950055

  7. Name of cardholder: [not set]

  8. Language prefs ...: [not set]

  9. Sex ..............: unspecified

  10. URL of public key : [not set]

  11. Login data .......: [not set]

  12. Signature PIN ....: not forced

  13. Key attributes ...: rsa2048 rsa2048 rsa2048

  14. Max. PIN lengths .: 127 127 127

  15. PIN retry counter : 3 0 3

  16. Signature counter : 0

  17. Signature key ....: [none]

  18. Encryption key....: [none]

  19. Authentication key: [none]

  20. General key info..: [none]

設置密碼等信息,預設的 PIN 是 123456,PUK 是 12345678

  1. gpg/card> admin

  2. Admin commands are allowed

  3. gpg/card> passwd

  4. gpg: OpenPGP card no. D2760001240102010006069500550000 detected

  5. 1 - change PIN

  6. 2 - unblock PIN

  7. 3 - change Admin PIN

  8. 4 - set the Reset Code

  9. Q - quit

  10. Your selection? 1

  11. PIN changed.

  12. 1 - change PIN

  13. 2 - unblock PIN

  14. 3 - change Admin PIN

  15. 4 - set the Reset Code

  16. Q - quit

  17. Your selection? 3

  18. PIN changed.

  19. 1 - change PIN

  20. 2 - unblock PIN

  21. 3 - change Admin PIN

  22. 4 - set the Reset Code

  23. Q - quit

  24. Your selection? 4

  25. Reset Code set.

  26. 1 - change PIN

  27. 2 - unblock PIN

  28. 3 - change Admin PIN

  29. 4 - set the Reset Code

  30. Q - quit

  31. Your selection? q

  32. gpg/card>

設置個人信息:

  1. gpg/card> name

  2. Cardholder's surname: Locez

  3. Cardholder's given name: Locez

  4. gpg/card> lang

  5. Language preferences: zh

  6. gpg/card> sex

  7. Sex ((M)ale, (F)emale or space): M

  8. gpg/card> login

  9. Login data (account name): Locez

  10. gpg/card>

  11. Reader ...........: Yubico Yubikey 4 U2F CCID 00 00

  12. Application ID ...: D2760001240102010006069500550000

  13. Version ..........: 2.1

  14. Manufacturer .....: Yubico

  15. Serial number ....: 06950055

  16. Name of cardholder: Locez Locez

  17. Language prefs ...: zh

  18. Sex ..............: male

  19. URL of public key : [not set]

  20. Login data .......: Locez

  21. Signature PIN ....: not forced

  22. Key attributes ...: rsa2048 rsa2048 rsa2048

  23. Max. PIN lengths .: 127 127 127

  24. PIN retry counter : 3 3 3

  25. Signature counter : 0

  26. Signature key ....: [none]

  27. Encryption key....: [none]

  28. Authentication key: [none]

  29. General key info..: [none]

  30. gpg/card>

生成與匯入 key

生成 PGP 主密鑰:

  1. $ gpg --full-generate-key

  2. gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.

  3. This is free software: you are free to change and redistribute it.

  4. There is NO WARRANTY, to the extent permitted by law.

  5. gpg: directory '/home/locez/.gnupg' created

  6. gpg: keybox '/home/locez/.gnupg/pubring.kbx' created

  7. Please select what kind of key you want:

  8.   (1) RSA and RSA (default)

  9.   (2) DSA and Elgamal

  10.   (3) DSA (sign only)

  11.   (4) RSA (sign only)

  12. Your selection? 1

  13. RSA keys may be between 1024 and 4096 bits long.

  14. What keysize do you want? (2048) 4096

  15. Requested keysize is 4096 bits

  16. Please specify how long the key should be valid.

  17.         0 = key does not expire

  18.      <n>  = key expires in n days

  19.      <n>w = key expires in n weeks

  20.      <n>m = key expires in n months

  21.      <n>y = key expires in n years

  22. Key is valid for? (0) 0

  23. Key does not expire at all

  24. Is this correct? (y/N) y

  25. GnuPG needs to construct a user ID to identify your key.

  26. Real name: Locez

  27. Email address: loki.a@live.cn

  28. Comment:

  29. You selected this USER-ID:

  30.    "Locez "

  31. Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

  32. We need to generate a lot of random bytes. It is a good idea to perform

  33. some other action (type on the keyboard, move the mouse, utilize the

  34. disks) during the prime generation; this gives the random number

  35. generator a better chance to gain enough entropy.

此時可以動動滑鼠鍵盤讓他收集足夠的隨機資料。

生成一個用於認證的子密鑰:

  1. $ gpg --expert --edit-key Locez

  2. gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.

  3. This is free software: you are free to change and redistribute it.

  4. There is NO WARRANTY, to the extent permitted by law.

  5. gpg> addkey

然後跟著嚮導進行選擇就可以了,通常是選擇 (8) RSA (set your own capabilities) ,然後 4096 位密鑰 其中子密鑰對的型別選擇應該如下:

  1. Possible actions for a RSA key: Sign Encrypt Authenticate

  2. Current allowed actions: Sign Encrypt  #此處顯示的為該子密鑰可以使用的用途,

  3.                                       #通過多次選擇下麵的開關進行調整

  4.   (S) Toggle the sign capability

  5.   (E) Toggle the encrypt capability

  6.   (A) Toggle the authenticate capability

  7.   (Q) Finished

  8. Your selection?

然後重覆上面的操作再次添加一個用於簽名的子密鑰,最終效果大概如下,使用 save 命令儲存退出:

  1. gpg: checking the trustdb

  2. gpg: marginals needed: 3  completes needed: 1  trust model: pgp

  3. gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u

  4. pub  rsa4096/AAAAAAAAAAAAAAAA

  5.     created: 2018-04-24  expires: never       usage: SC

  6.     trust: ultimate      validity: ultimate

  7. ssb  rsa4096/BBBBBBBBBBBBBBBB

  8.     created: 2018-04-24  expires: never       usage: E

  9. ssb  rsa4096/CCCCCCCCCCCCCCCC

  10.     created: 2018-04-24  expires: never       usage: A

  11. ssb  rsa4096/DDDDDDDDDDDDDDDD

  12.     created: 2018-04-24  expires: never       usage: S

  13. [ultimate] (1). Locez <loki.a@live.cn>

備份公鑰與私鑰

當我們把密鑰匯入 Yubikey 的時候,我們就無法取出密鑰,因此在匯入之前最好備份 備份主密鑰私鑰:

  1. $ gpg --export-secret-key --armor Locez >> master.key

備份主密鑰公鑰:

  1. $ gpg -a --export Locez >> master.pub

當然也可以對單獨子密鑰進行備份,語法如下:

  1. gpg --export-secret-subkeys  --armor DDDDDDDDDDDDDDDD >> sign.key

DDDDDDDDDDDDDDDD 為子密鑰的指紋信息。子密鑰公鑰當然也可以單獨匯出,但是在匯出主密鑰公鑰的時候其實已經把子密鑰公鑰匯出了,因此可以不必重覆備份。

匯入進 Yubikey

備份做好以後,就可以將 RSA 密鑰匯入進 Yubikey 了,通常不建議直接將主密鑰匯入,因此在本文除了主密鑰外,另外有三個子密鑰用於匯入進 Yubikey。

採用 key index 語法選擇或者取消選擇密鑰,主密鑰為 0, 其它依次遞增,被選中會有星號。

  1. gpg> key 1

  2. ssb* rsa4096/BBBBBBBBBBBBBBBB

  3.     created: 2018-04-24  expires: never       usage: E

然後接著:

  1. gpg> keytocard

  2. Signature key ....: [none]

  3. Encryption key....: [none]

  4. Authentication key: [none]

  5. Please select where to store the key:

  6.   (2) Encryption key

  7. Your selection? 2

取消選擇子密鑰 1 並選擇子密鑰 2:

  1. gpg> key 1

  2. gpg> key 2

  3. gpg> keytocard

  4. Signature key ....: [none]

  5. Encryption key....: BBBB BBBB BBBB BBBB BBBB  BBBB BBBB BBBB BBBB BBBB

  6. Authentication key: [none]

  7. Please select where to store the key:

  8.   (3) Authentication key

  9. Your selection? 3

重覆操作,直至把 3 個子密鑰都匯入進 Yubikey,最後 save 命令儲存,當你看到多了這樣的 card-no 字樣即錶面匯入成功:

  1. gpg --edit-key Locez

  2. gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.

  3. This is free software: you are free to change and redistribute it.

  4. There is NO WARRANTY, to the extent permitted by law.

  5. Secret key is available.

  6. sec  rsa4096/AAAAAAAAAAAAAAAA

  7.     created: 2018-04-24  expires: never       usage: SC

  8.     trust: ultimate      validity: ultimate

  9. ssb  rsa4096/BBBBBBBBBBBBBBBB

  10.     created: 2018-04-24  expires: never       usage: E

  11.     card-no: 0000 00000001

  12. ssb  rsa4096/CCCCCCCCCCCCCCCC

  13.     created: 2018-04-24  expires: never       usage: A

  14.     card-no: 00000 00000001

  15. ssb  rsa4096/DDDDDDDDDDDDDDDD

  16.     created: 2018-04-24  expires: never       usage: S

  17.     card-no: 000000 00000001

  18. [ultimate] (1). Locez <loki.a@live.cn>

刪除主密鑰私鑰

通常,為了保證安全,日常操作採用子密鑰足以,主密鑰私鑰應該離線儲存在一個非常安全的地方,對的就是剛剛備份的那些東西需要離線儲存,例如找個保險柜,此時先刪除主密鑰私鑰:

  1. $ gpg --delete-secret-key Locez

  2. gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.

  3. This is free software: you are free to change and redistribute it.

  4. There is NO WARRANTY, to the extent permitted by law.

  5. sec  rsa4096/AAAAAAAAAAAAAAAA 2018-04-24 Locez <loki.a@live.cn>

  6. Delete this key from the keyring? (y/N) y

  7. This is a secret key! - really delete? (y/N) y

還可通過輸入以下命令進行確認, sec 後的 # 即表明主密鑰私鑰不可用:

  1. $ gpg -K

  2. /home/locez/.gnupg/pubring.kbx

  3. sec#  rsa4096 2018-04-24 [SC]    

  4.      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

  5. uid           [ultimate] Locez <loki.a@live.cn>

  6. ssb>  rsa4096 2018-04-24 [E]

  7. ssb>  rsa4096 2018-04-24 [A]

  8. ssb>  rsa4096 2018-04-24 [S]

同樣輸入 gpg --edit-key Locez 會看到 Secret subkeys are available. 字樣,是子密鑰可用,而不是原來的主密鑰了。

簡單測試

為了驗證卡片寫入成功,做個簡單的測試,先拔掉 Yubikey:

  1. $ echo "Hello, this is a test" > test

  2. $ gpg --output test.en -se test

  3. You did not specify a user ID. (you may use "-r")

  4. Current recipients:

  5. Enter the user ID.  End with an empty line: Locez

  6. Current recipients:

  7. rsa4096/BBBBBBBBBBBBBBBB 2018-04-24 "Locez "

  8. Enter the user ID.  End with an empty line:

空行結束,然後會要求你插入 Yubikey 並輸入 PIN 進行加密。

解密如下:

  1. gpg --decrypt test.en

  2. gpg: encrypted with 4096-bit RSA key, ID BBBBBBBBBBBBBBBB, created 2018-04-24

  3.      "Locez "

  4. Hello, this is a test

  5. gpg: Signature made Tue 24 Apr 2018 09:08:28 PM CST

  6. gpg:                using RSA key BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

  7. gpg: Good signature from "Locez " [ultimate]

參考資料

◈ https://developers.yubico.com/PGP/
◈ https://en.wikipedia.org/wiki/OpenPGP_card
◈ https://wiki.archlinux.org/index.php/GnuPG
◈ https://zhuanlan.zhihu.com/p/24103240

赞(0)

分享創造快樂

© 2021 知識星球   网站地图