[Gnuk-users] Upgrading gnuk on a nitrokey start
Remy van Elst
relst at relst.nl
Thu Sep 8 16:32:21 UTC 2016
Ah that explains why. I find it very awesome that it works with these
larger keys. I also experimented with the EC keys, Curve 25519. That works
as well, super cool!
Generate key on host:
$ gpg2 --expert --full-gen-key
gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(9) ECC and ECC
(10) ECC (sign only)
(11) ECC (set your own capabilities)
Your selection? 9
Please select which elliptic curve you want:
(1) Curve 25519
(3) NIST P-256
(4) NIST P-384
(5) NIST P-521
(6) Brainpool P-256
(7) Brainpool P-384
(8) Brainpool P-512
(9) secp256k1
Your selection? 1
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1m
Key expires at Sat Oct 8 18:24:21 2016 CEST
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: c25519 remy
Email address: remy at remy.nl
Comment: test
You selected this USER-ID:
"c25519 remy (test) <remy at remy.nl>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 0x2670351E6ECB1A9F marked as ultimately trusted
gpg: revocation certificate stored as
'/home/remy/.gnupg/openpgp-revocs.d/DA432D2A9DAB96074BC6F38E2670351E6ECB1A9F.rev'
public and secret key created and signed.
pub ed25519/0x2670351E6ECB1A9F 2016-09-08 [SC] [expires: 2016-10-08]
Key fingerprint = DA43 2D2A 9DAB 9607 4BC6 F38E 2670 351E 6ECB 1A9F
uid c25519 remy (test) <remy at remy.nl>
sub cv25519/0x59A85A111997E614 2016-09-08 [E] [expires: 2016-10-08]
Keytocard:
$ gpg --expert --edit-key 2670351E6ECB1A9F
gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
gpg: checking the trustdb
gpg: public key of ultimately trusted key 0xB9073AEB64937870 not found
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 4 signed: 13 trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: depth: 1 valid: 13 signed: 4 trust: 12-, 0q, 0n, 0m, 1f, 0u
gpg: next trustdb check due at 2016-09-10
sec ed25519/0x2670351E6ECB1A9F
created: 2016-09-08 expires: 2016-10-08 usage: SC
trust: ultimate validity: ultimate
ssb cv25519/0x59A85A111997E614
created: 2016-09-08 expires: 2016-10-08 usage: E
[ultimate] (1). c25519 remy (test) <remy at remy.nl>
gpg> key 1
sec ed25519/0x2670351E6ECB1A9F
created: 2016-09-08 expires: 2016-10-08 usage: SC
trust: ultimate validity: ultimate
ssb* cv25519/0x59A85A111997E614
created: 2016-09-08 expires: 2016-10-08 usage: E
[ultimate] (1). c25519 remy (test) <remy at remy.nl>
gpg> keytocard
Please select where to store the key:
(2) Encryption key
Your selection? 2
sec ed25519/0x2670351E6ECB1A9F
created: 2016-09-08 expires: 2016-10-08 usage: SC
trust: ultimate validity: ultimate
ssb* cv25519/0x59A85A111997E614
created: 2016-09-08 expires: 2016-10-08 usage: E
[ultimate] (1). c25519 remy (test) <remy at remy.nl>
gpg> save
Keytocard also works:
$ gpg --card-status
Reader ...........: 234B:0000:FSIJ-1.2.1-87022326:0
Application ID ...: D276000124010200FFFE870223260000
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 87022326
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 cv25519 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: 80C3 884D 5FEF 484A BE57 E05E 59A8 5A11 1997 E614
created ....: 2016-09-08 16:24:36
Authentication key: [none]
General key info..: sub cv25519/0x59A85A111997E614 2016-09-08 c25519 remy (test) <remy at remy.nl>
sec ed25519/0x2670351E6ECB1A9F created: 2016-09-08 expires: 2016-10-08
ssb> cv25519/0x59A85A111997E614 created: 2016-09-08 expires: 2016-10-08
card-no: FFFE 87022326
Afterwards I was able to successfully encrypt a file with another key and
use this key on the device to decrypt it. Yay!
https://raymii.org
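An added check for the keytocard step above (example code, not from the post, Gnuk or GnuPG): it confirms from `gpg --card-status` that the card's encryption slot holds cv25519 with the expected fingerprint, and from `gpg -K --with-colons` that the host keyring now only has a card stub for the subkey. The field-15 meaning of the colon format is taken from GnuPG's doc/DETAILS; the sample texts are constructed from the session shown above.

```shell
#!/bin/sh
# Added example, not code from the post. Real use:
#   gpg --card-status    | card_enc_fpr
#   gpg -K --with-colons | subkey_on_card 59A85A111997E614

# Card's encryption-key fingerprint with spaces removed (40 hex chars).
card_enc_fpr() {
    sed -n 's/^Encryption key\.*: *//p' | tr -d ' \n'
}

# Algorithm in the card's encryption slot (2nd "Key attributes" entry).
card_enc_algo() {
    sed -n 's/^Key attributes \.*: *//p' | awk '{ print $2 }'
}

# Field 15 of an "ssb" record in --with-colons output holds the token serial
# number when the secret subkey lives on a card; it is empty (or "+") for a
# local secret key and "#" for a plain stub (GnuPG doc/DETAILS).
# Returns 0 only if subkey KEYID is stored on a token.
subkey_on_card() {
    awk -F: -v id="$1" '
        $1 == "ssb" && $5 == id { found = 1
            if ($15 != "" && $15 != "+" && $15 != "#") ok = 1 }
        END { if (found && ok) exit 0; exit 1 }'
}

# Full post-keytocard check: fingerprint matches, slot is cv25519, stub only.
verify_keytocard() {
    card_status=$1 keyring=$2 keyid=$3 expected_fpr=$4
    fpr=$(printf '%s\n' "$card_status" | card_enc_fpr)
    algo=$(printf '%s\n' "$card_status" | card_enc_algo)
    [ "$fpr" = "$expected_fpr" ] || { echo "fingerprint mismatch: $fpr"; return 1; }
    [ "$algo" = "cv25519" ] || { echo "unexpected slot algorithm: $algo"; return 1; }
    printf '%s\n' "$keyring" | subkey_on_card "$keyid" \
        || { echo "subkey $keyid is not a card stub"; return 1; }
    echo "ok: $keyid on card as $algo, fingerprint $fpr"
}

# Constructed sample data, values copied from the session transcript above.
SAMPLE_CARD='Key attributes ...: rsa4096 cv25519 rsa4096
Encryption key....: 80C3 884D 5FEF 484A BE57 E05E 59A8 5A11 1997 E614'
SAMPLE_RING='sec:u:256:22:2670351E6ECB1A9F:1473351876:1475943876::u:::scESC:::::ed25519:
ssb:u:256:18:59A85A111997E614:1473351876:1475943876:::::e:::D276000124010200FFFE870223260000::cv25519:'

verify_keytocard "$SAMPLE_CARD" "$SAMPLE_RING" 59A85A111997E614 \
    80C3884D5FEF484ABE57E05E59A85A111997E614
```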
On Thu, Sep 8, 2016 at 11:46 AM, Gary <gary at mups.co.uk> wrote:
> On 07/09/16 19:54, Remy van Elst wrote:
> > One of the nice things now is that I can put a 4096 bit key on the card,
> > yay:
> >
> [snip]
> > Generating the key on the card fails however:
> >
> [snip]
>
> Although I could be mistaken, I seem to recall it mentioned that the
> gnuk does not have enough memory to be able to generate a 4096 key on
> the card itself but works fine if you generate on another machine then
> upload.
>
> I didn't try generating a key on the gnuk itself I just uploaded my
> existing key 4096 key to mine and other than a bit of a delay (6-8
> seconds or so) for signing, it works great :)
>
> Gary
>
> _______________________________________________
> gnuk-users mailing list
> gnuk-users at lists.alioth.debian.org
> https://lists.alioth.debian.org/mailman/listinfo/gnuk-users
>