[Gnuk-users] Upgrading gnuk on a nitrokey start

Remy van Elst relst at relst.nl
Thu Sep 8 16:32:21 UTC 2016


Ah that explains why. I find it very awesome that it works with these
larger keys. I also experimented with the EC keys, Curve 25519. That works
as well, super cool!

Generate key on host:

    $ gpg2 --expert --full-gen-key
    gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Please select what kind of key you want:
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)
       (7) DSA (set your own capabilities)
       (8) RSA (set your own capabilities)
       (9) ECC and ECC
      (10) ECC (sign only)
      (11) ECC (set your own capabilities)
    Your selection? 9
    Please select which elliptic curve you want:
       (1) Curve 25519
       (3) NIST P-256
       (4) NIST P-384
       (5) NIST P-521
       (6) Brainpool P-256
       (7) Brainpool P-384
       (8) Brainpool P-512
       (9) secp256k1
    Your selection? 1
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 1m
    Key expires at Sat Oct  8 18:24:21 2016 CEST
    Is this correct? (y/N) y

    GnuPG needs to construct a user ID to identify your key.

    Real name: c25519 remy
    Email address: remy at remy.nl
    Comment: test
    You selected this USER-ID:
        "c25519 remy (test) <remy at remy.nl>"

    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    gpg: key 0x2670351E6ECB1A9F marked as ultimately trusted
    gpg: revocation certificate stored as '/home/remy/.gnupg/openpgp-revocs.d/DA432D2A9DAB96074BC6F38E2670351E6ECB1A9F.rev'
    public and secret key created and signed.

    pub   ed25519/0x2670351E6ECB1A9F 2016-09-08 [SC] [expires: 2016-10-08]
          Key fingerprint = DA43 2D2A 9DAB 9607 4BC6  F38E 2670 351E 6ECB 1A9F
    uid                              c25519 remy (test) <remy at remy.nl>
    sub   cv25519/0x59A85A111997E614 2016-09-08 [E] [expires: 2016-10-08]



Keytocard:

    $ gpg --expert --edit-key 2670351E6ECB1A9F
    gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Secret key is available.

    gpg: checking the trustdb
    gpg: public key of ultimately trusted key 0xB9073AEB64937870 not found
    gpg: marginals needed: 3  completes needed: 1  trust model: pgp
    gpg: depth: 0  valid:   4  signed:  13  trust: 0-, 0q, 0n, 0m, 0f, 4u
    gpg: depth: 1  valid:  13  signed:   4  trust: 12-, 0q, 0n, 0m, 1f, 0u
    gpg: next trustdb check due at 2016-09-10
    sec  ed25519/0x2670351E6ECB1A9F
         created: 2016-09-08  expires: 2016-10-08  usage: SC
         trust: ultimate      validity: ultimate
    ssb  cv25519/0x59A85A111997E614
         created: 2016-09-08  expires: 2016-10-08  usage: E
    [ultimate] (1). c25519 remy (test) <remy at remy.nl>

    gpg> key 1

    sec  ed25519/0x2670351E6ECB1A9F
         created: 2016-09-08  expires: 2016-10-08  usage: SC
         trust: ultimate      validity: ultimate
    ssb* cv25519/0x59A85A111997E614
         created: 2016-09-08  expires: 2016-10-08  usage: E
    [ultimate] (1). c25519 remy (test) <remy at remy.nl>

    gpg> keytocard
    Please select where to store the key:
       (2) Encryption key
    Your selection? 2

    sec  ed25519/0x2670351E6ECB1A9F
         created: 2016-09-08  expires: 2016-10-08  usage: SC
         trust: ultimate      validity: ultimate
    ssb* cv25519/0x59A85A111997E614
         created: 2016-09-08  expires: 2016-10-08  usage: E
    [ultimate] (1). c25519 remy (test) <remy at remy.nl>

    gpg> save



Keytocard also works:

    $ gpg --card-status

    Reader ...........: 234B:0000:FSIJ-1.2.1-87022326:0
    Application ID ...: D276000124010200FFFE870223260000
    Version ..........: 2.0
    Manufacturer .....: unmanaged S/N range
    Serial number ....: 87022326
    Name of cardholder: [not set]
    Language prefs ...: [not set]
    Sex ..............: unspecified
    URL of public key : [not set]
    Login data .......: [not set]
    Signature PIN ....: not forced
    Key attributes ...: rsa4096 cv25519 rsa4096
    Max. PIN lengths .: 127 127 127
    PIN retry counter : 3 3 3
    Signature counter : 0
    Signature key ....: [none]
    Encryption key....: 80C3 884D 5FEF 484A BE57  E05E 59A8 5A11 1997 E614
          created ....: 2016-09-08 16:24:36
    Authentication key: [none]
    General key info..: sub  cv25519/0x59A85A111997E614 2016-09-08 c25519 remy (test) <remy at remy.nl>
    sec   ed25519/0x2670351E6ECB1A9F  created: 2016-09-08  expires: 2016-10-08
    ssb>  cv25519/0x59A85A111997E614  created: 2016-09-08  expires: 2016-10-08
                                      card-no: FFFE 87022326


Afterwards I was able to successfully encrypt a file with another key and
use this key on the device to decrypt it. Yay!



https://raymii.org

On Thu, Sep 8, 2016 at 11:46 AM, Gary <gary at mups.co.uk> wrote:

> On 07/09/16 19:54, Remy van Elst wrote:
> > One of the nice things now is that I can put a 4096 bit key on the card,
> > yay:
> >
> [snip]
> > Generating the key on the card fails however:
> >
> [snip]
>
> Although I could be mistaken, I seem to recall it mentioned that the
> gnuk does not have enough memory to be able to generate a 4096 key on
> the card itself but works fine if you generate on another machine then
> upload.
>
> I didn't try generating a key on the gnuk itself I just uploaded my
> existing key 4096 key to mine and other than a bit of a delay (6-8
> seconds or so) for signing, it works great :)
>
> Gary
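As an added example (not code from the post, from Gnuk or from GnuPG), here is a small Python parser for the `gpg --card-status` dump shown above. After a keytocard it is worth confirming that the encryption slot really holds the expected subkey (the slot fingerprint must end in the subkey ID), that the slot's algorithm is cv25519, that the host keyring lists the subkey as an `ssb>` stub, and that the PIN retry counters are still at their maximum. The sample text is the card-status output from the post; the function names and the expected-key-ID parameter are assumptions of this example.

```python
import re

# Sample `gpg --card-status` output, copied from the post above (Gnuk 1.2.1 on a
# Nitrokey Start after keytocard of the cv25519 encryption subkey).
CARD_STATUS = """\
Reader ...........: 234B:0000:FSIJ-1.2.1-87022326:0
Application ID ...: D276000124010200FFFE870223260000
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 87022326
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 cv25519 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: 80C3 884D 5FEF 484A BE57  E05E 59A8 5A11 1997 E614
      created ....: 2016-09-08 16:24:36
Authentication key: [none]
General key info..: sub  cv25519/0x59A85A111997E614 2016-09-08 c25519 remy (test) <remy at remy.nl>
sec   ed25519/0x2670351E6ECB1A9F  created: 2016-09-08  expires: 2016-10-08
ssb>  cv25519/0x59A85A111997E614  created: 2016-09-08  expires: 2016-10-08
                                  card-no: FFFE 87022326
"""

# One "Label ....: value" row. The label is non-greedy so the dot padding and the
# optional space before ':' are not swallowed into it.
FIELD_RE = re.compile(r"^(?P<indent>\s*)(?P<label>.+?)\s*\.*\s*:\s?(?P<value>.*)$")


def parse_card_status(text):
    """Return ({label: value}, [key-listing lines]) for a card-status dump."""
    fields, listing = {}, []
    in_listing = False
    last_label = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if in_listing:                      # everything after "General key info" is a key listing
            listing.append(line.strip())
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        label = m.group("label").strip()
        value = m.group("value").strip()
        if m.group("indent") and last_label:
            label = f"{last_label} {label}"  # indented row belongs to the row above, e.g. "Encryption key created"
        else:
            last_label = label
        if label == "General key info":
            in_listing = True
            listing.append(value)           # the first key line shares the row with the label
            continue
        fields[label] = value
    return fields, listing


def firmware_version(fields):
    """Gnuk identifies itself as FSIJ-<version>-<serial> inside the reader string."""
    m = re.search(r"FSIJ-(\d+(?:\.\d+)*)-", fields.get("Reader", ""))
    return m.group(1) if m else None


def check_card(text, expected_subkey_id, expected_curve="cv25519", max_retries=3):
    """Return a list of findings; an empty list means the card looks as expected.

    Multi-value rows (Key attributes, PIN retry counter) are ordered
    signature, encryption, authentication.
    """
    fields, listing = parse_card_status(text)
    findings = []
    want = expected_subkey_id.upper()
    if want.startswith("0X"):
        want = want[2:]
    # The long key ID is the last 16 hex digits of the fingerprint.
    fpr = fields.get("Encryption key", "").replace(" ", "").upper()
    if not fpr.endswith(want):
        findings.append(f"encryption slot holds '{fpr or 'nothing'}', expected key ID {want}")
    attrs = fields.get("Key attributes", "").split()
    if len(attrs) < 2 or attrs[1] != expected_curve:
        findings.append(f"encryption slot algorithm is {attrs[1] if len(attrs) > 1 else 'unknown'}, expected {expected_curve}")
    retries = fields.get("PIN retry counter", "").split()
    if retries != [str(max_retries)] * 3:
        findings.append(f"PIN retry counters {retries} are not at maximum; wrong-PIN attempts were made or the row is missing")
    # 'ssb>' marks a secret subkey whose private part lives on the card.
    if not any(l.startswith("ssb>") and want in l.upper() for l in listing):
        findings.append("host keyring shows no 'ssb>' stub for the subkey, so keytocard did not take effect")
    return findings


if __name__ == "__main__":
    fields, _ = parse_card_status(CARD_STATUS)
    print("Gnuk firmware:", firmware_version(fields))
    print("findings:", check_card(CARD_STATUS, "0x59A85A111997E614") or "none")
```

To run it against a live token, feed it `subprocess.check_output(["gpg", "--card-status"], text=True)`; for anything beyond a quick check, `gpg --with-colons --card-status` gives a colon-separated form that is meant for scripts and does not depend on the dot-padded layout parsed here.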