[Gnuk-users] Upgrading gnuk on a nitrokey start
Remy van Elst
relst at relst.nl
Thu Sep 8 16:34:58 UTC 2016
I also wrote down the upgrade process, if anyone is interested:
https://raymii.org/s/tutorials/FST-01_firmware_upgrade_via_usb.html
https://raymii.org
On Thu, Sep 8, 2016 at 6:32 PM, Remy van Elst <relst at relst.nl> wrote:
> Ah that explains why. I find it very awesome that it works with these
> larger keys. I also experimented with the EC keys, Curve 25519. That works
> as well, super cool!
>
> Generate key on host:
>
> $ gpg2 --expert --full-gen-key
> gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Please select what kind of key you want:
> (1) RSA and RSA (default)
> (2) DSA and Elgamal
> (3) DSA (sign only)
> (4) RSA (sign only)
> (7) DSA (set your own capabilities)
> (8) RSA (set your own capabilities)
> (9) ECC and ECC
> (10) ECC (sign only)
> (11) ECC (set your own capabilities)
> Your selection? 9
> Please select which elliptic curve you want:
> (1) Curve 25519
> (3) NIST P-256
> (4) NIST P-384
> (5) NIST P-521
> (6) Brainpool P-256
> (7) Brainpool P-384
> (8) Brainpool P-512
> (9) secp256k1
> Your selection? 1
> Please specify how long the key should be valid.
> 0 = key does not expire
> <n> = key expires in n days
> <n>w = key expires in n weeks
> <n>m = key expires in n months
> <n>y = key expires in n years
> Key is valid for? (0) 1m
> Key expires at Sat Oct 8 18:24:21 2016 CEST
> Is this correct? (y/N) y
>
> GnuPG needs to construct a user ID to identify your key.
>
> Real name: c25519 remy
> Email address: remy at remy.nl
> Comment: test
> You selected this USER-ID:
> "c25519 remy (test) <remy at remy.nl>"
>
> Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
> We need to generate a lot of random bytes. It is a good idea to perform
> some other action (type on the keyboard, move the mouse, utilize the
> disks) during the prime generation; this gives the random number
> generator a better chance to gain enough entropy.
> We need to generate a lot of random bytes. It is a good idea to perform
> some other action (type on the keyboard, move the mouse, utilize the
> disks) during the prime generation; this gives the random number
> generator a better chance to gain enough entropy.
> gpg: key 0x2670351E6ECB1A9F marked as ultimately trusted
> gpg: revocation certificate stored as '/home/remy/.gnupg/openpgp-revocs.d/DA432D2A9DAB96074BC6F38E2670351E6ECB1A9F.rev'
> public and secret key created and signed.
>
> pub ed25519/0x2670351E6ECB1A9F 2016-09-08 [SC] [expires: 2016-10-08]
> Key fingerprint = DA43 2D2A 9DAB 9607 4BC6 F38E 2670 351E 6ECB 1A9F
> uid c25519 remy (test) <remy at remy.nl>
> sub cv25519/0x59A85A111997E614 2016-09-08 [E] [expires: 2016-10-08]
>
>
>
> Keytocard:
>
> $ gpg --expert --edit-key 2670351E6ECB1A9F
> gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Secret key is available.
>
> gpg: checking the trustdb
> gpg: public key of ultimately trusted key 0xB9073AEB64937870 not found
> gpg: marginals needed: 3 completes needed: 1 trust model: pgp
> gpg: depth: 0 valid: 4 signed: 13 trust: 0-, 0q, 0n, 0m, 0f, 4u
> gpg: depth: 1 valid: 13 signed: 4 trust: 12-, 0q, 0n, 0m, 1f, 0u
> gpg: next trustdb check due at 2016-09-10
> sec ed25519/0x2670351E6ECB1A9F
> created: 2016-09-08 expires: 2016-10-08 usage: SC
> trust: ultimate validity: ultimate
> ssb cv25519/0x59A85A111997E614
> created: 2016-09-08 expires: 2016-10-08 usage: E
> [ultimate] (1). c25519 remy (test) <remy at remy.nl>
>
> gpg> key 1
>
> sec ed25519/0x2670351E6ECB1A9F
> created: 2016-09-08 expires: 2016-10-08 usage: SC
> trust: ultimate validity: ultimate
> ssb* cv25519/0x59A85A111997E614
> created: 2016-09-08 expires: 2016-10-08 usage: E
> [ultimate] (1). c25519 remy (test) <remy at remy.nl>
>
> gpg> keytocard
> Please select where to store the key:
> (2) Encryption key
> Your selection? 2
>
> sec ed25519/0x2670351E6ECB1A9F
> created: 2016-09-08 expires: 2016-10-08 usage: SC
> trust: ultimate validity: ultimate
> ssb* cv25519/0x59A85A111997E614
> created: 2016-09-08 expires: 2016-10-08 usage: E
> [ultimate] (1). c25519 remy (test) <remy at remy.nl>
>
> gpg> save
>
>
>
> Keytocard also works
>
> $ gpg --card-status
>
> Reader ...........: 234B:0000:FSIJ-1.2.1-87022326:0
> Application ID ...: D276000124010200FFFE870223260000
> Version ..........: 2.0
> Manufacturer .....: unmanaged S/N range
> Serial number ....: 87022326
> Name of cardholder: [not set]
> Language prefs ...: [not set]
> Sex ..............: unspecified
> URL of public key : [not set]
> Login data .......: [not set]
> Signature PIN ....: not forced
> Key attributes ...: rsa4096 cv25519 rsa4096
> Max. PIN lengths .: 127 127 127
> PIN retry counter : 3 3 3
> Signature counter : 0
> Signature key ....: [none]
> Encryption key....: 80C3 884D 5FEF 484A BE57 E05E 59A8 5A11 1997 E614
> created ....: 2016-09-08 16:24:36
> Authentication key: [none]
> General key info..: sub cv25519/0x59A85A111997E614 2016-09-08 c25519 remy (test) <remy at remy.nl>
> sec ed25519/0x2670351E6ECB1A9F created: 2016-09-08 expires: 2016-10-08
> ssb> cv25519/0x59A85A111997E614 created: 2016-09-08 expires: 2016-10-08
> card-no: FFFE 87022326
>
>
> Afterwards I was able to successfully encrypt a file with another key and
> use this key on the device to decrypt it. Yay!
>
>
>
> https://raymii.org
>
> On Thu, Sep 8, 2016 at 11:46 AM, Gary <gary at mups.co.uk> wrote:
>
>> On 07/09/16 19:54, Remy van Elst wrote:
>> > One of the nice things now is that I can put a 4096 bit key on the card,
>> > yay:
>> >
>> [snip]
>> > Generating the key on the card fails however:
>> >
>> [snip]
>>
>> Although I could be mistaken, I seem to recall it mentioned that the
>> gnuk does not have enough memory to be able to generate a 4096 key on
>> the card itself but works fine if you generate on another machine then
>> upload.
>>
>> I didn't try generating a key on the gnuk itself I just uploaded my
>> existing key 4096 key to mine and other than a bit of a delay (6-8
>> seconds or so) for signing, it works great :)
>>
>> Gary
>>
>> _______________________________________________
>> gnuk-users mailing list
>> gnuk-users at lists.alioth.debian.org
>> https://lists.alioth.debian.org/mailman/listinfo/gnuk-users
>>
>
>
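After `keytocard`, the check worth automating is that the card slot really holds the subkey you moved and that the PIN retry counters are still intact. The following is an added example, not from this thread and not from the Gnuk or GnuPG projects: a small parser for the human-readable `gpg --card-status` output in the format quoted above, plus a check function that compares the encryption slot against an expected fingerprint. The sample input is constructed from the card-status output quoted in the thread; the names `CardStatus`, `parse_card_status`, `check_card` and `normalize_fpr` are mine. The fingerprint to compare against is the subkey's (`0x59A85A111997E614`), not the primary key's; feeding it the primary fingerprint DA43 ... 1A9F is reported as a mismatch.

```python
"""Verify a `gpg --card-status` transcript against the subkey you expect.

Assumed names (mine, not GnuPG's or Gnuk's): CardStatus, parse_card_status,
check_card, normalize_fpr. The field labels are the ones GnuPG prints.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the card-status output quoted in the thread, with the
# unset cardholder fields omitted for brevity.
SAMPLE_CARD_STATUS = """\
Reader ...........: 234B:0000:FSIJ-1.2.1-87022326:0
Application ID ...: D276000124010200FFFE870223260000
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 87022326
Signature PIN ....: not forced
Key attributes ...: rsa4096 cv25519 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: 80C3 884D 5FEF 484A BE57 E05E 59A8 5A11 1997 E614
      created ....: 2016-09-08 16:24:36
Authentication key: [none]
"""

# The three card slots and the three PIN retry counters, in the order GnuPG prints them.
SLOTS = ("sign", "encrypt", "auth")
SLOT_LABELS = {"Signature key": "sign", "Encryption key": "encrypt",
               "Authentication key": "auth"}
PIN_LABELS = ("user", "reset", "admin")

# "Label ......: value" -- the label is padded with dots/spaces up to the colon.
FIELD_RE = re.compile(r"^(?P<name>[^:]+?)[ .]*:\s*(?P<value>.*)$")


@dataclass
class CardStatus:
    serial: str = ""
    key_attributes: Dict[str, str] = field(default_factory=dict)        # slot -> algorithm
    pin_retries: Dict[str, int] = field(default_factory=dict)           # counter -> retries left
    fingerprints: Dict[str, Optional[str]] = field(default_factory=dict)  # slot -> fpr or None
    created: Dict[str, str] = field(default_factory=dict)               # slot -> timestamp


def normalize_fpr(text: str) -> str:
    """Strip the display grouping and upper-case; reject anything that is not 40 hex digits."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError(f"not an OpenPGP v4 fingerprint: {text!r}")
    return fpr


def parse_card_status(text: str) -> CardStatus:
    st = CardStatus()
    current_slot: Optional[str] = None
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue
        name, value = m.group("name"), m.group("value").strip()
        if name == "Serial number":
            st.serial = value
        elif name == "Key attributes":
            st.key_attributes = dict(zip(SLOTS, value.split()))
        elif name == "PIN retry counter":
            st.pin_retries = dict(zip(PIN_LABELS, (int(v) for v in value.split())))
        elif name in SLOT_LABELS:
            current_slot = SLOT_LABELS[name]
            # An empty slot prints "[none]"; a filled one prints the grouped fingerprint.
            st.fingerprints[current_slot] = None if value.startswith("[") else normalize_fpr(value)
        elif name == "created" and current_slot is not None:
            st.created[current_slot] = value
    return st


def check_card(text: str, expected_fpr: str, slot: str = "encrypt",
               expected_algo: Optional[str] = None, min_retries: int = 2) -> List[str]:
    """Return a list of problems; an empty list means the card looks as expected."""
    st = parse_card_status(text)
    problems: List[str] = []
    want = normalize_fpr(expected_fpr)
    have = st.fingerprints.get(slot)
    if have is None:
        problems.append(f"{slot} slot is empty")
    elif have != want:
        problems.append(f"{slot} slot holds {have}, expected {want}")
    if expected_algo and st.key_attributes.get(slot) != expected_algo:
        problems.append(f"{slot} slot algorithm is {st.key_attributes.get(slot)}, expected {expected_algo}")
    for label, left in st.pin_retries.items():
        if left < min_retries:
            problems.append(f"{label} PIN retry counter is {left}, below {min_retries}")
    return problems


if __name__ == "__main__":
    # Compare against the subkey `ssb cv25519/0x59A85A111997E614` (the key ID is the
    # last 16 hex digits of the fingerprint), not against the primary key.
    report = check_card(SAMPLE_CARD_STATUS,
                        "80C3 884D 5FEF 484A BE57 E05E 59A8 5A11 1997 E614",
                        expected_algo="cv25519")
    print("OK" if not report else "\n".join(report))
```

For anything beyond a one-off check, `gpg --card-status --with-colons` gives a machine-readable form that does not depend on the dot-padded labels parsed here; the human format above is parsed only because it is what the thread shows.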