[Gnuk-users] Upgrading gnuk on a nitrokey start

Remy van Elst relst at relst.nl
Thu Sep 8 16:34:58 UTC 2016


I also wrote down the upgrade process if anyone is interested:
https://raymii.org/s/tutorials/FST-01_firmware_upgrade_via_usb.html



https://raymii.org

On Thu, Sep 8, 2016 at 6:32 PM, Remy van Elst <relst at relst.nl> wrote:

> Ah that explains why. I find it very awesome that it works with these
> larger keys. I also experimented with the EC keys, Curve 25519. That works
> as well, super cool!
>
> Generate key on host:
>
>     $ gpg2 --expert --full-gen-key
>     gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
>     This is free software: you are free to change and redistribute it.
>     There is NO WARRANTY, to the extent permitted by law.
>
>     Please select what kind of key you want:
>        (1) RSA and RSA (default)
>        (2) DSA and Elgamal
>        (3) DSA (sign only)
>        (4) RSA (sign only)
>        (7) DSA (set your own capabilities)
>        (8) RSA (set your own capabilities)
>        (9) ECC and ECC
>       (10) ECC (sign only)
>       (11) ECC (set your own capabilities)
>     Your selection? 9
>     Please select which elliptic curve you want:
>        (1) Curve 25519
>        (3) NIST P-256
>        (4) NIST P-384
>        (5) NIST P-521
>        (6) Brainpool P-256
>        (7) Brainpool P-384
>        (8) Brainpool P-512
>        (9) secp256k1
>     Your selection? 1
>     Please specify how long the key should be valid.
>              0 = key does not expire
>           <n>  = key expires in n days
>           <n>w = key expires in n weeks
>           <n>m = key expires in n months
>           <n>y = key expires in n years
>     Key is valid for? (0) 1m
>     Key expires at Sat Oct  8 18:24:21 2016 CEST
>     Is this correct? (y/N) y
>
>     GnuPG needs to construct a user ID to identify your key.
>
>     Real name: c25519 remy
>     Email address: remy at remy.nl
>     Comment: test
>     You selected this USER-ID:
>         "c25519 remy (test) <remy at remy.nl>"
>
>     Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
>     We need to generate a lot of random bytes. It is a good idea to perform
>     some other action (type on the keyboard, move the mouse, utilize the
>     disks) during the prime generation; this gives the random number
>     generator a better chance to gain enough entropy.
>     We need to generate a lot of random bytes. It is a good idea to perform
>     some other action (type on the keyboard, move the mouse, utilize the
>     disks) during the prime generation; this gives the random number
>     generator a better chance to gain enough entropy.
>     gpg: key 0x2670351E6ECB1A9F marked as ultimately trusted
>     gpg: revocation certificate stored as '/home/remy/.gnupg/openpgp-
> revocs.d/DA432D2A9DAB96074BC6F38E2670351E6ECB1A9F.rev'
>     public and secret key created and signed.
>
>     pub   ed25519/0x2670351E6ECB1A9F 2016-09-08 [SC] [expires: 2016-10-08]
>           Key fingerprint = DA43 2D2A 9DAB 9607 4BC6  F38E 2670 351E 6ECB
> 1A9F
>     uid                              c25519 remy (test) <remy at remy.nl>
>     sub   cv25519/0x59A85A111997E614 2016-09-08 [E] [expires: 2016-10-08]
>
>
>
> Keytocard:
>
>     $ gpg --expert --edit-key 2670351E6ECB1A9F
>     gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
>     This is free software: you are free to change and redistribute it.
>     There is NO WARRANTY, to the extent permitted by law.
>
>     Secret key is available.
>
>     gpg: checking the trustdb
>     gpg: public key of ultimately trusted key 0xB9073AEB64937870 not found
>     gpg: marginals needed: 3  completes needed: 1  trust model: pgp
>     gpg: depth: 0  valid:   4  signed:  13  trust: 0-, 0q, 0n, 0m, 0f, 4u
>     gpg: depth: 1  valid:  13  signed:   4  trust: 12-, 0q, 0n, 0m, 1f, 0u
>     gpg: next trustdb check due at 2016-09-10
>     sec  ed25519/0x2670351E6ECB1A9F
>          created: 2016-09-08  expires: 2016-10-08  usage: SC
>          trust: ultimate      validity: ultimate
>     ssb  cv25519/0x59A85A111997E614
>          created: 2016-09-08  expires: 2016-10-08  usage: E
>     [ultimate] (1). c25519 remy (test) <remy at remy.nl>
>
>     gpg> key 1
>
>     sec  ed25519/0x2670351E6ECB1A9F
>          created: 2016-09-08  expires: 2016-10-08  usage: SC
>          trust: ultimate      validity: ultimate
>     ssb* cv25519/0x59A85A111997E614
>          created: 2016-09-08  expires: 2016-10-08  usage: E
>     [ultimate] (1). c25519 remy (test) <remy at remy.nl>
>
>     gpg> keytocard
>     Please select where to store the key:
>        (2) Encryption key
>     Your selection? 2
>
>     sec  ed25519/0x2670351E6ECB1A9F
>          created: 2016-09-08  expires: 2016-10-08  usage: SC
>          trust: ultimate      validity: ultimate
>     ssb* cv25519/0x59A85A111997E614
>          created: 2016-09-08  expires: 2016-10-08  usage: E
>     [ultimate] (1). c25519 remy (test) <remy at remy.nl>
>
>     gpg> save
>
>
>
> Keytocard also works
>
>     $ gpg --card-status
>
>     Reader ...........: 234B:0000:FSIJ-1.2.1-87022326:0
>     Application ID ...: D276000124010200FFFE870223260000
>     Version ..........: 2.0
>     Manufacturer .....: unmanaged S/N range
>     Serial number ....: 87022326
>     Name of cardholder: [not set]
>     Language prefs ...: [not set]
>     Sex ..............: unspecified
>     URL of public key : [not set]
>     Login data .......: [not set]
>     Signature PIN ....: not forced
>     Key attributes ...: rsa4096 cv25519 rsa4096
>     Max. PIN lengths .: 127 127 127
>     PIN retry counter : 3 3 3
>     Signature counter : 0
>     Signature key ....: [none]
>     Encryption key....: 80C3 884D 5FEF 484A BE57  E05E 59A8 5A11 1997 E614
>           created ....: 2016-09-08 16:24:36
>     Authentication key: [none]
>     General key info..: sub  cv25519/0x59A85A111997E614 2016-09-08 c25519
> remy (test) <remy at remy.nl>
>     sec   ed25519/0x2670351E6ECB1A9F  created: 2016-09-08  expires:
> 2016-10-08
>     ssb>  cv25519/0x59A85A111997E614  created: 2016-09-08  expires:
> 2016-10-08
>                                       card-no: FFFE 87022326
>
>
> Afterwards I was able to successfully encrypt a file with another key and
> use this key on the device to decrypt it. Yay!
>
>
>
> https://raymii.org
>
> On Thu, Sep 8, 2016 at 11:46 AM, Gary <gary at mups.co.uk> wrote:
>
>> On 07/09/16 19:54, Remy van Elst wrote:
>> > One of the nice things now is that I can put a 4096 bit key on the card,
>> > yay:
>> >
>> [snip]
>> > Generating the key on the card fails however:
>> >
>> [snip]
>>
>> Although I could be mistaken, I seem to recall it mentioned that the
>> gnuk does not have enough memory to be able to generate a 4096 key on
>> the card itself but works fine if you generate on another machine then
>> upload.
>>
>> I didn't try generating a key on the gnuk itself, I just uploaded my
>> existing 4096 key to mine and other than a bit of a delay (6-8
>> seconds or so) for signing, it works great :)
>>
>> Gary
>>
>> _______________________________________________
>> gnuk-users mailing list
>> gnuk-users at lists.alioth.debian.org
>> https://lists.alioth.debian.org/mailman/listinfo/gnuk-users
>>
>
>
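After a keytocard like the one quoted above, a practitioner wants to confirm that the card slot really holds the intended subkey: the slot algorithm in "Key attributes" must match, and the slot fingerprint printed by `gpg --card-status` must end in the subkey's long key ID (an OpenPGP v4 long key ID is the last 16 hex digits of the fingerprint). The following check is an added example, not code from the thread or from Gnuk; it parses the card-status format shown above and uses the values from Remy's session as constructed sample input.

```python
# Verify that a gpg --card-status dump shows the expected subkey in a slot.
# Sample input is constructed from the card-status output quoted in the thread.
CARD_STATUS = """\
Reader ...........: 234B:0000:FSIJ-1.2.1-87022326:0
Application ID ...: D276000124010200FFFE870223260000
Version ..........: 2.0
Key attributes ...: rsa4096 cv25519 rsa4096
Signature key ....: [none]
Encryption key....: 80C3 884D 5FEF 484A BE57  E05E 59A8 5A11 1997 E614
      created ....: 2016-09-08 16:24:36
Authentication key: [none]
"""

SLOT_INDEX = {"sig": 0, "enc": 1, "auth": 2}
SLOT_LABEL = {"sig": "Signature key", "enc": "Encryption key",
              "auth": "Authentication key"}


def parse_card_status(text):
    """Turn 'Label ....: value' lines into a dict, ignoring indented
    continuation lines such as the 'created' timestamp under a key slot."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue
        label, sep, value = line.partition(":")
        if sep:
            fields[label.rstrip(" .")] = value.strip()
    return fields


def slot_fingerprint(fields, slot):
    """Return the slot's fingerprint as 40 upper-case hex digits, or None if
    the card reports the slot as empty ('[none]')."""
    raw = fields.get(SLOT_LABEL[slot], "[none]")
    if raw.startswith("["):
        return None
    fpr = raw.replace(" ", "").upper()
    return fpr if len(fpr) == 40 else None


def check_subkey_on_card(card_text, expected_keyid, expected_algo, slot="enc"):
    """Return (ok, detail): True with the fingerprint when the slot holds a key
    of the expected algorithm whose fingerprint ends in expected_keyid."""
    fields = parse_card_status(card_text)
    algos = fields.get("Key attributes", "").split()
    idx = SLOT_INDEX[slot]
    if len(algos) <= idx or algos[idx] != expected_algo:
        return False, "slot %s algorithm mismatch: %s" % (slot, algos)
    fpr = slot_fingerprint(fields, slot)
    if fpr is None:
        return False, "slot %s is empty" % slot
    keyid = expected_keyid.upper()
    keyid = keyid[2:] if keyid.startswith("0X") else keyid
    if not fpr.endswith(keyid):
        return False, "slot %s holds %s, not key %s" % (slot, fpr, keyid)
    return True, fpr
```

The same check, run against your own `gpg --card-status` output, catches the common mistake of having selected the wrong slot (or the wrong `key N`) in the edit-key session before typing `keytocard`.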