[Gnuk-users] Upgrading gnuk on a nitrokey start
Remy van Elst
relst at relst.nl
Thu Sep 8 19:46:56 UTC 2016
Flashing back from NeuG to GnuK also works via USB:
[21:44:51] [remy at gateway] [ ~/repo/neug/tool (master) ]
$ python2 neug_upgrade.py ../../gnuk/regnual/regnual.bin ../../gnuk/src/build/gnuk.bin
Admin password:
../../gnuk/regnual/regnual.bin: 4412
../../gnuk/src/build/gnuk.bin: 110592
CRC32: 303d2f62
Device:
Configuration: 1
Interface: 1
20000a00:20005000
Downloading flash upgrade program...
start 20000a00
end 20001b00
# 20001b00: 27 : 64
Run flash upgrade program...
Wait 3 seconds...
Device:
08001000:08020000
Downloading the program
start 08001000
end 0801b000
NeuG works as well via rng-tools, cool!
I'm amazed by all the hard work and effort you put in here (Niibe) :)
Really amazing!
https://raymii.org
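The upgrade log above shows the two stages of a USB reflash: regnual is loaded into the RAM window (20000a00:20005000), then the Gnuk payload is written into the flash window (08001000:08020000). The following is an added example, not code from Gnuk or from the poster, of the pre-flight checks an operator can run on the two images before starting: it reproduces the sizes and the flash end address from the log (110592 bytes, end 0801b000). It assumes that the first 4096-byte page of gnuk.bin is the SYS area that stays on the device and that the tool's CRC32 covers the remainder; both are assumptions, not confirmed by the post.

```python
import binascii

# Constants taken from the upgrade log on this page.
SYS_SIZE = 4096                                   # assumed: first page of gnuk.bin is SYS, not rewritten
RAM_START, RAM_END = 0x20000a00, 0x20005000       # window reported before the regnual stage
FLASH_START, FLASH_END = 0x08001000, 0x08020000   # window reported by regnual for the Gnuk stage


def upgrade_plan(regnual_image: bytes, gnuk_image: bytes) -> dict:
    """Compute sizes, payload CRC32 and the address ranges each stage would
    occupy, and refuse images that cannot fit their windows."""
    if len(gnuk_image) <= SYS_SIZE:
        raise ValueError("gnuk image too small to contain a SYS page")
    payload = gnuk_image[SYS_SIZE:]          # assumed: this is what gets flashed and CRC'd
    plan = {
        "regnual_size": len(regnual_image),
        "gnuk_size": len(gnuk_image),
        "crc32": "%08x" % (binascii.crc32(payload) & 0xFFFFFFFF),
        "ram_start": RAM_START,
        "ram_end": RAM_START + len(regnual_image),
        "flash_start": FLASH_START,
        "flash_end": FLASH_START + len(payload),
    }
    if plan["ram_end"] > RAM_END:
        raise ValueError("regnual (%d bytes) does not fit the RAM window" % len(regnual_image))
    if plan["flash_end"] > FLASH_END:
        raise ValueError("gnuk payload (%d bytes) does not fit the flash window" % len(payload))
    return plan


if __name__ == "__main__":
    # Constructed images with the sizes from the log; real builds differ in content and CRC.
    p = upgrade_plan(b"\x00" * 4412, b"\x00" * 110592)
    for k, v in p.items():
        print("%-12s %s" % (k, "%08x" % v if isinstance(v, int) and v > 0xFFFF else v))
```

The CRC32 printed for a real build should match the value the upgrade tool prints before it touches the device; a mismatch means the wrong or a corrupted image.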
On Thu, Sep 8, 2016 at 6:34 PM, Remy van Elst <relst at relst.nl> wrote:
> I also wrote down the upgrade process if anyone is interested:
> https://raymii.org/s/tutorials/FST-01_firmware_upgrade_via_usb.html
>
> https://raymii.org
>
> On Thu, Sep 8, 2016 at 6:32 PM, Remy van Elst <relst at relst.nl> wrote:
>
>> Ah that explains why. I find it very awesome that it works with these
>> larger keys. I also experimented with the EC keys, Curve 25519. That works
>> as well, super cool!
>>
>> Generate key on host:
>>
>> $ gpg2 --expert --full-gen-key
>> gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law.
>>
>> Please select what kind of key you want:
>> (1) RSA and RSA (default)
>> (2) DSA and Elgamal
>> (3) DSA (sign only)
>> (4) RSA (sign only)
>> (7) DSA (set your own capabilities)
>> (8) RSA (set your own capabilities)
>> (9) ECC and ECC
>> (10) ECC (sign only)
>> (11) ECC (set your own capabilities)
>> Your selection? 9
>> Please select which elliptic curve you want:
>> (1) Curve 25519
>> (3) NIST P-256
>> (4) NIST P-384
>> (5) NIST P-521
>> (6) Brainpool P-256
>> (7) Brainpool P-384
>> (8) Brainpool P-512
>> (9) secp256k1
>> Your selection? 1
>> Please specify how long the key should be valid.
>> 0 = key does not expire
>> <n> = key expires in n days
>> <n>w = key expires in n weeks
>> <n>m = key expires in n months
>> <n>y = key expires in n years
>> Key is valid for? (0) 1m
>> Key expires at Sat Oct 8 18:24:21 2016 CEST
>> Is this correct? (y/N) y
>>
>> GnuPG needs to construct a user ID to identify your key.
>>
>> Real name: c25519 remy
>> Email address: remy at remy.nl
>> Comment: test
>> You selected this USER-ID:
>> "c25519 remy (test) <remy at remy.nl>"
>>
>> Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
>> We need to generate a lot of random bytes. It is a good idea to perform
>> some other action (type on the keyboard, move the mouse, utilize the
>> disks) during the prime generation; this gives the random number
>> generator a better chance to gain enough entropy.
>> We need to generate a lot of random bytes. It is a good idea to perform
>> some other action (type on the keyboard, move the mouse, utilize the
>> disks) during the prime generation; this gives the random number
>> generator a better chance to gain enough entropy.
>> gpg: key 0x2670351E6ECB1A9F marked as ultimately trusted
>> gpg: revocation certificate stored as '/home/remy/.gnupg/openpgp-revocs.d/DA432D2A9DAB96074BC6F38E2670351E6ECB1A9F.rev'
>> public and secret key created and signed.
>>
>> pub ed25519/0x2670351E6ECB1A9F 2016-09-08 [SC] [expires: 2016-10-08]
>> Key fingerprint = DA43 2D2A 9DAB 9607 4BC6 F38E 2670 351E 6ECB 1A9F
>> uid c25519 remy (test) <remy at remy.nl>
>> sub cv25519/0x59A85A111997E614 2016-09-08 [E] [expires: 2016-10-08]
>>
>> Keytocard:
>>
>> $ gpg --expert --edit-key 2670351E6ECB1A9F
>> gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law.
>>
>> Secret key is available.
>>
>> gpg: checking the trustdb
>> gpg: public key of ultimately trusted key 0xB9073AEB64937870 not found
>> gpg: marginals needed: 3 completes needed: 1 trust model: pgp
>> gpg: depth: 0 valid: 4 signed: 13 trust: 0-, 0q, 0n, 0m, 0f, 4u
>> gpg: depth: 1 valid: 13 signed: 4 trust: 12-, 0q, 0n, 0m, 1f, 0u
>> gpg: next trustdb check due at 2016-09-10
>> sec ed25519/0x2670351E6ECB1A9F
>> created: 2016-09-08 expires: 2016-10-08 usage: SC
>> trust: ultimate validity: ultimate
>> ssb cv25519/0x59A85A111997E614
>> created: 2016-09-08 expires: 2016-10-08 usage: E
>> [ultimate] (1). c25519 remy (test) <remy at remy.nl>
>>
>> gpg> key 1
>>
>> sec ed25519/0x2670351E6ECB1A9F
>> created: 2016-09-08 expires: 2016-10-08 usage: SC
>> trust: ultimate validity: ultimate
>> ssb* cv25519/0x59A85A111997E614
>> created: 2016-09-08 expires: 2016-10-08 usage: E
>> [ultimate] (1). c25519 remy (test) <remy at remy.nl>
>>
>> gpg> keytocard
>> Please select where to store the key:
>> (2) Encryption key
>> Your selection? 2
>>
>> sec ed25519/0x2670351E6ECB1A9F
>> created: 2016-09-08 expires: 2016-10-08 usage: SC
>> trust: ultimate validity: ultimate
>> ssb* cv25519/0x59A85A111997E614
>> created: 2016-09-08 expires: 2016-10-08 usage: E
>> [ultimate] (1). c25519 remy (test) <remy at remy.nl>
>>
>> gpg> save
>>
>> Keytocard also works
>>
>> $ gpg --card-status
>>
>> Reader ...........: 234B:0000:FSIJ-1.2.1-87022326:0
>> Application ID ...: D276000124010200FFFE870223260000
>> Version ..........: 2.0
>> Manufacturer .....: unmanaged S/N range
>> Serial number ....: 87022326
>> Name of cardholder: [not set]
>> Language prefs ...: [not set]
>> Sex ..............: unspecified
>> URL of public key : [not set]
>> Login data .......: [not set]
>> Signature PIN ....: not forced
>> Key attributes ...: rsa4096 cv25519 rsa4096
>> Max. PIN lengths .: 127 127 127
>> PIN retry counter : 3 3 3
>> Signature counter : 0
>> Signature key ....: [none]
>> Encryption key....: 80C3 884D 5FEF 484A BE57 E05E 59A8 5A11 1997 E614
>> created ....: 2016-09-08 16:24:36
>> Authentication key: [none]
>> General key info..: sub cv25519/0x59A85A111997E614 2016-09-08 c25519 remy (test) <remy at remy.nl>
>> sec ed25519/0x2670351E6ECB1A9F created: 2016-09-08 expires: 2016-10-08
>> ssb> cv25519/0x59A85A111997E614 created: 2016-09-08 expires: 2016-10-08
>> card-no: FFFE 87022326
>>
>>
>> Afterwards I was able to successfully encrypt a file with another key and
>> use this key on the device to decrypt it. Yay!
>>
>> https://raymii.org
>>
>> On Thu, Sep 8, 2016 at 11:46 AM, Gary <gary at mups.co.uk> wrote:
>>
>>> On 07/09/16 19:54, Remy van Elst wrote:
>>> > One of the nice things now is that I can put a 4096 bit key on the card, yay:
>>> >
>>> [snip]
>>> > Generating the key on the card fails however:
>>> >
>>> [snip]
>>>
>>> Although I could be mistaken, I seem to recall it mentioned that the
>>> gnuk does not have enough memory to be able to generate a 4096 key on
>>> the card itself but works fine if you generate on another machine then
>>> upload.
>>>
>>> I didn't try generating a key on the gnuk itself; I just uploaded my
>>> existing 4096 key to mine and, other than a bit of a delay (6-8
>>> seconds or so) for signing, it works great :)
>>>
>>> Gary
>>>
>>> _______________________________________________
>>> gnuk-users mailing list
>>> gnuk-users at lists.alioth.debian.org
>>> https://lists.alioth.debian.org/mailman/listinfo/gnuk-users
>>>
>>
>>
>
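After a keytocard the host keeps only a stub of the subkey (the `ssb>` marker in the edit-key listing) and `gpg --card-status` reports the fingerprint now held in the card's encryption slot. The check below, an added example rather than anything from the thread or from GnuPG, parses both outputs (constructed here from the session quoted above) and confirms they describe the same subkey: for a v4 OpenPGP key the 16-hex-digit keyid is the low 64 bits of the fingerprint, so the slot fingerprint must end in a keyid the host marks as stored on the card.

```python
import re

# Constructed samples, abridged from the card-status and edit-key output quoted above.
CARD_STATUS = """\
Key attributes ...: rsa4096 cv25519 rsa4096
Signature key ....: [none]
Encryption key....: 80C3 884D 5FEF 484A BE57 E05E 59A8 5A11 1997 E614
Authentication key: [none]
"""
KEY_LISTING = """\
sec ed25519/0x2670351E6ECB1A9F created: 2016-09-08 expires: 2016-10-08
ssb> cv25519/0x59A85A111997E614 created: 2016-09-08 expires: 2016-10-08
"""

SLOT_RE = re.compile(r"^(Signature|Encryption|Authentication) key\s*\.*:\s*(.+)$", re.M)
STUB_RE = re.compile(r"^ssb>\s+(\w+)/0x([0-9A-Fa-f]{16})", re.M)


def card_key_fingerprints(card_status: str) -> dict:
    """Map each card slot to its 40-hex fingerprint, or None when the slot is empty."""
    slots = {}
    for m in SLOT_RE.finditer(card_status):
        value = m.group(2).strip()
        slots[m.group(1)] = None if value == "[none]" else value.replace(" ", "").upper()
    return slots


def subkeys_on_card(key_listing: str) -> dict:
    """Return {keyid: algorithm} for subkeys whose secret part is a card stub (ssb>)."""
    return {m.group(2).upper(): m.group(1) for m in STUB_RE.finditer(key_listing)}


def check_keytocard(card_status: str, key_listing: str, slot: str = "Encryption") -> bool:
    """True iff the given card slot holds a key that the host listing marks as on-card."""
    fpr = card_key_fingerprints(card_status).get(slot)
    if fpr is None or len(fpr) != 40:
        return False
    return fpr[-16:] in subkeys_on_card(key_listing)   # v4 keyid == last 64 bits of fingerprint


if __name__ == "__main__":
    print("encryption slot matches host stub:", check_keytocard(CARD_STATUS, KEY_LISTING))
    print("signature slot populated:", check_keytocard(CARD_STATUS, KEY_LISTING, "Signature"))
```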