在 Gentoo 中使用 Yubikey PGP 卡
來自專欄 Linux
13 人贊了文章
本文環境
- OS:Gentoo
- 內核:4.9.76
- gpg (GnuPG): 2.2.4
- yubikey-manager: 0.6.0
- pcsc-tools: 1.4.27
什麼是 PGP 卡?
在加密技術中,PGP 卡是一種智能卡,這種智能卡可以執行加密、解密、數字簽名/驗證、認證等任務。它允許我們安全地存儲密鑰。私鑰和密碼不能用任何命令或功能從卡上讀取,但是可以將新密鑰寫入到卡上覆蓋舊密鑰。Yubikey 裡面有 PGP 卡的功能,因此可以將密鑰安全地存進去,使得我們的密鑰有一個物理設備的載體,類似於銀行的 U 盾。
軟體安裝
Yubikey 相關的包都被 Gentoo 標記為 Masked,所以首先是要解除掉才能安裝:
# vim /etc/portage/package.accept_keywords/yubikey
將以下內容填入:
# required by app-crypt/yubikey-manager-0.6.0::gentoo# required by app-crypt/yubikey-manager (argument)=dev-python/pyusb-1.0.2 ~amd64# required by app-crypt/yubikey-manager (argument)=app-crypt/yubikey-manager-0.6.0 ~amd64# required by app-crypt/yubikey-manager-0.6.0::gentoo# required by app-crypt/yubikey-manager (argument)=dev-python/pyscard-1.9.5 ~amd64# required by sys-apps/pcsc-tools-1.4.27::gentoo# required by pcsc-tools (argument)=dev-perl/pcsc-perl-1.4.14 ~amd64# required by pcsc-tools (argument)=sys-apps/pcsc-tools-1.4.27 ~amd64
安裝 yubikey-manager:
# emerge --ask app-crypt/yubikey-manager
安裝 pcsc-tools:
# emerge --ask pcsc-tools
連接設備
因為本人是的桌面環境是 awesome,因此需要禁用 OTP 功能,只啟用 U2F、CCID:
$ ykpersonalize -m5
注意: 在其它桌面環境中,如啟用全部 3 個功能只需要 ykpersonalize -m6 即可。
啟動 pcscd 守護進程:
# systemctl start pcscd.socket
測試連接:
$ pcsc_scanPC/SC device scannerV 1.4.27 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>Compiled with PC/SC lite version: 1.8.22Using reader plugn play mechanismScanning present readers...0: Yubico Yubikey 4 U2F+CCID 00 00Tue Apr 24 14:46:32 2018Reader 0: Yubico Yubikey 4 U2F+CCID 00 00...$ gpg-connect-agent --hex "scd apdu 00 f1 00 00" /byeD[0000] 04 03 07 90 00 .....OK
編輯 PGP 卡信息
$ gpg --card-editReader ...........: Yubico Yubikey 4 U2F CCID 00 00Application ID ...: D2760001240102010006069500550000Version ..........: 2.1Manufacturer .....: YubicoSerial number ....: 06950055Name of cardholder: [not set]Language prefs ...: [not set]Sex ..............: unspecifiedURL of public key : [not set]Login data .......: [not set]Signature PIN ....: not forcedKey attributes ...: rsa2048 rsa2048 rsa2048Max. PIN lengths .: 127 127 127PIN retry counter : 3 0 3Signature counter : 0Signature key ....: [none]Encryption key....: [none]Authentication key: [none]General key info..: [none]
設置密碼等信息,默認的 PIN 是 123456,PUK 是 12345678:
gpg/card> adminAdmin commands are allowedgpg/card> passwdgpg: OpenPGP card no. D2760001240102010006069500550000 detected1 - change PIN2 - unblock PIN3 - change Admin PIN4 - set the Reset CodeQ - quitYour selection? 1PIN changed.1 - change PIN2 - unblock PIN3 - change Admin PIN4 - set the Reset CodeQ - quitYour selection? 3PIN changed.1 - change PIN2 - unblock PIN3 - change Admin PIN4 - set the Reset CodeQ - quitYour selection? 4Reset Code set.1 - change PIN2 - unblock PIN3 - change Admin PIN4 - set the Reset CodeQ - quitYour selection? qgpg/card>
設置個人信息:
gpg/card> nameCardholders surname: LocezCardholders given name: Locezgpg/card> langLanguage preferences: zhgpg/card> sexSex ((M)ale, (F)emale or space): Mgpg/card> loginLogin data (account name): Locezgpg/card>Reader ...........: Yubico Yubikey 4 U2F CCID 00 00Application ID ...: D2760001240102010006069500550000Version ..........: 2.1Manufacturer .....: YubicoSerial number ....: 06950055Name of cardholder: Locez LocezLanguage prefs ...: zhSex ..............: maleURL of public key : [not set]Login data .......: LocezSignature PIN ....: not forcedKey attributes ...: rsa2048 rsa2048 rsa2048Max. PIN lengths .: 127 127 127PIN retry counter : 3 3 3Signature counter : 0Signature key ....: [none]Encryption key....: [none]Authentication key: [none]General key info..: [none]gpg/card>
生成與導入 key
生成 PGP 主密鑰:
$ gpg --full-generate-keygpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.This is free software: you are free to change and redistribute it.There is NO WARRANTY, to the extent permitted by law.gpg: directory /home/locez/.gnupg createdgpg: keybox /home/locez/.gnupg/pubring.kbx createdPlease select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only)Your selection? 1RSA keys may be between 1024 and 4096 bits long.What keysize do you want? (2048) 4096Requested keysize is 4096 bitsPlease specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n yearsKey is valid for? (0) 0Key does not expire at allIs this correct? (y/N) yGnuPG needs to construct a user ID to identify your key.Real name: LocezEmail address: loki.a@live.cnComment: You selected this USER-ID: "Locez <loki.a@live.cn>"Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? oWe need to generate a lot of random bytes. It is a good idea to performsome other action (type on the keyboard, move the mouse, utilize thedisks) during the prime generation; this gives the random numbergenerator a better chance to gain enough entropy.
此時可以動動滑鼠鍵盤讓他收集足夠的隨機數據。
生成一個用於認證的子密鑰:
$ gpg --expert --edit-key Locezgpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.This is free software: you are free to change and redistribute it.There is NO WARRANTY, to the extent permitted by law.gpg> addkey
然後跟著嚮導進行選擇就可以了,通常是選擇 (8) RSA (set your own capabilities) ,然後 4096 位密鑰 其中子密鑰對的類型選擇應該如下:
Possible actions for a RSA key: Sign Encrypt AuthenticateCurrent allowed actions: Sign Encrypt #此處顯示的為該子密鑰可以使用的用途, #通過多次選擇下面的開關進行調整 (S) Toggle the sign capability (E) Toggle the encrypt capability (A) Toggle the authenticate capability (Q) FinishedYour selection?
然後重複上面的操作再次添加一個用於簽名的子密鑰,最終效果大概如下,使用 save 命令保存退出:
gpg: checking the trustdbgpg: marginals needed: 3 completes needed: 1 trust model: pgpgpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1upub rsa4096/AAAAAAAAAAAAAAAA created: 2018-04-24 expires: never usage: SC trust: ultimate validity: ultimatessb rsa4096/BBBBBBBBBBBBBBBB created: 2018-04-24 expires: never usage: Essb rsa4096/CCCCCCCCCCCCCCCC created: 2018-04-24 expires: never usage: Assb rsa4096/DDDDDDDDDDDDDDDD created: 2018-04-24 expires: never usage: S[ultimate] (1). Locez <loki.a@live.cn>
備份公鑰與私鑰
當我們把密鑰導入 Yubikey 的時候,我們就無法取出密鑰,因此在導入之前最好備份 備份主密鑰私鑰:
$ gpg --export-secret-key --armor Locez >> master.key
備份主密鑰公鑰:
$ gpg -a --export Locez >> master.pub
當然也可以對單獨子密鑰進行備份,語法如下:
gpg --export-secret-subkeys --armor DDDDDDDDDDDDDDDD >> sign.key
DDDDDDDDDDDDDDDD 為子密鑰的指紋信息。子密鑰公鑰當然也可以單獨導出,但是在導出主密鑰公鑰的時候其實已經把子密鑰公鑰導出了,因此可以不必重複備份。
導入進 Yubikey
備份做好以後,就可以將 RSA 密鑰導入進 Yubikey 了,通常不建議直接將主密鑰導入,因此在本文除了主密鑰外,另外有三個子密鑰用於導入進 Yubikey。
採用 key index 語法選擇或者取消選擇密鑰,主密鑰為 0, 其它依次遞增,被選中會有星號。
gpg> key 1ssb* rsa4096/BBBBBBBBBBBBBBBB created: 2018-04-24 expires: never usage: E
然後接著:
gpg> keytocardSignature key ....: [none]Encryption key....: [none]Authentication key: [none]Please select where to store the key: (2) Encryption keyYour selection? 2
取消選擇子密鑰 1 並選擇子密鑰 2:
gpg> key 1gpg> key 2gpg> keytocardSignature key ....: [none]Encryption key....: BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB Authentication key: [none]Please select where to store the key: (3) Authentication keyYour selection? 3
重複操作,直至把 3 個子密鑰都導入進 Yubikey,最後 save 命令保存,當你看到多了這樣的 card-no 字樣即表面導入成功:
gpg --edit-key Locezgpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.This is free software: you are free to change and redistribute it.There is NO WARRANTY, to the extent permitted by law.Secret key is available.sec rsa4096/AAAAAAAAAAAAAAAA created: 2018-04-24 expires: never usage: SC trust: ultimate validity: ultimatessb rsa4096/BBBBBBBBBBBBBBBB created: 2018-04-24 expires: never usage: E card-no: 0000 00000001ssb rsa4096/CCCCCCCCCCCCCCCC created: 2018-04-24 expires: never usage: A card-no: 00000 00000001ssb rsa4096/DDDDDDDDDDDDDDDD created: 2018-04-24 expires: never usage: S card-no: 000000 00000001[ultimate] (1). Locez <loki.a@live.cn>
刪除主密鑰私鑰
通常,為了保證安全,日常操作採用子密鑰足以,主密鑰私鑰應該離線保存在一個非常安全的地方,對的就是剛剛備份的那些東西需要離線存儲,例如找個保險柜,此時先刪除主密鑰私鑰:
$ gpg --delete-secret-key Locezgpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.This is free software: you are free to change and redistribute it.There is NO WARRANTY, to the extent permitted by law.sec rsa4096/AAAAAAAAAAAAAAAA 2018-04-24 Locez <loki.a@live.cn>Delete this key from the keyring? (y/N) yThis is a secret key! - really delete? (y/N) y
還可通過輸入以下命令進行確認, sec 後的 # 即表明主密鑰私鑰不可用:
$ gpg -K/home/locez/.gnupg/pubring.kbxsec# rsa4096 2018-04-24 [SC] AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAuid [ultimate] Locez <loki.a@live.cn>ssb> rsa4096 2018-04-24 [E]ssb> rsa4096 2018-04-24 [A]ssb> rsa4096 2018-04-24 [S]
同樣輸入 gpg --edit-key Locez 會看到 Secret subkeys are available. 字樣,是子密鑰可用,而不是原來的主密鑰了。
簡單測試
為了驗證卡片寫入成功,做個簡單的測試,先拔掉 Yubikey:
$ echo "Hello, this is a test" > test$ gpg --output test.en -se test You did not specify a user ID. (you may use "-r")Current recipients:Enter the user ID. End with an empty line: LocezCurrent recipients:rsa4096/BBBBBBBBBBBBBBBB 2018-04-24 "Locez <loki.a@live.cn>"Enter the user ID. End with an empty line:
空行結束,然後會要求你插入 Yubikey 並輸入 PIN 進行加密。
解密如下:
gpg --decrypt test.engpg: encrypted with 4096-bit RSA key, ID BBBBBBBBBBBBBBBB, created 2018-04-24 "Locez <loki.a@live.cn>"Hello, this is a testgpg: Signature made Tue 24 Apr 2018 09:08:28 PM CSTgpg: using RSA key BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBgpg: Good signature from "Locez <loki.a@live.cn>" [ultimate]
參考資料
- https://developers.yubico.com/PGP/
- https://en.wikipedia.org/wiki/OpenPGP_card
- https://wiki.archlinux.org/index.php/GnuPG
- https://zhuanlan.zhihu.com/p/24103240
推薦閱讀:
※有哪些適合舊電腦且對新手友好的Linux發行版?
※GCC的參數-march=native是如何獲取cpu類型和指令集的?
※Ubuntu伺服器上配置NFS的一個坑
※黑客伴侶1——nmap網路嗅探
※想學習Linux源碼,哪些方法值得一試?