【yubikey】yubikey实用教程

yubikey 实用教程

GPG

续签

导入 master private key

gpg --import private.key

生成为期一年的各种 sub private key

PS C:\Users\Nyove> gpg --expert  --edit-key [data expunged]
gpg (GnuPG) 2.3.6; Copyright (C) 2021 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/[data expunged]
     created: 2021-06-07  expires: never       usage: C
     trust: unknown       validity: unknown
ssb  ed25519/[data expunged]
     created: 2021-06-07  expired: 2022-06-07  usage: S
     card-no: 0006 16059699
ssb  ed25519/[data expunged]
     created: 2021-06-07  expired: 2022-06-07  usage: A
     card-no: 0006 16059699
ssb  cv25519/[data expunged]
     created: 2021-06-07  expired: 2022-06-07  usage: E
     card-no: 0006 16059699
[ unknown] (1). Canarypwn ([data expunged]) <nyovelt@outlook.com>

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
Your selection? 10
Please select which elliptic curve you want:
   (1) Curve 25519 *default*
   (2) Curve 448
   (3) NIST P-256
   (4) NIST P-384
   (5) NIST P-521
   (6) Brainpool P-256
   (7) Brainpool P-384
   (8) Brainpool P-512
   (9) secp256k1
Your selection? 1
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at 6/19/2023 5:26:10 PM China Standard Time
Is this correct? (y/N) y
Really create? (y/N) y
gpg: AllowSetForegroundWindow(1516) failed: Access is denied.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa4096/[data expunged]
     created: 2021-06-07  expires: never       usage: C
     trust: unknown       validity: unknown
ssb  ed25519/[data expunged]
     created: 2021-06-07  expired: 2022-06-07  usage: S
     card-no: 0006 16059699
ssb  ed25519/[data expunged]
     created: 2021-06-07  expired: 2022-06-07  usage: A
     card-no: 0006 16059699
ssb  cv25519/[data expunged]
     created: 2021-06-07  expired: 2022-06-07  usage: E
     card-no: 0006 16059699
ssb  ed25519/[data expunged]
     created: 2022-06-19  expires: 2023-06-19  usage: S
[ unknown] (1). Canarypwn (Alex Qin) <nyovelt@outlook.com>

gpg> key 4 # 直到有选定的 key 有 * 号

sec  rsa4096/[data expunged]
     created: 2021-06-07  expires: never       usage: C
     trust: unknown       validity: unknown
ssb  ed25519/[data expunged]
     created: 2021-06-07  expired: 2022-06-07  usage: S
     card-no: 0006 16059699
ssb  ed25519/[data expunged]
     created: 2021-06-07  expired: 2022-06-07  usage: A
     card-no: 0006 16059699
ssb  cv25519/[data expunged]
     created: 2021-06-07  expired: 2022-06-07  usage: E
     card-no: 0006 16059699
ssb* ed25519/[data expunged]
     created: 2022-06-19  expires: 2023-06-19  usage: S
[ unknown] (1). Canarypwn ([data expunged]) <nyovelt@outlook.com>

gpg> keytocard
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

之后如法炮制,生成并转移 Signature, Encryption and Authentication.

经过 gpg --card-edit 检查确认无误

最后记得 save

续命

还是进入 edit key 界面, 逐一选中要虚名的 subkeys 然后 expire 之后 save

Reset

Windows

PS C:\Program Files\Yubico\YubiKey Manager> ./ykman openpgp reset
WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y
Resetting OpenPGP data, don't remove the YubiKey...
Success! All data has been cleared and default PINs are set.
PIN:         123456
Reset code:  NOT SET
Admin PIN:   12345678

Windows

Install GPG4Win

choco install gpg4win

Import GPG public key from yubikey

gpg --card-edit
fetch # Get public key from your yubikey

Config your Git

git config --global user.signingkey <key>   # 配置 Git 签名
git config commit.gpgsign true # 当前仓库签名 (strongly suggest)
# or
# git config --global commit.gpgsign true
# git config commit.gpgsign false
git config --global gpg.program "<InstallPath>/GnuPG/bin/gpg.exe"

这里墙裂推荐单独在 git 文件夹下开启 gpgsign 不然就太脏了

Reference

comments powered by Disqus