Using the Yubikey 5 NFC with GPG keys

I have two Yubikeys: a Yubico Security Key NFC, which has a limited feature set, and a Yubikey 5 NFC. I use the U2F function of both as the second factor for logging in to services that support the protocol.

The Yubikey 5 NFC, however, can also act as a smart card.

So, having generated a GPG master key and three subkeys, each with a single dedicated purpose, I need to move the subkeys' private keys onto the Yubikey.

Prerequisites

This is simply my environment: Windows 10 with Git Bash installed, using the gpg command that ships with it, currently version 2.2.29.


david@DESKTOP-David MINGW64 ~
$ gpg --version
gpg (GnuPG) 2.2.29-unknown
libgcrypt 1.9.3-unknown
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /c/Users/david/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

On this system there is already a master key with the Certify capability and three subkeys with the Sign, Encrypt and Auth capabilities respectively. The master key's private key has already been stashed away and is no longer present on the system.

Key expiry

Master key: 10 years.
Subkeys: 2 years.


Key algorithms

Master key: RSA 4096
Subkeys: Curve25519 (ed25519 for Sign and Auth, cv25519 for Encrypt)

Hands-on

Open a Git Bash window and plug in the Yubikey 5 NFC.

david@DESKTOP-David MINGW64 /d/yin/davidyin.key.d
$ gpg -K  # list secret keys
/c/Users/david/.gnupg/pubring.kbx
---------------------------------
sec#  rsa4096 2021-11-18 [C] [expires: 2031-11-21]
      3DACA9F369840781B0A8D96E4E7983E6303EE209
uid           [ultimate] DavidYin 
ssb   ed25519 2021-11-18 [S] [expires: 2023-11-23]
ssb   cv25519 2021-11-18 [E] [expires: 2023-11-23]
ssb   ed25519 2021-11-18 [A] [expires: 2023-11-23]


david@DESKTOP-David MINGW64 /d/yin/davidyin.key.d
$ gpg -k  # list public keys
/c/Users/david/.gnupg/pubring.kbx
---------------------------------
pub   rsa4096 2021-11-18 [C] [expires: 2031-11-21]
      3DACA9F369840781B0A8D96E4E7983E6303EE209
uid           [ultimate] DavidYin 
sub   ed25519 2021-11-18 [S] [expires: 2023-11-23]
sub   cv25519 2021-11-18 [E] [expires: 2023-11-23]
sub   ed25519 2021-11-18 [A] [expires: 2023-11-23]
In the listing above, the hash sign after sec means that the master key's private key is not on this system; only a stub is in the keyring.
Next, check what is on the Yubikey.

david@DESKTOP-David MINGW64 /d/yin/davidyin.key.d
$ gpg --card-status
Reader ...........: Yubico YubiKey OTP FIDO CCID 0
Application ID ...: Dxxxxxxxxxxxxxx0000  # redacted by hand
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: xxxxxxxx   # redacted by hand
Name of cardholder: David Yin
Language prefs ...: en
Salutation .......: Mr.
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
In that output all three key slots are empty, and Key attributes still shows the card's default of rsa2048 for each slot; gpg adjusts these to match the key algorithm when it writes the ed25519/cv25519 subkeys. If the card is still at its factory PINs (User PIN 123456, Admin PIN 12345678), change both before putting any keys on it.
Now to move the subkeys in.

$ gpg --edit-key davidyin
gpg (GnuPG) 2.2.29-unknown; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret subkeys are available.

pub  rsa4096/4E7983E6303EE209
     created: 2021-11-18  expires: 2031-11-21  usage: C
     trust: ultimate      validity: ultimate
ssb  ed25519/4F4D78D0254310EF
     created: 2021-11-18  expires: 2023-11-23  usage: S
ssb  cv25519/28638F7ECD4CAD1B
     created: 2021-11-18  expires: 2023-11-23  usage: E
ssb  ed25519/C8D3F14461F2B128
     created: 2021-11-18  expires: 2023-11-23  usage: A
[ultimate] (1). DavidYin 

gpg> key 1 # select the first subkey; once selected, an asterisk appears after its ssb

pub  rsa4096/4E7983E6303EE209
     created: 2021-11-18  expires: 2031-11-21  usage: C
     trust: ultimate      validity: ultimate
ssb* ed25519/4F4D78D0254310EF
     created: 2021-11-18  expires: 2023-11-23  usage: S
ssb  cv25519/28638F7ECD4CAD1B
     created: 2021-11-18  expires: 2023-11-23  usage: E
ssb  ed25519/C8D3F14461F2B128
     created: 2021-11-18  expires: 2023-11-23  usage: A
[ultimate] (1). DavidYin 

gpg> keytocard  # move the selected key onto the card
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

pub  rsa4096/4E7983E6303EE209
     created: 2021-11-18  expires: 2031-11-21  usage: C
     trust: ultimate      validity: ultimate
ssb* ed25519/4F4D78D0254310EF
     created: 2021-11-18  expires: 2023-11-23  usage: S
ssb  cv25519/28638F7ECD4CAD1B
     created: 2021-11-18  expires: 2023-11-23  usage: E
ssb  ed25519/C8D3F14461F2B128
     created: 2021-11-18  expires: 2023-11-23  usage: A
[ultimate] (1). DavidYin 

gpg> key 1  # deselect the first subkey
gpg> key 2  # select the second subkey
gpg> keytocard
Please select where to store the key:
   (2) Encryption key
Your selection? 2
gpg> key 2 # deselect the second subkey
gpg> key 3 # select the third subkey
gpg> keytocard
Please select where to store the key:
   (3) Authentication key
Your selection? 3

gpg> quit
Save changes? (y/N) y
Along the way you are prompted for the key's passphrase and then for the Yubikey's Admin PIN (not the User PIN; the factory default is 12345678), and the keyring is updated when you answer y to Save changes. Keep in mind that keytocard is a move, not a copy: once saved, the local copy is replaced by a stub, and a private key can never be read back out of the Yubikey, so the backups described under Security arrangements below must already exist.
With all three subkeys written, look again at the Yubikey and at the keyring.



$ gpg --card-status
Reader ...........: Yubico YubiKey OTP FIDO CCID 0
Application ID ...: Dxxxxxxxxxxxxxx00
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: xxxxxxxx
Name of cardholder: David Yin
Language prefs ...: en
Salutation .......: Mr.
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: off
Signature key ....: 9D6B 8BA0 82B0 8ABF 03ED  27CF 4F4D 78D0 2543 10EF
      created ....: 2021-11-18 10:55:50
Encryption key....: 6C2D 1A67 897F C026 32F5  6A4C 2863 8F7E CD4C AD1B
      created ....: 2021-11-18 11:05:56
Authentication key: 80D7 A5D8 C15E 3240 9C4F  5C56 C8D3 F144 61F2 B128
      created ....: 2021-11-18 11:08:55
General key info..: sub  ed25519/4F4D78D0254310EF 2021-11-18 DavidYin 
sec#  rsa4096/4E7983E6303EE209  created: 2021-11-18  expires: 2031-11-21
ssb>  ed25519/4F4D78D0254310EF  created: 2021-11-18  expires: 2023-11-23
                                card-no: 0006 17903989
ssb>  cv25519/28638F7ECD4CAD1B  created: 2021-11-18  expires: 2023-11-23
                                card-no: 0006 17903989
ssb>  ed25519/C8D3F14461F2B128  created: 2021-11-18  expires: 2023-11-23
                                card-no: 0006 17903989
$ gpg -K
/c/Users/david/.gnupg/pubring.kbx
---------------------------------
sec#  rsa4096 2021-11-18 [C] [expires: 2031-11-21]
      3DACA9F369840781B0A8D96E4E7983E6303EE209
uid           [ultimate] DavidYin 
ssb>  ed25519 2021-11-18 [S] [expires: 2023-11-23]
ssb>  cv25519 2021-11-18 [E] [expires: 2023-11-23]
ssb>  ed25519 2021-11-18 [A] [expires: 2023-11-23]
The greater-than sign after each subkey's ssb indicates that the private key is not on the computer but on the Yubikey. Whenever I need one of the subkeys' private keys for something, gpg prompts me to insert the Yubikey to complete the operation.
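To make the "sec#" and "ssb>" check from the two listings above scriptable instead of something to eyeball, here is an added example (my script, not part of the original post) that reads the machine-readable output of gpg -K --with-colons and reports where each secret key actually lives. In that format, field 15 of a sec/ssb record is the token serial number: "#" is a stub with no card, a serial number means the key is on that card, and an empty field means the secret key is in the local keyring. The sample records are constructed to match the key IDs shown above; the timestamps, the uid hash and the card serial CONSTRUCTEDCARD01 are placeholders, not the author's real values.

```shell
#!/bin/sh
# Added example, not from the original post: classify secret keys from
# `gpg -K --with-colons` and fail if anything is still in the local keyring.

# Print one line per secret key: record type, key ID, capabilities, location.
# Field 15 (token S/N): "#" = stub with no card, serial = key is on that card,
# empty = secret key material is in the local keyring.
classify_secret_keys() {
    awk -F: '$1 == "sec" || $1 == "ssb" {
        if ($15 == "#")      where = "offline-stub"
        else if ($15 != "")  where = "on-card:" $15
        else                 where = "local"
        printf "%s %s %s %s\n", $1, $5, $12, where
    }'
}

# Exit 0 only when the primary secret key is a stub (kept off this machine)
# and every subkey is on a card; print what is wrong and exit 1 otherwise.
check_keys_offloaded() {
    classify_secret_keys | awk '
        $1 == "sec" && $4 != "offline-stub" { bad++; print "primary secret key still on this machine: " $2 }
        $1 == "ssb" && $4 !~ /^on-card:/    { bad++; print "subkey not on a card: " $2 }
        END { exit (bad > 0) }'
}

# Constructed sample of `gpg -K --with-colons` after the keytocard steps.
# Key IDs and capabilities follow the post; dates, uid hash and the card
# serial (CONSTRUCTEDCARD01) are placeholders.
SAMPLE_OFFLOADED='sec:u:4096:1:4E7983E6303EE209:1637235000:1952901000::u:::cESCA:::#:::23::0:
fpr:::::::::3DACA9F369840781B0A8D96E4E7983E6303EE209:
uid:u::::1637235000::0000000000000000000000000000000000000000::DavidYin::::::::::0:
ssb:u:255:22:4F4D78D0254310EF:1637235350:1700736000:::::s:::CONSTRUCTEDCARD01::ed25519::
ssb:u:255:18:28638F7ECD4CAD1B:1637235956:1700736000:::::e:::CONSTRUCTEDCARD01::cv25519::
ssb:u:255:22:C8D3F14461F2B128:1637236135:1700736000:::::a:::CONSTRUCTEDCARD01::ed25519::'

# Constructed sample of the same keyring before keytocard: the subkeys'
# secret material is still local, so field 15 is empty.
SAMPLE_BEFORE='sec:u:4096:1:4E7983E6303EE209:1637235000:1952901000::u:::cESCA:::#:::23::0:
ssb:u:255:22:4F4D78D0254310EF:1637235350:1700736000:::::s:::::ed25519::
ssb:u:255:18:28638F7ECD4CAD1B:1637235956:1700736000:::::e:::::cv25519::
ssb:u:255:22:C8D3F14461F2B128:1637236135:1700736000:::::a:::::ed25519::'

# Demo on the constructed sample.  Real use: gpg -K --with-colons | check_keys_offloaded
printf '%s\n' "$SAMPLE_OFFLOADED" | classify_secret_keys
```

After the keytocard session, running gpg -K --with-colons | check_keys_offloaded should exit 0; a non-zero exit names the key that is still held locally. Because the check keys on the serial number, it also catches the case where a subkey was written to a different card than the others.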


Security arrangements

The current arrangement is as follows.
The master key, the revocation certificate, the three subkeys and the public key are on two encrypted USB drives, stored offline and kept in separate places.
On this machine there is only the public key; the subkeys' private keys are on the Yubikey, ready for use at any time.
The Yubico Security Key is kept together with one of the USB drives.

[photo: usb-and-keys.jpg]

Source:

Author: David Yin
Link: https://seo.g2soft.net/2021/11/24/yubikey-5-nfc-gpg.html