Merge pull request #91 from kalbasit/yubikey_improve-security
Master key should have Certify-capability only!
This commit is contained in:
commit
ae3e9703f9
68
README.md
68
README.md
|
@ -206,17 +206,53 @@ $ gpg --gen-random -a 0 24
|
|||
ydOmByxmDe63u7gqx2XI9eDgpvJwibNH
|
||||
```
|
||||
|
||||
Generate a new key with GPG, selecting `(4) RSA (sign only)` and `4096` bit keysize. Do not set the key to expire - see [Note #3](#notes).
|
||||
Generate a new key with GPG, selecting `(8) RSA (set your own capabilities)`, `Certify`-only and `4096` bit keysize. Do not set the key to expire - see [Note #3](#notes).
|
||||
|
||||
```console
|
||||
$ gpg --full-generate-key
|
||||
$ gpg --expert --full-generate-key
|
||||
|
||||
Please select what kind of key you want:
|
||||
(1) RSA and RSA (default)
|
||||
(2) DSA and Elgamal
|
||||
(3) DSA (sign only)
|
||||
(4) RSA (sign only)
|
||||
Your selection? 4
|
||||
(7) DSA (set your own capabilities)
|
||||
(8) RSA (set your own capabilities)
|
||||
(9) ECC and ECC
|
||||
(10) ECC (sign only)
|
||||
(11) ECC (set your own capabilities)
|
||||
(13) Existing key
|
||||
Your selection? 8
|
||||
|
||||
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
|
||||
Current allowed actions: Sign Certify Encrypt
|
||||
|
||||
(S) Toggle the sign capability
|
||||
(E) Toggle the encrypt capability
|
||||
(A) Toggle the authenticate capability
|
||||
(Q) Finished
|
||||
|
||||
Your selection? e
|
||||
|
||||
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
|
||||
Current allowed actions: Sign Certify
|
||||
|
||||
(S) Toggle the sign capability
|
||||
(E) Toggle the encrypt capability
|
||||
(A) Toggle the authenticate capability
|
||||
(Q) Finished
|
||||
|
||||
Your selection? s
|
||||
|
||||
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
|
||||
Current allowed actions: Certify
|
||||
|
||||
(S) Toggle the sign capability
|
||||
(E) Toggle the encrypt capability
|
||||
(A) Toggle the authenticate capability
|
||||
(Q) Finished
|
||||
|
||||
Your selection? q
|
||||
RSA keys may be between 1024 and 4096 bits long.
|
||||
What keysize do you want? (2048) 4096
|
||||
Requested keysize is 4096 bits
|
||||
|
@ -252,7 +288,7 @@ public and secret key created and signed.
|
|||
|
||||
Note that this key cannot be used for encryption. You may want to use
|
||||
the command "--edit-key" to generate a subkey for this purpose.
|
||||
pub rsa4096/0xFF3E7D88647EBCDB 2017-10-09 [SC]
|
||||
pub rsa4096/0xFF3E7D88647EBCDB 2017-10-09 [C]
|
||||
Key fingerprint = 011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB
|
||||
uid Dr Duh <doc@duh.to>
|
||||
```
|
||||
|
@ -275,7 +311,7 @@ $ gpg --expert --edit-key $KEYID
|
|||
Secret key is available.
|
||||
|
||||
sec rsa4096/0xEA5DE91459B80592
|
||||
created: 2017-10-09 expires: never usage: SC
|
||||
created: 2017-10-09 expires: never usage: C
|
||||
trust: ultimate validity: ultimate
|
||||
[ultimate] (1). Dr Duh <doc@duh.to>
|
||||
```
|
||||
|
@ -323,7 +359,7 @@ disks) during the prime generation; this gives the random number
|
|||
generator a better chance to gain enough entropy.
|
||||
|
||||
sec rsa4096/0xFF3E7D88647EBCDB
|
||||
created: 2017-10-09 expires: never usage: SC
|
||||
created: 2017-10-09 expires: never usage: C
|
||||
trust: ultimate validity: ultimate
|
||||
ssb rsa4096/0xBECFA3C1AE191D15
|
||||
created: 2017-10-09 expires: 2018-10-09 usage: S
|
||||
|
@ -367,7 +403,7 @@ disks) during the prime generation; this gives the random number
|
|||
generator a better chance to gain enough entropy.
|
||||
|
||||
sec rsa4096/0xFF3E7D88647EBCDB
|
||||
created: 2017-10-09 expires: never usage: SC
|
||||
created: 2017-10-09 expires: never usage: C
|
||||
trust: ultimate validity: ultimate
|
||||
ssb rsa4096/0xBECFA3C1AE191D15
|
||||
created: 2017-10-09 expires: 2018-10-09 usage: S
|
||||
|
@ -455,7 +491,7 @@ disks) during the prime generation; this gives the random number
|
|||
generator a better chance to gain enough entropy.
|
||||
|
||||
sec rsa4096/0xFF3E7D88647EBCDB
|
||||
created: 2017-10-09 expires: never usage: SC
|
||||
created: 2017-10-09 expires: never usage: C
|
||||
trust: ultimate validity: ultimate
|
||||
ssb rsa4096/0xBECFA3C1AE191D15
|
||||
created: 2017-10-09 expires: 2018-10-09 usage: S
|
||||
|
@ -476,7 +512,7 @@ List the generated secret keys and verify the output:
|
|||
$ gpg --list-secret-keys
|
||||
/tmp.FLZC0xcM/pubring.kbx
|
||||
-------------------------------------------------------------------------
|
||||
sec rsa4096/0xFF3E7D88647EBCDB 2017-10-09 [SC]
|
||||
sec rsa4096/0xFF3E7D88647EBCDB 2017-10-09 [C]
|
||||
Key fingerprint = 011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB
|
||||
uid Dr Duh <doc@duh.to>
|
||||
ssb rsa4096/0xBECFA3C1AE191D15 2017-10-09 [S] [expires: 2018-10-09]
|
||||
|
@ -782,7 +818,7 @@ $ gpg --edit-key $KEYID
|
|||
Secret key is available.
|
||||
|
||||
sec rsa4096/0xFF3E7D88647EBCDB
|
||||
created: 2017-10-09 expires: never usage: SC
|
||||
created: 2017-10-09 expires: never usage: C
|
||||
trust: ultimate validity: ultimate
|
||||
ssb rsa4096/0xBECFA3C1AE191D15
|
||||
created: 2017-10-09 expires: 2018-10-09 usage: S
|
||||
|
@ -801,7 +837,7 @@ Select and move the signature key. You will be prompted for the key passphrase a
|
|||
gpg> key 1
|
||||
|
||||
sec rsa4096/0xFF3E7D88647EBCDB
|
||||
created: 2017-10-09 expires: never usage: SC
|
||||
created: 2017-10-09 expires: never usage: C
|
||||
trust: ultimate validity: ultimate
|
||||
ssb* rsa4096/0xBECFA3C1AE191D15
|
||||
created: 2017-10-09 expires: 2018-10-09 usage: S
|
||||
|
@ -832,7 +868,7 @@ gpg> key 1
|
|||
gpg> key 2
|
||||
|
||||
sec rsa4096/0xFF3E7D88647EBCDB
|
||||
created: 2017-10-09 expires: never usage: SC
|
||||
created: 2017-10-09 expires: never usage: C
|
||||
trust: ultimate validity: ultimate
|
||||
ssb rsa4096/0xBECFA3C1AE191D15
|
||||
created: 2017-10-09 expires: 2018-10-09 usage: S
|
||||
|
@ -860,7 +896,7 @@ gpg> key 2
|
|||
gpg> key 3
|
||||
|
||||
sec rsa4096/0xFF3E7D88647EBCDB
|
||||
created: 2017-10-09 expires: never usage: SC
|
||||
created: 2017-10-09 expires: never usage: C
|
||||
trust: ultimate validity: ultimate
|
||||
ssb rsa4096/0xBECFA3C1AE191D15
|
||||
created: 2017-10-09 expires: 2018-10-09 usage: S
|
||||
|
@ -886,7 +922,7 @@ Verify the subkeys have moved to YubiKey as indicated by `ssb>`:
|
|||
$ gpg --list-secret-keys
|
||||
/tmp.FLZC0xcM/pubring.kbx
|
||||
-------------------------------------------------------------------------
|
||||
sec rsa4096/0xFF3E7D88647EBCDB 2017-10-09 [SC]
|
||||
sec rsa4096/0xFF3E7D88647EBCDB 2017-10-09 [C]
|
||||
Key fingerprint = 011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB
|
||||
uid Dr Duh <doc@duh.to>
|
||||
ssb> rsa4096/0xBECFA3C1AE191D15 2017-10-09 [S] [expires: 2018-10-09]
|
||||
|
@ -1008,7 +1044,7 @@ $ gpg --edit-key $KEYID
|
|||
Secret key is available.
|
||||
|
||||
gpg> trust
|
||||
pub 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never usage: SC
|
||||
pub 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never usage: C
|
||||
trust: unknown validity: unknown
|
||||
sub 4096R/0xBECFA3C1AE191D15 created: 2017-10-09 expires: 2018-10-09 usage: S
|
||||
sub 4096R/0x5912A795E90DD2CF created: 2017-10-09 expires: 2018-10-09 usage: E
|
||||
|
@ -1028,7 +1064,7 @@ Please decide how far you trust this user to correctly verify other users' keys
|
|||
Your decision? 5
|
||||
Do you really want to set this key to ultimate trust? (y/N) y
|
||||
|
||||
pub 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never usage: SC
|
||||
pub 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never usage: C
|
||||
trust: ultimate validity: unknown
|
||||
sub 4096R/0xBECFA3C1AE191D15 created: 2017-10-09 expires: 2018-10-09 usage: S
|
||||
sub 4096R/0x5912A795E90DD2CF created: 2017-10-09 expires: 2018-10-09 usage: E
|
||||
|
|
Loading…
Reference in New Issue