Use larger partition sizes to fix #149.

drduh 2019-12-30 15:22:39 -08:00
parent 9bc4e6b24e
commit be7addad3c
1 changed files with 22 additions and 21 deletions

@ -185,7 +185,7 @@ Open the terminal and install required software packages.
```console ```console
$ sudo apt update $ sudo apt update
$ sudo apt install -y gnupg2 gnupg-agent dirmngr cryptsetup scdaemon pcscd secure-delete hopenpgp-tools yubikey-personalization $ sudo apt install -y wget gnupg2 gnupg-agent dirmngr cryptsetup scdaemon pcscd secure-delete hopenpgp-tools yubikey-personalization
``` ```
## Arch ## Arch
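Review bot: adding `wget` to the Debian/Ubuntu install line is unrelated to the partition-size fix named in the commit message and lives in a different section; consider splitting it into its own commit, and check that the other distributions' package lists (the Arch section that follows, the OpenBSD `pkg_add` line further down) get the same dependency if a later download step relies on it.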
@ -324,7 +324,7 @@ You'll be prompted to enter and verify a passphrase - keep it handy as you'll ne
To generate a strong passphrase which could be written down in a hidden or secure place; or memorized: To generate a strong passphrase which could be written down in a hidden or secure place; or memorized:
```console ```console
$ gpg --gen-random -a 0 24 $ gpg --gen-random --armor 0 24
ydOmByxmDe63u7gqx2XI9eDgpvJwibNH ydOmByxmDe63u7gqx2XI9eDgpvJwibNH
``` ```
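Review bot: the `-a` to `--armor` change is cosmetic and the sample output stays valid (24 random bytes base64-encode to the 32 characters shown). While touching this line, document why quality level `0`, the lowest of the three levels `gpg --gen-random` offers, is acceptable for the passphrase that protects the master key, or use level `2` in the example.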
@ -767,7 +767,7 @@ $ gpg -o \path\to\dir\sub.gpg --armor --export-secret-subkeys $KEYID
Once keys are moved to YubiKey, they cannot be moved again! Create an **encrypted** backup of the keyring and consider using a [paper copy](https://www.jabberwocky.com/software/paperkey/) of the keys as an additional backup measure. Once keys are moved to YubiKey, they cannot be moved again! Create an **encrypted** backup of the keyring and consider using a [paper copy](https://www.jabberwocky.com/software/paperkey/) of the keys as an additional backup measure.
**Tip**: The ext2 filesystem (without encryption) can be mounted on both Linux and OpenBSD. **Tip** The ext2 filesystem (without encryption) can be mounted on both Linux and OpenBSD. Consider using a FAT32/NTFS filesystem for MacOS/Windows compatibility instead.
**Linux** **Linux**
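Review bot: the new tip should say which volume it applies to. It sits directly after the instruction to create an encrypted backup, yet it talks about ext2 or FAT32/NTFS "without encryption", which only makes sense for the unencrypted public-key partition; a reader could take it as permission to store the keyring backup unencrypted. Also spell it `macOS`, matching "On macOS" used later in this file.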
@ -821,7 +821,7 @@ Partition type
Select (default p): Select (default p):
Partition number (1-4, default 1): Partition number (1-4, default 1):
First sector (2048-62980095, default 2048): First sector (2048-62980095, default 2048):
Last sector, +sectors or +size{K,M,G,T,P} (2048-62980095, default 62980095): +10M Last sector, +sectors or +size{K,M,G,T,P} (2048-62980095, default 62980095): +25M
Created a new partition 1 of type 'Linux' and of size 10 MiB. Created a new partition 1 of type 'Linux' and of size 10 MiB.
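Review bot: the `+25M` change leaves the next transcript line reading `Created a new partition 1 of type 'Linux' and of size 10 MiB.`, which contradicts the new input; fdisk reports the size it actually allocated, so update that line to `25 MiB` so the sample output matches what the reader will see.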
@ -883,7 +883,7 @@ $ sudo cp onerng_3.6-1_all.deb /mnt/encrypted-usb
Keep the backup mounted if you plan on setting up two or more keys as `keytocard` **will [delete](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html) the local copy** on save. Keep the backup mounted if you plan on setting up two or more keys as `keytocard` **will [delete](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html) the local copy** on save.
Otherwise, unmount and disconnected the encrypted volume: Unmount, close and disconnected the encrypted volume:
```console ```console
$ sudo umount /mnt/encrypted-usb $ sudo umount /mnt/encrypted-usb
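Review bot: `disconnected` should be the imperative `disconnect` in the rewritten sentence (`Unmount, close and disconnect the encrypted volume:`). Dropping `Otherwise` also removes the link to the preceding sentence, which tells the reader to keep the volume mounted when provisioning more than one key; `Otherwise, unmount, close and disconnect ...` keeps the two instructions from reading as contradictory.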
@ -905,7 +905,7 @@ Partition type
Select (default p): Select (default p):
Partition number (2-4, default 2): Partition number (2-4, default 2):
First sector (22528-31116287, default 22528): First sector (22528-31116287, default 22528):
Last sector, +sectors or +size{K,M,G,T,P} (22528-31116287, default 31116287): +10M Last sector, +sectors or +size{K,M,G,T,P} (22528-31116287, default 31116287): +25M
Created a new partition 2 of type 'Linux' and of size 10 MiB. Created a new partition 2 of type 'Linux' and of size 10 MiB.
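Review bot: the second fdisk transcript has the same mismatch as the first: the input is now `+25M` but the following line still says `Created a new partition 2 of type 'Linux' and of size 10 MiB.`; change it to `25 MiB`.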
@ -1074,7 +1074,7 @@ Use GPG to configure YubiKey as a smartcard:
$ gpg --card-edit $ gpg --card-edit
Reader ...........: Yubico Yubikey 4 OTP U2F CCID Reader ...........: Yubico Yubikey 4 OTP U2F CCID
Application ID ...: D2760001240102010006055532110000 Application ID ...: D2760001240102010006055532110000
Version ..........: 2.1 Version ..........: 3.4
Manufacturer .....: Yubico Manufacturer .....: Yubico
Serial number ....: 05553211 Serial number ....: 05553211
Name of cardholder: [not set] Name of cardholder: [not set]
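Review bot: bumping `Version` to `3.4` while leaving `Application ID ...: D2760001240102010006055532110000` unchanged makes the transcript internally inconsistent: in an OpenPGP card AID the two bytes after the `D27600012401` prefix carry the application version, and `0201` there still says 2.1. A card reporting 3.4 would show `...0103040006...`; either update the AID to match or keep the version at 2.1. The reader line `Yubico Yubikey 4 OTP U2F CCID` also still describes a YubiKey 4, which implements OpenPGP card 2.1; 3.4 support came with later YubiKey 5 firmware.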
@ -1151,7 +1151,7 @@ Login data (account name): doc@duh.to
gpg/card> list gpg/card> list
Application ID ...: D2760001240102010006055532110000 Application ID ...: D2760001240102010006055532110000
Version ..........: 2.1 Version ..........: 3.4
Manufacturer .....: unknown Manufacturer .....: unknown
Serial number ....: 05553211 Serial number ....: 05553211
Name of cardholder: Dr Duh Name of cardholder: Dr Duh
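Review bot: the AID on this `list` output still encodes version 2.1 (the `0201` following the `D27600012401` prefix is the OpenPGP application version), so showing `Version ..........: 3.4` beside it is inconsistent; change the AID to `...0103040006...` or leave the version alone. The unchanged context line `Manufacturer .....: unknown` also disagrees with `Yubico` shown for the same serial number in the other transcripts and could be fixed in the same pass.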
@ -1161,7 +1161,7 @@ URL of public key : [not set]
Login data .......: doc@duh.to Login data .......: doc@duh.to
Private DO 4 .....: [not set] Private DO 4 .....: [not set]
Signature PIN ....: not forced Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127 Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3 PIN retry counter : 3 0 3
Signature counter : 0 Signature counter : 0
@ -1346,10 +1346,10 @@ $ doas pkg_add gnupg pcsc-tools
$ doas mount /dev/sd2b /mnt $ doas mount /dev/sd2b /mnt
``` ```
Import the public key: Import the public key file:
```console ```console
$ gpg --import /mnt/pubkey.txt $ gpg --import /mnt/0x*txt
gpg: key 0xFF3E7D88647EBCDB: public key "Dr Duh <doc@duh.to>" imported gpg: key 0xFF3E7D88647EBCDB: public key "Dr Duh <doc@duh.to>" imported
gpg: Total number processed: 1 gpg: Total number processed: 1
gpg: imported: 1 gpg: imported: 1
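Review bot: `/mnt/0x*txt` assumes the export step earlier in the guide writes the public key as `0x<KEYID>.txt`, which this diff does not show; make sure the export command uses that exact naming, and prefer the explicit `0x*.txt` so the glob cannot match unrelated files. Since the glob is unquoted, every matching file is handed to `gpg --import`, which is fine but worth saying if more than one key may be on the volume.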
@ -1408,8 +1408,9 @@ Remove and re-insert YubiKey and check the status:
```console ```console
$ gpg --card-status $ gpg --card-status
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240102010006055532110000 Application ID ...: D2760001240102010006055532110000
Version ..........: 2.1 Version ..........: 3.4
Manufacturer .....: Yubico Manufacturer .....: Yubico
Serial number ....: 05553211 Serial number ....: 05553211
Name of cardholder: Dr Duh Name of cardholder: Dr Duh
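Review bot: the new `Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00` line describes a YubiKey 5-style device while the earlier transcript in this file still says `Yubico Yubikey 4 OTP U2F CCID`, and the unchanged AID `D2760001240102010006055532110000` still encodes OpenPGP version 2.1 in its version bytes (`0201` after the `D27600012401` prefix) even though `Version` now reads `3.4`. Pick one device and make the reader string, AID and version agree across all three card transcripts.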
@ -1418,7 +1419,7 @@ Sex ..............: unspecified
URL of public key : [not set] URL of public key : [not set]
Login data .......: doc@duh.to Login data .......: doc@duh.to
Signature PIN ....: not forced Signature PIN ....: not forced
Key attributes ...: 4096R 4096R 4096R Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127 Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3 PIN retry counter : 3 3 3
Signature counter : 0 Signature counter : 0
@ -1585,7 +1586,7 @@ pinentry-program /usr/bin/pinentry-curses
**Tip** Set `pinentry-program /usr/bin/pinentry-gnome3` for a GUI-based prompt. If the _pinentry_ graphical dialog doesn't show and you get this error: `sign_and_send_pubkey: signing failed: agent refused operation`, you may need to install the `dbus-user-session` package and restart the computer for the `dbus` user session to be fully inherited; this is because behind the scenes, `pinentry` complains about `No $DBUS_SESSION_BUS_ADDRESS found`, falls back to `curses` but doesn't find the expected `tty`. **Tip** Set `pinentry-program /usr/bin/pinentry-gnome3` for a GUI-based prompt. If the _pinentry_ graphical dialog doesn't show and you get this error: `sign_and_send_pubkey: signing failed: agent refused operation`, you may need to install the `dbus-user-session` package and restart the computer for the `dbus` user session to be fully inherited; this is because behind the scenes, `pinentry` complains about `No $DBUS_SESSION_BUS_ADDRESS found`, falls back to `curses` but doesn't find the expected `tty`.
On macOS, use `brew install pinentry-mac` and set the program path to `pinentry-program /usr/local/bin/pinentry-mac` On macOS, use `brew install pinentry-mac` and set the program path to `pinentry-program /usr/local/bin/pinentry-mac` or `pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac` if using MacGPG Suite.
## Replace agents ## Replace agents
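Review bot: the rewritten macOS sentence ends without a full stop. The product name is also "GPG Suite"; MacGPG2 is the gpg build it ships, which is where the `/usr/local/MacGPG2/...` path comes from, so "if using GPG Suite" is the accurate wording.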
@ -1599,7 +1600,7 @@ export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
gpg-connect-agent updatestartuptty /bye > /dev/null gpg-connect-agent updatestartuptty /bye > /dev/null
``` ```
On modern systems, you can use the following instead, as `gpgconf --list-dirs agent-ssh-socket` will automatically set `SSH_AUTH_SOCK` to the correct value; and is therefore typically better than hard-coding to `run/user/$UID/gnupg/S.gpg-agent.ssh`, if available: On modern systems, `gpgconf --list-dirs agent-ssh-socket` will automatically set `SSH_AUTH_SOCK` to the correct value and is better than hard-coding to `run/user/$UID/gnupg/S.gpg-agent.ssh`, if available:
```console ```console
export GPG_TTY="$(tty)" export GPG_TTY="$(tty)"
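Review bot: the reworded sentence says `gpgconf --list-dirs agent-ssh-socket` "will automatically set `SSH_AUTH_SOCK`", but gpgconf only prints the socket path; the `export SSH_AUTH_SOCK=...` line in the block below is what sets the variable. Say it "prints the correct socket path" instead. The hard-coded alternative is also quoted as `run/user/$UID/gnupg/S.gpg-agent.ssh` without the leading `/`, unlike the `/run/user/...` form in the context line above.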
@ -1668,7 +1669,7 @@ debug1: Authentication succeeded (publickey).
[...] [...]
``` ```
**Note** To make multiple connections or securely transfer many files, consider using the [ControlMaster](https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing) ssh option. Also see [drduh/config/ssh_config](https://github.com/drduh/config/blob/master/ssh_config). **Tip** To make multiple connections or securely transfer many files, consider using the [ControlMaster](https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing) ssh option. Also see [drduh/config/ssh_config](https://github.com/drduh/config/blob/master/ssh_config).
## Import SSH keys ## Import SSH keys
@ -1683,7 +1684,7 @@ $ ssh-add ~/.ssh/id_rsa && rm ~/.ssh/id_rsa
When invoking `ssh-add`, it will prompt for the SSH key's passphrase if present, then the `pinentry` program will prompt and confirm for a new passphrase to use to encrypt the converted key within the GPG key store. When invoking `ssh-add`, it will prompt for the SSH key's passphrase if present, then the `pinentry` program will prompt and confirm for a new passphrase to use to encrypt the converted key within the GPG key store.
The migrated key should be listed in `ssh-add -l`: The migrated key will be listed in `ssh-add -l`:
```console ```console
$ ssh-add -l $ ssh-add -l
@ -1802,10 +1803,10 @@ $ doas reboot
## Windows ## Windows
Windows can already have some virtual smartcard readers installed, like the one provided for Windows Hello. To ensure your YubiKey is the correct one used by scdaemon, you should add it to its configuration. You will need your device's full name. To find out what is your device's full name, plug your YubiKey, open the Device Manager, select "View->Show hidden devices". Go to the Software Devices list, you should see something like `Yubico YubiKey OTP+FIDO+CCID 0`. The name slightly differs according to the model. Thanks to [Scott Hanselman](https://www.hanselman.com/blog/HowToSetupSignedGitCommitsWithAYubiKeyNEOAndGPGAndKeybaseOnWindows.aspx) for sharing this information. Windows can already have some virtual smartcard readers installed, like the one provided for Windows Hello. To ensure your YubiKey is the correct one used by scdaemon, you should add it to its configuration. You will need your device's full name. To find out what is your device's full name, plug your YubiKey, open the Device Manager, select "View > Show hidden devices". Go to the Software Devices list, you should see something like `Yubico YubiKey OTP+FIDO+CCID 0`. The name slightly differs according to the model. Thanks to [Scott Hanselman](https://www.hanselman.com/blog/HowToSetupSignedGitCommitsWithAYubiKeyNEOAndGPGAndKeybaseOnWindows.aspx) for sharing this information.
* Create or edit %APPDATA%/gnupg/scdaemon.conf, add `reader-port <your yubikey device's full name>`. * Create or edit `%APPDATA%/gnupg/scdaemon.conf` to add `reader-port <your yubikey device's full name>`
* In %APPDATA%/gnupg/gpg-agent.conf, add: * Edit `%APPDATA%/gnupg/gpg-agent.conf` to add:
``` ```
enable-ssh-support enable-ssh-support
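Review bot: the newly backticked paths use forward slashes (`%APPDATA%/gnupg/scdaemon.conf`); on Windows the conventional form readers will paste into Explorer or Notepad is `%APPDATA%\gnupg\scdaemon.conf`. The first bullet also lost its terminating period while the second keeps its colon, and "plug your YubiKey" in the paragraph should read "plug in your YubiKey".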
@ -1821,7 +1822,7 @@ enable-putty-support
* Enter `> gpg --card-status` to see YubiKey details. * Enter `> gpg --card-status` to see YubiKey details.
* Import the [public key](#export-public-key): `> gpg --import <path to public key file>` * Import the [public key](#export-public-key): `> gpg --import <path to public key file>`
* Trust it: [Trust master key](#trust-master-key) * [Trust the master key](#trust-master-key)
* Retrieve the public key id: `> gpg --list-public-keys` * Retrieve the public key id: `> gpg --list-public-keys`
* Export the SSH key from GPG: `> gpg --export-ssh-key <public key id>` * Export the SSH key from GPG: `> gpg --export-ssh-key <public key id>`