Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 73 |
1 files changed, 45 insertions, 28 deletions
@@ -27,6 +27,7 @@ If you have a comment or suggestion, please open an [Issue](https://github.com/d * [Authentication](#authentication) * [Add extra emails](#add-extra-emails) - [Verify](#verify) +- [Create a revoke certificate](#create-a-revoke-certificate) - [Export](#export) - [Backup](#backup) - [Configure Smartcard](#configure-smartcard) @@ -326,6 +327,8 @@ An entropy pool value greater than 2000 is sufficient. # Creating keys +## Using a temporary file system (Tmpfs) + Create a temporary directory which will be cleared on [reboot](https://en.wikipedia.org/wiki/Tmpfs): ```console @@ -334,6 +337,19 @@ $ export GNUPGHOME=$(mktemp -d) $ cd $GNUPGHOME ``` +## Use the Storage Device as backup and reusable enviroment + +As you may want to keep a offline backup of your keys as well as a clean enviroment to be set up easily, you also might consider to keep your USB-Storage device including the keys in a save place. Therefore, just set your desired GNUPGHOME-Variable: + +```console +$ export GNUPGHOME=~/gnupg-workspace + +$ cd $GNUPGHOME +``` +**Remember** You must store the device in a secure place afterwards or destroy it physically (smash, burn, shred etc.) + +## Harden your setup + Create a hardened configuration in the temporary directory with the following options: ```console 
@@ -843,6 +859,20 @@ $ gpg -o \path\to\dir\mastersub.gpg --armor --export-secret-keys $KEYID $ gpg -o \path\to\dir\sub.gpg --armor --export-secret-subkeys $KEYID ``` +# Create a revoke certificate + +Although we will backup and store the master key in a safe place, it is best practice to never rule out the possibility of losing it or having the backup fail. Without the master key it will be impossible to renew or rotate subkeys or generate a revoke certificate, our keychain will be basically useless. + +Even worse, we cannot advertise this fact in any way to those that are using our keys. It is therefore safe to assume that at some point in the future this *will* happen and the only thing that will allow us to deprecate our *orphan* keys is a revoke certificate. + +In order to create the revoke certificate: + +``` console +gpg --output revoke.asc --gen-revoke $KEYID +``` + +The newly created `revoke.asc` file should be stored (or printed) in a place that allows us to retrieve it in case our backup strategy fails. + # Backup Once keys are moved to YubiKey, they cannot be moved again! Create an **encrypted** backup of the keyring and consider using a [paper copy](https://www.jabberwocky.com/software/paperkey/) of the keys as an additional backup measure. 
@@ -2117,38 +2147,24 @@ To use a single identity with multiple YubiKeys - or to replace a lost card with $ gpg-connect-agent "scd serialno" "learn --force" /bye ``` -Alternatively, you could manually delete the GnuPG shadowed key - where the card serial number is stored (see [GnuPG #T2291](https://dev.gnupg.org/T2291)). - -Find the `Keygrip` number of each key: - -```console -$ gpg --with-keygrip -k $KEYID -pub rsa4096/0xFF3E7D88647EBCDB 2017-10-09 [C] - Key fingerprint = 011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB - Keygrip = 7A20855980A62C10569DE893157F38A696B1300E -uid [ ultime ] Dr Duh <doc@duh.to> -sub rsa4096/0xBECFA3C1AE191D15 2017-10-09 [S] [expires: 2018-10-09] - Keygrip = 85D44BD52AD45C0852BD15BF41161EE9AE477398 -sub rsa4096/0x5912A795E90DD2CF 2017-10-09 [E] [expires: 2018-10-09] - Keygrip = A0AA3D9F626BDEA3B833F290C7BCA79216C8A996 -sub rsa4096/0x3F29127E79649A3D 2017-10-09 [A] [expires: 2018-10-09] - Keygrip = 7EF25A1115294342F451BC1CDD0FA94395F2D074 -``` +Alternatively, you could delete via a script the GnuPG shadowed key - where the card serial number is stored (see [GnuPG #T2291](https://dev.gnupg.org/T2291)). -Delete all the shadow keys using their `Keygrip` number: +Put it somewhere in your `$PATH`. E.g.: ```console -$ cd ~/.gnupg/private-keys-v1.d - -$ rm 85D44BD52AD45C0852BD15BF41161EE9AE477398.key \ - A0AA3D9F626BDEA3B833F290C7BCA79216C8A996.key \ - 7EF25A1115294342F451BC1CDD0FA94395F2D074.key -``` - -Insert the new YubiKey and re-generate shadow-keys by checking card status: +$ cat >> ~/.scripts/remove-keygrips.sh <<EOF +#!/usr/bin/env bash +test ! "$@" && echo "Specify a key." 
&& exit 1 +KEYGRIPS="$(gpg --with-keygrip --list-secret-keys $@ | grep Keygrip | awk '{print $3}')" +for keygrip in $KEYGRIPS +do + rm "$HOME/.gnupg/private-keys-v1.d/$keygrip.key" 2> /dev/null +done -```console -$ gpg --card-status +gpg --card-status +EOF +$ chmod +x ~/.scripts/remove-keygrips.sh +$ remove-keygrips.sh $KEYID ``` See discussion in Issues [#19](https://github.com/drduh/YubiKey-Guide/issues/19) and [#112](https://github.com/drduh/YubiKey-Guide/issues/112) for more information and troubleshooting steps. @@ -2286,6 +2302,7 @@ $ ykman openpgp reset - If it still fails, it may be useful to stop the background `sshd` daemon process service on the server (e.g. using `sudo systemctl stop sshd`) and instead start it in the foreground with extensive debugging output, using `/usr/sbin/sshd -eddd`. Note that the server will not fork and will only process one connection, therefore has to be re-started after every `ssh` test. +- If you receive the error, `Please insert the card with serial number: *` see [management of multiple keys](#multiple-keys). # Links |
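Review bot: in the table-of-contents hunk (@@ -27) the new entry `[Create a revoke certificate]` is listed between Verify and Export, but the section itself is added after the export commands and directly before `# Backup`. Move the entry below `[Export]` so the contents follow the document order. The usual term is "revocation certificate"; consider using it in the heading and the anchor.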
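Review bot: the "Use the Storage Device as backup" section (@@ -326) sets `GNUPGHOME=~/gnupg-workspace`, which is a directory under the user's home on the host, not a path on a storage device, so as written the secret keys end up on the host disk instead of in tmpfs or on removable media. Point the variable at the mounted device, or state that the home directory is expected to live on that device, and add the step that creates the directory, because `cd $GNUPGHOME` fails when it does not exist. The sentence after "Harden your setup" still says "in the temporary directory", which no longer holds for this variant. Typos to fix: "enviroment" (twice), "a offline", "save place".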
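Review bot: the "Create a revoke certificate" section (@@ -843) writes `revoke.asc` to the current directory and does not say that the file has to be kept apart from the master key backup, nor that anyone who holds it can revoke the key. State both, since the section's premise is that the backup itself may fail. The command also lacks the `$` prompt used by the other console blocks, and the fence opener has a space before `console`.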
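Review bot: the heredoc started by `cat >> ~/.scripts/remove-keygrips.sh <<EOF` (@@ -2117) is unquoted, so the interactive shell expands `$@`, `$(gpg ...)`, `$KEYGRIPS`, `$HOME`, `$keygrip` and awk's `$3` while the file is being written, and the saved script is not the one shown. Use `<<'EOF'`, and `>` instead of `>>` so repeating the step does not append a second copy. The loop also deletes the file for every `Keygrip` line, including the primary key's, whereas the removed instructions deleted only the three subkey files; with `2> /dev/null` hiding errors, a primary secret key that is present on disk would be removed silently, so restrict the loop to the subkeys. Smaller points: `test ! "$@"` misbehaves with more than one argument (check `$#` instead), `$@` is unquoted in the `gpg` call, the path hard-codes `$HOME/.gnupg` although the guide sets `GNUPGHOME`, and the text assumes `~/.scripts` exists and is on `$PATH`.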
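Review bot: in the added troubleshooting bullet (@@ -2286) the comma sits after "error" and not after the quoted message; write "If you receive the error `Please insert the card with serial number: *`, see ...". Please also confirm that `#multiple-keys` resolves to the heading of the multiple-YubiKeys section, since that heading is not part of this patch.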