Why can't gpg fetch the key stubs from my smart card?
I recently got a Yubikey and loaded keys onto it following the instructions here. gpg reads from and writes to the card successfully, and I can see the key fingerprints from it. However, when I try to fetch the key stubs with `gpg --edit-card` and then `fetch`, nothing happens. There is no error, and my keys don't show up either. When I check `journalctl -f`, there is a message from dirmngr:

```
Apr 14 12:02:25 {snip} gpg-agent[1816]: card has S/N: D27{...snip...}0000
Apr 14 12:02:33 {snip} dirmngr[1823]: command 'KS_GET' failed: Server indicated a failure <Unspecified source>
```
`man gpg` sends me to the gnupg.org documentation, which gives instructions for transferring keys to the card (section 5.2.2) but only says "you can sign, decrypt and encrypt files in the usual way". My end goal is to use `pass` to store passwords securely, but when I try to use it in the usual way I see `gpg: decryption failed: No secret key`. What should I do?
I'm using gnupg version 2.2.15-1 from the Arch Linux core repository. For reference, here is the full listing of my gpg session:
```
$ gpg --list-secret-keys
$ gpg --list-keys
$ gpg --edit-card

Reader ...........: 1050:0407:X:0
Application ID ...: D27{...snip...}0000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 0{...snip...}6
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: 8DD5 {...snip...} C8B3
      created ....: 2019-04-13 23:49:11
Encryption key....: B9B0 {...snip...} 9B22
      created ....: 2019-04-13 23:49:11
Authentication key: 6447 {...snip...} 21C0
      created ....: 2019-04-13 23:53:30
General key info..: [none]

gpg/card> fetch
gpg/card> quit
$ gpg --list-secret-keys
$ gpg --list-keys
```
GPG smart card mini how-to

Short answer
It looks like the keys were copied correctly to the Yubikey smart card. However, the public key is missing from the local keyring. For gpg to work, the public key must be available locally.
There are several ways to import the public key. The smart card, however, has a convenient field for storing a URL where the public key can be found. So if the public key is placed somewhere publicly reachable on the Internet, the `fetch` option in the `gpg/card` menu, or the `--fetch-keys URL` option on the gpg command line, will retrieve the public key and add it to the local keyring.
Once the local keyring knows the public key, the private key stored on the smart card should work normally, with the user PIN that was set being used to unlock the key.
Mini how-to
This tutorial walks through creating a passwordless PGP key set, loading the keys onto a smart card, publishing the public key on the Internet, and basic use of the card.
Note that the key included in this post is a test and demonstration key only. It has no password and can be imported locally by copy-and-paste if needed. However, please do not use this test key for anything other than testing.
GPG version

```
gpg --version
```

```
gpg (GnuPG) 2.2.12
libgcrypt 1.8.4
```

Key generation
Let's generate a key to play with:

```
$ cat << EOF | gpg --gen-key --batch -
> Key-Type: rsa
> Key-Length: 2048
> Key-Usage: sign
> Subkey-Type: rsa
> Subkey-Length: 2048
> Name-Real: demo card
> Name-Comment: DeleteMe
> Name-Email: demo.card@domain.tld
> %no-protection
> %commit
> EOF
```
This is the secret key

```
gpg --armor --export-secret-key demo.card@domain.tld
```
Key listing

```
gpg --edit-key F1663A6A94793987
```

```
Secret key is available.

sec  rsa2048/F1663A6A94793987
     created: 2019-04-15  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/B4559AAA0624A9CF
     created: 2019-04-15  expires: never       usage: SEA
[ultimate] (1). demo card (DeleteMe) <demo.card@domain.tld>
```
Put the public key somewhere online

```
gpg -a --export F1663A6A94793987
```

https://pastebin.com/raw/y8gCBFmH
Add the keys and the URL to the card

```
gpg --edit-card
```

```
gpg/card> url
URL to retrieve public key: https://pastebin.com/raw/y8gCBFmH
```

```
gpg --edit-key F1663A6A94793987
```

```
gpg> keytocard
Really move the primary key? (y/N) y
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

gpg> key 1

sec  rsa2048/F1663A6A94793987
     created: 2019-04-15  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb* rsa2048/B4559AAA0624A9CF
     created: 2019-04-15  expires: never       usage: SEA
[ultimate] (1). demo card (DeleteMe) <demo.card@domain.tld>

gpg> keytocard
Please select where to store the key:
   (1) Signature key
   (2) Encryption key
   (3) Authentication key
Your selection? 2

gpg> save
```
Delete the keys from the keyring

```
gpg --delete-secret-keys F1663A6A94793987
```

```
sec  rsa2048/F1663A6A94793987 2019-04-15 demo card (DeleteMe) <demo.card@domain.tld>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
```

```
gpg --delete-keys F1663A6A94793987
```

```
pub  rsa2048/F1663A6A94793987 2019-04-15 demo card (DeleteMe) <demo.card@domain.tld>

Delete this key from the keyring? (y/N) y
```
A state similar to the OP's

```
gpg --edit-card
```

```
Reader ...........: 04E6:xx:0
Application ID ...: D27600xxxx0190000
Version ..........: 2.1
Manufacturer .....: unknown
Serial number ....: 00000019
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : https://pastebin.com/raw/y8gCBFmH
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: F44A 6EA6 5E82 1743 6E83  E2C2 F166 3A6A 9479 3987
      created ....: 2019-04-15 17:49:25
Encryption key....: EB75 66CA 07FF 9C4F 94ED  9246 B455 9AAA 0624 A9CF
      created ....: 2019-04-15 17:49:25
Authentication key: [none]
General key info..: [none]
```
Using the keys on the card

Retrieve the public key

```
gpg/card> fetch
gpg: requesting key from 'https://pastebin.com/raw/y8gCBFmH'
gpg: key F1663A6A94793987: public key "demo card (DeleteMe) <demo.card@domain.tld>" imported
gpg: Total number processed: 1
gpg:               imported: 1

gpg/card> list

Reader ...........: 04E6:xx:0
Application ID ...: D27600xxxx0190000
Version ..........: 2.1
Manufacturer .....: unknown
Serial number ....: 00000019
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : https://pastebin.com/raw/y8gCBFmH
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: F44A 6EA6 5E82 1743 6E83  E2C2 F166 3A6A 9479 3987
      created ....: 2019-04-15 17:49:25
Encryption key....: EB75 66CA 07FF 9C4F 94ED  9246 B455 9AAA 0624 A9CF
      created ....: 2019-04-15 17:49:25
Authentication key: [none]
General key info..: pub  rsa2048/F1663A6A94793987 2019-04-15 demo card (DeleteMe) <demo.card@domain.tld>
sec>  rsa2048/F1663A6A94793987  created: 2019-04-15  expires: never
                                card-no: 7615 00000019
ssb>  rsa2048/B4559AAA0624A9CF  created: 2019-04-15  expires: never
                                card-no: 7615 00000019
```
Almost usable

```
gpg --edit-key F1663A6A94793987
```

```
Secret key is available.

sec  rsa2048/F1663A6A94793987
     created: 2019-04-15  expires: never       usage: SC
     card-no: 7615 00000019
     trust: unknown       validity: unknown
ssb  rsa2048/B4559AAA0624A9CF
     created: 2019-04-15  expires: never       usage: SEA
     card-no: 7615 00000019
[ unknown] (1). demo card (DeleteMe) <demo.card@domain.tld>
```
What happened to the key's trust?

GPG stores trust separately from the key material. This trust setting is what makes the Web of Trust possible. So when a given key is imported into the local keyring, no trust level is assigned to it. This is easily changed interactively, though.

```
gpg --edit-key F1663A6A94793987
```

```
gpg> trust

sec  rsa2048/F1663A6A94793987
     created: 2019-04-15  expires: never       usage: SC
     card-no: 7615 00000019
     trust: unknown       validity: unknown
ssb  rsa2048/B4559AAA0624A9CF
     created: 2019-04-15  expires: never       usage: SEA
     card-no: 7615 00000019
[ unknown] (1). demo card (DeleteMe) <demo.card@domain.tld>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
```
Now the key is ready

```
gpg --list-key F1663A6A94793987
```

```
pub   rsa2048 2019-04-15 [SC]
      F44A6EA65E8217436E83E2C2F1663A6A94793987
uid           [ultimate] demo card (DeleteMe) <demo.card@domain.tld>
sub   rsa2048 2019-04-15 [SEA]
```
Let's try it out

```
gpg -ear F1663A6A94793987
```

```
Hello there!
-----BEGIN PGP MESSAGE-----

hQEMA7RVmqoGJKnPAQf/V5CAzRCQ8gmAczy5i66e6w93CRYDiJ/1fNfL6ey2lYx2
cu/I3I12455Z8YjnLk3q66LW0gkhaxVX1uhtBXgjglz2RX6wMAYSDMvVs4cfIgq4
VLbW8T2y8ThdXvpGfwtgBgfFV5M2QS46RipXeF5rOCOnGeI8IUuzAC2147/qjcHG
+/wWDaker7NfY8GSgJ8OXd6kTmpZ//1zOTYvJVsE80viByv2Hx42Zu0r6e3KqgeR
qQlNA/zevYYjm4S0tkmxYoDb42gTPClNiHkJa3IXYlwYPzLCSszBsaTfHZdHl7yx
8PshF7fmE/NOO0dhHq2cV+fqPq8uT/VlNcPm3TYNxtJIAfnuTuHcorOuQNh0koML
8WWTIlLbj9OfBsZVsy5cp5ggpSLrCdPYd1g7RzEwRxu8QrWNO+pj2VRTtEZMafXq
XsKGJIgxsbJQ
=nwdE
-----END PGP MESSAGE-----
```

```
gpg -d
```

```
Please unlock the card

Number: 7615 00000019
Holder:

PIN:
gpg: encrypted with 2048-bit RSA key, ID B4559AAA0624A9CF, created 2019-04-15
      "demo card (DeleteMe) <demo.card@domain.tld>"
Hello there!
```
With pass

```
pass init F1663A6A94793987
```

```
mkdir: created directory '/home/user/.password-store/'
Password store initialized for F1663A6A94793987
```

```
pass insert password1
```

```
Enter password for password1: <qwerty>
Retype password for password1: <qwerty>
```

```
pass show password1
```

```
Please unlock the card

Number: 7615 00000019
Holder:

PIN:
qwerty
```
Usage note

If a given password store is initialized with a key that is not on the card, and the key is subsequently moved to the smart card, the script will not be able to find the key.
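The short answer above boils down to one check: does the local keyring hold a public key for each key slot on the card, and if not, can it be fetched from the URL field? The script below is an added example (not code from the answer or from GnuPG) that automates exactly that check and re-verifies after fetching, so a wrong or unreachable URL produces a visible failure instead of the OP's silent `fetch`. It assumes the gpg 2.2 `--card-status --with-colons` record layout (a `url:` record and an `fpr:SIG:ENC:AUTH:` record, with colons in values escaped as `\x3a`); the sample status text is constructed from the answer's card.

```shell
# Added example, not code from the answer: check that every key slot on the
# card has a matching public key in the local keyring, and if not, fetch it
# from the URL stored on the card, as the short answer describes.
# Assumption: gpg 2.2's `--card-status --with-colons` layout (a `url:` record
# and an `fpr:SIG:ENC:AUTH:` record, with ':' in values escaped as \x3a).
# Constructed sample of that output, using the answer's card and fingerprints.
SAMPLE_STATUS='vendor:0006:Yubico:
url:https\x3a//pastebin.com/raw/y8gCBFmH:
fpr:F44A6EA65E8217436E83E2C2F1663A6A94793987:EB7566CA07FF9C4F94ED9246B4559AAA0624A9CF::'

# Print the public-key URL stored on the card (stdin: colon-format status).
card_url() {
    awk -F: '$1 == "url" { gsub(/\\x3a/, ":", $2); print $2 }'
}

# Print the non-empty slot fingerprints (signature, encryption, authentication).
card_fprs() {
    awk -F: '$1 == "fpr" { for (i = 2; i <= 4; i++) if ($i != "") print $i }'
}
# Succeed if the local keyring holds a public key with this fingerprint.
have_pubkey() {
    gpg --batch --list-keys --with-colons "$1" 2>/dev/null | grep -q '^pub:'
}

# Report missing public keys, fetch from the card URL, and re-check so that a
# wrong or unreachable URL (the OP's silent `fetch`) is reported, not hidden.
check_card_keys() {
    status=$(gpg --batch --card-status --with-colons) || return 1
    url=$(printf '%s\n' "$status" | card_url)
    missing=0
    for fpr in $(printf '%s\n' "$status" | card_fprs); do
        if have_pubkey "$fpr"; then echo "present: $fpr"
        else echo "missing: $fpr"; missing=1; fi
    done
    [ "$missing" -eq 0 ] && return 0
    if [ -z "$url" ]; then
        echo "no URL on the card; set one with 'url' in gpg --edit-card" >&2
        return 1
    fi
    gpg --batch --fetch-keys "$url" || return 1
    gpg --batch --card-status >/dev/null   # creates the sec>/ssb> stubs
    for fpr in $(printf '%s\n' "$status" | card_fprs); do
        have_pubkey "$fpr" || { echo "still missing: $fpr" >&2; return 1; }
    done
}

# Offline demo on the constructed sample (no card or gpg needed):
printf '%s\n' "$SAMPLE_STATUS" | card_url
printf '%s\n' "$SAMPLE_STATUS" | card_fprs
```

Run `check_card_keys` with the card inserted; the parsing helpers can be exercised on the sample without any hardware.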