gedankensplitter/gnuk.md

---
keywords:
  - IT
  - Security
  - Hardware token
---
## gpg usage
```bash
add to gpg.conf: keyserver hkps://keys.openpgp.org
gpg --refresh-keys
```
### IMHO
I think this is more or less dead. GnuPG does have a bad stand because of its bad implementation (Debian tries to omit it, git(hub) allows to sign with a ssh key instead of gpg) It is a dinosaur, familiar, powerful but ancient. Like IPsec, it is based on the understanding of security of the 90s.
PGP is the idea, that a person has a digital identity to protect the personal data. And at that time the smartcard was the safest place.

However, it is allowed for VS-NfD and it is the successor for Chiasmus, so it will live longer. ( https://gnupg.com/gnupg-desktop.de.html)
with the rise of wireguard and the sake of simplicity and therefore some missing comforts, it is clear that we should limit security solutions to a proper, but yet simple cipher suite. There is no option to weaken or disable the suite, it is just on or off.

The hardware itself is not safe at all. It is just a microcontroller which even can't protect successfully the no-readout flag. If you loose your GNUK you need to revoke the key, which is a pain.
- the user interaction button is not easy to implement to different 'plue pill' schematics, STM32 clones, unclear firmware code
- the encasement is for STLinkV2 clones acceptable
- due fake STM32 firmware updates fails
- original one about 50€ 
    - https://shop.fsf.org/storage-devices/neug-usb-true-random-number-generator
    - https://www.gniibe.org/memo/development/fst-01/distributing-fst-01sz.html
    - https://www.gniibe.org/memo/development/fst-01/fst-01-revision-sz.html
    - https://www.gniibe.org/memo/development/read-out-protection/flash-rop.html
    - https://blog.thestaticturtle.fr/lets-make-a-diy-gpg-usb-key/

You could however use a Masterkey deployment, which adds overhead to your key handling. 
 - secure storage place for the decrypted OS
 - a proper hardware system to keep it locked away
 - a proper air-gap OS update process
 - multiple hardware tokens
 - mostly terminal based work to renew all of that
 - currently no UIX to respect KISS

alternative is:
- File encryption: https://github.com/FiloSottile/age https://github.com/FiloSottile/age/discussions/432
- File signing: https://github.com/jedisct1/minisign/
- Mail encryption: as intermediate solution: p≡p and a workaround: https://de.wikipedia.org/wiki/Autocrypt and DKIM by the mail provider
- git commit sign https://github.com/git/git/pull/1041
- linux login: pam-poldi --> pam-u2f
- full disk encryption Luks2: --> TPM2 + PIN (for device bundled storage) or FIDO2 based
- SSH:FIDO2 openssh native support
## Gnuk
offical Repo: https://salsa.debian.org/gnuk-team

The GNUK is a STM32 based hardware token which implements the openpgp specification. The reference hardware is the FST-01, which is no longer sold. 
It is possible to buy the hardware, common hardware is the STLink V2 adapter or the 'blue pill' development board. For the german market it is easier to use the nitrokey start:
https://github.com/Nitrokey/nitrokey-start-firmware
https://github.com/Nitrokey/nitrokey-start-hardware

GNUK is based on chopstx (µC OS) and this is related to neuG (STM32 ADC rng ).

Passport-opensc:[ https://javacardos.com/tools/passport]( https://javacardos.com/tools/passport)
Black pill pin : https://user-images.githubusercontent.com/13839872/43411278-5f35afd8-9432-11e8-9385-cdd8d3db298d.png


https://hackaday.io/project/162597/logs
the page mentioning a single free PA pin, the PA5. All other Pins seems to be PBs. 
However, chopstx defines the boards and the ack-button. That leads to two places where to patch things. Within the boards definition where is a comments segment, afterwards somehow a pin definition. 

Black Pill change for LED, maybe backport to gnuk
[https://github.com/gl-sergei/u2f-token/issues/9#issuecomment-408945987](https://hackaday.io/project/162597/logs)
schematics
https://s14-eu5.startpage.com/cgi-bin/serveimage?url=https:%2F%2Fembdev.net%2Fwikifiles_en%2Fthumb%2F0%2F09%2FStlink-clone-pinout.JPG%2F800px-Stlink-clone-pinout.JPG&sp=d29ef3816d5c329afdec6221d7c4c7ca
[new] https://gist.github.com/rot42/cd6ff46be45f0b7d7cd461a7bcc14d79

----------mailgroup questions----------------
get random data from gnuk more than 32byte?
https://raw.githubusercontent.com/comio/comio-overlay/master/app-crypt/scdtools/files/scdrand.service
https://github.com/vletoux/OpenPGP-CSP/issues
https://incenp.org/dvlpt/scdtools.html

```
echo scd random 32 | gpg-connect-agent | xxd
```
--------------—
### best practise
Nutzer PIN erst mit Zertifikat
adminless Modus mit PIN über 8 Zeichen, User Pin min 6 Zeichen PIN

#### regnual firmware upgrade
```bash
koelner ~/src/gnuk/tool $./upgrade_by_passwd.py ../regnual/regnual.bin ../src/build/gnuk.bin
Admin password: 
../regnual/regnual.bin: 4432
../src/build/gnuk.bin: 111616
CRC32: b548ca7b

Device: 
Configuration: 1
Interface: 0
./upgrade_by_passwd.py:160: DeprecationWarning: tostring() is deprecated. Use tobytes() instead.
  main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])
20002a00:20005000
Downloading flash upgrade program...
start 20002a00
end   20003b00
Run flash upgrade program...
Waiting for device to appear:
  Wait 1 second...
  Wait 1 second...
  Wait 1 second...
  Wait 1 second...
  Wait 1 second...
Device: 
08001000:0bfffc00
Downloading the program
start 08001000
end   0801b400
Protecting device
Finish flashing
Resetting device
Update procedure finished

koelner ~/src/gnuk/tool $./usb_strings.py 
    Vendor: Free Software Initiative of Japan
   Product: Gnuk Token
    Serial: FSIJ-1.2.13-87123119
  Revision: release/1.2.13-1-g3d06051-modified
    Config: ST_DONGLE:dfu=no:debug=no:pinpad=no:certdo=yes:factory_reset=yes
       Sys: 3.0
```

#### openocd firmware flash
```
Make Gnuk
cm@system-legacy:~/src/gnuk/src$ ./configure --vidpid=234b:0000 --target=BLUE_PILL --enable-factory-reset --enable-certdo
./configure --vidpid=234b:0000 --target=ST_DONGLE --enable-factory-reset --enable-certdo --disable-sys1-compat
cm@system-legacy:~/src/gnuk/src$ make -j4
cm@system-legacy:~/src/gnuk/src$ make build/gnuk-vidpid.elf


Flash Gnuk
0. build it like descibed in the offical documentation.
1. connect STLink and then the blue pill itself (GND, 3.3V SWDCLK, SWDIO)
2. use openocd 

$ openocd -f interface/stlink-v2.cfg -f target/stm32f1x_stlink.cfg  -OR-
$ openocd -f interface/stlink-v2.cfg -f target/stm32f1x.cfg

3. telnet to openocd server
cm@system-legacy:~/src$ telnet 127.0.0.1 4444
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Open On-Chip Debugger
> stm32f1x unlock 0
device id = 0x20036410
flash size = 64kbytes
Target not halted
> reset halt
target halted due to debug-request, current mode: Thread 
xPSR: 0x01000000 pc: 0x08000250 msp: 0x20005000
> stm32f1x unlock 0
target halted due to breakpoint, current mode: Thread 
xPSR: 0x61000000 pc: 0x2000003a msp: 0x20005000
stm32x unlocked.
INFO: a reset or power cycle is required for the new settings to take effect.
> reset halt
target halted due to debug-request, current mode: Thread 
xPSR: 0x01000000 pc: 0x08000250 msp: 0x20005000
> flash write_bank 0 /home/cm/src/gnuk/src/build/gnuk-vidpid.bin 0
flash write algorithm aborted by target
flash write failed at address 0x8000002
flash memory not erased before writing
error writing to flash at address 0x08000000 at offset 0x00000000
> stm32f1x mass_erase 0
stm32f1x mass erase complete
> flash write_bank 0 /home/cm/src/gnuk/src/build/gnuk-vidpid.bin 0
target halted due to breakpoint, current mode: Thread 
xPSR: 0x61000000 pc: 0x2000003a msp: 0x20005000
wrote 114688 bytes from file /home/cm/src/gnuk/src/build/gnuk-vidpid.bin to flash bank 0 at offset 0x00000000 in 3.447206s (32.490 KiB/s)
> reset halt
target halted due to debug-request, current mode: Thread 
xPSR: 0x01000000 pc: 0x08003264 msp: 0x20005000
> stm32f1x lock 0
target halted due to breakpoint, current mode: Thread 
xPSR: 0x61000000 pc: 0x2000003a msp: 0x20005000
stm32x locked
> reset
> shutdown
shutdown command invoked
Connection closed by foreign host.
```
one liner
```
openocd -f interface/stlink.cfg \
-c 'transport select hla_swd' \
-f target/stm32f1x.cfg \
-c 'adapter_speed 400' \
-c init \
-c 'reset halt' \
-c 'stm32f1x unlock 0' \
-c 'reset halt' \
-c 'stm32f1x mass_erase 0' \
-c 'flash write_bank 0 /home/koelner/Downloads/gnuk.bin 0' \
-c 'stm32f1x lock 0' \
-c reset \
-c shutdown
```

#### links
https://github.com/gl-sergei/u2f-token
https://riseup.net/en/security/message-security/openpgp/best-practices
https://blog.josefsson.org/tag/openpgp/

## gnuk root key station 

rpi zero WH 1.1, CPU-Kühler, USB-A Mod, USB Hub Hat, 1.44 LCD with Buttons
Optional hardware: NeuG as TRNG, keyboard, RTC

OS: DietPi
additional installed software: vim.tiny, vim, stress, gnupg, libccid, opensc, scdaemon, pinentry-tty, rng-tools [http://webhome.phy.duke.edu/~rgb/General/dieharder.php, pam-poldi, keysafe]

activate timedatectl 4
register i2c-rtc and usb-serial, login with dietpi:dietpi

```
root@gnupg-root:~# cat hwmon-ds3231.sh 
#!/usr/bin/env bash
rtctemp=$(cat /sys/class/i2c-adapter/i2c-1/1-0068/hwmon/hwmon0/temp1_input)
rtctemp=$(bc -l <<< "$rtctemp / 1000")
echo "RTC temp = $rtctemp"
```
```
root@gnupg-root:~# cat hwmon-ds3231.sh 
#!/usr/bin/env bash
rtctemp=$(cat /sys/class/i2c-adapter/i2c-1/1-0068/hwmon/hwmon0/temp1_input)
echo  "$rtctemp / 1000" | bc
echo "RTC temp = $rtctemp"
```

First run
Check for RNG pool
create encrypted storage for the gpg folder [on a removable device]
	-with long passphrase
	-with the master key and PIN (afterwards)
init gpg settings
create master key
	-export as QR-Code for printing (on a SDcard, USB Stick)
	-copy it to GNUK token
	-N-of-M sharing
	-USB-Stick
create hash over gpg folder and sign it
remount as read-only 

regulary base
Unmount encrypted storage before update
update only via terminal/(ssh)


--------------
[GUI] Main task are:
-unlock encrypted storage
-copy revocation certificate to unencrypted storage
-renew the sub key
-copy subkey to GNUK
-lock encrypted storage
-renew disable date
[GUI DEBUG]
-upgrade GNUK firmware
	-git update
	-git verify
	-configure
	-make
	-upgrade via publickey
-reinit GNUK token with saved openpgp data
tags 2022-02-01 20:34:39 +00:00			`---`
			`keywords:`
			`- IT`
minor writeups 2022-02-26 16:32:15 +00:00			`- Security`
gnuk token 2022-09-02 08:23:52 +00:00			`- Hardware token`
tags 2022-02-01 20:34:39 +00:00			`---`
unknown 2022-06-09 19:50:05 +00:00			`## gpg usage`
			```bash
			`add to gpg.conf: keyserver hkps://keys.openpgp.org`
			`gpg --refresh-keys`
			```
gnuk token 2022-09-02 08:23:52 +00:00			`### IMHO`
			`I think this is more or less dead. GnuPG does have a bad stand because of its bad implementation (Debian tries to omit it, git(hub) allows to sign with a ssh key instead of gpg) It is a dinosaur, familiar, powerful but ancient. Like IPsec, it is based on the understanding of security of the 90s.`
			`PGP is the idea, that a person has a digital identity to protect the personal data. And at that time the smartcard was the safest place.`

			`However, it is allowed for VS-NfD and it is the successor for Chiasmus, so it will live longer. ( https://gnupg.com/gnupg-desktop.de.html)`
			`with the rise of wireguard and the sake of simplicity and therefore some missing comforts, it is clear that we should limit security solutions to a proper, but yet simple cipher suite. There is no option to weaken or disable the suite, it is just on or off.`

			`The hardware itself is not safe at all. It is just a microcontroller which even can't protect successfully the no-readout flag. If you loose your GNUK you need to revoke the key, which is a pain.`
			`- the user interaction button is not easy to implement to different 'plue pill' schematics, STM32 clones, unclear firmware code`
			`- the encasement is for STLinkV2 clones acceptable`
			`- due fake STM32 firmware updates fails`
			`- original one about 50€`
			`- https://shop.fsf.org/storage-devices/neug-usb-true-random-number-generator`
			`- https://www.gniibe.org/memo/development/fst-01/distributing-fst-01sz.html`
			`- https://www.gniibe.org/memo/development/fst-01/fst-01-revision-sz.html`
			`- https://www.gniibe.org/memo/development/read-out-protection/flash-rop.html`
			`- https://blog.thestaticturtle.fr/lets-make-a-diy-gpg-usb-key/`

			`You could however use a Masterkey deployment, which adds overhead to your key handling.`
			`- secure storage place for the decrypted OS`
			`- a proper hardware system to keep it locked away`
			`- a proper air-gap OS update process`
			`- multiple hardware tokens`
			`- mostly terminal based work to renew all of that`
			`- currently no UIX to respect KISS`

			`alternative is:`
			`- File encryption: https://github.com/FiloSottile/age https://github.com/FiloSottile/age/discussions/432`
			`- File signing: https://github.com/jedisct1/minisign/`
minor 2023-01-14 15:54:44 +00:00			`- Mail encryption: as intermediate solution: p≡p and a workaround: https://de.wikipedia.org/wiki/Autocrypt and DKIM by the mail provider`
gnuk token 2022-09-02 08:23:52 +00:00			`- git commit sign https://github.com/git/git/pull/1041`
minor 2023-01-14 15:54:44 +00:00			`- linux login: pam-poldi --> pam-u2f`
			`- full disk encryption Luks2: --> TPM2 + PIN (for device bundled storage) or FIDO2 based`
gnuk token 2022-09-02 08:23:52 +00:00			`- SSH:FIDO2 openssh native support`
tags 2022-02-01 20:34:39 +00:00			`## Gnuk`
gnuk token 2022-09-02 08:23:52 +00:00			`offical Repo: https://salsa.debian.org/gnuk-team`

			`The GNUK is a STM32 based hardware token which implements the openpgp specification. The reference hardware is the FST-01, which is no longer sold.`
			`It is possible to buy the hardware, common hardware is the STLink V2 adapter or the 'blue pill' development board. For the german market it is easier to use the nitrokey start:`
			`https://github.com/Nitrokey/nitrokey-start-firmware`
			`https://github.com/Nitrokey/nitrokey-start-hardware`

			`GNUK is based on chopstx (µC OS) and this is related to neuG (STM32 ADC rng ).`

migration progress 2022-01-29 19:41:03 +00:00			`Passport-opensc:[ https://javacardos.com/tools/passport]( https://javacardos.com/tools/passport)`
migration process 2022-01-17 18:43:45 +00:00			`Black pill pin : https://user-images.githubusercontent.com/13839872/43411278-5f35afd8-9432-11e8-9385-cdd8d3db298d.png`
migration progress 2022-01-29 19:41:03 +00:00
migration process 2022-01-17 18:43:45 +00:00
			`https://hackaday.io/project/162597/logs`
			`the page mentioning a single free PA pin, the PA5. All other Pins seems to be PBs.`
			`However, chopstx defines the boards and the ack-button. That leads to two places where to patch things. Within the boards definition where is a comments segment, afterwards somehow a pin definition.`

			`Black Pill change for LED, maybe backport to gnuk`
migration progress 2022-01-29 19:41:03 +00:00			`[https://github.com/gl-sergei/u2f-token/issues/9#issuecomment-408945987](https://hackaday.io/project/162597/logs)`
migration process 2022-01-17 18:43:45 +00:00			`schematics`
			`https://s14-eu5.startpage.com/cgi-bin/serveimage?url=https:%2F%2Fembdev.net%2Fwikifiles_en%2Fthumb%2F0%2F09%2FStlink-clone-pinout.JPG%2F800px-Stlink-clone-pinout.JPG&sp=d29ef3816d5c329afdec6221d7c4c7ca`
			`[new] https://gist.github.com/rot42/cd6ff46be45f0b7d7cd461a7bcc14d79`

			`----------mailgroup questions----------------`
			`get random data from gnuk more than 32byte?`
			`https://raw.githubusercontent.com/comio/comio-overlay/master/app-crypt/scdtools/files/scdrand.service`
			`https://github.com/vletoux/OpenPGP-CSP/issues`
			`https://incenp.org/dvlpt/scdtools.html`

minor push 2022-05-31 16:50:11 +00:00			```
migration process 2022-01-17 18:43:45 +00:00			`echo scd random 32 \| gpg-connect-agent \| xxd`
minor push 2022-05-31 16:50:11 +00:00			```
minor 2023-01-14 15:54:44 +00:00			`--------------—`
			`### best practise`
migration process 2022-01-17 18:43:45 +00:00			`Nutzer PIN erst mit Zertifikat`
			`adminless Modus mit PIN über 8 Zeichen, User Pin min 6 Zeichen PIN`

minor 2023-01-14 15:54:44 +00:00			`#### regnual firmware upgrade`
migration progress 2022-01-29 19:41:03 +00:00			```bash
migration process 2022-01-17 18:43:45 +00:00			`koelner ~/src/gnuk/tool $./upgrade_by_passwd.py ../regnual/regnual.bin ../src/build/gnuk.bin`
			`Admin password:`
			`../regnual/regnual.bin: 4432`
			`../src/build/gnuk.bin: 111616`
			`CRC32: b548ca7b`

			`Device:`
			`Configuration: 1`
			`Interface: 0`
			`./upgrade_by_passwd.py:160: DeprecationWarning: tostring() is deprecated. Use tobytes() instead.`
			`main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])`
			`20002a00:20005000`
			`Downloading flash upgrade program...`
			`start 20002a00`
			`end 20003b00`
			`Run flash upgrade program...`
			`Waiting for device to appear:`
			`Wait 1 second...`
			`Wait 1 second...`
			`Wait 1 second...`
			`Wait 1 second...`
			`Wait 1 second...`
			`Device:`
			`08001000:0bfffc00`
			`Downloading the program`
			`start 08001000`
			`end 0801b400`
			`Protecting device`
			`Finish flashing`
			`Resetting device`
			`Update procedure finished`

			`koelner ~/src/gnuk/tool $./usb_strings.py`
			`Vendor: Free Software Initiative of Japan`
			`Product: Gnuk Token`
			`Serial: FSIJ-1.2.13-87123119`
			`Revision: release/1.2.13-1-g3d06051-modified`
			`Config: ST_DONGLE:dfu=no:debug=no:pinpad=no:certdo=yes:factory_reset=yes`
			`Sys: 3.0`
migration progress 2022-01-29 19:41:03 +00:00			```
migration process 2022-01-17 18:43:45 +00:00
minor 2023-01-14 15:54:44 +00:00			`#### openocd firmware flash`
			```
			`Make Gnuk`
			`cm@system-legacy:~/src/gnuk/src$ ./configure --vidpid=234b:0000 --target=BLUE_PILL --enable-factory-reset --enable-certdo`
			`./configure --vidpid=234b:0000 --target=ST_DONGLE --enable-factory-reset --enable-certdo --disable-sys1-compat`
			`cm@system-legacy:~/src/gnuk/src$ make -j4`
			`cm@system-legacy:~/src/gnuk/src$ make build/gnuk-vidpid.elf`


			`Flash Gnuk`
			`0. build it like descibed in the offical documentation.`
			`1. connect STLink and then the blue pill itself (GND, 3.3V SWDCLK, SWDIO)`
			`2. use openocd`

			`$ openocd -f interface/stlink-v2.cfg -f target/stm32f1x_stlink.cfg -OR-`
			`$ openocd -f interface/stlink-v2.cfg -f target/stm32f1x.cfg`

			`3. telnet to openocd server`
			`cm@system-legacy:~/src$ telnet 127.0.0.1 4444`
			`Trying 127.0.0.1...`
			`Connected to 127.0.0.1.`
			`Escape character is '^]'.`
			`Open On-Chip Debugger`
			`> stm32f1x unlock 0`
			`device id = 0x20036410`
			`flash size = 64kbytes`
			`Target not halted`
			`> reset halt`
			`target halted due to debug-request, current mode: Thread`
			`xPSR: 0x01000000 pc: 0x08000250 msp: 0x20005000`
			`> stm32f1x unlock 0`
			`target halted due to breakpoint, current mode: Thread`
			`xPSR: 0x61000000 pc: 0x2000003a msp: 0x20005000`
			`stm32x unlocked.`
			`INFO: a reset or power cycle is required for the new settings to take effect.`
			`> reset halt`
			`target halted due to debug-request, current mode: Thread`
			`xPSR: 0x01000000 pc: 0x08000250 msp: 0x20005000`
			`> flash write_bank 0 /home/cm/src/gnuk/src/build/gnuk-vidpid.bin 0`
			`flash write algorithm aborted by target`
			`flash write failed at address 0x8000002`
			`flash memory not erased before writing`
			`error writing to flash at address 0x08000000 at offset 0x00000000`
			`> stm32f1x mass_erase 0`
			`stm32f1x mass erase complete`
			`> flash write_bank 0 /home/cm/src/gnuk/src/build/gnuk-vidpid.bin 0`
			`target halted due to breakpoint, current mode: Thread`
			`xPSR: 0x61000000 pc: 0x2000003a msp: 0x20005000`
			`wrote 114688 bytes from file /home/cm/src/gnuk/src/build/gnuk-vidpid.bin to flash bank 0 at offset 0x00000000 in 3.447206s (32.490 KiB/s)`
			`> reset halt`
			`target halted due to debug-request, current mode: Thread`
			`xPSR: 0x01000000 pc: 0x08003264 msp: 0x20005000`
			`> stm32f1x lock 0`
			`target halted due to breakpoint, current mode: Thread`
			`xPSR: 0x61000000 pc: 0x2000003a msp: 0x20005000`
			`stm32x locked`
			`> reset`
			`> shutdown`
			`shutdown command invoked`
			`Connection closed by foreign host.`
			```
			`one liner`
			```
			`openocd -f interface/stlink.cfg \`
			`-c 'transport select hla_swd' \`
			`-f target/stm32f1x.cfg \`
			`-c 'adapter_speed 400' \`
			`-c init \`
			`-c 'reset halt' \`
			`-c 'stm32f1x unlock 0' \`
			`-c 'reset halt' \`
			`-c 'stm32f1x mass_erase 0' \`
			`-c 'flash write_bank 0 /home/koelner/Downloads/gnuk.bin 0' \`
			`-c 'stm32f1x lock 0' \`
			`-c reset \`
			`-c shutdown`
			```

			`#### links`
migration process 2022-01-17 18:43:45 +00:00			`https://github.com/gl-sergei/u2f-token`
			`https://riseup.net/en/security/message-security/openpgp/best-practices`
minor 2023-01-14 15:54:44 +00:00			`https://blog.josefsson.org/tag/openpgp/`

gnuk token 2022-09-02 08:23:52 +00:00			`## gnuk root key station`
migration process 2022-01-17 18:43:45 +00:00
			`rpi zero WH 1.1, CPU-Kühler, USB-A Mod, USB Hub Hat, 1.44 LCD with Buttons`
			`Optional hardware: NeuG as TRNG, keyboard, RTC`

			`OS: DietPi`
			`additional installed software: vim.tiny, vim, stress, gnupg, libccid, opensc, scdaemon, pinentry-tty, rng-tools [http://webhome.phy.duke.edu/~rgb/General/dieharder.php, pam-poldi, keysafe]`

			`activate timedatectl 4`
			`register i2c-rtc and usb-serial, login with dietpi:dietpi`

minor 2023-01-14 15:54:44 +00:00			```
migration process 2022-01-17 18:43:45 +00:00			`root@gnupg-root:~# cat hwmon-ds3231.sh`
			`#!/usr/bin/env bash`
			`rtctemp=$(cat /sys/class/i2c-adapter/i2c-1/1-0068/hwmon/hwmon0/temp1_input)`
			`rtctemp=$(bc -l <<< "$rtctemp / 1000")`
minor 2023-01-14 15:54:44 +00:00			`echo "RTC temp = $rtctemp"`
			```
			```
			`root@gnupg-root:~# cat hwmon-ds3231.sh`
			`#!/usr/bin/env bash`
			`rtctemp=$(cat /sys/class/i2c-adapter/i2c-1/1-0068/hwmon/hwmon0/temp1_input)`
			`echo "$rtctemp / 1000" \| bc`
			`echo "RTC temp = $rtctemp"`
			```

migration process 2022-01-17 18:43:45 +00:00			`First run`
			`Check for RNG pool`
			`create encrypted storage for the gpg folder [on a removable device]`
			`-with long passphrase`
			`-with the master key and PIN (afterwards)`
			`init gpg settings`
			`create master key`
			`-export as QR-Code for printing (on a SDcard, USB Stick)`
			`-copy it to GNUK token`
			`-N-of-M sharing`
			`-USB-Stick`
			`create hash over gpg folder and sign it`
			`remount as read-only`

			`regulary base`
			`Unmount encrypted storage before update`
			`update only via terminal/(ssh)`


			`--------------`
			`[GUI] Main task are:`
			`-unlock encrypted storage`
			`-copy revocation certificate to unencrypted storage`
			`-renew the sub key`
			`-copy subkey to GNUK`
			`-lock encrypted storage`
			`-renew disable date`
			`[GUI DEBUG]`
			`-upgrade GNUK firmware`
			`-git update`
			`-git verify`
			`-configure`
			`-make`
			`-upgrade via publickey`
			`-reinit GNUK token with saved openpgp data`