---
keywords:
  - IT
  - Security
  - Hardware token
---

## gpg usage

```bash
# add to gpg.conf:
#   keyserver hkps://keys.openpgp.org
gpg --refresh-keys
```

### IMHO

I think this is more or less dead. GnuPG has a bad standing because of its bad implementation (Debian tries to omit it, git(hub) allows signing with an SSH key instead of GPG).
It is a dinosaur: familiar, powerful but ancient. Like IPsec, it is based on the security understanding of the 90s. PGP is the idea that a person has a digital identity to protect their personal data. And at that time the smartcard was the safest place.

However, it is allowed for VS-NfD and it is the successor to Chiasmus, so it will live longer (https://gnupg.com/gnupg-desktop.de.html).

With the rise of WireGuard, and for the sake of simplicity (and therefore some missing comforts), it is clear that we should limit security solutions to a proper, yet simple cipher suite. There is no option to weaken or disable the suite, it is just on or off.

The hardware itself is not safe at all. It is just a microcontroller which can't even successfully protect the no-readout flag. If you lose your GNUK you need to revoke the key, which is a pain.

- the user interaction button is not easy to implement on the different 'blue pill' schematics, STM32 clones, unclear firmware code
- for STLinkV2 clones, the encasement is acceptable
- due to fake STM32, firmware updates fail
- original one about 50€
- https://shop.fsf.org/storage-devices/neug-usb-true-random-number-generator
- https://www.gniibe.org/memo/development/fst-01/distributing-fst-01sz.html
- https://www.gniibe.org/memo/development/fst-01/fst-01-revision-sz.html
- https://www.gniibe.org/memo/development/read-out-protection/flash-rop.html
- https://blog.thestaticturtle.fr/lets-make-a-diy-gpg-usb-key/

You could however use a Masterkey deployment, which adds overhead to your key handling.
- secure storage place for the decrypted OS
- a proper hardware system to keep it locked away
- a proper air-gap OS update process
- multiple hardware tokens
- mostly terminal based work to renew all of that
- currently no UIX to respect KISS

The alternative is:

- File encryption: https://github.com/FiloSottile/age https://github.com/FiloSottile/age/discussions/432
- File signing: https://github.com/jedisct1/minisign/
- Mail encryption: as intermediate solution: p≡p and a workaround: https://de.wikipedia.org/wiki/Autocrypt and DKIM by the mail provider
- git commit sign https://github.com/git/git/pull/1041
- linux login: pam-poldi --> pam-u2f
- full disk encryption Luks2: --> TPM2 + PIN (for device bundled storage) or FIDO2 based
- SSH: FIDO2 openssh native support

## Gnuk

Official repo: https://salsa.debian.org/gnuk-team

The GNUK is an STM32 based hardware token which implements the OpenPGP specification. The reference hardware is the FST-01, which is no longer sold.
It is possible to buy the hardware; common hardware is the STLink V2 adapter or the 'blue pill' development board.

For the German market it is easier to use the Nitrokey Start:

- https://github.com/Nitrokey/nitrokey-start-firmware
- https://github.com/Nitrokey/nitrokey-start-hardware

GNUK is based on chopstx (µC OS) and this is related to neuG (STM32 ADC rng).

Passport-opensc: [https://javacardos.com/tools/passport](https://javacardos.com/tools/passport)

Black pill pin: https://user-images.githubusercontent.com/13839872/43411278-5f35afd8-9432-11e8-9385-cdd8d3db298d.png

https://hackaday.io/project/162597/logs is the page mentioning a single free PA pin, the PA5. All other pins seem to be PBs.
However, chopstx defines the boards and the ack-button. That leads to two places where things have to be patched.
Within the boards definition there is a comment segment, followed by some kind of pin definition.
Black Pill change for LED, maybe backport to gnuk [https://github.com/gl-sergei/u2f-token/issues/9#issuecomment-408945987](https://hackaday.io/project/162597/logs)

schematics https://s14-eu5.startpage.com/cgi-bin/serveimage?url=https:%2F%2Fembdev.net%2Fwikifiles_en%2Fthumb%2F0%2F09%2FStlink-clone-pinout.JPG%2F800px-Stlink-clone-pinout.JPG&sp=d29ef3816d5c329afdec6221d7c4c7ca

[new] https://gist.github.com/rot42/cd6ff46be45f0b7d7cd461a7bcc14d79

----------mailgroup questions----------------

get random data from gnuk more than 32byte?

- https://raw.githubusercontent.com/comio/comio-overlay/master/app-crypt/scdtools/files/scdrand.service
- https://github.com/vletoux/OpenPGP-CSP/issues
- https://incenp.org/dvlpt/scdtools.html

```
echo scd random 32 | gpg-connect-agent | xxd
```

----------------

### best practice

- User PIN only with certificate
- admin-less mode with a PIN of more than 8 characters, user PIN min. 6 characters

#### regnual firmware upgrade

```bash
koelner ~/src/gnuk/tool $./upgrade_by_passwd.py ../regnual/regnual.bin ../src/build/gnuk.bin
Admin password:
../regnual/regnual.bin: 4432
../src/build/gnuk.bin: 111616
CRC32: b548ca7b

Device:
Configuration: 1
Interface: 0
./upgrade_by_passwd.py:160: DeprecationWarning: tostring() is deprecated. Use tobytes() instead.
  main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])
20002a00:20005000
Downloading flash upgrade program...
start 20002a00
end 20003b00
Run flash upgrade program...
Waiting for device to appear:
  Wait 1 second...
  Wait 1 second...
  Wait 1 second...
  Wait 1 second...
  Wait 1 second...
Device:
08001000:0bfffc00
Downloading the program
start 08001000
end 0801b400
Protecting device
Finish flashing
Resetting device
Update procedure finished
koelner ~/src/gnuk/tool $./usb_strings.py
Vendor: Free Software Initiative of Japan
Product: Gnuk Token
Serial: FSIJ-1.2.13-87123119
Revision: release/1.2.13-1-g3d06051-modified
Config: ST_DONGLE:dfu=no:debug=no:pinpad=no:certdo=yes:factory_reset=yes
Sys: 3.0
```

#### openocd firmware flash

```
Make Gnuk
cm@system-legacy:~/src/gnuk/src$ ./configure --vidpid=234b:0000 --target=BLUE_PILL --enable-factory-reset --enable-certdo
./configure --vidpid=234b:0000 --target=ST_DONGLE --enable-factory-reset --enable-certdo --disable-sys1-compat
cm@system-legacy:~/src/gnuk/src$ make -j4
cm@system-legacy:~/src/gnuk/src$ make build/gnuk-vidpid.elf

Flash Gnuk
0. build it as described in the official documentation.
1. connect STLink and then the blue pill itself (GND, 3.3V SWDCLK, SWDIO)
2. use openocd
$ openocd -f interface/stlink-v2.cfg -f target/stm32f1x_stlink.cfg
-OR-
$ openocd -f interface/stlink-v2.cfg -f target/stm32f1x.cfg
3. telnet to openocd server
cm@system-legacy:~/src$ telnet 127.0.0.1 4444
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Open On-Chip Debugger
> stm32f1x unlock 0
device id = 0x20036410
flash size = 64kbytes
Target not halted
> reset halt
target halted due to debug-request, current mode: Thread
xPSR: 0x01000000 pc: 0x08000250 msp: 0x20005000
> stm32f1x unlock 0
target halted due to breakpoint, current mode: Thread
xPSR: 0x61000000 pc: 0x2000003a msp: 0x20005000
stm32x unlocked.
INFO: a reset or power cycle is required for the new settings to take effect.
> reset halt
target halted due to debug-request, current mode: Thread
xPSR: 0x01000000 pc: 0x08000250 msp: 0x20005000
> flash write_bank 0 /home/cm/src/gnuk/src/build/gnuk-vidpid.bin 0
flash write algorithm aborted by target
flash write failed at address 0x8000002
flash memory not erased before writing
error writing to flash at address 0x08000000 at offset 0x00000000
> stm32f1x mass_erase 0
stm32f1x mass erase complete
> flash write_bank 0 /home/cm/src/gnuk/src/build/gnuk-vidpid.bin 0
target halted due to breakpoint, current mode: Thread
xPSR: 0x61000000 pc: 0x2000003a msp: 0x20005000
wrote 114688 bytes from file /home/cm/src/gnuk/src/build/gnuk-vidpid.bin to flash bank 0 at offset 0x00000000 in 3.447206s (32.490 KiB/s)
> reset halt
target halted due to debug-request, current mode: Thread
xPSR: 0x01000000 pc: 0x08003264 msp: 0x20005000
> stm32f1x lock 0
target halted due to breakpoint, current mode: Thread
xPSR: 0x61000000 pc: 0x2000003a msp: 0x20005000
stm32x locked
> reset
> shutdown
shutdown command invoked
Connection closed by foreign host.
```

one liner

```
openocd -f interface/stlink.cfg \
  -c 'transport select hla_swd' \
  -f target/stm32f1x.cfg \
  -c 'adapter_speed 400' \
  -c init \
  -c 'reset halt' \
  -c 'stm32f1x unlock 0' \
  -c 'reset halt' \
  -c 'stm32f1x mass_erase 0' \
  -c 'flash write_bank 0 /home/koelner/Downloads/gnuk.bin 0' \
  -c 'stm32f1x lock 0' \
  -c reset \
  -c shutdown
```

#### links

- https://github.com/gl-sergei/u2f-token
- https://riseup.net/en/security/message-security/openpgp/best-practices
- https://blog.josefsson.org/tag/openpgp/

## gnuk root key station

rpi zero WH 1.1, CPU cooler, USB-A Mod, USB Hub Hat, 1.44 LCD with Buttons

Optional hardware: NeuG as TRNG, keyboard, RTC

OS: DietPi

additional installed software: vim.tiny, vim, stress, gnupg, libccid, opensc, scdaemon, pinentry-tty, rng-tools [http://webhome.phy.duke.edu/~rgb/General/dieharder.php, pam-poldi, keysafe]

activate timedatectl 4 register i2c-rtc and usb-serial, login with dietpi:dietpi

```
root@gnupg-root:~# cat hwmon-ds3231.sh
#!/usr/bin/env bash
# DS3231 RTC temperature; the kernel reports it in millidegrees Celsius
rtctemp=$(cat /sys/class/i2c-adapter/i2c-1/1-0068/hwmon/hwmon0/temp1_input)
rtctemp=$(bc -l <<< "$rtctemp / 1000")
echo "RTC temp = $rtctemp"
```

```
root@gnupg-root:~# cat hwmon-ds3231.sh
#!/usr/bin/env bash
# Variant without a here-string; scale=2 keeps two decimals in plain bc
rtctemp=$(cat /sys/class/i2c-adapter/i2c-1/1-0068/hwmon/hwmon0/temp1_input)
rtctemp=$(echo "scale=2; $rtctemp / 1000" | bc)
echo "RTC temp = $rtctemp"
```

First run

- Check for RNG pool
- create encrypted storage for the gpg folder [on a removable device]
  - with long passphrase
  - with the master key and PIN (afterwards)
- init gpg settings
- create master key
  - export as QR-Code for printing (on a SDcard, USB Stick)
  - copy it to GNUK token
  - N-of-M sharing
  - USB-Stick
- create hash over gpg folder and sign it
- remount as read-only

On a regular basis

- Unmount encrypted storage before update
- update only via terminal/(ssh)

--------------

[GUI]

Main tasks are:

- unlock encrypted storage
- copy revocation certificate to unencrypted storage
- renew the sub key
- copy subkey to GNUK
- lock encrypted storage
- renew disable date

[GUI DEBUG]

- upgrade GNUK firmware
- git update
- git verify
- configure
- make
- upgrade via publickey
- reinit GNUK token with saved openpgp data
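
The "create hash over gpg folder and sign it" step of the first-run list, sketched as an added example that is not part of the original notes: it builds a SHA-256 manifest of the gpg folder, signs it, and later detects changed, missing or added files. The function names `make_manifest`, `sign_manifest` and `verify_manifest` and all paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example: integrity manifest for the GnuPG folder on the encrypted storage.
# Paths and function names are assumptions. Keep the manifest OUTSIDE the
# hashed directory, otherwise it shows up as an "added" file.

# make_manifest DIR OUT: SHA-256 of every regular file in DIR, sorted by path.
make_manifest() {
    local dir=$1 out=$2
    ( cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$out"
}

# sign_manifest FILE: armored detached signature (FILE.asc) with the default key.
# Check it later with: gpg --verify FILE.asc FILE
sign_manifest() {
    gpg --armor --detach-sign "$1"
}

# verify_manifest DIR MANIFEST
#   returns 0 if unchanged, 1 if a file changed or is missing, 2 if a file was added
verify_manifest() {
    local dir=$1 manifest=$2 report current listed
    # sha256sum -c reads the manifest on stdin and re-hashes each listed file.
    report=$( { cd "$dir" && sha256sum -c 2>&1; } < "$manifest" ) || {
        printf '%s\n' "$report" | grep -v ': OK$' >&2
        return 1
    }
    # Files that are not in the manifest are invisible to sha256sum -c,
    # so compare the current file list with the listed one as well.
    current=$(cd "$dir" && find . -type f | LC_ALL=C sort)
    listed=$(sed 's/^[0-9a-f]*  //' "$manifest" | LC_ALL=C sort)
    [ "$current" = "$listed" ] || return 2
    return 0
}
```

Sockets and other non-regular files in the gpg folder are skipped by `-type f`, so a running agent does not change the result.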