gedankensplitter/gnuk.md
2022-09-02 10:23:52 +02:00


keywords
IT
Security
Hardware token

gpg usage

add to gpg.conf: keyserver hkps://keys.openpgp.org
gpg --refresh-keys

IMHO

I think this is more or less dead. GnuPG has a bad standing because of its bad implementation (Debian tries to omit it, git(hub) allows signing with an ssh key instead of gpg). It is a dinosaur: familiar, powerful but ancient. Like IPsec, it is based on the understanding of security of the 90s. PGP is the idea that a person has a digital identity to protect the personal data. And at that time the smartcard was the safest place.

However, it is allowed for VS-NfD and it is the successor to Chiasmus, so it will live longer (https://gnupg.com/gnupg-desktop.de.html). With the rise of WireGuard, and for the sake of simplicity (and therefore some missing comforts), it is clear that we should limit security solutions to a proper, yet simple cipher suite. There is no option to weaken or disable the suite; it is just on or off.

The hardware itself is not safe at all. It is just a microcontroller which can't even successfully protect the no-readout flag. If you lose your GNUK you need to revoke the key, which is a pain.

You could however use a Masterkey deployment, which adds overhead to your key handling.

  • secure storage place for the decrypted OS
  • a proper hardware system to keep it locked away
  • a proper air-gap OS update process
  • multiple hardware tokens
  • mostly terminal based work to renew all of that
  • currently no UIX to respect KISS

alternative is:

Gnuk

Official repo: https://salsa.debian.org/gnuk-team

The GNUK is an STM32-based hardware token which implements the OpenPGP specification. The reference hardware is the FST-01, which is no longer sold. It is possible to buy the hardware; common hardware is the STLink V2 adapter or the 'blue pill' development board. For the German market it is easier to use the Nitrokey Start: https://github.com/Nitrokey/nitrokey-start-firmware https://github.com/Nitrokey/nitrokey-start-hardware

GNUK is based on chopstx (µC OS), and this is related to NeuG (STM32 ADC RNG).

Passport-opensc: https://javacardos.com/tools/passport

Black pill pin: https://user-images.githubusercontent.com/13839872/43411278-5f35afd8-9432-11e8-9385-cdd8d3db298d.png

https://hackaday.io/project/162597/logs The page mentions a single free PA pin, PA5. All other pins seem to be PBs. However, chopstx defines the boards and the ack-button. That leads to two places where things have to be patched. Within the board definition there is a comment segment, and afterwards somehow a pin definition.

Black Pill change for LED, maybe backport to gnuk: https://github.com/gl-sergei/u2f-token/issues/9#issuecomment-408945987

schematics: https://s14-eu5.startpage.com/cgi-bin/serveimage?url=https:%2F%2Fembdev.net%2Fwikifiles_en%2Fthumb%2F0%2F09%2FStlink-clone-pinout.JPG%2F800px-Stlink-clone-pinout.JPG&sp=d29ef3816d5c329afdec6221d7c4c7ca

[new] https://gist.github.com/rot42/cd6ff46be45f0b7d7cd461a7bcc14d79

----------mailgroup questions----------------

  • firmware upgrade with public RSA --> loss of all data?
  • upgrade manual?
  • get random data from gnuk more than 32 byte?

https://raw.githubusercontent.com/comio/comio-overlay/master/app-crypt/scdtools/files/scdrand.service
https://github.com/vletoux/OpenPGP-CSP/issues
https://incenp.org/dvlpt/scdtools.html

echo scd random 32 | gpg-connect-agent | xxd
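Added example (not from the original notes or the Gnuk project): what the command above prints is an Assuan reply, i.e. `D ` data lines in which `%`, CR and LF are percent-escaped, followed by `OK`, so `xxd` shows that framing rather than the 32 raw bytes. The code decodes the reply and collects more than 32 bytes by repeating 32-byte requests; `SAMPLE` and `fake_token` are constructed stand-ins so it runs without a token.

```python
import re
import subprocess

ESCAPE = re.compile(rb"%([0-9A-Fa-f]{2})")

def decode_assuan(response: bytes) -> bytes:
    """Extract the payload from the D lines of a raw gpg-connect-agent reply."""
    payload, ok = bytearray(), False
    # CR and LF inside the data are escaped, so splitting on LF is safe.
    for line in response.split(b"\n"):
        if line.startswith(b"D "):
            payload += ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), line[2:])
        elif line.startswith(b"ERR"):
            raise RuntimeError(line.decode("ascii", "replace"))
        elif line == b"OK" or line.startswith(b"OK "):
            ok = True
    if not ok:
        raise RuntimeError("reply has no OK line")
    return bytes(payload)

def ask_token(count: int) -> bytes:
    """Run the page's command without the shell pipe (needs a token plugged in)."""
    return subprocess.run(["gpg-connect-agent", f"scd random {count}", "/bye"],
                          capture_output=True, check=True).stdout

def collect_random(total: int, fetch=ask_token, chunk: int = 32) -> bytes:
    """Gather `total` bytes by repeating `chunk`-byte requests."""
    out = bytearray()
    while len(out) < total:
        block = decode_assuan(fetch(chunk))
        if len(block) != chunk:  # short read: fail loudly instead of padding
            raise RuntimeError(f"expected {chunk} bytes, got {len(block)}")
        out += block
    return bytes(out[:total])

# Constructed reply: bytes 01 02 25('%') 03 0a(LF) ff as they appear on the wire.
SAMPLE = b"D \x01\x02%25\x03%0A\xff\nOK\n"

def fake_token(count: int) -> bytes:
    """Constructed stand-in for the token so this runs offline (not random!)."""
    raw = bytes((i * 37) % 256 for i in range(count))
    esc = raw.replace(b"%", b"%25").replace(b"\r", b"%0D").replace(b"\n", b"%0A")
    return b"D " + esc + b"\nOK\n"

if __name__ == "__main__":
    print(decode_assuan(SAMPLE).hex())
    print(len(collect_random(70, fetch=fake_token)))
```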


User PIN only with certificate, admin-less mode with PIN over 8 characters, user PIN min. 6 characters

---------UPGRADE----------

koelner ~/src/gnuk/tool $./upgrade_by_passwd.py ../regnual/regnual.bin ../src/build/gnuk.bin
Admin password: 
../regnual/regnual.bin: 4432
../src/build/gnuk.bin: 111616
CRC32: b548ca7b

Device: 
Configuration: 1
Interface: 0
./upgrade_by_passwd.py:160: DeprecationWarning: tostring() is deprecated. Use tobytes() instead.
  main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])
20002a00:20005000
Downloading flash upgrade program...
start 20002a00
end   20003b00
Run flash upgrade program...
Waiting for device to appear:
  Wait 1 second...
  Wait 1 second...
  Wait 1 second...
  Wait 1 second...
  Wait 1 second...
Device: 
08001000:0bfffc00
Downloading the program
start 08001000
end   0801b400
Protecting device
Finish flashing
Resetting device
Update procedure finished

koelner ~/src/gnuk/tool $./usb_strings.py 
    Vendor: Free Software Initiative of Japan
   Product: Gnuk Token
    Serial: FSIJ-1.2.13-87123119
  Revision: release/1.2.13-1-g3d06051-modified
    Config: ST_DONGLE:dfu=no:debug=no:pinpad=no:certdo=yes:factory_reset=yes
       Sys: 3.0

https://github.com/gl-sergei/u2f-token https://riseup.net/en/security/message-security/openpgp/best-practices

gnuk root key station

rpi zero WH 1.1, CPU cooler, USB-A Mod, USB Hub Hat, 1.44 LCD with Buttons

Optional hardware: NeuG as TRNG, keyboard, RTC

OS: DietPi additional installed software: vim.tiny, vim, stress, gnupg, libccid, opensc, scdaemon, pinentry-tty, rng-tools [http://webhome.phy.duke.edu/~rgb/General/dieharder.php, pam-poldi, keysafe]

activate timedatectl 4 register i2c-rtc and usb-serial, login with dietpi:dietpi


root@gnupg-root:~# cat hwmon-ds3231.sh
#!/usr/bin/env bash
# The DS3231 hwmon node reports the temperature in millidegrees Celsius.
rtctemp=$(cat /sys/class/i2c-adapter/i2c-1/1-0068/hwmon/hwmon0/temp1_input)
rtctemp=$(bc -l <<< "$rtctemp / 1000")
echo "RTC temp = $rtctemp"

First run

  • Check for RNG pool
  • create encrypted storage for the gpg folder [on a removable device]
    - with long passphrase
    - with the master key and PIN (afterwards)
  • init gpg settings
  • create master key
    - export as QR-Code for printing (on a SDcard, USB Stick)
    - copy it to GNUK token
    - N-of-M sharing
    - USB-Stick
  • create hash over gpg folder and sign it
  • remount as read-only
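Added example (not part of the original notes): one way to do the "create hash over gpg folder and sign it" step, and to check the folder against that manifest after the next unlock. The manifest uses the `sha256sum` text format and would be signed separately, for instance with `gpg --detach-sign`; excluding `random_seed` by name is an assumption about which files change on their own.

```python
import hashlib
import os
import stat
import sys

# Assumption: files GnuPG rewrites by itself are excluded by name so that
# they do not cause false alarms; adjust the set to your homedir.
VOLATILE = {"random_seed"}

def build_manifest(root: str, skip=VOLATILE) -> dict:
    """Map relative path -> SHA-256 for every regular file below root."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            # lstat: agent sockets and symlinks are not regular files, skip them
            if name in skip or not stat.S_ISREG(os.lstat(path).st_mode):
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for block in iter(lambda: fh.read(65536), b""):
                    digest.update(block)
            entries[os.path.relpath(path, root)] = digest.hexdigest()
    return entries

def render(entries: dict) -> str:
    """Text in sha256sum format; this is the file to detach-sign."""
    return "".join(f"{h}  {rel}\n" for rel, h in sorted(entries.items()))

def compare(signed_text: str, root: str) -> dict:
    """Diff a manifest (signature already verified) against the folder."""
    old = {}
    for line in signed_text.splitlines():
        digest, rel = line.split("  ", 1)
        old[rel] = digest
    new = build_manifest(root)
    return {
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
        "missing": sorted(old.keys() - new.keys()),
        "added": sorted(new.keys() - old.keys()),
    }

if __name__ == "__main__" and len(sys.argv) > 1:
    sys.stdout.write(render(build_manifest(sys.argv[1])))
```

Verify the detached signature on the manifest before trusting the output of `compare`; an unsigned manifest on the same medium proves nothing.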

Regular basis

  • Unmount encrypted storage before update
  • update only via terminal/(ssh)


[GUI] Main tasks are:

  • unlock encrypted storage
  • copy revocation certificate to unencrypted storage
  • renew the sub key
  • copy subkey to GNUK
  • lock encrypted storage
  • renew disable date

[GUI DEBUG]

  • upgrade GNUK firmware
  • git update
  • git verify
  • configure
  • make
  • upgrade via publickey
  • reinit GNUK token with saved openpgp data