As I mentioned in my previous blog post, OMAP4 netboot images were available, but non-functional. I'm pleased to announce that these bugs have now been resolved and it is possible to have a functional install on OMAP4. This also has the added advantage of allowing one special partitioning layouts such as RAID, LVM, or simply having a non-SD based root device. The images are available here: http://ports.ubuntu.com/ubuntu-ports/dists/oneiric/main/installer-armel/current/images/omap4/netboot/
To use, simply dd boot.img-serial or boot.img-fb to an SD card, pop it in, and run, and the installer will pop up.
There is still a known bug that partman will not properly create the necessary boot partition. During the partitioning step, you must select manual partitioning, then create a 72 MiB FAT32 partition, with no mount point, and the Bootable flag must be set to 'on'. This partition must be the first partition on the device. flash-kernel-installer will be able to find the partition on its own.
Friday, July 1, 2011
Thursday, June 30, 2011
On porting the installer (Part 1)...
So as Alpha 2 approaches, I find myself working towards porting the alternate installer/d-i to the pandaboard to support the netboot installer. There's not a lot of documentation that describes the internals of d-i, nor what bits are platform specific.
This is especially true when working towards creating a new subarchitecture since lots of little places have to be touched, kernels usually have to be tweaked, and all other sorts of odds and ins. This post isn't a comprehensive guide to what's necessary, but just little tidbits of what I did, just some random odds and ends.
The first step of any enablement is to have something you can run and boot. The netboot images, as well as the alternate kernel and ramdisk are built out of the debian-installer package. In the debian-installer package, several config files for driving the process are located in build/config/$arch/$subarch. For omap4, we have the following files:
boot/arm/generate-partitioned-filesystem
build/config/armel.cfg
build/config/armel/omap4.cfg
build/config/armel/omap4/cdrom.cfg
build/config/armel/omap4/netboot.cfg
boot/arm/generate-partitioned-filesystem is a shell script that takes a VFAT blob, and spits out a proper MBR and partition table.
build/config/armel.cfg simply is a list subarchitectures to build, and some sane-ish kernel defaults for armel.
build/config/armel/omap4.cfg is also a simple config file which specifies the type of images we're building, and the kernel to use in d-i. This file looks like this:
As a point of clarification, 'cdrom' is a bit of a misdemeanor; it refers to the alternate installer kernel and ramdisk used by alternate images, and not the type of media. Other types of images exist such as 'floppy' and 'hd-install', but these are specialized images, and out of scope for this blog post.
Each file in build/config/armel/omap4/* is a makefile thats called in turn for each image that created. The most interesting of this is the netboot.cfg
The vast majority of this is fairly straightforward. TARGET represents the targets called by make. There are tasks for creating a vmlinuz and initrd that must be included. The omap4 target then handles specialized handling for the omap4/netboot image.
omap4 requires a VFAT boot partition on the SD card with a proper filesystem and MBR. The contents of the filesystem are straightforward:
MLO - also known as x-loader, a first stage bootloader
u-boot.bin - u-boot binary, second stage bootloader, used to book the kernel
uImage - linux kernel with special uboot header (created with mkimage)
uInitrd - d-i ramdisk with special uboot header
boot.scr - special boot script for u-boot for commands to execute at startup.
MLO and u-boot.bin are copied in from x-loader-omap4-panda and u-boot-linaro-omap4-panda which are listed as build-deps in the control file for d-i. boot.scr is generated from a plain-text file:
These are u-boot commands that simply load the uImage/uInitrd into RAM, set the command line, and then boot into it.
When porting the installer, it is mostly a task of putting your subarchitecture name in the right places, then adding the necessary logic in places to spit out an image that boots. This provides a sane base to start working on porting other bits of the installer. When d-i is uploaded to Launchpad, these files end up in http://ports.ubuntu.com/ubuntu-ports/dists/oneiric/main/installer-armel/current/images/
My next blog post will go a bit into udebs, and understanding how d-i does architecture detection, and introducing flash-kernel.
This is especially true when working towards creating a new subarchitecture since lots of little places have to be touched, kernels usually have to be tweaked, and all other sorts of odds and ins. This post isn't a comprehensive guide to what's necessary, but just little tidbits of what I did, just some random odds and ends.
The first step of any enablement is to have something you can run and boot. The netboot images, as well as the alternate kernel and ramdisk are built out of the debian-installer package. In the debian-installer package, several config files for driving the process are located in build/config/$arch/$subarch. For omap4, we have the following files:
boot/arm/generate-partitioned-filesystem
build/config/armel.cfg
build/config/armel/omap4.cfg
build/config/armel/omap4/cdrom.cfg
build/config/armel/omap4/netboot.cfg
boot/arm/generate-partitioned-filesystem is a shell script that takes a VFAT blob, and spits out a proper MBR and partition table.
build/config/armel.cfg simply is a list subarchitectures to build, and some sane-ish kernel defaults for armel.
build/config/armel/omap4.cfg is also a simple config file which specifies the type of images we're building, and the kernel to use in d-i. This file looks like this:
MEDIUM_SUPPORTED = netboot cdrom # The version of the kernel to use. KERNELVERSION := 2.6.38-1309-omap4 # we use non-versioned filenames in the omap kernel udeb KERNELNAME = vmlinuz VERSIONED_SYSTEM_MAP =
As a point of clarification, 'cdrom' is a bit of a misdemeanor; it refers to the alternate installer kernel and ramdisk used by alternate images, and not the type of media. Other types of images exist such as 'floppy' and 'hd-install', but these are specialized images, and out of scope for this blog post.
Each file in build/config/armel/omap4/* is a makefile thats called in turn for each image that created. The most interesting of this is the netboot.cfg
MEDIA_TYPE = netboot image SUBARCH = omap4 TARGET = $(TEMP_INITRD) $(TEMP_KERNEL) omap4 EXTRANAME = $(MEDIUM) INITRD_FS = initramfs MANIFEST-INITRD = "netboot initrd" MANIFEST-KERNEL = "kernel image to netboot" INSTALL_PATH = $(SOME_DEST)/$(EXTRANAME) omap4: # Make sure our build envrionment is clean rm -rf $(INSTALL_PATH) mkdir -p $(INSTALL_PATH) # Generate uImage/uInitrd mkimage -A arm -O linux -T kernel -C none -a 0x80008000 -e 0x80008000 -n "Ubuntu kernel" -d $(TEMP_KERNEL) $(INSTALL_PATH)/uImage mkimage -A arm -O linux -T ramdisk -C none -a 0x0 -e 0x0 -n "debian-installer ramdisk" -d $(TEMP_INITRD) $(INSTALL_PATH)/uInitrd # Generate boot.scrs mkimage -A arm -T script -C none -n "Ubuntu boot script (serial)" -d boot/arm/boot.script-omap4-serial $(INSTALL_PATH)/boot.scr-serial mkimage -A arm -T script -C none -n "Ubuntu boot script (framebuffer)" -d boot/arm/boot.script-omap4-fb $(INSTALL_PATH)/boot.scr-fb # Create DD'able filesystems mkdosfs -C $(INSTALL_PATH)/boot.img-fat-serial 10240 mcopy -i $(INSTALL_PATH)/boot.img-fat-serial $(INSTALL_PATH)/uImage ::uImage mcopy -i $(INSTALL_PATH)/boot.img-fat-serial $(INSTALL_PATH)/uInitrd ::uInitrd mcopy -i $(INSTALL_PATH)/boot.img-fat-serial /usr/lib/x-loader/omap4430panda/MLO ::MLO mcopy -i $(INSTALL_PATH)/boot.img-fat-serial /usr/lib/u-boot/omap4_panda/u-boot.bin ::u-boot.bin cp $(INSTALL_PATH)/boot.img-fat-serial $(INSTALL_PATH)/boot.img-fat-fb mcopy -i $(INSTALL_PATH)/boot.img-fat-serial $(INSTALL_PATH)/boot.scr-serial ::boot.scr mcopy -i $(INSTALL_PATH)/boot.img-fat-fb $(INSTALL_PATH)/boot.scr-fb ::boot.scr boot/arm/generate-partitioned-filesystem $(INSTALL_PATH)/boot.img-fat-fb $(INSTALL_PATH)/boot.img-fb boot/arm/generate-partitioned-filesystem $(INSTALL_PATH)/boot.img-fat-serial $(INSTALL_PATH)/boot.img-serial # Generate manifests update-manifest $(INSTALL_PATH)/uImage "Linux kernel for OMAP Boards" update-manifest $(INSTALL_PATH)/uInitrd "initrd for OMAP Boards" update-manifest $(INSTALL_PATH)/boot.scr-fb "Boot script for booting OMAP netinstall initrd and kernel from SD card. Uses framebuffer display" update-manifest $(INSTALL_PATH)/boot.scr-serial "Boot script for booting OMAP netinstall initrd and kernel from SD card. Uses serial output" update-manifest $(INSTALL_PATH)/boot.img-serial "Boot image for booting OMAP netinstall. Uses serial output" update-manifest $(INSTALL_PATH)/boot.img-fb "Boot image for booting OMAP netinstall. Uses framebuffer output"
The vast majority of this is fairly straightforward. TARGET represents the targets called by make. There are tasks for creating a vmlinuz and initrd that must be included. The omap4 target then handles specialized handling for the omap4/netboot image.
omap4 requires a VFAT boot partition on the SD card with a proper filesystem and MBR. The contents of the filesystem are straightforward:
MLO - also known as x-loader, a first stage bootloader
u-boot.bin - u-boot binary, second stage bootloader, used to book the kernel
uImage - linux kernel with special uboot header (created with mkimage)
uInitrd - d-i ramdisk with special uboot header
boot.scr - special boot script for u-boot for commands to execute at startup.
MLO and u-boot.bin are copied in from x-loader-omap4-panda and u-boot-linaro-omap4-panda which are listed as build-deps in the control file for d-i. boot.scr is generated from a plain-text file:
fatload mmc 0:1 0x80000000 uImage fatload mmc 0:1 0x81600000 uInitrd setenv bootargs vram=32M mem=456M@0x80000000 mem=512M@0xA0000000 fixrtc quiet debian-installer/framebuffer=false console=ttyO2,115200n8 bootm 0x80000000 0x81600000
These are u-boot commands that simply load the uImage/uInitrd into RAM, set the command line, and then boot into it.
When porting the installer, it is mostly a task of putting your subarchitecture name in the right places, then adding the necessary logic in places to spit out an image that boots. This provides a sane base to start working on porting other bits of the installer. When d-i is uploaded to Launchpad, these files end up in http://ports.ubuntu.com/ubuntu-ports/dists/oneiric/main/installer-armel/current/images/
My next blog post will go a bit into udebs, and understanding how d-i does architecture detection, and introducing flash-kernel.
Thursday, November 11, 2010
On Achieving Goals ...
*blows the dust off his blog*
It's been quite awhile since I last wrote anything in this thing, so I guess its a good time as any, off the tails of UDS-N, to finally sit down and write something down. Since my last blog posting in May, I've been travelling around the world, attending conferences, and trying to represent both Ubuntu and Debian itself, and Canonical in all my travels. I was recently posted to China for a full month where I lived and worked out of an office, made friends with fellow Ubuntu users, and tech enthusiasts, had a wonderful time meeting with people with the Beijing Linux User's Group, and worked hard within my team at Canonical, and the legions of Ubuntu Developers to help make one of the best releases we've ever had.
As I was writing specs and drafting work items, I came to the point that I was reflecting on my own personal goals and growth in life. Two years and change ago, I was a struggling junior at Rochester Institute of Technology, a little less than two years ago, I started working full time with Canonical, and this year, I've gone and traveled to many places I've only dreamed about; Anchorage & Barrow, Alaska; Tampere, Finland; Prague, Czech Republic; and Brussels, Belgium, just to name a few. I packed up and lived in China for a month (an amazing experience, and I look forward to going back and visiting again sometime in the near future). Had you told the me of two years ago what I would be doing now, I'd probably think you were smoking something good.
One thing I've discovered in my life is that if you want to do something, you need to get out there and just ****ing do it. This may seem simple, but I think of the dreams a lot of people have that never seem to come to fruition. When I have an opportunity, I take it; going to Alaska was a dream I harbored for many years, especially entering the arctic circle, and heading to Barrow. That entire trip was booked on roughly four days notice, and the side trip to Barrow was planned the day before it actually happen. I don't regret any of it; it was one of the best things I ever done.
It brings me to what I consider the flux of this blog posting. For those who know me, I've had a goal of visiting every state within the United States. At this time last year, this map looked like this
As of two weeks ago today, this map looked like this:
Now, by the end of the day today, it will look like this:
The point I'm trying to make is if you want to do something, do it the first chance you get, or just don't do it; I say this because you never know when you will be able to do it again.
As for completing a life goal, well, it feels pretty amazing :-). I may write about that in a future blog posting ...
It's been quite awhile since I last wrote anything in this thing, so I guess its a good time as any, off the tails of UDS-N, to finally sit down and write something down. Since my last blog posting in May, I've been travelling around the world, attending conferences, and trying to represent both Ubuntu and Debian itself, and Canonical in all my travels. I was recently posted to China for a full month where I lived and worked out of an office, made friends with fellow Ubuntu users, and tech enthusiasts, had a wonderful time meeting with people with the Beijing Linux User's Group, and worked hard within my team at Canonical, and the legions of Ubuntu Developers to help make one of the best releases we've ever had.
As I was writing specs and drafting work items, I came to the point that I was reflecting on my own personal goals and growth in life. Two years and change ago, I was a struggling junior at Rochester Institute of Technology, a little less than two years ago, I started working full time with Canonical, and this year, I've gone and traveled to many places I've only dreamed about; Anchorage & Barrow, Alaska; Tampere, Finland; Prague, Czech Republic; and Brussels, Belgium, just to name a few. I packed up and lived in China for a month (an amazing experience, and I look forward to going back and visiting again sometime in the near future). Had you told the me of two years ago what I would be doing now, I'd probably think you were smoking something good.
One thing I've discovered in my life is that if you want to do something, you need to get out there and just ****ing do it. This may seem simple, but I think of the dreams a lot of people have that never seem to come to fruition. When I have an opportunity, I take it; going to Alaska was a dream I harbored for many years, especially entering the arctic circle, and heading to Barrow. That entire trip was booked on roughly four days notice, and the side trip to Barrow was planned the day before it actually happen. I don't regret any of it; it was one of the best things I ever done.
It brings me to what I consider the flux of this blog posting. For those who know me, I've had a goal of visiting every state within the United States. At this time last year, this map looked like this
As of two weeks ago today, this map looked like this:
Now, by the end of the day today, it will look like this:
The point I'm trying to make is if you want to do something, do it the first chance you get, or just don't do it; I say this because you never know when you will be able to do it again.
As for completing a life goal, well, it feels pretty amazing :-). I may write about that in a future blog posting ...
Sunday, May 16, 2010
Mailing Lists and Newsreaders ....
So for awhile, I've been questioning on why very few FOSS programs use newsgroups (or USENET on moderated groups) as their primary means of communication between developers. I personally find email to be a clunky way dealing with mass-mailings, and while switching to alpine and mutt have helped, I feel newsgroups would work better in place of mailing lists.
In this spirit, I'm going to try to replace reading most of my public facing mailing lists with Gmane and see if my opinion actually holds true; if newsgroups are superior to bog-standard mailing lists, and post back in some time. I'm currently looking at various GUI and console based newsreaders to see which works best to meet my needs.
I also need to blow the dust off the memories and remember how to setup leafnode so I can mimic OfflineIMAP. Any suggestions are welcome.
In this spirit, I'm going to try to replace reading most of my public facing mailing lists with Gmane and see if my opinion actually holds true; if newsgroups are superior to bog-standard mailing lists, and post back in some time. I'm currently looking at various GUI and console based newsreaders to see which works best to meet my needs.
I also need to blow the dust off the memories and remember how to setup leafnode so I can mimic OfflineIMAP. Any suggestions are welcome.
Thursday, February 4, 2010
1984
It's been awhile since I last posted, but I felt the need to do so after my recent flight through ATL. While I was waiting for my connection the loudspeakers announced that we were at threat level "Orange" and that we, the people, had to be on guard for threats to our country.
Does this remind anyone of anything? If your answer is 1984, then you win. When did we get to this point that our government is feeling more and more like the Party; I am just waiting for the day when we have telescreens constantly watching for terrorism and other threats ...
I hope this day never comes but given the path we have been on since 9/11, I fear for the future ...
Does this remind anyone of anything? If your answer is 1984, then you win. When did we get to this point that our government is feeling more and more like the Party; I am just waiting for the day when we have telescreens constantly watching for terrorism and other threats ...
I hope this day never comes but given the path we have been on since 9/11, I fear for the future ...
Tuesday, August 25, 2009
Setting up a GPG smartcard ...
So after having my trusty Sony VAIO do a bunk on me, its replacement, a Lenovo Thinkpad T400 has just arrived, and I'm now working through the process of getting it setup and ready to work as my main x86/amd64 machine, (for those wondering, my desktop machine, titan is an SMP ia64 that was donated to me to help improve the Ubuntu/ia64 port). I'm still getting things settled on it, but one of the nicest things about is it has a built in smartcard slot for me to use my GPG smartcard with, and figured now is a good time to write up howto get started with it.
If your using a smartcard that can handle larger than 1024-bit keys, make sure you use gpg2 in place of gpg, as gpg can't handle moving large keys to the card. The primary key in all cases can and should be as large as possible, since only the subkeys will be moved to the GPG smartcard. gpg-agent MUST be running to access the smartcard.
The first step is to install the correct packages for your smartcard; for me gpg2 and gpgsm did the trick. pcscd and gnupg-agent are also needed. If successful, you should be able to query your card:
If you got this far, so far so good. The next step is to set your personal information on the card itself, and to generate new GPG keys for it. The first step can be done by typing the following commands:
Couple of important safety notes: The card will accept up to three wrong PINs and then block, making it impossible to unblock without the admin PIN. Three wrong admin PINs and your card fries itself (like a SIM card with too many wrong PUK codes entered) so be VERY VERY careful!
Now there are a few choices to make here. You can generate a key on the card itself (the generate command) and then use it by itself, move your private key to the card, and use it as above, or add a subkey, and then use that. I'm going to choose the later.
For those of you who are not familiar, GPG subkeys as essentially private keys to be used while the primary key remains safe and sound. Subkeys can sign files, and encrypt/decrypt email as normal, but they can't be signed, nor can they sign other keys. They are trusted through signatures on the primary key.
As an additional step, since my GPG key is in the somewhat old and dated DSA 1024 format, I feel the time has come to replace it with a newer 4096 bit RSA key (for my rationale, take a look at: http://74.125.93.132/search?q=cache:wA6b7rbT0p0J:www.debian-administration.org/users/dkg/weblog/48+http://www.debian-administration.org/users/dkg/weblog/48&hl=en&client=firefox-a&gl=us&strip=1 (the link is a google cache link as of writing debian-administration.org is down)
So lets do that first. I'm generating my keyring onto an external device which will contain the primary key, and the subkeys on file. The primary key is the only one which can be used to sign other keys:
I *really* need a hardware entropy generator for when I generate keys. I recommend setting the preferences for generating signatures and the like with: setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
Add any uids you need to your key. This can be done with the adduid command after issuing the edit-keys command
Now lets add an encryption and signing subkey for this keyring so you can send and receive encrypted emails. Make sure the size is small enough to fit on your card (my card can take 3072 per key*, your millage may vary); this step and the next use gpg2 due to incompatbilities with my card (see below for full story). In addition, I'm going to set these subkeys to expire after a year, partially because I intend to replace the subkey with a 3072-bit or 4092-bit subkey later (depending on smartcard support), and partially incase my smartcard is ever lost, the keys will expire themselves should I loose the private subkey (which is possible by accident due to gnupg moving keys to smartcards).
* - for those of us with g10code 2.0 smartcards, there seems to be an issue with using 3072-bit encryption keys. I'm not sure if the problem with the card, the cardreader, or gnupg, but for now, I'll use 2048 subkeys, and replace them with 3072-bit keys later on.
*phew*
This step is optional, but if you want an authetication key, this is how you create one. A signing key can be used as an authetication key, but the reverse is not true. You need to use expert mode to create an authenication key.
Ok. Now is a good time to export your keys, make backups of your .gnupg folder, generate revocation certificates and such. Once your done doing that, lets copy those keys to the card. What will happen specifically is the key will be moved to the card, and a stub key will be left in its place, which will require the card in place to be used. The backup you make here will be the full key, ready incase something ever happens to your card.
As a second note this is just a guideline on how I generated keys, some people might want to make their keys expire as an additional method of protection just in-case normal revocation becomes impossible. Finally, I know people will question why I generated an authentication key, but my goal with this key is to use it to make smartcard SSH possible, allowing me to replace my .ssh folder with the smartcard.
Anyway, take a drink, breath, and get ready to copy things to the card. We're going to take the secret subkeys, export them, then import them into the normal keyring, then move them to the card:
Couple of important safety notes:
1. A signing key CAN be used as an authetication key. If you generated a separate authentication key, make sure you put that in the right spot, and the signing key in the signing key spot, or else you will have to back up and do it again
2. Once you toggle, you can't see the purpose of the keys, so make sure you refer to it before doing anything
3. The admin pin is needed to move the keys
4. You need to deslect each key after you move it and select the new one
5. You can't delete a key off the card once its there (as far as I can tell), but you can replace it.
6. NEVER use your primary copy of your keyring to move keys!
Unmount your pendrive or secure media with your private keys, and have it go be guarded by orcs. Now its time to import the subkeys into GPG, and then move them to the card. Since your not moving the trustdb, you'll also have to manually reset the trust of your private key once its imported.
At this point, all the secret subkeys have been removed, and only exist on your pendrive (along with the primary key), or on your smartcard. The secret keys on this machine have been replaced with stubs that tell gnupg to look at the smartcard for the secert key. If you export the secret keys now, you'll only export the stub, and not the secret key.
If done correctly, any operations requiring your private key will now require you to put in the smartcard as that's the only copy of the subkeys available. You'll want to make sure both signing and encryption/decrption works:
Decryption:
Signing with smartcard:
Your done! I hope you've found this guide helpful. I currently haven't released this GPG key into the wild JUST yet, but I likely will within this week once I make sure I've done everything correctly. Please leave comments if you see any mistakes or want to make any recommendations. Thanks for reading!
If your using a smartcard that can handle larger than 1024-bit keys, make sure you use gpg2 in place of gpg, as gpg can't handle moving large keys to the card. The primary key in all cases can and should be as large as possible, since only the subkeys will be moved to the GPG smartcard. gpg-agent MUST be running to access the smartcard.
The first step is to install the correct packages for your smartcard; for me gpg2 and gpgsm did the trick. pcscd and gnupg-agent are also needed. If successful, you should be able to query your card:
mcasadevall@daybreak:~$ gpg --card-status
gpg: detected reader `Lenovo Integrated Smart Card Reader 00 00'
Application ID ...: D27600012401020000050000005D0000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 0000005D
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Signature PIN ....: forced
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
If you got this far, so far so good. The next step is to set your personal information on the card itself, and to generate new GPG keys for it. The first step can be done by typing the following commands:
Couple of important safety notes: The card will accept up to three wrong PINs and then block, making it impossible to unblock without the admin PIN. Three wrong admin PINs and your card fries itself (like a SIM card with too many wrong PUK codes entered) so be VERY VERY careful!
mcasadevall@daybreak:~$ gpg --card-edit
gpg: detected reader `Lenovo Integrated Smart Card Reader 00 00'
Application ID ...: D27600012401020000050000005D0000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 0000005D
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Signature PIN ....: forced
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
Command> admin
Admin commands are allowed
Command> name
Cardholder's surname: Casadevall
Cardholder's given name: Michael
gpg: 3 Admin PIN attempts remaining before card is permanently locked
Admin PIN
gpg: gpg-agent is not available in this session
Command> lang
Language preferences: en
Command> sex
Sex ((M)ale, (F)emale or space): m
Command> quit
mcasadevall@daybreak:~$
Now there are a few choices to make here. You can generate a key on the card itself (the generate command) and then use it by itself, move your private key to the card, and use it as above, or add a subkey, and then use that. I'm going to choose the later.
For those of you who are not familiar, GPG subkeys as essentially private keys to be used while the primary key remains safe and sound. Subkeys can sign files, and encrypt/decrypt email as normal, but they can't be signed, nor can they sign other keys. They are trusted through signatures on the primary key.
As an additional step, since my GPG key is in the somewhat old and dated DSA 1024 format, I feel the time has come to replace it with a newer 4096 bit RSA key (for my rationale, take a look at: http://74.125.93.132/search?q=cache:wA6b7rbT0p0J:www.debian-administration.org/users/dkg/weblog/48+http://www.debian-administration.org/users/dkg/weblog/48&hl=en&client=firefox-a&gl=us&strip=1 (the link is a google cache link as of writing debian-administration.org is down)
So lets do that first. I'm generating my keyring onto an external device which will contain the primary key, and the subkeys on file. The primary key is the only one which can be used to sign other keys:
mcasadevall@daybreak:~$ gpg2 --homedir /media/disk/gpg_keys --gen-key
gpg: WARNING: unsafe permissions on homedir `/media/disk/gpg_keys'
gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: keyring `/media/disk/gpg_keys/secring.gpg' created
gpg: keyring `/media/disk/gpg_keys/pubring.gpg' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 1y
Key expires at Wed 25 Aug 2010 07:57:17 PM EDT
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Michael Casadevall
Email address: mcasadevall@ubuntu.com
Comment:
You selected this USER-ID:
"Michael Casadevall <mcasadevall@ubuntu.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /media/disk/gpg_keys/trustdb.gpg: trustdb created
gpg: key 7B8E6A47 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2010-08-25
pub 4096R/7B8E6A47 2009-08-25 [expires: 2010-08-25]
Key fingerprint = C7A5 543F 2D33 3791 4EF0 C915 7B4D 847C 7B8E 6A47
uid Michael Casadevall <mcasadevall@ubuntu.com>
Note that this key cannot be used for encryption. You may want to use
the command "--edit-key" to generate a subkey for this purpose.
I *really* need a hardware entropy generator for when I generate keys. I recommend setting the preferences for generating signatures and the like with: setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
mcasadevall@daybreak:~$ gpg2 --homedir /media/disk/gpg_keys --edit-key mcasadevall@ubuntu.com
gpg: WARNING: unsafe permissions on homedir `/media/disk/gpg_keys'
gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). Michael Casadevall <mcasadevall@ubuntu.com>
Command> uid 1
pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1)* Michael Casadevall <mcasadevall@ubuntu.com>
Command> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
Set preference list to:
Cipher: AES256, AES192, AES, CAST5, 3DES
Digest: SHA512, SHA384, SHA256, SHA224, SHA1
Compression: ZLIB, BZIP2, ZIP, Uncompressed
Features: MDC, Keyserver no-modify
Really update the preferences for the selected user IDs? (y/N) y
You need a passphrase to unlock the secret key for
user: "Michael Casadevall <mcasadevall@ubuntu.com>"
4096-bit RSA key, ID 7B8E6A47, created 2009-08-25
pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1)* Michael Casadevall <mcasadevall@ubuntu.com>
Command> save
mcasadevall@daybreak:~$
Add any uids you need to your key. This can be done with the adduid command after issuing the edit-keys command
mcasadevall@daybreak:~$ gpg2 --homedir /media/disk/gpg_keys --edit-key mcasadevall@ubuntu.com
gpg: WARNING: unsafe permissions on homedir `/media/disk/gpg_keys'
gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). Michael Casadevall <mcasadevall@ubuntu.com>
Command> adduid
Real name: Michael Casadevall
Email address: michael.casadevall@canonical.com
Comment:
You selected this USER-ID:
"Michael Casadevall <michael.casadevall@canonical.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a passphrase to unlock the secret key for
user: "Michael Casadevall <mcasadevall@ubuntu.com>"
4096-bit RSA key, ID 7B8E6A47, created 2009-08-25
pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1) Michael Casadevall <mcasadevall@ubuntu.com>
[ unknown] (2). Michael Casadevall <michael.casadevall@canonical.com>
Command> adduid
Real name: Michael Casadevall
Email address: mcasadevall@debian.org
Comment:
You selected this USER-ID:
"Michael Casadevall <mcasadevall@debian.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a passphrase to unlock the secret key for
user: "Michael Casadevall <mcasadevall@ubuntu.com>"
4096-bit RSA key, ID 7B8E6A47, created 2009-08-25
pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1) Michael Casadevall <mcasadevall@ubuntu.com>
[ unknown] (2) Michael Casadevall <michael.casadevall@canonical.com>
[ unknown] (3). Michael Casadevall <mcasadevall@debian.org>
Command> adduid
Real name: Michael Casadevall
Email address: mcasadevall@kubuntu.org
Comment:
You selected this USER-ID:
"Michael Casadevall <mcasadevall@kubuntu.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a passphrase to unlock the secret key for
user: "Michael Casadevall <mcasadevall@ubuntu.com>"
4096-bit RSA key, ID 7B8E6A47, created 2009-08-25
pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1) Michael Casadevall <mcasadevall@ubuntu.com>
[ unknown] (2) Michael Casadevall <michael.casadevall@canonical.com>
[ unknown] (3) Michael Casadevall <mcasadevall@debian.org>
[ unknown] (4). Michael Casadevall <mcasadevall@kubuntu.org>
Command> save
mcasadevall@daybreak:~$
Now lets add an encryption and signing subkey for this keyring so you can send and receive encrypted emails. Make sure the size is small enough to fit on your card (my card can take 3072 per key*, your millage may vary); this step and the next use gpg2 due to incompatbilities with my card (see below for full story). In addition, I'm going to set these subkeys to expire after a year, partially because I intend to replace the subkey with a 3072-bit or 4092-bit subkey later (depending on smartcard support), and partially incase my smartcard is ever lost, the keys will expire themselves should I loose the private subkey (which is possible by accident due to gnupg moving keys to smartcards).
* - for those of us with g10code 2.0 smartcards, there seems to be an issue with using 3072-bit encryption keys. I'm not sure if the problem with the card, the cardreader, or gnupg, but for now, I'll use 2048 subkeys, and replace them with 3072-bit keys later on.
mcasadevall@daybreak:~$ gpg2 --homedir /media/disk/gpg_keys --edit-key mcasadevall@ubuntu.com
gpg: WARNING: unsafe permissions on homedir `/media/disk/gpg_keys'
gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2010-08-25
pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). Michael Casadevall <mcasadevall@kubuntu.org>
[ultimate] (2) Michael Casadevall <mcasadevall@ubuntu.com>
[ultimate] (3) Michael Casadevall <michael.casadevall@canonical.com>
[ultimate] (4) Michael Casadevall <mcasadevall@debian.org>
Command> addkey
Key is protected.
You need a passphrase to unlock the secret key for
user: "Michael Casadevall <mcasadevall@kubuntu.org>"
4096-bit RSA key, ID 7B8E6A47, created 2009-08-25
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 1y
Key expires at Wed 25 Aug 2010 08:12:37 PM EDT
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E
[ultimate] (1). Michael Casadevall <mcasadevall@kubuntu.org>
[ultimate] (2) Michael Casadevall <mcasadevall@ubuntu.com>
[ultimate] (3) Michael Casadevall <michael.casadevall@canonical.com>
[ultimate] (4) Michael Casadevall <mcasadevall@debian.org>
Command> addkey
Key is protected.
You need a passphrase to unlock the secret key for
user: "Michael Casadevall <mcasadevall@kubuntu.org>"
4096-bit RSA key, ID 7B8E6A47, created 2009-08-25
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 1y
Key expires at Wed 25 Aug 2010 08:12:51 PM EDT
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E
sub 2048R/C511F667 created: 2009-08-26 expires: 2010-08-26 usage: S
[ultimate] (1). Michael Casadevall <mcasadevall@kubuntu.org>
[ultimate] (2) Michael Casadevall <mcasadevall@ubuntu.com>
[ultimate] (3) Michael Casadevall <michael.casadevall@canonical.com>
[ultimate] (4) Michael Casadevall <mcasadevall@debian.org>
Command> save
*phew*
This step is optional, but if you want an authetication key, this is how you create one. A signing key can be used as an authetication key, but the reverse is not true. You need to use expert mode to create an authenication key.
mcasadevall@daybreak:~$ gpg2 --homedir /media/disk/gpg_keys --expert --edit-key mcasadevall@ubuntu.com
gpg: WARNING: unsafe permissions on homedir `/media/disk/gpg_keys'
gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E
sub 2048R/C511F667 created: 2009-08-26 expires: 2010-08-26 usage: S
[ultimate] (1). Michael Casadevall <mcasadevall@kubuntu.org>
[ultimate] (2) Michael Casadevall <mcasadevall@ubuntu.com>
[ultimate] (3) Michael Casadevall <michael.casadevall@canonical.com>
[ultimate] (4) Michael Casadevall <mcasadevall@debian.org>
Command> addkey
Key is protected.
You need a passphrase to unlock the secret key for
user: "Michael Casadevall <mcasadevall@kubuntu.org>"
4096-bit RSA key, ID 7B8E6A47, created 2009-08-25
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
Your selection? 8
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? s
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? e
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions:
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? a
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 1y
Key expires at Wed 25 Aug 2010 08:15:34 PM EDT
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E
sub 2048R/C511F667 created: 2009-08-26 expires: 2010-08-26 usage: S
sub 2048R/AF3D8E0C created: 2009-08-26 expires: 2010-08-26 usage: A
[ultimate] (1). Michael Casadevall <mcasadevall@kubuntu.org>
[ultimate] (2) Michael Casadevall <mcasadevall@ubuntu.com>
[ultimate] (3) Michael Casadevall <michael.casadevall@canonical.com>
[ultimate] (4) Michael Casadevall <mcasadevall@debian.org>
Command> save
Ok. Now is a good time to export your keys, make backups of your .gnupg folder, generate revocation certificates and such. Once your done doing that, lets copy those keys to the card. What will happen specifically is the key will be moved to the card, and a stub key will be left in its place, which will require the card in place to be used. The backup you make here will be the full key, ready incase something ever happens to your card.
As a second note this is just a guideline on how I generated keys, some people might want to make their keys expire as an additional method of protection just in-case normal revocation becomes impossible. Finally, I know people will question why I generated an authentication key, but my goal with this key is to use it to make smartcard SSH possible, allowing me to replace my .ssh folder with the smartcard.
Anyway, take a drink, breath, and get ready to copy things to the card. We're going to take the secret subkeys, export them, then import them into the normal keyring, then move them to the card:
Couple of important safety notes:
1. A signing key CAN be used as an authetication key. If you generated a separate authentication key, make sure you put that in the right spot, and the signing key in the signing key spot, or else you will have to back up and do it again
2. Once you toggle, you can't see the purpose of the keys, so make sure you refer to it before doing anything
3. The admin pin is needed to move the keys
4. You need to deslect each key after you move it and select the new one
5. You can't delete a key off the card once its there (as far as I can tell), but you can replace it.
6. NEVER use your primary copy of your keyring to move keys!
mcasadevall@daybreak:/media/disk$ chmod a-w gpg_keys/*
mcasadevall@daybreak:~$ gpg --homedir /media/disk/gpg_keys/ --export-secret-subkeys > ~/tmp.key
Unmount your pendrive or secure media with your private keys, and have it go be guarded by orcs. Now its time to import the subkeys into GPG, and then move them to the card. Since your not moving the trustdb, you'll also have to manually reset the trust of your private key once its imported.
mcasadevall@daybreak:~$ gpg --import tmp.key
gpg: key 7B8E6A47: secret key imported
gpg: /home/mcasadevall/.gnupg/trustdb.gpg: trustdb created
gpg: key 7B8E6A47: public key "Michael Casadevall <mcasadevall@kubuntu.org>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: secret keys read: 1
gpg: secret keys imported: 1
mcasadevall@daybreak:~$ shred tmp.key
mcasadevall@daybreak:~$ rm tmp.key
mcasadevall@daybreak:~$ gpg --edit-key mcasadevall@ubuntu.com
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: unknown validity: unknown
sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E
sub 2048R/C511F667 created: 2009-08-26 expires: 2010-08-26 usage: S
sub 2048R/AF3D8E0C created: 2009-08-26 expires: 2010-08-26 usage: A
[ unknown] (1). Michael Casadevall <mcasadevall@kubuntu.org>
[ unknown] (2) Michael Casadevall <mcasadevall@ubuntu.com>
[ unknown] (3) Michael Casadevall <michael.casadevall@canonical.com>
[ unknown] (4) Michael Casadevall <mcasadevall@debian.org>
Command> trust
pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: unknown validity: unknown
sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E
sub 2048R/C511F667 created: 2009-08-26 expires: 2010-08-26 usage: S
sub 2048R/AF3D8E0C created: 2009-08-26 expires: 2010-08-26 usage: A
[ unknown] (1). Michael Casadevall <mcasadevall@kubuntu.org>
[ unknown] (2) Michael Casadevall <mcasadevall@ubuntu.com>
[ unknown] (3) Michael Casadevall <michael.casadevall@canonical.com>
[ unknown] (4) Michael Casadevall <mcasadevall@debian.org>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: unknown
sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E
sub 2048R/C511F667 created: 2009-08-26 expires: 2010-08-26 usage: S
sub 2048R/AF3D8E0C created: 2009-08-26 expires: 2010-08-26 usage: A
[ unknown] (1). Michael Casadevall <mcasadevall@kubuntu.org>
[ unknown] (2) Michael Casadevall <mcasadevall@ubuntu.com>
[ unknown] (3) Michael Casadevall <michael.casadevall@canonical.com>
[ unknown] (4) Michael Casadevall <mcasadevall@debian.org>
Please note that the shown key validity is not necessarily correct
unless you restart the program.
Command> quit
mcasadevall@daybreak:~$ gpg2 --edit-key mcasadevall@ubuntu.com
gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2010-08-25
pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E
sub 2048R/C511F667 created: 2009-08-26 expires: 2010-08-26 usage: S
sub 2048R/AF3D8E0C created: 2009-08-26 expires: 2010-08-26 usage: A
[ultimate] (1). Michael Casadevall <mcasadevall@kubuntu.org>
[ultimate] (2) Michael Casadevall <mcasadevall@ubuntu.com>
[ultimate] (3) Michael Casadevall <michael.casadevall@canonical.com>
[ultimate] (4) Michael Casadevall <mcasadevall@debian.org>
Command> toggle
sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25
ssb 2048R/1E2110C3 created: 2009-08-26 expires: never
ssb 2048R/C511F667 created: 2009-08-26 expires: never
ssb 2048R/AF3D8E0C created: 2009-08-26 expires: never
(1) Michael Casadevall <mcasadevall@ubuntu.com>
(2) Michael Casadevall <michael.casadevall@canonical.com>
(3) Michael Casadevall <mcasadevall@debian.org>
(4) Michael Casadevall <mcasadevall@kubuntu.org>
Command> key 1
sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25
ssb* 2048R/1E2110C3 created: 2009-08-26 expires: never
ssb 2048R/C511F667 created: 2009-08-26 expires: never
ssb 2048R/AF3D8E0C created: 2009-08-26 expires: never
(1) Michael Casadevall <mcasadevall@ubuntu.com>
(2) Michael Casadevall <michael.casadevall@canonical.com>
(3) Michael Casadevall <mcasadevall@debian.org>
(4) Michael Casadevall <mcasadevall@kubuntu.org>
Command> keytocard
Signature key ....: 3396 1F69 327C 1645 B0CF 057E 89D1 1A4A 4E4D 5498
Encryption key....: 114E 692C D22F 89C1 F0EA 4AE8 83AA F05E A383 3408
Authentication key: FFFC 04A6 3FE8 AF4C F9A6 F660 A3C2 A7CD 1A8B DA08
Please select where to store the key:
(2) Encryption key
Your selection? 2
gpg: WARNING: such a key has already been stored on the card!
Replace existing key? (y/N) y
You need a passphrase to unlock the secret key for
user: "Michael Casadevall <mcasadevall@kubuntu.org>"
2048-bit RSA key, ID 1E2110C3, created 2009-08-26
sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25
ssb* 2048R/1E2110C3 created: 2009-08-26 expires: never
card-no: 0005 0000005D
ssb 2048R/C511F667 created: 2009-08-26 expires: never
ssb 2048R/AF3D8E0C created: 2009-08-26 expires: never
(1) Michael Casadevall <mcasadevall@ubuntu.com>
(2) Michael Casadevall <michael.casadevall@canonical.com>
(3) Michael Casadevall <mcasadevall@debian.org>
(4) Michael Casadevall <mcasadevall@kubuntu.org>
Command> key 1
sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25
ssb 2048R/1E2110C3 created: 2009-08-26 expires: never
card-no: 0005 0000005D
ssb 2048R/C511F667 created: 2009-08-26 expires: never
ssb 2048R/AF3D8E0C created: 2009-08-26 expires: never
(1) Michael Casadevall <mcasadevall@ubuntu.com>
(2) Michael Casadevall <michael.casadevall@canonical.com>
(3) Michael Casadevall <mcasadevall@debian.org>
(4) Michael Casadevall <mcasadevall@kubuntu.org>
Command> key 2
sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25
ssb 2048R/1E2110C3 created: 2009-08-26 expires: never
card-no: 0005 0000005D
ssb* 2048R/C511F667 created: 2009-08-26 expires: never
ssb 2048R/AF3D8E0C created: 2009-08-26 expires: never
(1) Michael Casadevall <mcasadevall@ubuntu.com>
(2) Michael Casadevall <michael.casadevall@canonical.com>
(3) Michael Casadevall <mcasadevall@debian.org>
(4) Michael Casadevall <mcasadevall@kubuntu.org>
Command> keytocard
Signature key ....: 3396 1F69 327C 1645 B0CF 057E 89D1 1A4A 4E4D 5498
Encryption key....: 90FE 16DC C170 7550 780A 94B4 A1EE 54A9 1E21 10C3
Authentication key: FFFC 04A6 3FE8 AF4C F9A6 F660 A3C2 A7CD 1A8B DA08
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1
gpg: WARNING: such a key has already been stored on the card!
Replace existing key? (y/N) y
You need a passphrase to unlock the secret key for
user: "Michael Casadevall <mcasadevall@kubuntu.org>"
2048-bit RSA key, ID C511F667, created 2009-08-26
sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25
ssb 2048R/1E2110C3 created: 2009-08-26 expires: never
card-no: 0005 0000005D
ssb* 2048R/C511F667 created: 2009-08-26 expires: never
card-no: 0005 0000005D
ssb 2048R/AF3D8E0C created: 2009-08-26 expires: never
(1) Michael Casadevall <mcasadevall@ubuntu.com>
(2) Michael Casadevall <michael.casadevall@canonical.com>
(3) Michael Casadevall <mcasadevall@debian.org>
(4) Michael Casadevall <mcasadevall@kubuntu.org>
Command> key 2
sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25
ssb 2048R/1E2110C3 created: 2009-08-26 expires: never
card-no: 0005 0000005D
ssb 2048R/C511F667 created: 2009-08-26 expires: never
card-no: 0005 0000005D
ssb 2048R/AF3D8E0C created: 2009-08-26 expires: never
(1) Michael Casadevall <mcasadevall@ubuntu.com>
(2) Michael Casadevall <michael.casadevall@canonical.com>
(3) Michael Casadevall <mcasadevall@debian.org>
(4) Michael Casadevall <mcasadevall@kubuntu.org>
Command> key 4
No subkey with index 4
Command> key 3
sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25
ssb 2048R/1E2110C3 created: 2009-08-26 expires: never
card-no: 0005 0000005D
ssb 2048R/C511F667 created: 2009-08-26 expires: never
card-no: 0005 0000005D
ssb* 2048R/AF3D8E0C created: 2009-08-26 expires: never
(1) Michael Casadevall <mcasadevall@ubuntu.com>
(2) Michael Casadevall <michael.casadevall@canonical.com>
(3) Michael Casadevall <mcasadevall@debian.org>
(4) Michael Casadevall <mcasadevall@kubuntu.org>
Command> keytocard
Signature key ....: 60C1 8447 B8B5 619A AD0B DE9E 9DDA 9A07 C511 F667
Encryption key....: 90FE 16DC C170 7550 780A 94B4 A1EE 54A9 1E21 10C3
Authentication key: FFFC 04A6 3FE8 AF4C F9A6 F660 A3C2 A7CD 1A8B DA08
Please select where to store the key:
(3) Authentication key
Your selection? 3
gpg: WARNING: such a key has already been stored on the card!
Replace existing key? (y/N) y
You need a passphrase to unlock the secret key for
user: "Michael Casadevall <mcasadevall@kubuntu.org>"
2048-bit RSA key, ID AF3D8E0C, created 2009-08-26
sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25
ssb 2048R/1E2110C3 created: 2009-08-26 expires: never
card-no: 0005 0000005D
ssb 2048R/C511F667 created: 2009-08-26 expires: never
card-no: 0005 0000005D
ssb* 2048R/AF3D8E0C created: 2009-08-26 expires: never
card-no: 0005 0000005D
(1) Michael Casadevall <mcasadevall@ubuntu.com>
(2) Michael Casadevall <michael.casadevall@canonical.com>
(3) Michael Casadevall <mcasadevall@debian.org>
(4) Michael Casadevall <mcasadevall@kubuntu.org>
Command> toggle
pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC
trust: ultimate validity: ultimate
sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E
sub 2048R/C511F667 created: 2009-08-26 expires: 2010-08-26 usage: S
sub 2048R/AF3D8E0C created: 2009-08-26 expires: 2010-08-26 usage: A
[ultimate] (1). Michael Casadevall <mcasadevall@kubuntu.org>
[ultimate] (2) Michael Casadevall <mcasadevall@ubuntu.com>
[ultimate] (3) Michael Casadevall <michael.casadevall@canonical.com>
[ultimate] (4) Michael Casadevall <mcasadevall@debian.org>
Command> save
At this point, all the secret subkeys have been removed, and only exist on your pendrive (along with the primary key), or on your smartcard. The secret keys on this machine have been replaced with stubs that tell gnupg to look at the smartcard for the secert key. If you export the secret keys now, you'll only export the stub, and not the secret key.
If done correctly, any operations requiring your private key will now require you to put in the smartcard as that's the only copy of the subkeys available. You'll want to make sure both signing and encryption/decrption works:
Decryption:
mcasadevall@daybreak:~$ gpg2 -d examples.desktop.gpg
gpg: encrypted with 2048-bit RSA key, ID 1E2110C3, created 2009-08-26
"Michael Casadevall <mcasadevall@kubuntu.org>"
gpg: public key decryption failed: Card not present
gpg: decryption failed: No secret key
*card is inserted*
mcasadevall@daybreak:~$ gpg2 -d examples.desktop.gpg
gpg: encrypted with 2048-bit RSA key, ID 1E2110C3, created 2009-08-26
"Michael Casadevall <mcasadevall@kubuntu.org>"
[Desktop Entry]
Version=1.0
Type=Link
Name=Examples
Name[es]=Ejemplos
Name[fi]=Esimerkkejä
Name[fr]=Exemples
Comment=Example content for Ubuntu
Comment[es]=Contenido del ejemplo para Ubuntu
Comment[fi]=Esimerkkisisältöjä Ubuntulle
Comment[fr]=Contenu d'exemple pour Ubuntu
URL=file:///usr/share/example-content/
X-Ubuntu-Gettext-Domain=example-content
mcasadevall@daybreak:~$
Signing with smartcard:
mcasadevall@daybreak:~/src$ debsign hello_2.4-1_source.changes
signfile hello_2.4-1.dsc 7B8E6A47
gpg: selecting openpgp failed: ec=6.112
gpg: signing failed: general error
gpg: /tmp/debsign.voIxh9WX/hello_2.4-1.dsc: clearsign failed: general error
debsign: gpg error occurred! Aborting....
mcasadevall@daybreak:~/src$
*insert the card*
mcasadevall@daybreak:~/src$ debsign hello_2.4-1_source.changes
signfile hello_2.4-1.dsc 7B8E6A47
signfile hello_2.4-1_source.changes 7B8E6A47
Your done! I hope you've found this guide helpful. I currently haven't released this GPG key into the wild JUST yet, but I likely will within this week once I make sure I've done everything correctly. Please leave comments if you see any mistakes or want to make any recommendations. Thanks for reading!
Saturday, August 1, 2009
On the topic of being prepared ...
Disaster can strike at any time. Such as 00:00, in Ireland, thousands of miles away from home. I'm pleased to report my /usr/lib folder did a bunk, and simply vanished, leaving my system in an unusable state. I managed to check dmesg before my system crashed, seems my laptop's HDD reported a load of error messages before my system went and did a bunk. I'm not sure if this is failed hardware, a kernel issue, or something else.
Fortunately, I'm prepared for such a disaster. I have a Kubuntu livecd which has been living in my bag since UDS, a spare netbook (with an SATA drive I can poach if I can confirm this one has actually failed or I can use it as a full blown replacement if need-be, although its slow), a USB HDD which I'm now backing up what remains of my data (the irreplaceables, that is, my GPG, SSH keys, and most of my writing are already safely backed up at home on my file server), and so forth.
SMART status on the internal HDD is as follows:
ubuntu@ubuntu:/$ sudo smartctl -H /dev/sda
smartctl version 5.38 [i686-pc-linux-gnu] Copyright (C) 2002-8 Bruce Allen
Home page is http://smartmontools.sourceforge.net/
=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED
Please note the following marginal Attributes:
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
190 Airflow_Temperature_Cel 0x0022 054 031 045 Old_age Always In_the_past 46 (0 48 46 39)
Looks like the drive probably overheated in the distant past, but SMART did pass so I dunno ... Anyway, given the state of things, I'll run badblocks on the drive once I finish backing up, and hope for the best. Its got to make it to the end of this week ...
Fortunately, I'm prepared for such a disaster. I have a Kubuntu livecd which has been living in my bag since UDS, a spare netbook (with an SATA drive I can poach if I can confirm this one has actually failed or I can use it as a full blown replacement if need-be, although its slow), a USB HDD which I'm now backing up what remains of my data (the irreplaceables, that is, my GPG, SSH keys, and most of my writing are already safely backed up at home on my file server), and so forth.
SMART status on the internal HDD is as follows:
ubuntu@ubuntu:/$ sudo smartctl -H /dev/sda
smartctl version 5.38 [i686-pc-linux-gnu] Copyright (C) 2002-8 Bruce Allen
Home page is http://smartmontools.sourceforge.net/
=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED
Please note the following marginal Attributes:
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
190 Airflow_Temperature_Cel 0x0022 054 031 045 Old_age Always In_the_past 46 (0 48 46 39)
Looks like the drive probably overheated in the distant past, but SMART did pass so I dunno ... Anyway, given the state of things, I'll run badblocks on the drive once I finish backing up, and hope for the best. Its got to make it to the end of this week ...
Subscribe to:
Posts (Atom)