
Yubikey Rebuild Manual

Published: at 00:36

Preface

If you are a prospective Yubikey/hardware key user, my advice is to prepare a plan for losing the hardware key as early as possible; if you are a current Yubikey/hardware key user, my advice is: hurry up and buy an AirTag to protect your key(

Well, enough chatter. This article is the lesson I drew after losing my everyday Yubikey. If you have, or have ever had, any worries about the physical security of a hardware key, this article will give you an idea of what it costs to rebuild one.


-1. Revoke the old keys

For safety's sake, the very first thing to do (step minus one) is to immediately update the GPG public key bound to your GitHub account, and to unbind this key's FIDO2 two-factor registration on every site it was registered with (if you never kept a list, you are already sweating at this point). If you set up GPG-based SSH login, you should also immediately update every VPS that has this SSH key in its authorized_keys. Revoke first, then propagate: a revocation that only exists in your local keyring protects nobody until the updated public key reaches the places that verify your signatures and logins.

```
~ gpg --edit-key E730A010ECDFB4890FF198983CB3DFA9524C0B90
gpg (GnuPG) 2.4.1; Copyright (C) 2023 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  ed25519/3CB3DFA9524C0B90
     created: 2023-03-09  expires: never       usage: SC
     card-no: 0006 18139415
     trust: ultimate      validity: ultimate
ssb  cv25519/B81202E9ACA8A99B
     created: 2023-03-09  expires: never       usage: E
     card-no: 0006 18139415
ssb  ed25519/298CFCC6EE0BB2AE
     created: 2023-03-09  expires: never       usage: A
     card-no: 0006 18139415
ssb  ed25519/2BC2249D2C2CF85D
     created: 2023-03-09  expires: 2025-03-10  usage: S
     card-no: 0006 20817858
ssb  ed25519/FB024359F49B5025
     created: 2023-03-11  expires: 2025-03-10  usage: S
     card-no: 0006 20489903
ssb  rsa2048/3A9967ACE891FA13
     created: 2023-08-17  expires: 2024-08-16  usage: A
     card-no: 0006 20817858
ssb  rsa2048/1B29C1D42B01797D
     created: 2023-08-17  expires: 2024-08-16  usage: A
     card-no: 0006 20489903
[ultimate] (1). Yesterday17 <[email protected]>

gpg> key 4
[listing printed again; subkey 4 (FB024359F49B5025) now shows as ssb*]

gpg> key 6
[listing printed again; subkeys 4 (FB024359F49B5025) and 6 (1B29C1D42B01797D) now show as ssb*]

gpg> revkey
Do you really want to revoke the selected subkeys? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
Your decision? 1
Enter an optional description; end it with an empty line:
> The smartkey which stores this key was lost.
>
Reason for revocation: Key has been compromised
The smartkey which stores this key was lost.
Is this okay? (y/N) y

sec  ed25519/3CB3DFA9524C0B90
     created: 2023-03-09  expires: never       usage: SC
     card-no: 0006 18139415
     trust: ultimate      validity: ultimate
ssb  cv25519/B81202E9ACA8A99B
     created: 2023-03-09  expires: never       usage: E
     card-no: 0006 18139415
ssb  ed25519/298CFCC6EE0BB2AE
     created: 2023-03-09  expires: never       usage: A
     card-no: 0006 18139415
ssb  ed25519/2BC2249D2C2CF85D
     created: 2023-03-09  expires: 2025-03-10  usage: S
     card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb  ed25519/FB024359F49B5025
     created: 2023-03-11  revoked: 2024-05-27  usage: S
     card-no: 0006 20489903
ssb  rsa2048/3A9967ACE891FA13
     created: 2023-08-17  expires: 2024-08-16  usage: A
     card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb  rsa2048/1B29C1D42B01797D
     created: 2023-08-17  revoked: 2024-05-27  usage: A
     card-no: 0006 20489903
[ultimate] (1). Yesterday17 <[email protected]>

gpg> save
```

At this point the copy in your own keyring is revoked. Now export the public key so the revocation can be published:

Two things to keep in mind here. First, the revocation is just a new self-signature on your local copy until others see it: re-upload the exported key to GitHub (delete the old entry and add the new export), to any keyserver you publish to, and anywhere else that holds your public key. Second, the reason code matters: RFC 4880 says that a key revoked as compromised (1) makes every signature it ever produced suspect, whereas superseded (2) or no longer used (3) leaves signatures made before the revocation date valid. Choosing 1, as above, is the right call if whoever holds the key might be able to use it; just expect your old commit signatures from that subkey to be treated accordingly.

```
gpg --armor --export E730A010ECDFB4890FF198983CB3DFA9524C0B90
```
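As an added example (not part of the original post), the script below does the first half of this step by machine instead of by eye: it parses the colon-separated output of `gpg --with-colons --list-secret-keys`, maps each subkey stub to the card that holds its secret key, and prints the `key N` numbers that `gpg --edit-key` expects, plus the answers you would feed it through `--command-fd` to revoke those subkeys and save. The listing embedded in it is constructed to mirror the author's key set (the user ID's e-mail is a placeholder); the only layout it relies on is GnuPG's documented colon format (field 15 of a `sec`/`ssb` record is the token serial number), and the lost card is `0006 20489903` from the listing above.

```python
"""Which subkeys were on the lost card, and how to revoke them.

Added example, not from the original post. Parses the colon-separated
output of `gpg --with-colons --list-secret-keys` (format: GnuPG doc/DETAILS).
"""
import subprocess

# Constructed sample mirroring the author's key set, in the order gpg lists
# it (the e-mail is a placeholder). Field 15 (index 14) of a sec/ssb record
# is the serial number (OpenPGP application ID) of the token holding the key.
SAMPLE_LISTING = """\
sec:u:255:22:3CB3DFA9524C0B90:1678320000:::u:::scSC:::D2760001240100000006181394150000::ed25519::
fpr:::::::::E730A010ECDFB4890FF198983CB3DFA9524C0B90:
uid:u::::1678320000::0000000000000000000000000000000000000000::Yesterday17 <user@example.com>::::::::::0:
ssb:u:255:18:B81202E9ACA8A99B:1678320000::::::e:::D2760001240100000006181394150000::cv25519::
ssb:u:255:22:298CFCC6EE0BB2AE:1678320000::::::a:::D2760001240100000006181394150000::ed25519::
ssb:u:255:22:2BC2249D2C2CF85D:1678320000:1741564800:::::s:::D2760001240100000006208178580000::ed25519::
ssb:u:255:22:FB024359F49B5025:1678492800:1741564800:::::s:::D2760001240100000006204899030000::ed25519::
ssb:u:2048:1:3A9967ACE891FA13:1692230400:1723766400:::::a:::D2760001240100000006208178580000::::
ssb:u:2048:1:1B29C1D42B01797D:1692230400:1723766400:::::a:::D2760001240100000006204899030000::::
"""

LOST_CARD = "0006 20489903"  # the everyday key that went missing


def card_no_from_aid(aid):
    """Render a 16-byte OpenPGP application ID the way gpg prints `card-no:`.

    Bytes 8-9 are the manufacturer ID, bytes 10-13 the serial number:
    D2760001240100000006267887010000 -> '0006 26788701'.
    """
    aid = aid.strip().upper()
    if len(aid) != 32:
        raise ValueError("unexpected application ID: %r" % aid)
    return aid[16:20] + " " + aid[20:28]


def subkeys_on_card(listing, card_no):
    """Return [(index, keyid), ...] for every ssb whose stub points at card_no.

    index is 1-based in ssb order, which is the number `key N` takes inside
    `gpg --edit-key`. Keys without a token serial (held on disk, or '#' for
    a missing secret key) never match.
    """
    hits, index = [], 0
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] != "ssb":
            continue
        index += 1
        token = f[14] if len(f) > 14 else ""
        if len(token) == 32 and card_no_from_aid(token) == card_no:
            hits.append((index, f[4]))
    return hits


def revocation_script(indexes, description, reason=1):
    """Answers for `gpg --command-fd 0 --status-fd 2 --edit-key <FPR>`.

    Same prompt sequence as the interactive session: select each subkey,
    revkey, confirm, reason (1 compromised, 2 superseded, 3 no longer used),
    free-text description ended by an empty line, confirm, save.
    """
    answers = ["key %d" % i for i in indexes]
    answers += ["revkey", "y", str(reason), description, "", "y", "save"]
    return "\n".join(answers) + "\n"


def live_listing():
    """The real listing from the local keyring (not used by the demo)."""
    return subprocess.run(["gpg", "--with-colons", "--list-secret-keys"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    hits = subkeys_on_card(SAMPLE_LISTING, LOST_CARD)
    for index, keyid in hits:
        print("key %d  -> %s" % (index, keyid))
    print(revocation_script([i for i, _ in hits],
                            "The smartkey which stores this key was lost."))
```

Against the sample this prints `key 4` and `key 6`, the same two subkeys the session above selects by hand. To use it on a real keyring, swap `SAMPLE_LISTING` for `live_listing()`, read the printed plan, and only then pipe the answers into `gpg --command-fd 0 --status-fd 2 --edit-key <FPR>`: the script ends with `save`, so there is no second confirmation.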

0. Purchase

Then, of course, buy one. Cloudflare's deal ended two years ago, so the cheap ways to get a Yubikey now are probably only Xianyu (second-hand) or a private trade. You need a brand-new Yubikey to continue with the steps below. If the key is second-hand, treat it as untrusted hardware until you have factory-reset every application you intend to use (`ykman openpgp reset`, `ykman fido reset`) and confirmed it is genuine with Yubico's genuine-device check; a key that arrives with PINs already set is a warning sign, not a convenience.

1. Initialization

The first thing to do with a new key is to initialize it.

Change the OpenPGP PIN

First enable KDF, so the key stores only a hash of the PINs instead of the plaintext, then change the PINs themselves. Do this on a fresh card before any keys are loaded, as here; `kdf-setup` is an admin command (hence `admin` first), and the factory defaults are 123456 for the user PIN and 12345678 for the Admin PIN, so both must be changed before the card is used for anything:

```
~ gpg --edit-card
gpg/card> admin
Admin commands are allowed

gpg/card> kdf-setup

gpg/card> passwd
gpg: OpenPGP card no. D2760001240100000006267887010000 detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 1
Error changing the PIN: Bad PIN

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 3
Error changing the PIN: Bad PIN

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? Q

gpg/card>
```

Change the PIN retry counters

Then raise the PIN retry count a little, since getting locked out is annoying... of course, if you trust your memory and your typing accuracy enough, you can also keep the default lock after 3 attempts(

The three numbers are the retry counters for the user PIN, the Reset Code and the Admin PIN, in that order, and the command needs the Admin PIN. Keep the trade-off in mind: a short numeric user PIN with 8 attempts gives whoever picks up the key 8 guesses instead of 3 before the card blocks it.

```
ykman openpgp access set-retries 8 1 8
```

PINs

A Yubikey has three kinds of PIN in total [1]. The one we use most is the OpenPGP PIN, which is normally entered through pinentry when committing, pushing, or logging in over SSH. It is the only thing between whoever holds the key and your signing and authentication subkeys: after the configured number of wrong attempts the user PIN blocks and can only be unblocked with the Admin PIN or the Reset Code, and once the Admin PIN is blocked as well, only a factory reset of the OpenPGP application remains, which destroys the keys on it.

After getting a new Yubikey, the first thing to do is set all of these:

2. Generate subkeys

Preparation done, it is time to generate the new subkeys. If, like me, you keep the Master Key on a separate Yubikey, this is the moment to plug that key in and start generating the new subkeys.

The keys we generate this time are all ECC keys on the ED25519 curve. One is a Signature Key, which signs our Git operations; the other is an Authentication Key, which handles everything SSH. We give the Sign key a 1-year expiry so that Git GPG signing can be managed more flexibly; the Auth key gets no expiry, because even if you set one, SSH will not automatically reject the key once it expires (sad): sshd only sees the raw SSH public key in authorized_keys and knows nothing about OpenPGP expiry dates.

Note that `addkey` generates the subkey on the host, not on the card; it is only moved to the card in step 3. That is what makes a backup possible (`--export-secret-subkeys` before `keytocard` and `save`), but it also means the private key sits on this machine's disk in the meantime, so do this on a machine you trust. GnuPG's `--quick-add-key` option can create the same two subkeys without the menus if you prefer scripting this.

```
~ gpg --expert --edit-key E730A010ECDFB4890FF198983CB3DFA9524C0B90
gpg (GnuPG) 2.4.5; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  ed25519/3CB3DFA9524C0B90
     created: 2023-03-09  expires: never       usage: SC
     card-no: 0006 18139415
     trust: ultimate      validity: ultimate
ssb  cv25519/B81202E9ACA8A99B
     created: 2023-03-09  expires: never       usage: E
     card-no: 0006 18139415
ssb  ed25519/298CFCC6EE0BB2AE
     created: 2023-03-09  expires: never       usage: A
     card-no: 0006 18139415
ssb  ed25519/2BC2249D2C2CF85D
     created: 2023-03-09  expires: 2025-03-10  usage: S
     card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb  ed25519/FB024359F49B5025
     created: 2023-03-11  revoked: 2024-05-27  usage: S
     card-no: 0006 20489903
ssb  rsa2048/3A9967ACE891FA13
     created: 2023-08-17  expires: 2024-08-16  usage: A
     card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb  rsa2048/1B29C1D42B01797D
     created: 2023-08-17  revoked: 2024-05-27  usage: A
     card-no: 0006 20489903
[ultimate] (1). Yesterday17 <[email protected]>

gpg> addkey
Secret parts of primary key are stored on-card.
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
Your selection? 10
Please select which elliptic curve you want:
   (1) Curve 25519 *default*
   (2) Curve 448
   (3) NIST P-256
   (4) NIST P-384
   (5) NIST P-521
   (6) Brainpool P-256
   (7) Brainpool P-384
   (8) Brainpool P-512
   (9) secp256k1
Your selection? 1
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at 5/28 00:04:29 2025 CST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

[listing printed again, now ending with the new signing subkey:]
ssb  ed25519/9DE5B4BEB4284E4F
     created: 2024-05-27  expires: 2025-05-27  usage: S
[ultimate] (1). Yesterday17 <[email protected]>

gpg> addkey
Secret parts of primary key are stored on-card.
Please select what kind of key you want:
[same key-type menu as above]
Your selection? 11

Possible actions for this ECC key: Sign Authenticate
Current allowed actions: Sign

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for this ECC key: Sign Authenticate
Current allowed actions:

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? a

Possible actions for this ECC key: Sign Authenticate
Current allowed actions: Authenticate

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
Please select which elliptic curve you want:
[same curve menu as above]
Your selection? 1
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

[listing printed again, now ending with both new subkeys:]
ssb  ed25519/9DE5B4BEB4284E4F
     created: 2024-05-27  expires: 2025-05-27  usage: S
ssb  ed25519/F2C2EA61718A9DBC
     created: 2024-05-27  expires: never       usage: A
[ultimate] (1). Yesterday17 <[email protected]>

gpg> save
```

3. Export the subkeys

Generation done, next comes the export. Pull out the Master Key and plug in the brand-new everyday key. `keytocard` moves the secret subkey onto the card and, once you `save`, replaces the on-disk copy with a stub pointing at the card (gpg says as much in the "Note:" line below), so this is the last chance to take a backup. `keytocard` works on exactly one selected key at a time, which is why the second `key 7` below deselects subkey 7 before subkey 8 is selected; and because subkey 8 only has the A capability, its `keytocard` menu offers nothing but the Authentication slot:

```
gpg --expert --edit-key E730A010ECDFB4890FF198983CB3DFA9524C0B90
gpg (GnuPG) 2.4.5; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

[same listing as at the end of step 2, ending with the two new subkeys:]
ssb  ed25519/9DE5B4BEB4284E4F
     created: 2024-05-27  expires: 2025-05-27  usage: S
ssb  ed25519/F2C2EA61718A9DBC
     created: 2024-05-27  expires: never       usage: A
[ultimate] (1). Yesterday17 <[email protected]>

gpg> key 7
[listing printed again; subkey 7 (9DE5B4BEB4284E4F) now shows as ssb*]

gpg> keytocard
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1
[listing printed again; subkey 7 still shows as ssb*]

Note: the local copy of the secret key will only be deleted with "save".
gpg> key 7
[listing printed again; subkey 7 is deselected and shows as plain ssb]

gpg> key 8
[listing printed again; subkey 8 (F2C2EA61718A9DBC) now shows as ssb*]

gpg> keytocard
Please select where to store the key:
   (3) Authentication key
Your selection? 3
[listing printed again; subkey 8 still shows as ssb*]

Note: the local copy of the secret key will only be deleted with "save".
gpg> save
```

4. Export the public key

What gets exported now is the brand-new, usable public key(

Upload it to GitHub in place of the old one, and point Git at the new signing subkey (`user.signingkey 9DE5B4BEB4284E4F!`, where the trailing `!` pins that exact subkey). The SSH side needs the new Auth subkey in OpenSSH format, which `gpg --export-ssh-key` prints, not this OpenPGP export.

```
gpg --armor --export E730A010ECDFB4890FF198983CB3DFA9524C0B90
```

5. Prepare a loss plan

Next time must not be a repeat of this one. Starting from that simple thought, let's sort out what to do from now on.

First, when a key is lost, the very first thing to do is to completely unbind every service tied to that key. For that we need to:

  1. Keep a list of the sites where FIDO is registered. Only when you know which sites are bound can you go through them one by one)
  2. Add an automatic SSH key update mechanism for the VPSes. Updating SSH keys by hand one host at a time is not really practical; best to have it run automatically. Looked at from the other side, once that automation is in place, the Auth key can get an expiry date too (I'm sure)
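As an added example for the second item (not the author's tooling), the script below rotates one SSH key in an authorized_keys file: it drops every line whose key blob matches a retired key and makes sure the replacement is present exactly once, leaving other entries and their options (such as a `from=` restriction) untouched, so it can run repeatedly against every host. The key lines in it are constructed placeholders rather than real keys, and the push helper at the end assumes you can still log in to the host with some other key; in practice the replacement line is what `gpg --export-ssh-key <FPR>` prints for the new Auth subkey.

```python
"""Rotate an SSH public key across authorized_keys files.

Added example, not the author's tooling. Key lines are constructed
placeholders (valid syntax, not real keys).
"""
import shlex
import subprocess

# Key-type prefixes recognised in an authorized_keys line.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-")

# Constructed sample data (placeholder blobs, not real keys).
OLD_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLOSTKEY cardno:000620489903"
NEW_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWAUTHKEY openpgp:0x718A9DBC"
SAMPLE_AUTHORIZED_KEYS = """\
# deploy key for CI, must survive the rotation
from="10.0.0.0/8",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEPLOYKEY deploy@ci
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLOSTKEY cardno:000620489903
"""


def parse_key_line(line):
    """Return (keytype, blob) for an authorized_keys entry, or None for blank
    lines and comments. A leading options field (from="...",no-pty ...) is
    skipped by looking for the first token that is a key type."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    try:
        tokens = shlex.split(stripped)
    except ValueError:  # unbalanced quotes: not a key line we can reason about
        return None
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_TYPES):
            return tok, tokens[i + 1]
    return None


def rotate_authorized_keys(current, retired, replacement):
    """Remove every entry matching a retired key, add `replacement` if missing.

    Matching is on (keytype, blob), so comments and options do not matter.
    Unknown lines are preserved verbatim; the function is idempotent.
    """
    retired_ids = {parse_key_line(k) for k in retired} - {None}
    new_id = parse_key_line(replacement)
    if new_id is None:
        raise ValueError("replacement is not a public key line")
    kept, present = [], False
    for line in current.splitlines():
        ident = parse_key_line(line)
        if ident is not None and ident in retired_ids:
            continue  # the key that lived on the lost device
        present = present or ident == new_id
        kept.append(line)
    if not present:
        kept.append(replacement.strip())
    return "\n".join(kept) + "\n"


def push_authorized_keys(host, content):
    """Write `content` as ~/.ssh/authorized_keys on `host` via a temp file and
    rename. Not run by the demo; assumes you can still log in to `host` with
    some other key. Keep that session open until a login with the new key works."""
    remote = ("umask 077 && mkdir -p ~/.ssh && cat > ~/.ssh/authorized_keys.new"
              " && mv ~/.ssh/authorized_keys.new ~/.ssh/authorized_keys")
    subprocess.run(["ssh", host, remote], input=content, text=True, check=True)


if __name__ == "__main__":
    print(rotate_authorized_keys(SAMPLE_AUTHORIZED_KEYS, [OLD_KEY], NEW_KEY))
```

On each host, confirm a fresh login with the new key before closing the session that pushed the file. If you do want a lifetime on the SSH side, OpenSSH certificates (`ssh-keygen -s` with a `-V` validity window) are how sshd itself enforces an expiry, which an OpenPGP expiry date cannot do for it.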

From the other direction, we want to maximize the chance of getting the key back after it is lost. So:

Finally, the best thing of all is to not lose it in the first place. So:

I'm warning you! When you go out, never put the Yubikey straight into your pocket!!! And especially never assume the pocket is fine just because you put it in there!!!!!!!!!!!!!!!!!! I'm about to ascend!!!!!!!!!! Goddammit!!!!!

This time I was lucky that it only fell out in the car, but there must not be a next time!