Preface
If you are a prospective Yubikey/hardware key user, my advice is to prepare a plan for losing the hardware key as early as possible; if you are a current Yubikey/hardware key user, my advice is to go buy an AirTag right now to protect your Key(
Anyway, enough rambling. This article is what I, after losing the Yubikey I used every day,
-1. Revoke the old key
For safety's sake, the "minus-first" thing to do is to immediately update the GPG public key registered on GitHub, and to unbind this Key's FIDO2 two-factor authentication on every site it was enrolled with. For SSH login backed by GPG, you should likewise immediately update the configuration of every VPS that lists this SSH Key in its authorized_keys.
```
➜ ~ gpg --edit-key E730A010ECDFB4890FF198983CB3DFA9524C0B90
gpg (GnuPG) 2.4.1; Copyright (C) 2023 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  ed25519/3CB3DFA9524C0B90
     created: 2023-03-09  expires: never       usage: SC
     card-no: 0006 18139415
     trust: ultimate      validity: ultimate
ssb  cv25519/B81202E9ACA8A99B
     created: 2023-03-09  expires: never       usage: E
     card-no: 0006 18139415
ssb  ed25519/298CFCC6EE0BB2AE
     created: 2023-03-09  expires: never       usage: A
     card-no: 0006 18139415
ssb  ed25519/2BC2249D2C2CF85D
     created: 2023-03-09  expires: 2025-03-10  usage: S
     card-no: 0006 20817858
ssb  ed25519/FB024359F49B5025
     created: 2023-03-11  expires: 2025-03-10  usage: S
     card-no: 0006 20489903
ssb  rsa2048/3A9967ACE891FA13
     created: 2023-08-17  expires: 2024-08-16  usage: A
     card-no: 0006 20817858
ssb  rsa2048/1B29C1D42B01797D
     created: 2023-08-17  expires: 2024-08-16  usage: A
     card-no: 0006 20489903

gpg> key 4

sec  ed25519/3CB3DFA9524C0B90
     created: 2023-03-09  expires: never       usage: SC
     card-no: 0006 18139415
     trust: ultimate      validity: ultimate
ssb  cv25519/B81202E9ACA8A99B
     created: 2023-03-09  expires: never       usage: E
     card-no: 0006 18139415
ssb  ed25519/298CFCC6EE0BB2AE
     created: 2023-03-09  expires: never       usage: A
     card-no: 0006 18139415
ssb  ed25519/2BC2249D2C2CF85D
     created: 2023-03-09  expires: 2025-03-10  usage: S
     card-no: 0006 20817858
ssb* ed25519/FB024359F49B5025
     created: 2023-03-11  expires: 2025-03-10  usage: S
     card-no: 0006 20489903
ssb  rsa2048/3A9967ACE891FA13
     created: 2023-08-17  expires: 2024-08-16  usage: A
     card-no: 0006 20817858
ssb  rsa2048/1B29C1D42B01797D
     created: 2023-08-17  expires: 2024-08-16  usage: A
     card-no: 0006 20489903

gpg> key 6

sec  ed25519/3CB3DFA9524C0B90
     created: 2023-03-09  expires: never       usage: SC
     card-no: 0006 18139415
     trust: ultimate      validity: ultimate
ssb  cv25519/B81202E9ACA8A99B
     created: 2023-03-09  expires: never       usage: E
     card-no: 0006 18139415
ssb  ed25519/298CFCC6EE0BB2AE
     created: 2023-03-09  expires: never       usage: A
     card-no: 0006 18139415
ssb  ed25519/2BC2249D2C2CF85D
     created: 2023-03-09  expires: 2025-03-10  usage: S
     card-no: 0006 20817858
ssb* ed25519/FB024359F49B5025
     created: 2023-03-11  expires: 2025-03-10  usage: S
     card-no: 0006 20489903
ssb  rsa2048/3A9967ACE891FA13
     created: 2023-08-17  expires: 2024-08-16  usage: A
     card-no: 0006 20817858
ssb* rsa2048/1B29C1D42B01797D
     created: 2023-08-17  expires: 2024-08-16  usage: A
     card-no: 0006 20489903

gpg> revkey
Do you really want to revoke the selected subkeys? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
Your decision? 1
Enter an optional description; end it with an empty line:
> The smartkey which stores this key was lost.
>
Reason for revocation: Key has been compromised
The smartkey which stores this key was lost.
Is this okay? (y/N) y

sec  ed25519/3CB3DFA9524C0B90
     created: 2023-03-09  expires: never       usage: SC
     card-no: 0006 18139415
     trust: ultimate      validity: ultimate
ssb  cv25519/B81202E9ACA8A99B
     created: 2023-03-09  expires: never       usage: E
     card-no: 0006 18139415
ssb  ed25519/298CFCC6EE0BB2AE
     created: 2023-03-09  expires: never       usage: A
     card-no: 0006 18139415
ssb  ed25519/2BC2249D2C2CF85D
     created: 2023-03-09  expires: 2025-03-10  usage: S
     card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb  ed25519/FB024359F49B5025
     created: 2023-03-11  revoked: 2024-05-27  usage: S
     card-no: 0006 20489903
ssb  rsa2048/3A9967ACE891FA13
     created: 2023-08-17  expires: 2024-08-16  usage: A
     card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb  rsa2048/1B29C1D42B01797D
     created: 2023-08-17  revoked: 2024-05-27  usage: A
     card-no: 0006 20489903

gpg> save
```
At this point only the copy in your local keyring carries the revocation. Export the public key so the revoked subkeys can be pushed to GitHub and wherever else the key is published:
```
gpg --armor --export E730A010ECDFB4890FF198983CB3DFA9524C0B90
```
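Before typing `key N` and `revkey` by hand, it helps to confirm which subkeys actually live on the missing card and nowhere else. The following is an added example, not code from the original post: it parses `gpg --list-secret-keys --with-colons` output, assumes that field 15 holds the card's OpenPGP application ID (manufacturer and serial at fixed hex offsets, as in the card id shown later in this post), and runs on a constructed sample that mirrors the listing above. It also flags subkeys past their expiry, which matters because SSH never checks OpenPGP expiry itself.

```python
"""Find the subkeys stored on a lost card from `gpg --list-secret-keys --with-colons`."""
from typing import List, NamedTuple, Optional

# Constructed sample mirroring the listing in this post (epochs match the dates shown).
# Assumption: field 15 carries the card's OpenPGP application ID for card-backed keys.
SAMPLE = """\
sec:u:256:22:3CB3DFA9524C0B90:1678320000:::u:::scESCA:::D2760001240100000006181394150000::ed25519:::0:
uid:u::::1678320000::0123456789ABCDEF0123456789ABCDEF01234567::Yesterday17 <user@example.invalid>::::::::::0:
ssb:u:256:18:B81202E9ACA8A99B:1678320000::::::e:::D2760001240100000006181394150000::cv25519::
ssb:u:256:22:298CFCC6EE0BB2AE:1678320000::::::a:::D2760001240100000006181394150000::ed25519::
ssb:u:256:22:2BC2249D2C2CF85D:1678320000:1741564800:::::s:::D2760001240100000006208178580000::ed25519::
ssb:u:256:22:FB024359F49B5025:1678492800:1741564800:::::s:::D2760001240100000006204899030000::ed25519::
ssb:u:2048:1:3A9967ACE891FA13:1692230400:1723766400:::::a:::D2760001240100000006208178580000::::
ssb:u:2048:1:1B29C1D42B01797D:1692230400:1723766400:::::a:::D2760001240100000006204899030000::::
"""


class Subkey(NamedTuple):
    index: int              # 1-based position, i.e. the N in `key N` inside gpg --edit-key
    keyid: str
    caps: str               # lowercase capability letters of this subkey: s, e, a
    expires: Optional[int]  # epoch seconds, None when the subkey never expires
    revoked: bool
    card_no: Optional[str]  # "0006 20489903", as gpg --edit-key prints card-no


def card_no_from_aid(aid: str) -> Optional[str]:
    """Manufacturer + serial from a 32-hex-digit application ID (layout as the card id
    in this post: D276000124 01 0000 0006 26788701 0000); None for '+' or '#'."""
    if len(aid) != 32 or any(c not in "0123456789ABCDEF" for c in aid):
        return None
    return f"{aid[16:20]} {aid[20:28]}"


def parse_subkeys(colons: str) -> List[Subkey]:
    subkeys: List[Subkey] = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] != "ssb":
            continue
        f += [""] * (21 - len(f))  # tolerate records shorter than the documented 21 fields
        subkeys.append(Subkey(len(subkeys) + 1, f[4], f[11],
                              int(f[6]) if f[6] else None, f[1] == "r",
                              card_no_from_aid(f[14])))
    return subkeys


def subkeys_on_lost_card(colons: str, lost_card_no: str) -> List[Subkey]:
    """Live (not yet revoked) subkeys whose secret material sits on the lost card."""
    return [sk for sk in parse_subkeys(colons)
            if sk.card_no == lost_card_no and not sk.revoked]


def expired_subkeys(colons: str, now: int) -> List[Subkey]:
    """Subkeys past their expiry at `now`; SSH will not reject these on its own."""
    return [sk for sk in parse_subkeys(colons)
            if sk.expires is not None and sk.expires <= now and not sk.revoked]


def edit_key_commands(colons: str, lost_card_no: str) -> List[str]:
    """The `gpg --edit-key` command sequence this post types by hand."""
    selected = subkeys_on_lost_card(colons, lost_card_no)
    return [f"key {sk.index}" for sk in selected] + (["revkey", "save"] if selected else [])
```

On the sample this yields `key 4`, `key 6`, `revkey`, `save`, the same selection made interactively above.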
0. Buy one
Then, of course, comes buying one. Since the Cloudflare deal drove off two years ago, the only cheap way to get a Yubikey today is probably 闲鱼 (Xianyu, the second-hand marketplace)
1. Initialization
The first thing to do with the new Key is to initialize it.
Change the OpenPGP PIN
First enable KDF, so that the Key no longer stores the PIN in plaintext, and then change the PIN itself:
```
➜ ~ gpg --edit-card
gpg/card> admin
Admin commands are allowed

gpg/card> kdf-setup

gpg/card> passwd
gpg: OpenPGP card no. D2760001240100000006267887010000 detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 1
Error changing the PIN: Bad PIN

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 3
Error changing the PIN: Bad PIN

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? Q

gpg/card>
```
Change the PIN retry counter
Then raise the PIN retry counter a little, since getting locked out is annoying too... Of course, if you trust your memory and your typing accuracy enough, you can also keep the default lock after 3 attempts(
```
ykman openpgp access set-retries 8 1 8
```
PINs
A Yubikey has three kinds of PIN in total [1]:
- FIDO2
- PIV (smart card)
- OpenPGP
The one we use most often is the OpenPGP PIN; it is typically entered through pinentry at Git commit, push, and SSH login time.
After getting a new Yubikey, the first thing to do is to set all of these PINs:
2. Generate subkeys
Preparation done, it is time to generate the new subkeys. If, like me, you keep the Master Key on a separate Yubikey, now is the moment to plug in the right key and start generating 🚢 the new subkeys:
(all user input is highlighted)
The Keys we generate this time are all ECC keys on the ED25519 algorithm. One is the Signature Key, responsible for signing our Git operations; the other is the Authentication Key, which handles everything SSH-related. We give the Sign key a 1-year expiry so that Git GPG signing can be managed more flexibly; the Auth key gets no expiry because even if you configure one, SSH will not automatically reject an expired Key based on it (sad)
```
➜ ~ gpg --expert --edit-key E730A010ECDFB4890FF198983CB3DFA9524C0B90
gpg (GnuPG) 2.4.5; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  ed25519/3CB3DFA9524C0B90
     created: 2023-03-09  expires: never       usage: SC
     card-no: 0006 18139415
     trust: ultimate      validity: ultimate
ssb  cv25519/B81202E9ACA8A99B
     created: 2023-03-09  expires: never       usage: E
     card-no: 0006 18139415
ssb  ed25519/298CFCC6EE0BB2AE
     created: 2023-03-09  expires: never       usage: A
     card-no: 0006 18139415
ssb  ed25519/2BC2249D2C2CF85D
     created: 2023-03-09  expires: 2025-03-10  usage: S
     card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb  ed25519/FB024359F49B5025
     created: 2023-03-11  revoked: 2024-05-27  usage: S
     card-no: 0006 20489903
ssb  rsa2048/3A9967ACE891FA13
     created: 2023-08-17  expires: 2024-08-16  usage: A
     card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb  rsa2048/1B29C1D42B01797D
     created: 2023-08-17  revoked: 2024-05-27  usage: A
     card-no: 0006 20489903

gpg> addkey
Secret parts of primary key are stored on-card.
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
Your selection? 10
Please select which elliptic curve you want:
   (1) Curve 25519 *default*
   (2) Curve 448
   (3) NIST P-256
   (4) NIST P-384
   (5) NIST P-521
   (6) Brainpool P-256
   (7) Brainpool P-384
   (8) Brainpool P-512
   (9) secp256k1
Your selection? 1
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at 水  5/28 00:04:29 2025 CST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  ed25519/3CB3DFA9524C0B90
     created: 2023-03-09  expires: never       usage: SC
     card-no: 0006 18139415
     trust: ultimate      validity: ultimate
ssb  cv25519/B81202E9ACA8A99B
     created: 2023-03-09  expires: never       usage: E
     card-no: 0006 18139415
ssb  ed25519/298CFCC6EE0BB2AE
     created: 2023-03-09  expires: never       usage: A
     card-no: 0006 18139415
ssb  ed25519/2BC2249D2C2CF85D
     created: 2023-03-09  expires: 2025-03-10  usage: S
     card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb  ed25519/FB024359F49B5025
     created: 2023-03-11  revoked: 2024-05-27  usage: S
     card-no: 0006 20489903
ssb  rsa2048/3A9967ACE891FA13
     created: 2023-08-17  expires: 2024-08-16  usage: A
     card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb  rsa2048/1B29C1D42B01797D
     created: 2023-08-17  revoked: 2024-05-27  usage: A
     card-no: 0006 20489903
ssb  ed25519/9DE5B4BEB4284E4F
     created: 2024-05-27  expires: 2025-05-27  usage: S

gpg> addkey
Secret parts of primary key are stored on-card.
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
Your selection? 11

Possible actions for this ECC key: Sign Authenticate
Current allowed actions: Sign

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for this ECC key: Sign Authenticate
Current allowed actions:

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? a

Possible actions for this ECC key: Sign Authenticate
Current allowed actions: Authenticate

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
Please select which elliptic curve you want:
   (1) Curve 25519 *default*
   (2) Curve 448
   (3) NIST P-256
   (4) NIST P-384
   (5) NIST P-521
   (6) Brainpool P-256
   (7) Brainpool P-384
   (8) Brainpool P-512
   (9) secp256k1
Your selection? 1
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  ed25519/3CB3DFA9524C0B90
     created: 2023-03-09  expires: never       usage: SC
     card-no: 0006 18139415
     trust: ultimate      validity: ultimate
ssb  cv25519/B81202E9ACA8A99B
     created: 2023-03-09  expires: never       usage: E
     card-no: 0006 18139415
ssb  ed25519/298CFCC6EE0BB2AE
     created: 2023-03-09  expires: never       usage: A
     card-no: 0006 18139415
ssb  ed25519/2BC2249D2C2CF85D
     created: 2023-03-09  expires: 2025-03-10  usage: S
     card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb  ed25519/FB024359F49B5025
     created: 2023-03-11  revoked: 2024-05-27  usage: S
     card-no: 0006 20489903
ssb  rsa2048/3A9967ACE891FA13
     created: 2023-08-17  expires: 2024-08-16  usage: A
     card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb  rsa2048/1B29C1D42B01797D
     created: 2023-08-17  revoked: 2024-05-27  usage: A
     card-no: 0006 20489903
ssb  ed25519/9DE5B4BEB4284E4F
     created: 2024-05-27  expires: 2025-05-27  usage: S
ssb  ed25519/F2C2EA61718A9DBC
     created: 2024-05-27  expires: never       usage: A

gpg> save
```
3. Move the subkeys to the card
Generation done, next comes the export. Let's pull out the Master Key and plug in the brand-new everyday Key:
```
➜ gpg --expert --edit-key E730A010ECDFB4890FF198983CB3DFA9524C0B90
gpg (GnuPG) 2.4.5; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  ed25519/3CB3DFA9524C0B90
     created: 2023-03-09  expires: never       usage: SC
     card-no: 0006 18139415
     trust: ultimate      validity: ultimate
ssb  cv25519/B81202E9ACA8A99B
     created: 2023-03-09  expires: never       usage: E
     card-no: 0006 18139415
ssb  ed25519/298CFCC6EE0BB2AE
     created: 2023-03-09  expires: never       usage: A
     card-no: 0006 18139415
ssb  ed25519/2BC2249D2C2CF85D
     created: 2023-03-09  expires: 2025-03-10  usage: S
     card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb  ed25519/FB024359F49B5025
     created: 2023-03-11  revoked: 2024-05-27  usage: S
     card-no: 0006 20489903
ssb  rsa2048/3A9967ACE891FA13
     created: 2023-08-17  expires: 2024-08-16  usage: A
     card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb  rsa2048/1B29C1D42B01797D
     created: 2023-08-17  revoked: 2024-05-27  usage: A
     card-no: 0006 20489903
ssb  ed25519/9DE5B4BEB4284E4F
     created: 2024-05-27  expires: 2025-05-27  usage: S
ssb  ed25519/F2C2EA61718A9DBC
     created: 2024-05-27  expires: never       usage: A

gpg> key 7

sec  ed25519/3CB3DFA9524C0B90
     created: 2023-03-09  expires: never       usage: SC
     card-no: 0006 18139415
     trust: ultimate      validity: ultimate
ssb  cv25519/B81202E9ACA8A99B
     created: 2023-03-09  expires: never       usage: E
     card-no: 0006 18139415
ssb  ed25519/298CFCC6EE0BB2AE
     created: 2023-03-09  expires: never       usage: A
     card-no: 0006 18139415
ssb  ed25519/2BC2249D2C2CF85D
     created: 2023-03-09  expires: 2025-03-10  usage: S
     card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb  ed25519/FB024359F49B5025
     created: 2023-03-11  revoked: 2024-05-27  usage: S
     card-no: 0006 20489903
ssb  rsa2048/3A9967ACE891FA13
     created: 2023-08-17  expires: 2024-08-16  usage: A
     card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb  rsa2048/1B29C1D42B01797D
     created: 2023-08-17  revoked: 2024-05-27  usage: A
     card-no: 0006 20489903
ssb* ed25519/9DE5B4BEB4284E4F
     created: 2024-05-27  expires: 2025-05-27  usage: S
ssb  ed25519/F2C2EA61718A9DBC
     created: 2024-05-27  expires: never       usage: A

gpg> keytocard
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

sec  ed25519/3CB3DFA9524C0B90
     created: 2023-03-09  expires: never       usage: SC
     card-no: 0006 18139415
     trust: ultimate      validity: ultimate
ssb  cv25519/B81202E9ACA8A99B
     created: 2023-03-09  expires: never       usage: E
     card-no: 0006 18139415
ssb  ed25519/298CFCC6EE0BB2AE
     created: 2023-03-09  expires: never       usage: A
     card-no: 0006 18139415
ssb  ed25519/2BC2249D2C2CF85D
     created: 2023-03-09  expires: 2025-03-10  usage: S
     card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb  ed25519/FB024359F49B5025
     created: 2023-03-11  revoked: 2024-05-27  usage: S
     card-no: 0006 20489903
ssb  rsa2048/3A9967ACE891FA13
     created: 2023-08-17  expires: 2024-08-16  usage: A
     card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb  rsa2048/1B29C1D42B01797D
     created: 2023-08-17  revoked: 2024-05-27  usage: A
     card-no: 0006 20489903
ssb* ed25519/9DE5B4BEB4284E4F
     created: 2024-05-27  expires: 2025-05-27  usage: S
ssb  ed25519/F2C2EA61718A9DBC
     created: 2024-05-27  expires: never       usage: A

Note: the local copy of the secret key will only be deleted with "save".
gpg> key 7

sec  ed25519/3CB3DFA9524C0B90
     created: 2023-03-09  expires: never       usage: SC
     card-no: 0006 18139415
     trust: ultimate      validity: ultimate
ssb  cv25519/B81202E9ACA8A99B
     created: 2023-03-09  expires: never       usage: E
     card-no: 0006 18139415
ssb  ed25519/298CFCC6EE0BB2AE
     created: 2023-03-09  expires: never       usage: A
     card-no: 0006 18139415
ssb  ed25519/2BC2249D2C2CF85D
     created: 2023-03-09  expires: 2025-03-10  usage: S
     card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb  ed25519/FB024359F49B5025
     created: 2023-03-11  revoked: 2024-05-27  usage: S
     card-no: 0006 20489903
ssb  rsa2048/3A9967ACE891FA13
     created: 2023-08-17  expires: 2024-08-16  usage: A
     card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb  rsa2048/1B29C1D42B01797D
     created: 2023-08-17  revoked: 2024-05-27  usage: A
     card-no: 0006 20489903
ssb  ed25519/9DE5B4BEB4284E4F
     created: 2024-05-27  expires: 2025-05-27  usage: S
ssb  ed25519/F2C2EA61718A9DBC
     created: 2024-05-27  expires: never       usage: A

gpg> key 8

sec  ed25519/3CB3DFA9524C0B90
     created: 2023-03-09  expires: never       usage: SC
     card-no: 0006 18139415
     trust: ultimate      validity: ultimate
ssb  cv25519/B81202E9ACA8A99B
     created: 2023-03-09  expires: never       usage: E
     card-no: 0006 18139415
ssb  ed25519/298CFCC6EE0BB2AE
     created: 2023-03-09  expires: never       usage: A
     card-no: 0006 18139415
ssb  ed25519/2BC2249D2C2CF85D
     created: 2023-03-09  expires: 2025-03-10  usage: S
     card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb  ed25519/FB024359F49B5025
     created: 2023-03-11  revoked: 2024-05-27  usage: S
     card-no: 0006 20489903
ssb  rsa2048/3A9967ACE891FA13
     created: 2023-08-17  expires: 2024-08-16  usage: A
     card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb  rsa2048/1B29C1D42B01797D
     created: 2023-08-17  revoked: 2024-05-27  usage: A
     card-no: 0006 20489903
ssb  ed25519/9DE5B4BEB4284E4F
     created: 2024-05-27  expires: 2025-05-27  usage: S
ssb* ed25519/F2C2EA61718A9DBC
     created: 2024-05-27  expires: never       usage: A

gpg> keytocard
Please select where to store the key:
   (3) Authentication key
Your selection? 3

sec  ed25519/3CB3DFA9524C0B90
     created: 2023-03-09  expires: never       usage: SC
     card-no: 0006 18139415
     trust: ultimate      validity: ultimate
ssb  cv25519/B81202E9ACA8A99B
     created: 2023-03-09  expires: never       usage: E
     card-no: 0006 18139415
ssb  ed25519/298CFCC6EE0BB2AE
     created: 2023-03-09  expires: never       usage: A
     card-no: 0006 18139415
ssb  ed25519/2BC2249D2C2CF85D
     created: 2023-03-09  expires: 2025-03-10  usage: S
     card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb  ed25519/FB024359F49B5025
     created: 2023-03-11  revoked: 2024-05-27  usage: S
     card-no: 0006 20489903
ssb  rsa2048/3A9967ACE891FA13
     created: 2023-08-17  expires: 2024-08-16  usage: A
     card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb  rsa2048/1B29C1D42B01797D
     created: 2023-08-17  revoked: 2024-05-27  usage: A
     card-no: 0006 20489903
ssb  ed25519/9DE5B4BEB4284E4F
     created: 2024-05-27  expires: 2025-05-27  usage: S
ssb* ed25519/F2C2EA61718A9DBC
     created: 2024-05-27  expires: never       usage: A

Note: the local copy of the secret key will only be deleted with "save".
gpg> save
```
4. Export the public key
What gets exported now is the brand-new, usable public key(
```
gpg --armor --export E730A010ECDFB4890FF198983CB3DFA9524C0B90
```
5. Prepare a loss contingency plan
This absolutely must not happen again. Starting from that simple thought, let's lay out the countermeasures for next time.
First, when a key is lost, the very first thing to do is to completely unbind every service tied to that key. To make that possible, we need to:
- Keep a list of the websites that have a FIDO binding. Only if we know exactly which sites are bound can we go and unbind them one by one)
- Add an automatic SSH Key update mechanism for the VPSes. Updating the SSH Key on each host by hand is not very realistic either, so it is best to automate it. Seen from another angle, once that automation is in place, the Auth Key can be given an expiry date too (for sure)
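One way to make the VPS-side update mechanical, as an added example that is not part of the original post: match authorized_keys entries by their SHA256 fingerprint rather than by comment or raw string, drop the lost card's key, and add the replacement exactly once so the script is safe to re-run. The keys and the file below are constructed; shipping the rewritten file to each host is left to whatever deployment tooling you already use.

```python
"""Rotate a lost card's SSH key out of authorized_keys by fingerprint (constructed data)."""
import base64
import hashlib
import struct
from typing import List, Optional, Set, Tuple

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob (as ssh-keygen -l prints)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def split_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """(options, key type, blob, comment) for a key line; None for blank, comment or junk.
    Options may contain quoted spaces, so scan for the first key-type token instead of
    assuming a fixed column."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = stripped.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPES) and i + 1 < len(tokens):
            return " ".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None


def rotate(content: str, lost: Set[str], new_key_line: str) -> Tuple[str, List[str]]:
    """Drop entries whose fingerprint is in `lost`, add `new_key_line` once, and keep every
    other line byte-for-byte (comments, options, order). Returns (new content, removed fps)."""
    kept, removed, present = [], [], set()
    for line in content.splitlines():
        parts = split_line(line)
        if parts is not None:
            fp = fingerprint(parts[2])
            if fp in lost:
                removed.append(fp)
                continue
            present.add(fp)
        kept.append(line)
    new_parts = split_line(new_key_line)
    if new_parts is not None and fingerprint(new_parts[2]) not in present:
        kept.append(new_key_line.strip())
    return "\n".join(kept) + "\n", removed


# Constructed sample keys: valid ssh-ed25519 wire format wrapped around made-up 32-byte points.
def ed25519_line(pub32: bytes, comment: str) -> str:
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


LOST_KEY = ed25519_line(bytes(range(32)), "cardno:000620489903")  # key from the lost card
KEPT_KEY = ed25519_line(bytes(range(32, 64)), "cardno:000620817858")
NEW_KEY = ed25519_line(bytes(range(64, 96)), "cardno:0006NEWSERIAL")  # placeholder serial
AUTHORIZED_KEYS = (
    "# managed by the rotation script\n"
    f"{LOST_KEY}\n"
    f'command="echo rotated",no-pty {KEPT_KEY}\n'
)


def demo() -> Tuple[str, List[str]]:
    """Rewrite the sample file: remove the lost card's key, add the new one."""
    return rotate(AUTHORIZED_KEYS, {fingerprint(split_line(LOST_KEY)[2])}, NEW_KEY)
```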
From another angle, we want the best possible chance of recovering the key after it is lost. So:
- Buying a few AirTags is still worth it)
Finally, the best thing of all is to not lose it in the first place, so:
I'm warning you! When you go out carrying a Yubikey, NEVER just drop it in your pocket!!! And especially never assume the pocket is intact just because you put it there!!!!!!!!!!!!!!!!!!! I'm losing my mind!!!!!!!!!! Goddammit!!!!!