Project:Infrastructure/Nitrokey Pro 2 guide for Gentoo developers

= DRAFT: Don't use yet! =

Nitrokey Pro Guide for Gentoo Developers
Developers can get a Nitrokey Pro 2, sponsored by the Gentoo Foundation. This guide is to help developers set it up.

== Overview ==
Your Gentoo keys should have 3 parts:
 * 1) A primary key
 * 2) A signing key, for signing content. In Gentoo this is used for signing git commits (and maybe emails).
 * 3) An encrypting key, for encrypting content. In Gentoo this is used for sending encrypted content to other developers.

== What is a Nitrokey and why use one? ==
In layperson's terms, the Nitrokey protects your Gentoo keys from being stolen. If your dev box is compromised, attackers cannot *steal* the keys stored in the Nitrokey. They can still use the keys on the Nitrokey to sign or encrypt things, but only while they have access to your development machine. That is strictly better than theft: if they had stolen the keys, they could perform those actions whenever they wanted, from anywhere.

To enable this type of protection, we are going to move the signing key to the Nitrokey.

== What you need to begin ==
You should be on your development machine. You need your GPG fingerprint; it should look something like "F3FD581D6163E66F60A86B44E18ECB5117055ED6".

== Make backups to start! ==
Some of the steps in this guide are not reversible, so begin by taking a backup.

Set the fingerprint in a shell variable on its own line (a variable assigned as a prefix to the gpg command is not visible in that same command's arguments, so the fingerprint would expand to nothing), then export the secret key, primary and subkeys together:

<pre>
FINGERPRINT="PUT_YOUR_GPG_FINGERPRINT_HERE"
gpg --export-secret-keys "${FINGERPRINT}" > key-backup
</pre>

The key-backup file contains the full secret key; store it securely.
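As an added example (not the wiki's own script), a small POSIX shell script that does this backup more defensively: it normalizes the fingerprint as gpg prints it, refuses anything that is not 40 hex digits so a typo cannot produce an empty export, and exports the public key and ownertrust alongside the secret key so the setup can be rebuilt on a fresh machine. It assumes GnuPG 2 is installed as gpg; the function names, directory layout and file names are my choices, not anything from the page.

```sh
#!/bin/sh
# Added example, not from the Gentoo wiki page: back up everything needed to
# rebuild the key on a fresh machine before any subkey is moved to the card.
# Assumes GnuPG 2 ("gpg") is on PATH; directory and file names are assumptions.

# Normalize a fingerprint as gpg prints it (spaces, lowercase) into the
# 40-hex-digit form gpg accepts as a key selector. Fails on anything else,
# so a mistyped fingerprint is caught before gpg exports nothing.
normalize_fingerprint() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$fpr" in
        '' | *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# Export the secret key (primary plus all subkeys), the public key and the
# ownertrust database into a fresh directory readable only by the user.
# Prints the directory name on success.
backup_keys() {
    fpr=$(normalize_fingerprint "$1") || {
        echo "backup_keys: '$1' is not a 40-digit fingerprint" >&2
        return 1
    }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 1; }
    dir="gpg-backup-${fpr}-$(date +%Y%m%d)"
    mkdir -p "$dir" || return 1
    chmod 700 "$dir"
    gpg --armor --export-secret-keys "$fpr" > "$dir/secret-keys.asc" || return 1
    gpg --armor --export "$fpr" > "$dir/public-key.asc" || return 1
    gpg --export-ownertrust > "$dir/ownertrust.txt" || return 1
    # Whatever gpg's exit status, an empty file is not a backup.
    if ! [ -s "$dir/secret-keys.asc" ]; then
        echo "backup_keys: no secret key exported for $fpr" >&2
        return 1
    fi
    printf '%s\n' "$dir"
}

# Usage: sh backup-keys.sh F3FD581D6163E66F60A86B44E18ECB5117055ED6
if [ -n "${1:-}" ]; then
    backup_keys "$1"
fi
```

The three exported files are what `gpg --import` and `gpg --import-ownertrust` need to restore the key and its trust settings; the secret-key file is the sensitive one and belongs on offline media.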

== Set up the Nitrokey ==
TODO: Download and install nitrokey-app

Run nitrokey-app with the -a option and, in the app, set the two PINs:
 * 1) Run "nitrokey-app -a"
 * 2) Set up the user PIN
 * 3) Set up the admin PIN

TODO: Is there a CLI for these steps?

== Copy Gentoo keys to the Nitrokey ==
Open the key in gpg's interactive editor and move the subkeys one at a time. Inside the editor, key N toggles the selection of subkey N, so deselect the first subkey before selecting the second (keytocard works on a single selected subkey). keytocard then asks which card slot to use: 1 = signature key, 2 = encryption key, 3 = authentication key. Subkey numbers follow the order in which gpg lists them, so check which subkey carries the S (sign) and E (encrypt) usage flags before choosing. Finally, save replaces the moved secret subkeys on disk with stubs that point at the card.

<pre>
gpg --edit-key "${FINGERPRINT}"
gpg> key 1
gpg> keytocard
Your selection? 2
gpg> key 1
gpg> key 2
gpg> keytocard
Your selection? 1
gpg> save
</pre>
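Once save has run, the only secret material left on disk for the moved subkeys should be stubs. The check below is an added example, not part of the wiki page: it reads the machine-readable listing from `gpg --with-colons --list-secret-keys`, where field 15 of an ssb record holds the token serial number for a subkey that lives on a card, "#" for a stub with no card known, and "+" when the secret key is still in the on-disk keyring (field 12 holds the usage flags), and reports whether the signing subkey is on the card with no secret copy left on disk. The embedded listing is a constructed sample with a made-up serial number, not real gpg output, and the function names are my own.

```sh
#!/bin/sh
# Added example, not from the Gentoo wiki page: confirm that after keytocard
# and save the signing subkey on disk is only a stub pointing at the card.
# Assumes the GnuPG 2 colon-separated listing format (gpg --with-colons).

# Constructed sample listing (not real gpg output): one encryption subkey still
# on disk (field 15 = "+") and one signing subkey moved to a card whose serial
# number is made up.
SAMPLE_LISTING='sec:u:4096:1:E18ECB5117055ED6:1500000000:::u:::scESC:::+:::23::0:
fpr:::::::::F3FD581D6163E66F60A86B44E18ECB5117055ED6:
ssb:u:4096:1:AAAAAAAAAAAAAAAA:1500000000::::::e:::+:::23:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::s:::D2760001240103040005000012340000:::23:'

# Print "<keyid> <usage> <location>" for every subkey in a colon listing read
# from stdin, where location is disk, stub or card:<serial>.
subkey_locations() {
    awk -F: '$1 == "ssb" {
        loc = "disk"
        if ($15 == "#") loc = "stub"
        else if ($15 != "" && $15 != "+") loc = "card:" $15
        print $5, $12, loc
    }'
}

# Succeed only if a subkey with the signing flag ("s") is on a card and no
# secret copy of a signing subkey remains on disk. Argument: the listing text.
signing_key_on_card() {
    printf '%s\n' "$1" | subkey_locations | awk '
        index($2, "s") && $3 ~ /^card:/ { on_card = 1 }
        index($2, "s") && $3 == "disk"  { on_disk = 1 }
        END { exit !(on_card && !on_disk) }'
}

# Against the real keyring, run instead:
#   signing_key_on_card "$(gpg --with-colons --list-secret-keys "$FINGERPRINT")"
if signing_key_on_card "$SAMPLE_LISTING"; then
    echo "signing subkey is on the card; no secret copy on disk"
else
    echo "signing subkey is still on disk or not on a card" >&2
fi
```

A listing that shows the signing subkey as disk after the move means the editor was left without save; one that shows stub rather than card:<serial> means the card was not plugged in when the listing was taken, which is also what `gpg --card-status` would report.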