Project:Infrastructure/Nitrokey Pro 2 guide for Gentoo developers

= DRAFT: Don't use yet! =

Nitrokey Pro Guide for Gentoo Developers
Gentoo Developers can get a Nitrokey Pro 2, sponsored by the Gentoo Foundation in partnership with Nitrokey. This guide is primarily help developers set it up.

OpenPGP Overview
Your Gentoo OpenPGP keys should have 3 parts:
 * 1) A primary key, this is the key that identifies you as you, lets call it the 'trust' key.
 * 2) A signing key, for signing content. In Gentoo this is used for signing git commits (and maybe emails).
 * 3) An encrypting key, for encrypting content. In Gentoo this is used for sending encrypted content to other developers.

What is a Nitrokey and why use one?
In layperson terms, the Nitrokey protects your Gentoo keys from being stolen. If your dev box is compromised, attackers cannot *steal* keys in the Nitrokey. The attackers can still use the keys on the nitrokey to sign or encrypt things. This is strictly better than theft, because the attacker needs access to your development machine to do these activities. If they stole the keys, they could do these actions whenever they wanted.

To enable this type of protection, we are going to move the signing key to the Nitrokey.

How to I get my Nitrokey?

 * 1) Please visit the Gentoo Nitrokey ordering portal, and input your   email address.
 * 2) The email address will be validated and you will receive a one-time use ordering link.
 * 3) Visit the ordering link, input your shipping details and submit.
 * 4) (wait for postal services)
 * 5) Receive your Nitrokey Pro 2 device!

What you need to begin
You should be on your development machine. You need your GPG fingerprint: it should look something like.

Make backups to start!
Some of the steps in this guide are non-reversible, so we should begin by taking a backup.

Setup NitroKey
TODO: Download and install nitrokey-app

Run Setup User Pin Setup Admin Pin
 * 1) CLI for these?

Using the key
Normally your Gentoo keys use GPG and should have a passphrase. Typically when doing operations (like git commits) git might prompt you for your passphrase from time to time. This passphrase is keeping your key on disk secure. Nitrokey isn't on disk (and the keys on Nitrokey cannot be read.) However, there is a protection around using the keys. Instead of a passphrase, a pin is used. You set this pin in the setup Nitrokey steps, and you should be prompted from time to time to enter the pin to perform signing operations.

Can I get more than one Nitrokey Pro 2 device? or something else from Nitrokey?
The Foundation did explore the possibility of developers being able to buy further products from Nitrokey at regular price, and have them bundled in a single shipment, however it was not an option at this time.

What is the nature of the arrangement between Gentoo & Nitrokey?
Based on the earlier success of Nitrokey's partnership with the Linux Foundation, Gentoo Foundation approached Nitrokey as part of a trustees motion to equip developers with OpenPGP key hardware. Nitrokey is giving the Gentoo Foundation a unit discount, handling direct shipping, and consolidated billing.

What do I do if my Nitrokey unit breaks/fails
TODO (For some developers, it might be cheaper just to ship a new unit direct rather than do warranty replacement)