Nitrokey Guide

From Gentoo Wiki
Jump to: navigation, search

DRAFT: Don't use yet!

Nitrokey Pro Guide for Gentoo Developers

Developers can get a Nitrokey Pro 2, sponsored by the Gentoo Foundation. This guide is to help developers set it up.

Overview

Your Gentoo keys should have 3 parts:

  1. A primary key, this is the key that identifies you as you, lets call it the 'trust' key.
  2. A signing key, for signing content. In Gentoo this is used for signing git commits (and maybe emails).
  3. An encrypting key, for encrypting content. In Gentoo this is used for sending encrypted content to other developers.

What is a Nitrokey and why use one?

In layperson terms, the Nitrokey protects your Gentoo keys from being stolen. If your dev box is compromised, attackers cannot *steal* keys in the Nitrokey. The attackers can still use the keys on the nitrokey to sign or encrypt things. This is strictly better than theft, because the attacker needs access to your development machine to do these activities. If they stole the keys, they could do these actions whenever they wanted.

To enable this type of protection, we are going to move the signing key to the Nitrokey.

What you need to begin

You should be on your development machine. You need your GPG fingerprint: it should look something like "F3FD581D6163E66F60A86B44E18ECB5117055ED6".

Make backups to start!

Some of the steps in this guide are non-reversible, so we should begin by taking a backup.

user $FINGERPRINT="PUT_YOUR_GPG_FINGERPRINT_HERE" gpg --export-secret-keys "${FINGERPRINT}" > key-backup

Setup NitroKey

TODO: Download and install nitrokey-app

  1. CLI for these?

Run nitrokey-app -a Setup User Pin Setup Admin Pin

Copy Gentoo keys to nitrokey

user $gpg --edit-key "${FINGERPRINT}"
key 1
keytocard
2
key 2
keytocard
1

Using the key

Normally your Gentoo keys use GPG and should have a passphrase. Typically when doing operations (like git commits) git might prompt you for your passphrase from time to time. This passphrase is keeping your key on disk secure. Nitrokey isn't on disk (and the keys on Nitrokey cannot be read.) However, there is a protection around using the keys. Instead of a passphrase, a pin is used. You set this pin in the setup Nitrokey steps, and you should be prompted from time to time to enter the pin to perform signing operations.