Subkey Generation / SmartCard

Subkey Generation / SmartCard

Christoph J
I am trying to batch provision yubikeys.

Using the --batch, I can generate the initial key, but I am unable to add more than a single subkey.

Is there a way to batch provision subkeys, specifying the usage (signing, encryption, auth) without having to go into --edit-key / interactive mode?

On the same topic, is there a way to do 'keytocard', again without having to do --edit-key --> toggle --> keytocard interactively?

Any insight on this would be most helpful. Thanks!

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Subkey Generation / SmartCard

GnuPG - User mailing list
Hello Christoph,


With new gpg versions (>2.15) you can more easily generate subkeys.


* Hereafter, subkeys are added to the main keyring $key_id, each RSA1024:
1 for Sign, 1 for Encrypt, 1 for Auth

  # $key_id must be the full fingerprint of the primary key; the passphrase
  # comes only from --passphrase-fd 0 (a second --passphrase '' would conflict)
  echo "$var_pass_poem" | gpg2 --no-verbose --pinentry-mode loopback \
    --batch --no-tty --yes --passphrase-fd 0 \
    --quick-addkey "$key_id" rsa1024 sign 1y

  echo "$var_pass_poem" | gpg2 --no-verbose --pinentry-mode loopback \
    --batch --no-tty --yes --passphrase-fd 0 \
    --quick-addkey "$key_id" rsa1024 encrypt 1y

  echo "$var_pass_poem" | gpg2 --no-verbose --pinentry-mode loopback \
    --batch --no-tty --yes --passphrase-fd 0 \
    --quick-addkey "$key_id" rsa1024 auth 1y

The " echo $var_pass_poem | " trick allows you to enter the pass poem as a
variable and then not have any keyboard interaction.


* Here is the automated keytocard (with keyboard interaction); check that
the exported keys are the right ones ...

  # "key N" toggles subkey N; after keytocard, 1/2/3 picks the signature,
  # encryption or authentication slot and "y" confirms replacing a key that
  # is already in that slot; "save" turns the local subkeys into card stubs.
  cmd="key 2\nkeytocard\n1\ny\nkey 2\nkey 3\nkeytocard\n2\ny\nkey 3\nkey 4\nkeytocard\n3\ny\nsave\nY\n"

  printf '%b' "$cmd" | gpg2 --no-verbose --command-fd 0 --status-fd 2 \
    --edit-key "$key_id"



* btw: here is how I generate main keyring:
# creating SC and E keys (heredoc keeps every keyword at column 0)
cat > gen_key_script <<EOF
Key-Type:         $var_key_type
Key-Usage:        sign cert
Key-Length:       $var_key_length
Subkey-Type:      $var_key_type
Subkey-Usage:     encrypt
Subkey-Length:    $var_key_length
Name-Real:        $var_name
Name-Comment:     $var_comment
Name-Email:       $var_mail
Keyserver:        $var_web_path
Expire-Date:      $var_expiracy
Passphrase:       $var_pass_poem
Preferences:      $var_pref
EOF
gpg2 --batch --full-gen-key gen_key_script


I am also trying to make the gpg card ready to go in an automated way:
https://github.com/bourinus/gpg_SmartCard_generation


Hope this helps,
Best rgds,
david


On 14/04/2017 20:47, Christoph J wrote:
> I am trying to batch provision yubikeys.
>
> Using the --batch, I can generate the initial key, but I am unable to
> add more than a single subkey.
>
> Is there a way to batch provision subkeys, specifying the usage
> (signing, encryption, auth) without having to go into --edit-key /
> interactive mode?
>
> On the same topic, is there a way to do 'keytocard', again without
> having to do --edit-key --> toggle --> keytocard interactively?
>
> Any insight on this would be most helpful. Thanks!
>

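The full flow the two posts discuss (batch primary key, three subkeys via --quick-add-key, keytocard driven through --command-fd, then a check that the subkeys really became card stubs), as an added end-to-end example. This is not code from either post or from the linked repository. It assumes GnuPG 2.1.14 or later, environment variables NAME, EMAIL, PASS and EXPIRE, an inserted card, and a certify-only primary key so that the added subkeys are indices 1, 2 and 3; the colon-format listing embedded at the bottom is constructed sample text for exercising the parsers, not real gpg output.

```shell
#!/bin/sh
# Added example: unattended OpenPGP card provisioning with GnuPG >= 2.1.14.
# Assumed environment (not from the thread): NAME, EMAIL, PASS (passphrase of
# the new primary key), EXPIRE (e.g. 1y); a card is inserted; gpg2 is on PATH.
set -eu

# 1. Parameter file for a certify-only primary key. A heredoc keeps every
#    keyword at column 0 instead of the indented echo "..." in the post.
write_param_file() {            # $1 = output path
  cat >"$1" <<EOF
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert
Name-Real: $NAME
Name-Email: $EMAIL
Expire-Date: $EXPIRE
Passphrase: $PASS
%commit
EOF
}

# Pure helpers over "gpg2 --with-colons --list-secret-keys" output, so the
# checks can be exercised on the constructed sample at the bottom.
primary_fpr() {                 # $1 = listing text; prints the first fpr record
  printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}
# Prints keyid:caps for every ssb whose secret part is NOT a card stub
# (field 15 of a sec/ssb record is the token serial number when on a card).
off_card_subkeys() {            # $1 = listing text
  printf '%s\n' "$1" | awk -F: \
    '$1 == "ssb" && ($15 == "" || $15 == "+" || $15 == "#") { print $5 ":" $12 }'
}

# 2. Three subkeys with --quick-add-key (spelled --quick-addkey in 2.1.x).
#    The first argument must be the primary key's full fingerprint; the
#    documented usage names are sign, encr and auth.
add_subkeys() {                 # $1 = primary fingerprint
  for usage in sign encr auth; do
    printf '%s\n' "$PASS" | gpg2 --batch --yes --pinentry-mode loopback \
      --passphrase-fd 0 --quick-add-key "$1" rsa4096 "$usage" "$EXPIRE"
  done
}

# 3. Command script for "--edit-key --command-fd 0": for each idx:slot pair
#    select subkey idx, run keytocard, answer the slot prompt (1 = signature,
#    2 = encryption, 3 = authentication), deselect; "save" then replaces the
#    local secret subkeys with card stubs.
keytocard_script() {            # args: idx:slot pairs, e.g. 1:1 2:2 3:3
  for pair in "$@"; do
    idx=${pair%%:*}; slot=${pair#*:}
    printf 'key %s\nkeytocard\n%s\nkey %s\n' "$idx" "$slot" "$idx"
  done
  printf 'save\n'
}

# Constructed sample listing (NOT real gpg output): certify-only primary, a
# signing subkey already on a card (field 15 = token serial) and an
# encryption subkey still held locally (field 15 = "+").
SERIAL=D2760001240102010006000000000000
SAMPLE_LISTING="sec:u:4096:1:0123456789ABCDEF:1492200000:1555272000::u:::c:::+:::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
ssb:u:4096:1:1111111111111111:1492200000:1523736000:::::s:::$SERIAL:::23::0:
fpr:::::::::0000000000000000000000001111111111111111:
ssb:u:4096:1:2222222222222222:1492200000:1523736000:::::e:::+:::23::0:
fpr:::::::::0000000000000000000000002222222222222222:"

# Entry point, only when run as: NAME=.. EMAIL=.. PASS=.. EXPIRE=1y sh provision.sh run
if [ "${1:-}" = run ]; then
  write_param_file gen_key_script
  gpg2 --batch --full-gen-key gen_key_script
  FPR=$(primary_fpr "$(gpg2 --batch --with-colons --list-secret-keys "$EMAIL")")
  add_subkeys "$FPR"
  # Primary is certify-only, so the subkeys are 1 (sign), 2 (encr), 3 (auth).
  # Passphrase and Admin PIN still arrive through pinentry here: in loopback
  # mode gpg answers every PASSPHRASE inquiry from the agent with the same
  # --passphrase-fd value, so two different secrets cannot both be piped in.
  keytocard_script 1:1 2:2 3:3 | gpg2 --command-fd 0 --status-fd 2 --edit-key "$FPR"
  # Verification: prints nothing when every subkey is now a card stub.
  off_card_subkeys "$(gpg2 --batch --with-colons --list-secret-keys "$FPR")"
fi
```

On a card whose slots are already filled, gpg asks "Replace existing key? (y/N)" before writing; that is what the extra y lines in david's script answer, so add a y after the slot number in that case. rsa4096 is used for the subkeys because a YubiKey 4 accepts it; the NEO only takes RSA 2048.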