These are collected notes of the steps we've done during preparation of Nitrokey 3A Mini (nk3) key for use during build artifacts signing.
This guide was written using following environment:
python3.10 -m venv venv source venv/bin/activate pip install -U pip pip install pipx pipx install nitropy pipx list ... pynitrokey 0.4.36, installed using Python 3.10.6
nitropy nk3 update --version v1.4.0
nitropy nk3 status
...
Firmware version: v1.4.0
Factory default admin PIN is 12345678 and PIN is 123456
gpg --card-edit gpg/card> admin gpg/card> factory-reset gpg/card> kdf-setup
and double check, that KDF is on:
gpg/card> list ... KDF setting ......: on
Gather some entropy from nk3
nitropy nk3 rng --length 4096 | sudo tee /dev/random | hexdump -C
Generate keys:
export PASSPHRASE=$(gpg --gen-random --armor 0 60) export GNUPGHOME=$(mktemp -d -t gnupg_openwrt_nk3_$(date +%Y%m%d%H%M)_XXX) cat > $GNUPGHOME/gpg.conf << EOF personal-cipher-preferences AES256 AES192 AES personal-digest-preferences SHA512 SHA384 SHA256 personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed cert-digest-algo SHA512 s2k-digest-algo SHA512 s2k-cipher-algo AES256 charset utf-8 fixed-list-mode no-comments no-emit-version keyid-format 0xlong list-options show-uid-validity verify-options show-uid-validity with-fingerprint require-cross-certification no-symkey-cache use-agent throw-keyids EOF cat > $GNUPGHOME/gpg-generate-nk3-keys.txt << EOF %echo Generating a Openwrt Build System signing key for Nitrokey3 Key-Type: eddsa Key-Curve: ed25519 Key-Usage: cert SubKey-Type: eddsa SubKey-Curve: ed25519 SubKey-Usage: sign Name-Real: OpenWrt Build System Name-Comment: Nitrokey3 Name-Email: contact@openwrt.org Expire-Date: 10y Passphrase: $PASSPHRASE %commit %echo done EOF gpg --batch --generate-key $GNUPGHOME/gpg-generate-nk3-keys.txt gpg: Generating a Openwrt Build System signing key for Nitrokey3 gpg: /tmp/gnupg_openwrt_nk3_202305130941_eoc/trustdb.gpg: trustdb created gpg: directory '/tmp/gnupg_openwrt_nk3_202305130941_eoc/openpgp-revocs.d' created gpg: revocation certificate stored as '/tmp/gnupg_openwrt_nk3_202305130941_eoc/openpgp-revocs.d/E9025ED843D0FDC7866F7064CAE438715492B555.rev' gpg: done
Export public key
export KEYID=$(gpg --list-signatures --with-colons | grep sig: | cut -d: -f 5 | head -1) gpg --export --armor | tee $GNUPGHOME/gnupg-openwrt-nk3-$KEYID.asc
gpg --card-edit gpg/card> admin gpg/card> key-attr ECC / Curve 25519 gpg/card> forcesig gpg/card> name Cardholder's surname: Build System Key 3. Cardholder's given name: OpenWrt gpg/card> url URL to retrieve public key: https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/CAE438715492B555.asc;hb=HEAD
Gather some entropy from nk3
nk3 rng --length 4096 | sudo tee /dev/random | hexdump -C
Generate nk3 PIN, Admin PIN and Reset PIN
$ for k in $(seq 1 3); do gpg --gen-random --armor 0 60; sleep 60; done
Write down the keys and set the keys on the nk3 key
gpg/card> passwd 1 - change PIN 4 - set the Reset Code 3 - change Admin PIN
Verify correct settings
gpg/card> list Name of cardholder: OpenWrt Build System Key 3. URL of public key : https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/CAE438715492B555.asc;hb=HEAD Signature PIN ....: not forced Key attributes ...: ed25519 cv25519 ed25519
gpg --edit-key $KEYID gpg (GnuPG) 2.4.0; Copyright (C) 2021 Free Software Foundation, Inc. Secret key is available. sec ed25519/0xCAE438715492B555 created: 2023-05-13 expires: 2033-05-10 usage: C trust: ultimate validity: ultimate ssb ed25519/0x78BBEC94A894C992 created: 2023-05-13 expires: 2033-05-10 usage: S [ultimate] (1). OpenWrt Build System (Nitrokey3) <contact@openwrt.org>
Select signing key
gpg> key 1 sec ed25519/0xCAE438715492B555 created: 2023-05-13 expires: 2033-05-10 usage: C trust: ultimate validity: ultimate ssb* ed25519/0x78BBEC94A894C992 created: 2023-05-13 expires: 2033-05-10 usage: S [ultimate] (1). OpenWrt Build System (Nitrokey3) <contact@openwrt.org>
Move signing key to card
Transferring keys to nk3 using keytocard is a destructive, one-way operation only. Make sure you've made a backup before proceeding: keytocard converts the local, on-disk key into a stub, which means the on-disk copy is no longer usable to transfer to subsequent security key devices or mint additional keys.
gpg> keytocard Please select where to store the key: (1) Signature key (3) Authentication key Your selection? 1 sec ed25519/0xCAE438715492B555 created: 2023-05-13 expires: 2033-05-10 usage: C trust: ultimate validity: ultimate ssb* ed25519/0x78BBEC94A894C992 created: 2023-05-13 expires: 2033-05-10 usage: S [ultimate] (1). OpenWrt Build System (Nitrokey3) <contact@openwrt.org> gpg> save
Check the keyring content
$ gpg -K /tmp/gnupg_openwrt_nk3_202305130941_eoc/pubring.kbx --------------------------------------------------- sec ed25519/0xCAE438715492B555 2023-05-13 [C] [expires: 2033-05-10] Key fingerprint = E902 5ED8 43D0 FDC7 866F 7064 CAE4 3871 5492 B555 uid [ultimate] OpenWrt Build System (Nitrokey3) <contact@openwrt.org> ssb> ed25519/0x78BBEC94A894C992 2023-05-13 [S] [expires: 2033-05-10]
Check nk3 card content, secret key sec# and sub-key ssb> means, that key move went fine.
$ gpg --card-status Name of cardholder: OpenWrt Build System Key 3. URL of public key : https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/CAE438715492B555.asc;hb=HEAD Signature PIN ....: not forced Key attributes ...: ed25519 cv25519 ed25519 KDF setting ......: off Signature key ....: 6079 C3B2 0643 36C9 59E7 B37D 78BB EC94 A894 C992 created ....: 2023-05-13 08:08:40 Encryption key....: [none] Authentication key: [none] General key info..: sub ed25519/0x78BBEC94A894C992 2023-05-13 OpenWrt Build System (Nitrokey3) <contact@openwrt.org> sec# ed25519/0xCAE438715492B555 created: 2023-05-13 expires: 2033-05-10 ssb> ed25519/0x78BBEC94A894C992 created: 2023-05-13 expires: 2033-05-10 card-no: 000F XXXXXXXX
http://lists.openwrt.org/pipermail/openwrt-devel/2018-December/020856.html
$ gpg --list-signatures $KEYID pub ed25519/0xCAE438715492B555 2023-05-13 [C] [expires: 2033-05-10] Key fingerprint = E902 5ED8 43D0 FDC7 866F 7064 CAE4 3871 5492 B555 uid [ultimate] OpenWrt Build System (Nitrokey3) <contact@openwrt.org> sig 3 0xCAE438715492B555 2023-05-13 OpenWrt Build System (Nitrokey3) <contact@openwrt.org> sig 0xCD84BCED626471F1 2023-05-13 OpenWrt Build System (PGP key for unattended snapshot builds) <pgpsign-snapshots@openwrt.org> sig 0xCD54E82DADB3684D 2023-05-13 OpenWrt Build System (GnuPGP key for 22.03 release builds) <pgpsign-22.03@openwrt.org> sig 0x88CA59E88F681580 2023-05-13 OpenWrt Build System (PGP key for 21.02 release builds) <pgpsign-21.02@openwrt.org> sub ed25519/0x78BBEC94A894C992 2023-05-13 [S] [expires: 2033-05-10] sig 0xCAE438715492B555 2023-05-13 OpenWrt Build System (Nitrokey3) <contact@openwrt.org>
gpg --send-key $KEYID gpg --keyserver pgp.mit.edu --send-key $KEYID gpg --keyserver keys.gnupg.net --send-key $KEYID gpg --keyserver hkps://keyserver.ubuntu.com:443 --send-key $KEYID