惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

L
LINUX DO - 最新话题
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
PCI Perspectives
PCI Perspectives
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
H
Heimdal Security Blog
S
Security @ Cisco Blogs
N
News | PayPal Newsroom
J
Java Code Geeks
罗磊的独立博客
Security Archives - TechRepublic
Security Archives - TechRepublic
N
News and Events Feed by Topic
V
V2EX
WordPress大学
WordPress大学
Google Online Security Blog
Google Online Security Blog
N
News and Events Feed by Topic
www.infosecurity-magazine.com
www.infosecurity-magazine.com
月光博客
月光博客
AI
AI
小众软件
小众软件
The GitHub Blog
The GitHub Blog
MongoDB | Blog
MongoDB | Blog
A
Arctic Wolf
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
美团技术团队
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Hacker News - Newest:
Hacker News - Newest: "LLM"
T
Tailwind CSS Blog
S
Schneier on Security
博客园 - 三生石上(FineUI控件)
F
Full Disclosure
B
Blog RSS Feed
Forbes - Security
Forbes - Security
S
SegmentFault 最新的问题
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
人人都是产品经理
人人都是产品经理
云风的 BLOG
云风的 BLOG
Jina AI
Jina AI
Cisco Talos Blog
Cisco Talos Blog
U
Unit 42
Project Zero
Project Zero
H
Hacker News: Front Page
Y
Y Combinator Blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
The Cloudflare Blog
大猫的无限游戏
大猫的无限游戏
S
Secure Thoughts
The Hacker News
The Hacker News
Microsoft Azure Blog
Microsoft Azure Blog

Yesterday17's Blog

2026 新年解密红包 / Melody Flag | Yesterday17's Blog 谈谈 Iori 的设计思路(二):如何实现一个 Showroom 录制工具? | Yesterday17's Blog 谈谈 Iori 的设计思路(一):从 Nico Timeshift 说起 | Yesterday17's Blog Iori Minyami 0.1.0 发布 | Yesterday17's Blog 2025 新年解密红包 / Melody Flag | Yesterday17's Blog 使用 Cloudflare Warp 解决罗森票务的海外登录问题 | Yesterday17's Blog How To Blog 04: The Astro v5 Era | Yesterday17's Blog 谈谈 tokio::select! 的公平性 | Yesterday17's Blog Learning Pingora 05 - Connect with TLS | Yesterday17's Blog Leaving Bytedance | Yesterday17's Blog 大橋彩香 AsiaTour「Reflection」上海公演 个人向记录 & Repo | Yesterday17's Blog Recoving from burnout - What happened? | Yesterday17 How To Blog 03: Heimus | Yesterday17's Blog 🪧 Blog Migration Accouncement | Yesterday17's Blog Learn Your IDE - VSCode 是如何仅重启插件的? | Yesterday17's Blog How To Blog 02: Astro❤️Password | Yesterday17's Blog How To Blog 01: Why, How, and the Future | Yesterday17's Blog Learning Pingora 04 - Establish L4 Connection | Yesterday17's Blog Learning Pingora 03 - Upstreams and Peers | Yesterday17's Blog Learning Pingora 02 - A Simple HTTP Server | Yesterday17's Blog Learning Pingora 01 - Getting Started | Yesterday17's Blog 2024 新年解密红包 / Melody Flag | Yesterday17's Blog 向新的一年飞驰——记录 2023 | Yesterday17's Blog 「サクラノ刻」对话选摘(2) | Yesterday17's Blog PGP Key Revocation 注销声明 | Yesterday17's Blog 「サクラノ刻」对话选摘(1) | Yesterday17's Blog 2023 新年解密红包 / Melody Flag | Yesterday17's Blog 『蒼の彼方のフォーリズム』通关感想 | Yesterday17's Blog 单显卡直通教程 | Yesterday17's Blog 对博客与笔记的思考 | Yesterday17's Blog Project Anni 之旅(3)自动化 Flutter 应用 CI/CD 上架流程 | Yesterday17's Blog AsobiStage 直接播放链接 | Yesterday17 如何在后分P时代进行投稿——sswa使用详解 | Yesterday17's Blog JSON RPC 与 LSP 协议基础 | Yesterday17's Blog Grajapa Shueisha / BookEnd 加密方式调查 | Yesterday17's Blog 【2022篇+WriteUp】如何再收一个新年红包? | Yesterday17's Blog 如何将良心云的良心功能清理干净 | Yesterday17's Blog 【油猴脚本】bilibili 投稿页面返回旧版+旧版页面强制允许分P上传 | Yesterday17's Blog Cloudr1v1 授权方式分析 | Yesterday17 Typora 1.0.2 逆向实录 | Yesterday17's Blog Project Anni 之旅(2)ValueAfterTable——toml-rs的实现与限制 | Yesterday17's Blog IPv4透明代理+IPv6 Passthrough——树莓派单臂软路由折腾记 | Yesterday17's Blog Chaos; Child 汉化补丁 神秘编码探索 | Yesterday17's Blog 镣铐与舞蹈——个性与共性之迷思 | Yesterday17's Blog Go 学习笔记 02 - 找准 io 之道 | Yesterday17's Blog NAT Slipstreaming v1 原理浅析 | Yesterday17's Blog 绕过「9-nine-」的 CDKEY 验证——KrkrPlugin 正(?)向实录 | Yesterday17's Blog 静流的青春纪念册——「サクラノ刻 -櫻の森の下を歩む-」体验版感言 | Yesterday17's Blog Project Anni 之旅 01 - 从 clap-builder 到 derive | Yesterday17's Blog [Google CTF 2021] CPP WriteUp | Yesterday17's Blog 获取 アソビステージ 的实际播放链接 | Yesterday17's Blog 90 行 Rust 代码实现 AsyncTeeReader | Yesterday17's Blog 或许还算有价值一读的文章列表 | Yesterday17's Blog 从零开始的 Seedbox 之旅 | Yesterday17's Blog [随笔]技术型博客行文迷思(1) | Yesterday17's Blog 浅谈 git fetch 的工作方式 | Yesterday17's Blog 『ソーサレス*アライヴ! ~the World's End Fallen Star~』通关感想" | Yesterday17's Blog Rust std::fmt 格式语法简述 | Yesterday17's Blog 日亚修改居住国的解决方案 | Yesterday17's Blog [Windows/Linux] GC553 的 Switch 完美采集之路 | Yesterday17's Blog 【翻译】Subtyping and Variance / 子类型与变型 | Yesterday17's Blog Berd's Red Envelope 2021 WriteUp | Yesterday17's Blog 【中英对照】ALSA 音频 API 使用教程/A Tutorial on Using the ALSA Audio API | Yesterday17's Blog 从 cue_scanner.l 看 CUE Sheet 的词法单元 | Yesterday17's Blog Postman 历史记录导出的解决方案 | Yesterday17's Blog 《恋爱绮谭 不存在的夏天》通关感想 | Yesterday17's Blog [微机实验/TD-PITE] 微机接口综合实验 | Yesterday17's Blog [微机实验/TD-PITE] 键盘扫描及数码管显示实验 | Yesterday17's Blog [微机实验/TD-PITE] 数码管显示实验 | Yesterday17's Blog Airsonic Advanced+Google Drive+Caddy 部署纪实 | Yesterday17's Blog X-NUCA 2020 - hellowasm 题解 | Yesterday17's Blog [微机实验/TD-PITE] 8251 串行接口实验 | Yesterday17's Blog Node.js child_process.fork 与 env 污染 RCE | Yesterday17's Blog EP.01 「夜の向日葵」 | Yesterday17's Blog [微机实验/TD-PITE] 8254 定时/计数器实验+选做实验 | Yesterday17's Blog [JLU CTF/2020] babywasm WriteUp | Yesterday17's Blog PHP 反序列化与经典利用 | Yesterday17's Blog WebAssembly 逆向简述 | Yesterday17's Blog 『彼女、お借りします』一期完结点评 | Yesterday17's Blog [微机实验/TD-PITE] D/A 转换实验+选做实验 | Yesterday17's Blog [微机实验/TD-PITE] A/D 转换实验+选做实验 | Yesterday17's Blog 开源项目申请 JetBrains Open Source License 简单流程 | Yesterday17's Blog 微软拼音与 JetBrains 搜索快捷键冲突的解决方案 | Yesterday17's Blog [微机实验/TD-PITE] 8259 中断优先级实验+选做实验 | Yesterday17's Blog IFTTT 测试(续) | Yesterday17 IFTTT 测试 | Yesterday17's Blog [微机实验/TD-PITE] 存储器扩展实验+选做实验 | Yesterday17's Blog 新版 GCC 针对 -fdump-translation-unit 的替代方案 | Yesterday17's Blog 一次 HSTS 策略配置的排错之旅 | Yesterday17's Blog YukiNative 踩坑记——Windows 的消息队列 | Yesterday17's Blog 我是我自己——论获取 HTTPS 证书时的验证步骤 | Yesterday17's Blog 【设计文档】对 PUG 的大规模设计修订(1.1) | Yesterday17's Blog GS65 折腾记(2)加装固态,分区,Grub2 引导 Manjaro LiveCD | Yesterday17's Blog 「さくら、もゆ。」的空白字体列表——一次逆向问题定位过程实录 | Yesterday17's Blog GSuite 探索篇(1)使用 Service Account 向 Google Drive 传输文件 | Yesterday17's Blog 『サクラノ詩 -櫻の森の上を舞う-』通关感想 | Yesterday17's Blog 《ATRI -My Dear Moments-》通关感想 | Yesterday17's Blog [工具][VSCode 扩展] AegiKit——方便 Aegisub 使用的工具箱 | Yesterday17's Blog 贝塞尔曲线、字体矢量化与曲线运算 | Yesterday17's Blog NAT 类型初探 | Yesterday17's Blog
Yubikey 重建手册 | Yesterday17's Blog
Yesterday17 · 2024-05-29 · via Yesterday17's Blog

前言

如果你是一位潜在的 Yubikey/硬件密钥用户,我的建议是尽早做好硬件密钥丢失的处理预案;如果你是一位现任的 Yubikey/硬件密钥用户,我的建议是,赶紧买一个 Airtag 保护一下自己的 Key(

嘛,废话不多说了。这篇文章是我在常用 Yubikey 丢失之后痛定思痛总结出的经验。如果你对硬件密钥的物理安全性存在或存在过或多或少的担忧的话,可以参考这篇文章了解一下重建一枚 Key 所需的成本。

ToC

  • -1. 吊销旧密钥
  • 0. 购买
  • 1. 初始化
    • 修改 OpenPGP Pin
    • 修改 Pin 重试次数
    • Pin
  • 2. 生成 Subkey
  • 3. 导出 Subkey
  • 4. 导出公钥
  • 5. 准备丢失预案

-1. 吊销旧密钥

安全起见,我们需要做的第负一件事就是立即更新 GitHub 中绑定的 GPG 公钥,并且解绑这把 Key 在所有已绑定网站上的 FIDO2 两步验证 如果没有记录列表这时候已经汗流浃背了。如果你配置了基于 GPGSSH 登录,也应该立即将更新所有配置了这一 SSH Key 作为 authorized_keyVPS 配置。

~ gpg --edit-key E730A010ECDFB4890FF198983CB3DFA9524C0B90

gpg (GnuPG) 2.4.1; Copyright (C) 2023 g10 Code GmbH

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

23 collapsed lines

sec ed25519/3CB3DFA9524C0B90

created: 2023-03-09 expires: never usage: SC

card-no: 0006 18139415

trust: ultimate validity: ultimate

ssb cv25519/B81202E9ACA8A99B

created: 2023-03-09 expires: never usage: E

card-no: 0006 18139415

ssb ed25519/298CFCC6EE0BB2AE

created: 2023-03-09 expires: never usage: A

card-no: 0006 18139415

ssb ed25519/2BC2249D2C2CF85D

created: 2023-03-09 expires: 2025-03-10 usage: S

card-no: 0006 20817858

ssb ed25519/FB024359F49B5025

created: 2023-03-11 expires: 2025-03-10 usage: S

card-no: 0006 20489903

ssb rsa2048/3A9967ACE891FA13

created: 2023-08-17 expires: 2024-08-16 usage: A

card-no: 0006 20817858

ssb rsa2048/1B29C1D42B01797D

created: 2023-08-17 expires: 2024-08-16 usage: A

card-no: 0006 20489903

[ultimate] (1). Yesterday17 <[email protected]>

gpg> key 4

23 collapsed lines

sec ed25519/3CB3DFA9524C0B90

created: 2023-03-09 expires: never usage: SC

card-no: 0006 18139415

trust: ultimate validity: ultimate

ssb cv25519/B81202E9ACA8A99B

created: 2023-03-09 expires: never usage: E

card-no: 0006 18139415

ssb ed25519/298CFCC6EE0BB2AE

created: 2023-03-09 expires: never usage: A

card-no: 0006 18139415

ssb ed25519/2BC2249D2C2CF85D

created: 2023-03-09 expires: 2025-03-10 usage: S

card-no: 0006 20817858

ssb* ed25519/FB024359F49B5025

created: 2023-03-11 expires: 2025-03-10 usage: S

card-no: 0006 20489903

ssb rsa2048/3A9967ACE891FA13

created: 2023-08-17 expires: 2024-08-16 usage: A

card-no: 0006 20817858

ssb rsa2048/1B29C1D42B01797D

created: 2023-08-17 expires: 2024-08-16 usage: A

card-no: 0006 20489903

[ultimate] (1). Yesterday17 <[email protected]>

gpg> key 6

23 collapsed lines

sec ed25519/3CB3DFA9524C0B90

created: 2023-03-09 expires: never usage: SC

card-no: 0006 18139415

trust: ultimate validity: ultimate

ssb cv25519/B81202E9ACA8A99B

created: 2023-03-09 expires: never usage: E

card-no: 0006 18139415

ssb ed25519/298CFCC6EE0BB2AE

created: 2023-03-09 expires: never usage: A

card-no: 0006 18139415

ssb ed25519/2BC2249D2C2CF85D

created: 2023-03-09 expires: 2025-03-10 usage: S

card-no: 0006 20817858

ssb* ed25519/FB024359F49B5025

created: 2023-03-11 expires: 2025-03-10 usage: S

card-no: 0006 20489903

ssb rsa2048/3A9967ACE891FA13

created: 2023-08-17 expires: 2024-08-16 usage: A

card-no: 0006 20817858

ssb* rsa2048/1B29C1D42B01797D

created: 2023-08-17 expires: 2024-08-16 usage: A

card-no: 0006 20489903

[ultimate] (1). Yesterday17 <[email protected]>

gpg> revkey

Do you really want to revoke the selected subkeys? (y/N) y

Please select the reason for the revocation:

0 = No reason specified

1 = Key has been compromised

2 = Key is superseded

3 = Key is no longer used

Q = Cancel

Your decision? 1

Enter an optional description; end it with an empty line:

> The smartkey which stores this key was lost.

>

Reason for revocation: Key has been compromised

The smartkey which stores this key was lost.

Is this okay? (y/N) y

25 collapsed lines

sec ed25519/3CB3DFA9524C0B90

created: 2023-03-09 expires: never usage: SC

card-no: 0006 18139415

trust: ultimate validity: ultimate

ssb cv25519/B81202E9ACA8A99B

created: 2023-03-09 expires: never usage: E

card-no: 0006 18139415

ssb ed25519/298CFCC6EE0BB2AE

created: 2023-03-09 expires: never usage: A

card-no: 0006 18139415

ssb ed25519/2BC2249D2C2CF85D

created: 2023-03-09 expires: 2025-03-10 usage: S

card-no: 0006 20817858

The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>

ssb ed25519/FB024359F49B5025

created: 2023-03-11 revoked: 2024-05-27 usage: S

card-no: 0006 20489903

ssb rsa2048/3A9967ACE891FA13

created: 2023-08-17 expires: 2024-08-16 usage: A

card-no: 0006 20817858

The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>

ssb rsa2048/1B29C1D42B01797D

created: 2023-08-17 revoked: 2024-05-27 usage: A

card-no: 0006 20489903

[ultimate] (1). Yesterday17 <[email protected]>

gpg> save

这时候你机器上的版本就已经吊销了。然后把公钥导出一下:

gpg --armor --export E730A010ECDFB4890FF198983CB3DFA9524C0B90

0. 购买

然后当然是购买了。由于 Cloudflare 的车车已经开走两年了,目前廉价获取 Yubikey 的手段或许只有闲鱼和py了。你需要首先获得一把全新的 Yubikey 以继续以下的步骤。

1. 初始化

拿到新 Key 首先需要做的是初始化。

修改 OpenPGP Pin

首先启用一下 KDF,这样 Key 上就不会存储明文 Pin 了,然后再修改一下 Pin 的内容:

~ gpg --edit-card

gpg/card> admin

Admin commands are allowed

gpg/card> kdf-setup

gpg/card> passwd

gpg: OpenPGP card no. D2760001240100000006267887010000 detected

1 - change PIN

2 - unblock PIN

3 - change Admin PIN

4 - set the Reset Code

Q - quit

Your selection? 1

Error changing the PIN: Bad PIN

1 - change PIN

2 - unblock PIN

3 - change Admin PIN

4 - set the Reset Code

Q - quit

Your selection? 3

Error changing the PIN: Bad PIN

1 - change PIN

2 - unblock PIN

3 - change Admin PIN

4 - set the Reset Code

Q - quit

Your selection? Q

gpg/card>

修改 Pin 重试次数

然后稍微调大一点 Pin 的重试次数,毕竟锁掉也挺烦人的……当然如果你足够相信你的记忆力和输入准确度,也可以保留默认的 3 次锁(

ykman openpgp access set-retries 8 1 8

Pin

Yubikey 总共有三种 Pin [1]:

  • FIDO2
  • PIV (smart card)
  • OpenPGP

我们最常用的应该是 OpenPGP 的 Pin,它通常的输入时机是在 Git 提交、Push、SSH 登录的时候,通过 pinentry 输入。

拿到新 Yubikey 之后,我们首先需要默认将这些 Key 都设置上:

2. 生成 Subkey

准备完毕,接下来就是生成新子密钥的时间了。如果你是像我一样,将 Master Key 通过另一把 Yubikey 存储的话,这个时候就可以把合适的密钥插入,开始生成🚢新的子密钥了——

(所有用户操作均已高亮)

我们这次生成的 Key 都是 ED25519 算法的 ECC 密钥。其中一把是 Signature Key,负责给我们的 Git 操作签名;另一把是 Authentication Key,负责处理 SSH 相关的内容。我们选择给 Sign 密钥附上 1 year 的过期时间,这样我们可以更加灵活地管理 Git GPG 签名相关的事务;而 Auth 不设有效期的原因在于即时你配置了,SSH 也不会自动根据有效期拒绝过期的 Key(悲)

~ gpg --expert --edit-key E730A010ECDFB4890FF198983CB3DFA9524C0B90

gpg (GnuPG) 2.4.5; Copyright (C) 2024 g10 Code GmbH

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

25 collapsed lines

sec ed25519/3CB3DFA9524C0B90

created: 2023-03-09 expires: never usage: SC

card-no: 0006 18139415

trust: ultimate validity: ultimate

ssb cv25519/B81202E9ACA8A99B

created: 2023-03-09 expires: never usage: E

card-no: 0006 18139415

ssb ed25519/298CFCC6EE0BB2AE

created: 2023-03-09 expires: never usage: A

card-no: 0006 18139415

ssb ed25519/2BC2249D2C2CF85D

created: 2023-03-09 expires: 2025-03-10 usage: S

card-no: 0006 20817858

The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>

ssb ed25519/FB024359F49B5025

created: 2023-03-11 revoked: 2024-05-27 usage: S

card-no: 0006 20489903

ssb rsa2048/3A9967ACE891FA13

created: 2023-08-17 expires: 2024-08-16 usage: A

card-no: 0006 20817858

The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>

ssb rsa2048/1B29C1D42B01797D

created: 2023-08-17 revoked: 2024-05-27 usage: A

card-no: 0006 20489903

[ultimate] (1). Yesterday17 <[email protected]>

gpg> addkey

Secret parts of primary key are stored on-card.

Please select what kind of key you want:

(3) DSA (sign only)

(4) RSA (sign only)

(5) Elgamal (encrypt only)

(6) RSA (encrypt only)

(7) DSA (set your own capabilities)

(8) RSA (set your own capabilities)

(10) ECC (sign only)

(11) ECC (set your own capabilities)

(12) ECC (encrypt only)

(13) Existing key

(14) Existing key from card

Your selection? 10

Please select which elliptic curve you want:

(1) Curve 25519 *default*

(2) Curve 448

(3) NIST P-256

(4) NIST P-384

(5) NIST P-521

(6) Brainpool P-256

(7) Brainpool P-384

(8) Brainpool P-512

(9) secp256k1

Your selection? 1

Please specify how long the key should be valid.

0 = key does not expire

<n> = key expires in n days

<n>w = key expires in n weeks

<n>m = key expires in n months

<n>y = key expires in n years

Key is valid for? (0) 1y

Key expires at 5/28 00:04:29 2025 CST

Is this correct? (y/N) y

Really create? (y/N) y

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

27 collapsed lines

sec ed25519/3CB3DFA9524C0B90

created: 2023-03-09 expires: never usage: SC

card-no: 0006 18139415

trust: ultimate validity: ultimate

ssb cv25519/B81202E9ACA8A99B

created: 2023-03-09 expires: never usage: E

card-no: 0006 18139415

ssb ed25519/298CFCC6EE0BB2AE

created: 2023-03-09 expires: never usage: A

card-no: 0006 18139415

ssb ed25519/2BC2249D2C2CF85D

created: 2023-03-09 expires: 2025-03-10 usage: S

card-no: 0006 20817858

The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>

ssb ed25519/FB024359F49B5025

created: 2023-03-11 revoked: 2024-05-27 usage: S

card-no: 0006 20489903

ssb rsa2048/3A9967ACE891FA13

created: 2023-08-17 expires: 2024-08-16 usage: A

card-no: 0006 20817858

The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>

ssb rsa2048/1B29C1D42B01797D

created: 2023-08-17 revoked: 2024-05-27 usage: A

card-no: 0006 20489903

ssb ed25519/9DE5B4BEB4284E4F

created: 2024-05-27 expires: 2025-05-27 usage: S

[ultimate] (1). Yesterday17 <[email protected]>

gpg> addkey

Secret parts of primary key are stored on-card.

Please select what kind of key you want:

(3) DSA (sign only)

(4) RSA (sign only)

(5) Elgamal (encrypt only)

(6) RSA (encrypt only)

(7) DSA (set your own capabilities)

(8) RSA (set your own capabilities)

(10) ECC (sign only)

(11) ECC (set your own capabilities)

(12) ECC (encrypt only)

(13) Existing key

(14) Existing key from card

Your selection? 11

Possible actions for this ECC key: Sign Authenticate

Current allowed actions: Sign

(S) Toggle the sign capability

(A) Toggle the authenticate capability

(Q) Finished

Your selection? s

Possible actions for this ECC key: Sign Authenticate

Current allowed actions:

(S) Toggle the sign capability

(A) Toggle the authenticate capability

(Q) Finished

Your selection? a

Possible actions for this ECC key: Sign Authenticate

Current allowed actions: Authenticate

(S) Toggle the sign capability

(A) Toggle the authenticate capability

(Q) Finished

Your selection? q

Please select which elliptic curve you want:

(1) Curve 25519 *default*

(2) Curve 448

(3) NIST P-256

(4) NIST P-384

(5) NIST P-521

(6) Brainpool P-256

(7) Brainpool P-384

(8) Brainpool P-512

(9) secp256k1

Your selection? 1

Please specify how long the key should be valid.

0 = key does not expire

<n> = key expires in n days

<n>w = key expires in n weeks

<n>m = key expires in n months

<n>y = key expires in n years

Key is valid for? (0) 0

Key does not expire at all

Is this correct? (y/N) y

Really create? (y/N) y

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

29 collapsed lines

sec ed25519/3CB3DFA9524C0B90

created: 2023-03-09 expires: never usage: SC

card-no: 0006 18139415

trust: ultimate validity: ultimate

ssb cv25519/B81202E9ACA8A99B

created: 2023-03-09 expires: never usage: E

card-no: 0006 18139415

ssb ed25519/298CFCC6EE0BB2AE

created: 2023-03-09 expires: never usage: A

card-no: 0006 18139415

ssb ed25519/2BC2249D2C2CF85D

created: 2023-03-09 expires: 2025-03-10 usage: S

card-no: 0006 20817858

The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>

ssb ed25519/FB024359F49B5025

created: 2023-03-11 revoked: 2024-05-27 usage: S

card-no: 0006 20489903

ssb rsa2048/3A9967ACE891FA13

created: 2023-08-17 expires: 2024-08-16 usage: A

card-no: 0006 20817858

The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>

ssb rsa2048/1B29C1D42B01797D

created: 2023-08-17 revoked: 2024-05-27 usage: A

card-no: 0006 20489903

ssb ed25519/9DE5B4BEB4284E4F

created: 2024-05-27 expires: 2025-05-27 usage: S

ssb ed25519/F2C2EA61718A9DBC

created: 2024-05-27 expires: never usage: A

[ultimate] (1). Yesterday17 <[email protected]>

gpg> save

3. 导出 Subkey

生成完毕,接下来就是导出了。让我们拔出 Master Key,换上崭新的日用 Key:

gpg --expert --edit-key E730A010ECDFB4890FF198983CB3DFA9524C0B90

gpg (GnuPG) 2.4.5; Copyright (C) 2024 g10 Code GmbH

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

29 collapsed lines

sec ed25519/3CB3DFA9524C0B90

created: 2023-03-09 expires: never usage: SC

card-no: 0006 18139415

trust: ultimate validity: ultimate

ssb cv25519/B81202E9ACA8A99B

created: 2023-03-09 expires: never usage: E

card-no: 0006 18139415

ssb ed25519/298CFCC6EE0BB2AE

created: 2023-03-09 expires: never usage: A

card-no: 0006 18139415

ssb ed25519/2BC2249D2C2CF85D

created: 2023-03-09 expires: 2025-03-10 usage: S

card-no: 0006 20817858

The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>

ssb ed25519/FB024359F49B5025

created: 2023-03-11 revoked: 2024-05-27 usage: S

card-no: 0006 20489903

ssb rsa2048/3A9967ACE891FA13

created: 2023-08-17 expires: 2024-08-16 usage: A

card-no: 0006 20817858

The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>

ssb rsa2048/1B29C1D42B01797D

created: 2023-08-17 revoked: 2024-05-27 usage: A

card-no: 0006 20489903

ssb ed25519/9DE5B4BEB4284E4F

created: 2024-05-27 expires: 2025-05-27 usage: S

ssb ed25519/F2C2EA61718A9DBC

created: 2024-05-27 expires: never usage: A

[ultimate] (1). Yesterday17 <[email protected]>

gpg> key 7

29 collapsed lines

sec ed25519/3CB3DFA9524C0B90

created: 2023-03-09 expires: never usage: SC

card-no: 0006 18139415

trust: ultimate validity: ultimate

ssb cv25519/B81202E9ACA8A99B

created: 2023-03-09 expires: never usage: E

card-no: 0006 18139415

ssb ed25519/298CFCC6EE0BB2AE

created: 2023-03-09 expires: never usage: A

card-no: 0006 18139415

ssb ed25519/2BC2249D2C2CF85D

created: 2023-03-09 expires: 2025-03-10 usage: S

card-no: 0006 20817858

The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>

ssb ed25519/FB024359F49B5025

created: 2023-03-11 revoked: 2024-05-27 usage: S

card-no: 0006 20489903

ssb rsa2048/3A9967ACE891FA13

created: 2023-08-17 expires: 2024-08-16 usage: A

card-no: 0006 20817858

The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>

ssb rsa2048/1B29C1D42B01797D

created: 2023-08-17 revoked: 2024-05-27 usage: A

card-no: 0006 20489903

ssb* ed25519/9DE5B4BEB4284E4F

created: 2024-05-27 expires: 2025-05-27 usage: S

ssb ed25519/F2C2EA61718A9DBC

created: 2024-05-27 expires: never usage: A

[ultimate] (1). Yesterday17 <[email protected]>

gpg> keytocard

Please select where to store the key:

(1) Signature key

(3) Authentication key

Your selection? 1

29 collapsed lines

sec ed25519/3CB3DFA9524C0B90

created: 2023-03-09 expires: never usage: SC

card-no: 0006 18139415

trust: ultimate validity: ultimate

ssb cv25519/B81202E9ACA8A99B

created: 2023-03-09 expires: never usage: E

card-no: 0006 18139415

ssb ed25519/298CFCC6EE0BB2AE

created: 2023-03-09 expires: never usage: A

card-no: 0006 18139415

ssb ed25519/2BC2249D2C2CF85D

created: 2023-03-09 expires: 2025-03-10 usage: S

card-no: 0006 20817858

The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>

ssb ed25519/FB024359F49B5025

created: 2023-03-11 revoked: 2024-05-27 usage: S

card-no: 0006 20489903

ssb rsa2048/3A9967ACE891FA13

created: 2023-08-17 expires: 2024-08-16 usage: A

card-no: 0006 20817858

The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>

ssb rsa2048/1B29C1D42B01797D

created: 2023-08-17 revoked: 2024-05-27 usage: A

card-no: 0006 20489903

ssb* ed25519/9DE5B4BEB4284E4F

created: 2024-05-27 expires: 2025-05-27 usage: S

ssb ed25519/F2C2EA61718A9DBC

created: 2024-05-27 expires: never usage: A

[ultimate] (1). Yesterday17 <[email protected]>

Note: the local copy of the secret key will only be deleted with "save".

gpg> key 7

29 collapsed lines

sec ed25519/3CB3DFA9524C0B90

created: 2023-03-09 expires: never usage: SC

card-no: 0006 18139415

trust: ultimate validity: ultimate

ssb cv25519/B81202E9ACA8A99B

created: 2023-03-09 expires: never usage: E

card-no: 0006 18139415

ssb ed25519/298CFCC6EE0BB2AE

created: 2023-03-09 expires: never usage: A

card-no: 0006 18139415

ssb ed25519/2BC2249D2C2CF85D

created: 2023-03-09 expires: 2025-03-10 usage: S

card-no: 0006 20817858

The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>

ssb ed25519/FB024359F49B5025

created: 2023-03-11 revoked: 2024-05-27 usage: S

card-no: 0006 20489903

ssb rsa2048/3A9967ACE891FA13

created: 2023-08-17 expires: 2024-08-16 usage: A

card-no: 0006 20817858

The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>

ssb rsa2048/1B29C1D42B01797D

created: 2023-08-17 revoked: 2024-05-27 usage: A

card-no: 0006 20489903

ssb ed25519/9DE5B4BEB4284E4F

created: 2024-05-27 expires: 2025-05-27 usage: S

ssb ed25519/F2C2EA61718A9DBC

created: 2024-05-27 expires: never usage: A

[ultimate] (1). Yesterday17 <[email protected]>

gpg> key 8

29 collapsed lines

sec ed25519/3CB3DFA9524C0B90

created: 2023-03-09 expires: never usage: SC

card-no: 0006 18139415

trust: ultimate validity: ultimate

ssb cv25519/B81202E9ACA8A99B

created: 2023-03-09 expires: never usage: E

card-no: 0006 18139415

ssb ed25519/298CFCC6EE0BB2AE

created: 2023-03-09 expires: never usage: A

card-no: 0006 18139415

ssb ed25519/2BC2249D2C2CF85D

created: 2023-03-09 expires: 2025-03-10 usage: S

card-no: 0006 20817858

The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>

ssb ed25519/FB024359F49B5025

created: 2023-03-11 revoked: 2024-05-27 usage: S

card-no: 0006 20489903

ssb rsa2048/3A9967ACE891FA13

created: 2023-08-17 expires: 2024-08-16 usage: A

card-no: 0006 20817858

The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>

ssb rsa2048/1B29C1D42B01797D

created: 2023-08-17 revoked: 2024-05-27 usage: A

card-no: 0006 20489903

ssb ed25519/9DE5B4BEB4284E4F

created: 2024-05-27 expires: 2025-05-27 usage: S

ssb* ed25519/F2C2EA61718A9DBC

created: 2024-05-27 expires: never usage: A

[ultimate] (1). Yesterday17 <[email protected]>

gpg> keytocard

Please select where to store the key:

(3) Authentication key

Your selection? 3

29 collapsed lines

sec ed25519/3CB3DFA9524C0B90

created: 2023-03-09 expires: never usage: SC

card-no: 0006 18139415

trust: ultimate validity: ultimate

ssb cv25519/B81202E9ACA8A99B

created: 2023-03-09 expires: never usage: E

card-no: 0006 18139415

ssb ed25519/298CFCC6EE0BB2AE

created: 2023-03-09 expires: never usage: A

card-no: 0006 18139415

ssb ed25519/2BC2249D2C2CF85D

created: 2023-03-09 expires: 2025-03-10 usage: S

card-no: 0006 20817858

The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>

ssb ed25519/FB024359F49B5025

created: 2023-03-11 revoked: 2024-05-27 usage: S

card-no: 0006 20489903

ssb rsa2048/3A9967ACE891FA13

created: 2023-08-17 expires: 2024-08-16 usage: A

card-no: 0006 20817858

The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>

ssb rsa2048/1B29C1D42B01797D

created: 2023-08-17 revoked: 2024-05-27 usage: A

card-no: 0006 20489903

ssb ed25519/9DE5B4BEB4284E4F

created: 2024-05-27 expires: 2025-05-27 usage: S

ssb* ed25519/F2C2EA61718A9DBC

created: 2024-05-27 expires: never usage: A

[ultimate] (1). Yesterday17 <[email protected]>

Note: the local copy of the secret key will only be deleted with "save".

gpg> save

4. 导出公钥

这时候导出的就是崭新的可以用的公钥啦(

gpg --armor --export E730A010ECDFB4890FF198983CB3DFA9524C0B90

5. 准备丢失预案

再来一次肯定不能再重蹈覆辙了——基于这样简单的想法,我们需要整理一下之后的对策。

首先,在密钥遗失的情况下,我们首先需要做的就是把和这把密钥相关的所有服务彻底解绑。为此,我们需要:

  1. 记录使用了 FIDO 绑定的网站列表。只有知道了到底绑定了哪些网站,才能一个一个去解)
  2. 增加 VPS 的 SSH Key 自动更新机制。因为手动一个个更新 SSH Key 可能也不大现实,最好是可以自动化地去跑这个事情。从另一个角度想,如果这个自动化做好了的话,那么之后 Auth Key 也可以设置过期时间了(确信)

而从另一个角度来看,我们希望在密钥丢失之后最大限度地找回。所以——

  • 买些 Airtag 还是有必要的)

最后,最应该做的应该是尽可能不要遗失,所以——

我警告你们!出门携带 Yubikey 千万不要直接放口袋里!!!尤其不要在放口袋里之后就以为口袋是好的!!!!!!!!!!!!!!!!!!老子要升天了!!!!!!!!!!日妈批!!!!!

这次是运气好直接漏车上了,但不能有下次了!