Preface
If you are a prospective Yubikey/hardware key user, my advice is to prepare a plan for losing the hardware key as early as possible; if you are a current Yubikey/hardware key user, my advice is to hurry up and buy an AirTag to protect your key(
Well, enough rambling. This post is what I wrote after my everyday Yubikey went missing
-1. Revoke the old keys
For safety, the minus-first thing to do is immediately update the GPG public key bound to GitHub, and unbind this key's FIDO2 two-factor authentication on every site it was registered with. For SSH logins via GPG, we should also immediately update the configuration of every VPS that has this SSH key in its authorized_keys.
➜ ~ gpg --edit-key E730A010ECDFB4890FF198983CB3DFA9524C0B90
gpg (GnuPG) 2.4.1; Copyright (C) 2023 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec ed25519/3CB3DFA9524C0B90
created: 2023-03-09 expires: never usage: SC
card-no: 0006 18139415
trust: ultimate validity: ultimate
ssb cv25519/B81202E9ACA8A99B
created: 2023-03-09 expires: never usage: E
card-no: 0006 18139415
ssb ed25519/298CFCC6EE0BB2AE
created: 2023-03-09 expires: never usage: A
card-no: 0006 18139415
ssb ed25519/2BC2249D2C2CF85D
created: 2023-03-09 expires: 2025-03-10 usage: S
card-no: 0006 20817858
ssb ed25519/FB024359F49B5025
created: 2023-03-11 expires: 2025-03-10 usage: S
card-no: 0006 20489903
ssb rsa2048/3A9967ACE891FA13
created: 2023-08-17 expires: 2024-08-16 usage: A
card-no: 0006 20817858
ssb rsa2048/1B29C1D42B01797D
created: 2023-08-17 expires: 2024-08-16 usage: A
card-no: 0006 20489903
[ultimate] (1). Yesterday17 <[email protected]>
gpg> key 4
sec ed25519/3CB3DFA9524C0B90
created: 2023-03-09 expires: never usage: SC
card-no: 0006 18139415
trust: ultimate validity: ultimate
ssb cv25519/B81202E9ACA8A99B
created: 2023-03-09 expires: never usage: E
card-no: 0006 18139415
ssb ed25519/298CFCC6EE0BB2AE
created: 2023-03-09 expires: never usage: A
card-no: 0006 18139415
ssb ed25519/2BC2249D2C2CF85D
created: 2023-03-09 expires: 2025-03-10 usage: S
card-no: 0006 20817858
ssb* ed25519/FB024359F49B5025
created: 2023-03-11 expires: 2025-03-10 usage: S
card-no: 0006 20489903
ssb rsa2048/3A9967ACE891FA13
created: 2023-08-17 expires: 2024-08-16 usage: A
card-no: 0006 20817858
ssb rsa2048/1B29C1D42B01797D
created: 2023-08-17 expires: 2024-08-16 usage: A
card-no: 0006 20489903
[ultimate] (1). Yesterday17 <[email protected]>
gpg> key 6
sec ed25519/3CB3DFA9524C0B90
created: 2023-03-09 expires: never usage: SC
card-no: 0006 18139415
trust: ultimate validity: ultimate
ssb cv25519/B81202E9ACA8A99B
created: 2023-03-09 expires: never usage: E
card-no: 0006 18139415
ssb ed25519/298CFCC6EE0BB2AE
created: 2023-03-09 expires: never usage: A
card-no: 0006 18139415
ssb ed25519/2BC2249D2C2CF85D
created: 2023-03-09 expires: 2025-03-10 usage: S
card-no: 0006 20817858
ssb* ed25519/FB024359F49B5025
created: 2023-03-11 expires: 2025-03-10 usage: S
card-no: 0006 20489903
ssb rsa2048/3A9967ACE891FA13
created: 2023-08-17 expires: 2024-08-16 usage: A
card-no: 0006 20817858
ssb* rsa2048/1B29C1D42B01797D
created: 2023-08-17 expires: 2024-08-16 usage: A
card-no: 0006 20489903
[ultimate] (1). Yesterday17 <[email protected]>
gpg> revkey
Do you really want to revoke the selected subkeys? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
Your decision? 1
Enter an optional description; end it with an empty line:
> The smartkey which stores this key was lost.
>
Reason for revocation: Key has been compromised
The smartkey which stores this key was lost.
Is this okay? (y/N) y
sec ed25519/3CB3DFA9524C0B90
created: 2023-03-09 expires: never usage: SC
card-no: 0006 18139415
trust: ultimate validity: ultimate
ssb cv25519/B81202E9ACA8A99B
created: 2023-03-09 expires: never usage: E
card-no: 0006 18139415
ssb ed25519/298CFCC6EE0BB2AE
created: 2023-03-09 expires: never usage: A
card-no: 0006 18139415
ssb ed25519/2BC2249D2C2CF85D
created: 2023-03-09 expires: 2025-03-10 usage: S
card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb ed25519/FB024359F49B5025
created: 2023-03-11 revoked: 2024-05-27 usage: S
card-no: 0006 20489903
ssb rsa2048/3A9967ACE891FA13
created: 2023-08-17 expires: 2024-08-16 usage: A
card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb rsa2048/1B29C1D42B01797D
created: 2023-08-17 revoked: 2024-05-27 usage: A
card-no: 0006 20489903
[ultimate] (1). Yesterday17 <[email protected]>
gpg> save
At this point the copy on your machine is revoked. Then export the public key:
gpg --armor --export E730A010ECDFB4890FF198983CB3DFA9524C0B90
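In the session above, which `key N` to select before `revkey` was worked out by matching each subkey's card-no against the lost card by hand. The Python script below is an added example, not from the original post: it does that matching on gpg's machine-readable listing. It assumes that the digits gpg displays as "card-no: MMMM SSSSSSSS" appear concatenated inside the token serial field (field 15 per GnuPG's doc/DETAILS); the sample listing and its uid are constructed to mirror the post's key before revocation.

```python
"""Find the subkeys stored on a lost OpenPGP card, so you know which `key N` to
select before `revkey`. Input: gpg --with-colons --list-secret-keys <fpr>.
Per GnuPG doc/DETAILS, field 15 of a sec/ssb record is the token serial number
when the secret part lives on a card. gpg shows it as "card-no: MMMM SSSSSSSS"
(manufacturer, serial); assumption: both numbers appear concatenated inside
the token field, as they do for the Yubikey serials in the post.
"""
from __future__ import annotations

from typing import NamedTuple


class Subkey(NamedTuple):
    index: int   # 1-based listing position: the N in `key N` inside gpg --edit-key
    keyid: str
    usage: str   # capability letters from field 12: s, a, e
    token: str   # field 15; empty when the secret part is not on a card


def parse_subkeys(colons: str) -> list[Subkey]:
    """Collect ssb records in listing order; sec/fpr/grp/uid records are skipped."""
    subkeys: list[Subkey] = []
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] != "ssb":
            continue
        usage = fields[11] if len(fields) > 11 else ""
        token = fields[14] if len(fields) > 14 else ""
        subkeys.append(Subkey(len(subkeys) + 1, fields[4], usage, token))
    return subkeys


def subkeys_on_card(colons: str, card_no: str) -> list[Subkey]:
    """Subkeys whose token serial contains the digits of the gpg 'card-no'."""
    needle = "".join(card_no.split()).upper()   # "0006 20489903" -> "000620489903"
    return [k for k in parse_subkeys(colons) if needle in k.token.upper()]


def edit_key_selection(colons: str, card_no: str) -> list[str]:
    """The `key N` commands to type in gpg --edit-key before `revkey`."""
    return [f"key {k.index}" for k in subkeys_on_card(colons, card_no)]


# Constructed sample mirroring the post's key before revocation; the lost card
# 0006 20489903 holds subkey 4 (sign) and subkey 6 (auth). The uid is a placeholder.
SAMPLE = """\
sec:u:255:22:3CB3DFA9524C0B90:1678320000:::u:::scESC:::D2760001240100000006181394150000::ed25519::
fpr:::::::::E730A010ECDFB4890FF198983CB3DFA9524C0B90:
uid:u::::1678320000::0123456789ABCDEF0123456789ABCDEF01234567::Yesterday17 <user@example.invalid>::
ssb:u:255:18:B81202E9ACA8A99B:1678320000::::::e:::D2760001240100000006181394150000::cv25519::
ssb:u:255:22:298CFCC6EE0BB2AE:1678320000::::::a:::D2760001240100000006181394150000::ed25519::
ssb:u:255:22:2BC2249D2C2CF85D:1678320000:1741564800:::::s:::D2760001240100000006208178580000::ed25519::
ssb:u:255:22:FB024359F49B5025:1678492800:1741564800:::::s:::D2760001240100000006204899030000::ed25519::
ssb:u:2048:1:3A9967ACE891FA13:1692230400:1723766400:::::a:::D2760001240100000006208178580000::::
ssb:u:2048:1:1B29C1D42B01797D:1692230400:1723766400:::::a:::D2760001240100000006204899030000::::
"""

if __name__ == "__main__":
    print(edit_key_selection(SAMPLE, "0006 20489903"))   # ['key 4', 'key 6']
```

Feed it the live output of `gpg --with-colons --list-secret-keys <fingerprint>` instead of SAMPLE to get the selections for your own key.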
0. Purchase
Then, of course, buy one. Since the Cloudflare promotion ended two years ago, the only cheap way to get a Yubikey these days is probably Xianyu
1. Initialization
The first thing to do with a new key is initialize it.
Change the OpenPGP PIN
First enable KDF, so that the key no longer stores the PIN in plaintext, then change the PIN itself:
➜ ~ gpg --edit-card
gpg/card> admin
Admin commands are allowed
gpg/card> kdf-setup
gpg/card> passwd
gpg: OpenPGP card no. D2760001240100000006267887010000 detected
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 1
Error changing the PIN: Bad PIN
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 3
Error changing the PIN: Bad PIN
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? Q
gpg/card>
Change the PIN retry count
Then bump the PIN retry count up a bit; getting locked out is annoying after all... Of course, if you trust your memory and typing accuracy enough, you can also keep the default lock after 3 attempts(
ykman openpgp access set-retries 8 1 8
PIN
A Yubikey has three kinds of PIN in total [1]:
- FIDO2
- PIV (smart card)
- OpenPGP
The one we use most often is the OpenPGP PIN; it is typically entered through pinentry when committing, pushing, or logging in over SSH.
After getting a new Yubikey, the first thing we need to do is set all of these PINs, which ship with default values:
2. Generate subkeys
Preparation done; next it's time to generate the new subkeys. If, like me, you keep the Master Key on another Yubikey, now is the time to plug that key in and start generating the new subkeys:
(all user input has been highlighted)
The keys we generate this time are all ED25519 ECC keys. One is the Signature key, which signs our Git operations; the other is the Authentication key, which handles everything SSH-related. We give the Sign key a 1-year expiry so we can manage Git GPG signing more flexibly; the Auth key gets no expiry because even if you configure one, SSH will not automatically reject an expired key based on it (sad)
➜ ~ gpg --expert --edit-key E730A010ECDFB4890FF198983CB3DFA9524C0B90
gpg (GnuPG) 2.4.5; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec ed25519/3CB3DFA9524C0B90
created: 2023-03-09 expires: never usage: SC
card-no: 0006 18139415
trust: ultimate validity: ultimate
ssb cv25519/B81202E9ACA8A99B
created: 2023-03-09 expires: never usage: E
card-no: 0006 18139415
ssb ed25519/298CFCC6EE0BB2AE
created: 2023-03-09 expires: never usage: A
card-no: 0006 18139415
ssb ed25519/2BC2249D2C2CF85D
created: 2023-03-09 expires: 2025-03-10 usage: S
card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb ed25519/FB024359F49B5025
created: 2023-03-11 revoked: 2024-05-27 usage: S
card-no: 0006 20489903
ssb rsa2048/3A9967ACE891FA13
created: 2023-08-17 expires: 2024-08-16 usage: A
card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb rsa2048/1B29C1D42B01797D
created: 2023-08-17 revoked: 2024-05-27 usage: A
card-no: 0006 20489903
[ultimate] (1). Yesterday17 <[email protected]>
gpg> addkey
Secret parts of primary key are stored on-card.
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
(14) Existing key from card
Your selection? 10
Please select which elliptic curve you want:
(1) Curve 25519 *default*
(2) Curve 448
(3) NIST P-256
(4) NIST P-384
(5) NIST P-521
(6) Brainpool P-256
(7) Brainpool P-384
(8) Brainpool P-512
(9) secp256k1
Your selection? 1
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at 水 5/28 00:04:29 2025 CST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
sec ed25519/3CB3DFA9524C0B90
created: 2023-03-09 expires: never usage: SC
card-no: 0006 18139415
trust: ultimate validity: ultimate
ssb cv25519/B81202E9ACA8A99B
created: 2023-03-09 expires: never usage: E
card-no: 0006 18139415
ssb ed25519/298CFCC6EE0BB2AE
created: 2023-03-09 expires: never usage: A
card-no: 0006 18139415
ssb ed25519/2BC2249D2C2CF85D
created: 2023-03-09 expires: 2025-03-10 usage: S
card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb ed25519/FB024359F49B5025
created: 2023-03-11 revoked: 2024-05-27 usage: S
card-no: 0006 20489903
ssb rsa2048/3A9967ACE891FA13
created: 2023-08-17 expires: 2024-08-16 usage: A
card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb rsa2048/1B29C1D42B01797D
created: 2023-08-17 revoked: 2024-05-27 usage: A
card-no: 0006 20489903
ssb ed25519/9DE5B4BEB4284E4F
created: 2024-05-27 expires: 2025-05-27 usage: S
[ultimate] (1). Yesterday17 <[email protected]>
gpg> addkey
Secret parts of primary key are stored on-card.
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
(14) Existing key from card
Your selection? 11
Possible actions for this ECC key: Sign Authenticate
Current allowed actions: Sign
(S) Toggle the sign capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? s
Possible actions for this ECC key: Sign Authenticate
Current allowed actions:
(S) Toggle the sign capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? a
Possible actions for this ECC key: Sign Authenticate
Current allowed actions: Authenticate
(S) Toggle the sign capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? q
Please select which elliptic curve you want:
(1) Curve 25519 *default*
(2) Curve 448
(3) NIST P-256
(4) NIST P-384
(5) NIST P-521
(6) Brainpool P-256
(7) Brainpool P-384
(8) Brainpool P-512
(9) secp256k1
Your selection? 1
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
sec ed25519/3CB3DFA9524C0B90
created: 2023-03-09 expires: never usage: SC
card-no: 0006 18139415
trust: ultimate validity: ultimate
ssb cv25519/B81202E9ACA8A99B
created: 2023-03-09 expires: never usage: E
card-no: 0006 18139415
ssb ed25519/298CFCC6EE0BB2AE
created: 2023-03-09 expires: never usage: A
card-no: 0006 18139415
ssb ed25519/2BC2249D2C2CF85D
created: 2023-03-09 expires: 2025-03-10 usage: S
card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb ed25519/FB024359F49B5025
created: 2023-03-11 revoked: 2024-05-27 usage: S
card-no: 0006 20489903
ssb rsa2048/3A9967ACE891FA13
created: 2023-08-17 expires: 2024-08-16 usage: A
card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb rsa2048/1B29C1D42B01797D
created: 2023-08-17 revoked: 2024-05-27 usage: A
card-no: 0006 20489903
ssb ed25519/9DE5B4BEB4284E4F
created: 2024-05-27 expires: 2025-05-27 usage: S
ssb ed25519/F2C2EA61718A9DBC
created: 2024-05-27 expires: never usage: A
[ultimate] (1). Yesterday17 <[email protected]>
gpg> save
3. Export the subkeys to the card
Generation done; next comes the export. Let's pull out the Master Key and plug in the brand-new everyday key:
➜ gpg --expert --edit-key E730A010ECDFB4890FF198983CB3DFA9524C0B90
gpg (GnuPG) 2.4.5; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec ed25519/3CB3DFA9524C0B90
created: 2023-03-09 expires: never usage: SC
card-no: 0006 18139415
trust: ultimate validity: ultimate
ssb cv25519/B81202E9ACA8A99B
created: 2023-03-09 expires: never usage: E
card-no: 0006 18139415
ssb ed25519/298CFCC6EE0BB2AE
created: 2023-03-09 expires: never usage: A
card-no: 0006 18139415
ssb ed25519/2BC2249D2C2CF85D
created: 2023-03-09 expires: 2025-03-10 usage: S
card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb ed25519/FB024359F49B5025
created: 2023-03-11 revoked: 2024-05-27 usage: S
card-no: 0006 20489903
ssb rsa2048/3A9967ACE891FA13
created: 2023-08-17 expires: 2024-08-16 usage: A
card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb rsa2048/1B29C1D42B01797D
created: 2023-08-17 revoked: 2024-05-27 usage: A
card-no: 0006 20489903
ssb ed25519/9DE5B4BEB4284E4F
created: 2024-05-27 expires: 2025-05-27 usage: S
ssb ed25519/F2C2EA61718A9DBC
created: 2024-05-27 expires: never usage: A
[ultimate] (1). Yesterday17 <[email protected]>
gpg> key 7
sec ed25519/3CB3DFA9524C0B90
created: 2023-03-09 expires: never usage: SC
card-no: 0006 18139415
trust: ultimate validity: ultimate
ssb cv25519/B81202E9ACA8A99B
created: 2023-03-09 expires: never usage: E
card-no: 0006 18139415
ssb ed25519/298CFCC6EE0BB2AE
created: 2023-03-09 expires: never usage: A
card-no: 0006 18139415
ssb ed25519/2BC2249D2C2CF85D
created: 2023-03-09 expires: 2025-03-10 usage: S
card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb ed25519/FB024359F49B5025
created: 2023-03-11 revoked: 2024-05-27 usage: S
card-no: 0006 20489903
ssb rsa2048/3A9967ACE891FA13
created: 2023-08-17 expires: 2024-08-16 usage: A
card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb rsa2048/1B29C1D42B01797D
created: 2023-08-17 revoked: 2024-05-27 usage: A
card-no: 0006 20489903
ssb* ed25519/9DE5B4BEB4284E4F
created: 2024-05-27 expires: 2025-05-27 usage: S
ssb ed25519/F2C2EA61718A9DBC
created: 2024-05-27 expires: never usage: A
[ultimate] (1). Yesterday17 <[email protected]>
gpg> keytocard
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1
sec ed25519/3CB3DFA9524C0B90
created: 2023-03-09 expires: never usage: SC
card-no: 0006 18139415
trust: ultimate validity: ultimate
ssb cv25519/B81202E9ACA8A99B
created: 2023-03-09 expires: never usage: E
card-no: 0006 18139415
ssb ed25519/298CFCC6EE0BB2AE
created: 2023-03-09 expires: never usage: A
card-no: 0006 18139415
ssb ed25519/2BC2249D2C2CF85D
created: 2023-03-09 expires: 2025-03-10 usage: S
card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb ed25519/FB024359F49B5025
created: 2023-03-11 revoked: 2024-05-27 usage: S
card-no: 0006 20489903
ssb rsa2048/3A9967ACE891FA13
created: 2023-08-17 expires: 2024-08-16 usage: A
card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb rsa2048/1B29C1D42B01797D
created: 2023-08-17 revoked: 2024-05-27 usage: A
card-no: 0006 20489903
ssb* ed25519/9DE5B4BEB4284E4F
created: 2024-05-27 expires: 2025-05-27 usage: S
ssb ed25519/F2C2EA61718A9DBC
created: 2024-05-27 expires: never usage: A
[ultimate] (1). Yesterday17 <[email protected]>
Note: the local copy of the secret key will only be deleted with "save".
gpg> key 7
sec ed25519/3CB3DFA9524C0B90
created: 2023-03-09 expires: never usage: SC
card-no: 0006 18139415
trust: ultimate validity: ultimate
ssb cv25519/B81202E9ACA8A99B
created: 2023-03-09 expires: never usage: E
card-no: 0006 18139415
ssb ed25519/298CFCC6EE0BB2AE
created: 2023-03-09 expires: never usage: A
card-no: 0006 18139415
ssb ed25519/2BC2249D2C2CF85D
created: 2023-03-09 expires: 2025-03-10 usage: S
card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb ed25519/FB024359F49B5025
created: 2023-03-11 revoked: 2024-05-27 usage: S
card-no: 0006 20489903
ssb rsa2048/3A9967ACE891FA13
created: 2023-08-17 expires: 2024-08-16 usage: A
card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb rsa2048/1B29C1D42B01797D
created: 2023-08-17 revoked: 2024-05-27 usage: A
card-no: 0006 20489903
ssb ed25519/9DE5B4BEB4284E4F
created: 2024-05-27 expires: 2025-05-27 usage: S
ssb ed25519/F2C2EA61718A9DBC
created: 2024-05-27 expires: never usage: A
[ultimate] (1). Yesterday17 <[email protected]>
gpg> key 8
sec ed25519/3CB3DFA9524C0B90
created: 2023-03-09 expires: never usage: SC
card-no: 0006 18139415
trust: ultimate validity: ultimate
ssb cv25519/B81202E9ACA8A99B
created: 2023-03-09 expires: never usage: E
card-no: 0006 18139415
ssb ed25519/298CFCC6EE0BB2AE
created: 2023-03-09 expires: never usage: A
card-no: 0006 18139415
ssb ed25519/2BC2249D2C2CF85D
created: 2023-03-09 expires: 2025-03-10 usage: S
card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb ed25519/FB024359F49B5025
created: 2023-03-11 revoked: 2024-05-27 usage: S
card-no: 0006 20489903
ssb rsa2048/3A9967ACE891FA13
created: 2023-08-17 expires: 2024-08-16 usage: A
card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb rsa2048/1B29C1D42B01797D
created: 2023-08-17 revoked: 2024-05-27 usage: A
card-no: 0006 20489903
ssb ed25519/9DE5B4BEB4284E4F
created: 2024-05-27 expires: 2025-05-27 usage: S
ssb* ed25519/F2C2EA61718A9DBC
created: 2024-05-27 expires: never usage: A
[ultimate] (1). Yesterday17 <[email protected]>
gpg> keytocard
Please select where to store the key:
(3) Authentication key
Your selection? 3
sec ed25519/3CB3DFA9524C0B90
created: 2023-03-09 expires: never usage: SC
card-no: 0006 18139415
trust: ultimate validity: ultimate
ssb cv25519/B81202E9ACA8A99B
created: 2023-03-09 expires: never usage: E
card-no: 0006 18139415
ssb ed25519/298CFCC6EE0BB2AE
created: 2023-03-09 expires: never usage: A
card-no: 0006 18139415
ssb ed25519/2BC2249D2C2CF85D
created: 2023-03-09 expires: 2025-03-10 usage: S
card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb ed25519/FB024359F49B5025
created: 2023-03-11 revoked: 2024-05-27 usage: S
card-no: 0006 20489903
ssb rsa2048/3A9967ACE891FA13
created: 2023-08-17 expires: 2024-08-16 usage: A
card-no: 0006 20817858
The following key was revoked on 2024-05-27 by ? key 3CB3DFA9524C0B90 Yesterday17 <[email protected]>
ssb rsa2048/1B29C1D42B01797D
created: 2023-08-17 revoked: 2024-05-27 usage: A
card-no: 0006 20489903
ssb ed25519/9DE5B4BEB4284E4F
created: 2024-05-27 expires: 2025-05-27 usage: S
ssb* ed25519/F2C2EA61718A9DBC
created: 2024-05-27 expires: never usage: A
[ultimate] (1). Yesterday17 <[email protected]>
Note: the local copy of the secret key will only be deleted with "save".
gpg> save
4. Export the public key
The public key exported now is the brand-new, usable one(
gpg --armor --export E730A010ECDFB4890FF198983CB3DFA9524C0B90
5. Prepare a loss contingency plan
Next time we definitely must not repeat the same mistake. Based on that simple idea, we need to sort out our countermeasures.
First, when a key goes missing, the very first thing to do is completely unbind every service tied to that key. For that, we need to:
- Keep a list of the sites that have a FIDO binding. Only when you know which sites are bound can you unbind them one by one)
- Add an automatic SSH key update mechanism for the VPSes. Updating SSH keys by hand one at a time isn't really practical; ideally this runs automatically. Seen from another angle, once that automation is in place, the Auth key can also be given an expiry (definitely)
From another angle, we want to maximise the chances of getting a lost key back. So:
- Buying a few AirTags is necessary after all)
Finally, the best thing to do is not lose it in the first place, so:
I'm warning you! When you go out, never just put the Yubikey straight in your pocket!!! And especially never assume the pocket is intact just because you put it there!!!!!!!!!!!!!!!!!! I'm about to ascend to heaven!!!!!!!!!! Fucking hell!!!!!