How to use a separate authentication key? #171
We currently only support the three methods of key generation described here, which are standard OpenPGP keys: https://docs.crp.to/importpgp.html. GPG has many other options that are not supported by OpenPGP.js or by the OnlyKey app. We don't currently have plans to support every iteration of possible subkey combinations and only support the most common standard OpenPGP keys, like those created by GPG with default settings, Protonmail keys, and Keybase keys. Authentication keys are essentially signing keys that GPG (or the software) knows to only use for authentication. The restriction to use a key for signing or for authentication purposes is enforced in the software application (GPG). For a hardware device, the functions of signing (sign this blob of data) and authentication (sign this blob of authentication data) are the same function.
Thank you for your prompt response and for clarifying. I suppose the question remains as to whether, when the current blocking issues are resolved, I may still be able to load this subkey into one of the ECC slots? And if so, whether there will be any particular trouble utilizing it were gpg to ask?
I am not sure what you mean here. There are no blocking issues for OnlyKey; it's just that we don't support those custom multiple-subkey use cases. We don't currently have plans to support every iteration of possible subkey combinations and only support the most common standard OpenPGP keys, like those created by GPG with default settings, Protonmail keys, and Keybase keys.
Maybe I'm confused as to what you mean by support. It was my understanding that keys which do not work with specific OnlyKey features may not load through the OnlyKey-App, but could be added manually. The idea is to store these keys on a secure hardware device. Is that possible?
The keys themselves, yes, could be added manually. However, the App only supports parsing standard OpenPGP keys. You would need a way to parse and extract the multiple subkey secret values from this custom PGP key, then load those on OnlyKey. I don't know of a tool that would do that, possibly using PGPy. It would be easier to create and load multiple standard PGP keys through the App, as that is supported (i.e. load the first OpenPGP key and subkey to ECC slots 1 and 2, load the second OpenPGP key and subkey to ECC slots 3 and 4).
@onlykey: Does this mean that we need to select "set a signature key" when importing the And this works with a 2048-bit RSA subkey?
@jonathancross You would need to set it as a signature key, yes, but the advanced "add private key" tab where you are in the app only works for ECC keys. Is there an error when you try to load the key here on the Keys tab?
I was getting errors below the tabbed UI, but I don't have a record of them. Can you confirm that a 2048-bit RSA key is supported from this "Keys" tab if I select "Signature key"? PS: I don't know if this is relevant, but I am trying to use 3 subkeys on the device:
Note: this is a common & recommended setup for people using PGP hardware devices. The primary key is kept offline in case the device is lost/stolen and subkeys need to be revoked without affecting signatures on the primary key UIDs.
Yes, RSA 2048 and 4096 are supported. Could you create a test PGP key set up the same way as yours and send it to me to test?
I am attempting to load a new ECC Curve25519 master-key which was generated with GnuPG 2.2.27 using OnlyKey-App 5.3.3 and OnlyKey-Firmware 2.1.1. I then generated three subkeys and assigned the Signing, Encryption, and Authentication functions to each, keeping them separate from each other and from the Certification ability. Finally, I backed up the entire keychain for cold storage, removing the master-key and exporting the root-less key, as well as each individual subkey, with and without the keychain.
None of these files were considered valid by the OnlyKey-App which is likely due to an issue similar to that outlined in #98 and #166 and which will hopefully be addressed by updating OpenPGP.js. However, I could not fully test the suggestion to have "Stored Key User Input Mode" set to "Button Press Required" because when I try to modify this, either via the OnlyKey-App or onlykey-cli, the setting reverts to "Challenge Code Required".
If issues blocking the loading of these subkeys are resolved, then another question will arise about using a separate subkey for Authentication. Currently, the OnlyKey-App only has options for Signing keys and Decryption keys. Hopefully we can work on addressing this before it poses a problem!
Since I'm using a test-key for all of this, happy to share the various files being used if they would be helpful. Thank you for any suggestions and assistance!
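Added example (not OnlyKey's or the OnlyKey-App's code): a small Python walker over a raw, unarmored OpenPGP (RFC 4880) key blob that lists the primary key and each subkey with its algorithm and the key-flags from the signature that binds it, so you can see which subkey is the sign-only, encrypt-only or authentication-only one before deciding where it goes. It serves both the "parse and extract the subkeys" question in the comments and the separate S/E/A subkey layout described in the issue; it assumes v4 packets without partial body lengths, and the SAMPLE blob is constructed here with headers and flag subpackets only, no key material.

```python
import struct
ALGOS = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
FLAG_NAMES = [(0x01, "certify"), (0x02, "sign"), (0x0C, "encrypt"), (0x20, "authenticate")]
def packets(blob):
    """Yield (tag, body) per OpenPGP packet; old- and new-format headers, no partial lengths."""
    i = 0
    while i < len(blob):
        c = blob[i]; i += 1
        if c & 0x40:                                    # new-format header
            tag, l = c & 0x3F, blob[i]; i += 1
            if l < 192: length = l
            elif l < 224: length = ((l - 192) << 8) + blob[i] + 192; i += 1
            elif l == 255: length = struct.unpack(">I", blob[i:i + 4])[0]; i += 4
            else: raise ValueError("partial body lengths not supported")
        else:                                           # old-format header
            tag, n = (c >> 2) & 0x0F, 1 << (c & 3)
            length = int.from_bytes(blob[i:i + n], "big"); i += n
        yield tag, blob[i:i + length]; i += length

def key_flags(sig):
    """Key-flags octet (subpacket type 27) from a v4 signature's hashed area, 0 if absent."""
    if not sig or sig[0] != 4: return 0
    area, j = sig[6:6 + struct.unpack(">H", sig[4:6])[0]], 0
    while j < len(area):
        l = area[j]; j += 1                             # subpacket length covers type + data
        if 192 <= l < 255: l = ((l - 192) << 8) + area[j] + 192; j += 1
        elif l == 255: l = struct.unpack(">I", area[j:j + 4])[0]; j += 4
        if area[j] == 27: return area[j + 1]
        j += l
    return 0

def describe(blob):
    """(kind, algorithm, roles) for the primary key and every subkey, roles from its binding sig."""
    out = []
    for tag, body in packets(blob):
        if tag in (5, 6, 7, 14):                        # secret/public key and subkey packets
            out.append(["primary" if tag in (5, 6) else "subkey", ALGOS.get(body[5], str(body[5])), ()])
        elif tag == 2 and out and not out[-1][2]:       # first signature after a key carries its flags
            f = key_flags(body)
            out[-1][2] = tuple(n for m, n in FLAG_NAMES if f & m)
    return [tuple(e) for e in out]
# Constructed sample: v4 key layout with no key material, just headers and flag-bearing sigs.
def _pkt(tag, body): return bytes([0xC0 | tag, len(body)]) + body
def _key(tag, algo): return _pkt(tag, bytes([4, 0, 0, 0, 0, algo]))
def _sig(sigtype, flags):                               # hashed area = one key-flags subpacket
    return _pkt(2, bytes([4, sigtype, 22, 8, 0, 3, 2, 27, flags, 0, 0, 0, 0]))
SAMPLE = (_key(5, 22) + _pkt(13, b"test uid") + _sig(0x13, 0x01)  # certify-only primary
          + _key(7, 22) + _sig(0x18, 0x02) + _key(7, 18) + _sig(0x18, 0x0C)  # sign, encrypt
          + _key(7, 22) + _sig(0x18, 0x20))                          # authentication subkey
```

Running `describe()` over a real `gpg --export-secret-subkeys` output (binary, not `--armor`) shows the same per-subkey roles, which is the information the App would need to decide between a signature slot and a decryption slot.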