Hi,
I am currently trying to set up a security token (Nitrokey 3) with
OpenPGP capabilities on an rde system. When trying to run gpg --card-status
or gpg --edit-card it fails with the output: "gpg: selecting card failed: No
such device". Feature-gnupg and feature-security-token are part of my
system. I already tried to restart the pcscd service and to add the ccid
package as firmware. Has anyone tried to accomplish something similar with greater
success?
--
Best regards,
Peter
On 2023-08-29 17:17, Peter Kannewitz wrote:
> Hi,
>
> I am currently trying to set up a security token (Nitrokey 3) with
> OpenPGP capabilities on an rde system. When trying to run gpg --card-status
> or gpg --edit-card it fails with the output: "gpg: selecting card failed: No
> such device". Feature-gnupg and feature-security-token are part of my
> system. I already tried to restart the pcscd service and to add the ccid
> package as firmware. Has anyone tried to accomplish something similar with greater
> success?
Hi Peter,
I use a YubiKey 5C Nano with rde. I don't remember the exact steps I
performed, but I used the following very extensive guide:
https://github.com/drduh/YubiKey-Guide
Document all the steps during configuration and share them, please.
Probably, in a few months I'll be migrating to a new laptop and will
document this process as well, but if you make it earlier it would be
great.
--
Best regards,
Andrew Tropin
> Hi Peter,
Hi Andrew,
> I use a YubiKey 5C Nano with rde. I don't remember the exact steps I
> performed, but I used the following very extensive guide:
> https://github.com/drduh/YubiKey-Guide
Thank you for the reference. I followed a similar but less extensive
guide: https://docs.nitrokey.com/nitrokey3/linux/openpgp-keygen-backup.
> Document all the steps during configuration and share them, please.
I followed the steps of the guide exactly and got it working now. Also,
the problem I faced was specific to my key. After taking a second look
at /etc/udev/rules.d/70-u2f.rules I found that the exact key was missing
even though the vendor was present with some keys. Therefore I added the
udev rules provided by libnitrokey to my system config with this commit:
https://git.sr.ht/~etropr/guixrc/commit/a02596700ac80ce97c25d0caab7aa042bdb28776
and can now access my card. WebAuthn was already working without the udev rules.
Where would you want to place such a write-up, in the rde manual? I would be
happy to contribute, but I am not quite sure since I did nothing
special but adding some rules and following the guide step by step.
> Probably, in a few months I'll be migrating to a new laptop and will
> document this process as well, but if you make it earlier it would be
> great.
Following up on the topic, I still have two things I would like to
integrate in my rde setup:
1. User authentication with pam-u2f:
For this I already found a promising feature in rsauex's config on GitHub
(https://github.com/rsauex/dotfiles/blob/77e405cda4277e282725108528874b6d9ebee968/rsauex/services/pam-u2f.scm).
Maybe this would also be interesting for feature-security-token?
2. Unlocking an encrypted LUKS volume with a hardware security token.
This seems even harder, because the only reference I found relies
heavily on systemd-cryptsetup, for which I did not find an alternative
Shepherd version.
(https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html)
--
Best regards,
Peter Kannewitz
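As an added illustration of the check Peter describes above (this is example code, not code from the thread, from rde, or from libnitrokey): a small Python script that compares a token's USB vendor/product id against udev rules written in the 70-u2f.rules style and reports whether the vendor is listed but the exact product is not. The rules text, the lsusb line and all USB ids in it are constructed assumptions for the example.

```python
import re

# Constructed sample in the style of a 70-u2f.rules file (not the real file): the
# Nitrokey vendor id appears for two products but not for a third. All USB ids here
# are assumptions made for this example, not values taken from the thread.
SAMPLE_RULES = """\
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4287", TAG+="uaccess"
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4211", TAG+="uaccess"
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", TAG+="uaccess"
"""
# Constructed lsusb-style line for a token that the rules above do not list.
SAMPLE_LSUSB = "Bus 001 Device 005: ID 20a0:42b2 Nitrokey Nitrokey 3\n"

VENDOR_RE = re.compile(r'ATTRS\{idVendor\}=="([0-9a-fA-F]{4})"')
PRODUCT_RE = re.compile(r'ATTRS\{idProduct\}=="([0-9a-fA-F|]+)"')   # may be "0407|0410"
LSUSB_RE = re.compile(r'\bID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})')

def parse_rules(text):
    """Collect (vendor, product) pairs and vendor-only matches from udev rule text."""
    pairs, vendors_only = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # comments and blank lines
        v = VENDOR_RE.search(line)
        if not v:
            continue                      # rule does not key on a USB vendor id
        p = PRODUCT_RE.search(line)
        if p:
            for prod in p.group(1).lower().split("|"):
                pairs.add((v.group(1).lower(), prod))
        else:
            vendors_only.add(v.group(1).lower())
    return pairs, vendors_only

def ids_from_lsusb(text):
    """Extract (vendor, product) pairs from lsusb-style output."""
    return [(m.group(1).lower(), m.group(2).lower()) for m in LSUSB_RE.finditer(text)]

def coverage(rules_text, vendor, product):
    """Classify a USB id as exact, vendor-wide, product-missing or missing."""
    vendor, product = vendor.lower(), product.lower()
    pairs, vendors_only = parse_rules(rules_text)
    if (vendor, product) in pairs:
        return "exact"
    if vendor in vendors_only:
        return "vendor-wide"              # a rule matches every product of this vendor
    if any(v == vendor for v, _ in pairs):
        return "product-missing"          # vendor listed, this exact product is not
    return "missing"
```

Run it against the real files with `for v, p in ids_from_lsusb(open_output_of_lsusb): print(v, p, coverage(open("/etc/udev/rules.d/70-u2f.rules").read(), v, p))` to see which attached token falls into the "product-missing" case.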
On 2023-09-04 19:42, Peter Kannewitz wrote:
>> Hi Peter,
> Hi Andrew,
>
>> I use a YubiKey 5C Nano with rde. I don't remember the exact steps I
>> performed, but I used the following very extensive guide:
>> https://github.com/drduh/YubiKey-Guide
>
> Thank you for the reference. I followed a similar but less extensive
> guide: https://docs.nitrokey.com/nitrokey3/linux/openpgp-keygen-backup.
>
>> Document all the steps during configuration and share them, please.
>
> I followed the steps of the guide exactly and got it working now. Also,
> the problem I faced was specific to my key. After taking a second look
> at /etc/udev/rules.d/70-u2f.rules I found that the exact key was missing
> even though the vendor was present with some keys. Therefore I added the
> udev rules provided by libnitrokey to my system config with this commit:
> https://git.sr.ht/~etropr/guixrc/commit/a02596700ac80ce97c25d0caab7aa042bdb28776
> and can now access my card. WebAuthn was already working without the udev rules.
>
> Where would you want to place such a write-up, in the rde manual? I would be
> happy to contribute, but I am not quite sure since I did nothing
> special but adding some rules and following the guide step by step.
Maybe even in guix manual, but rde manual will work too, somewhere in
the features chapter.
>>> Probably, in a few months I'll be migrating to a new laptop and will
>>> document this process as well, but if you make it earlier it would be
>>> great.
>
> Following up on the topic, I still have two things I would like to
> integrate in my rde setup:
>
> 1. User authentication with pam-u2f:
>
> For this I already found a promising feature in rsauex's config on GitHub
> (https://github.com/rsauex/dotfiles/blob/77e405cda4277e282725108528874b6d9ebee968/rsauex/services/pam-u2f.scm).
> Maybe this would also be interesting for feature-security-token?
Yes, looks like a good match.
> 2. Unlocking an encrypted LUKS volume with a hardware security token.
>
> This seems even harder, because the only reference I found relies
> heavily on systemd-cryptsetup, for which I did not find an alternative
> Shepherd version.
> (https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html)
This is a tricky topic, AFAIR there was some related work on
guix-devel/guix-patches: https://yhetil.org/guix/
--
Best regards,
Andrew Tropin