mirror of
https://github.com/Yubico/yubikey-ksm.git
synced 2024-12-12 21:08:55 +01:00
== Import Keys To Yubikey KSM ==

To import keys into the YK-KSM database from text files in the
encrypted and signed KeyProvisioningFormat, use the tool
'ykksm-import'. The tool reads the data on standard input, decrypts it
and verifies its signature with GnuPG, and imports the records into
the database. On any error, execution is aborted, and records that
were imported before the failing line are not rolled back, so a failed
run can leave the database in an intermediate state. Check which
records were imported before re-running the import.

The tool requires that your system has a GnuPG private key; read
[[GenerateKSMKey]] on how to generate it.

For example, to import the file generated by the [[GenerateKeys]]
document:

<nowiki>

user@ksm:~$ ykksm-import --verbose --database 'DBI:Pg:dbname=ykksm;host=127.0.0.1' --db-user ykksmimporter --db-passwd otherpassword < ~/keys.txt

You need a passphrase to unlock the secret key for
user: "YK-KSM crater Import Key"
2048-bit ELG-E key, ID 140A17F1, created 2009-12-14 (main key ID 8B88A11B)

Verification output:
[GNUPG:] ENC_TO 8C73EAF1140A17F1 16 0
[GNUPG:] USERID_HINT 8C73EAF1140A17F1 YK-KSM crater Import Key
[GNUPG:] NEED_PASSPHRASE 8C73EAF1140A17F1 AE7279678B88A11B 16 0
[GNUPG:] GOOD_PASSPHRASE
gpg: encrypted with 2048-bit ELG-E key, ID 140A17F1, created 2009-12-14
"YK-KSM crater Import Key"
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 1260805257
gpg: Signature made Mon 14 Dec 2009 04:40:57 PM CET using DSA key ID 8B88A11B
[GNUPG:] SIG_ID YGplk8qkUkb75lY0aurb/iS1Oog 2009-12-14 1260805257
[GNUPG:] GOODSIG AE7279678B88A11B YK-KSM crater Import Key
gpg: Good signature from "YK-KSM crater Import Key"
[GNUPG:] VALIDSIG 9B1820A2F02E3C3B84E344F5AE7279678B88A11B 2009-12-14 1260805257 0 4 0 17 2 00 9B1820A2F02E3C3B84E344F5AE7279678B88A11B
[GNUPG:] TRUST_ULTIMATE
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
encrypted to: 8C73EAF1140A17F1
signed by: 8B88A11B

You need a passphrase to unlock the secret key for
user: "YK-KSM crater Import Key"
2048-bit ELG-E key, ID 140A17F1, created 2009-12-14 (main key ID 8B88A11B)

line: 1,cccccccccccb,d74fbdf6a890,82211e0854e7369e83d941f24761a84e,881ae7bee927,2009-12-14T16:40:57,
serialnr 1 publicName cccccccccccb internalName d74fbdf6a890 aesKey 82211e0854e7369e83d941f24761a84e lockCode 881ae7bee927 created 2009-12-14T16:40:57 accessed eol
line: 2,cccccccccccd,7a5ad1886b70,3091a8048524ab8407ae816457d764e5,8e5ab609e346,2009-12-14T16:40:57,
serialnr 2 publicName cccccccccccd internalName 7a5ad1886b70 aesKey 3091a8048524ab8407ae816457d764e5 lockCode 8e5ab609e346 created 2009-12-14T16:40:57 accessed eol
line: 3,ccccccccccce,981abbbeafb8,91be4bfd2f40e24ebd39386868aa9619,037b6f6ae73c,2009-12-14T16:40:57,
serialnr 3 publicName ccccccccccce internalName 981abbbeafb8 aesKey 91be4bfd2f40e24ebd39386868aa9619 lockCode 037b6f6ae73c created 2009-12-14T16:40:57 accessed eol
line: 4,cccccccccccf,c1f33c17f77b,a2389839d7b80bfe4c80258184aff4ce,abf92cbbdab3,2009-12-14T16:40:57,
serialnr 4 publicName cccccccccccf internalName c1f33c17f77b aesKey a2389839d7b80bfe4c80258184aff4ce lockCode abf92cbbdab3 created 2009-12-14T16:40:57 accessed eol
line: 5,cccccccccccg,c55773192393,7387b5f6bede83f64a9cd75b2023826a,d70c937bbbff,2009-12-14T16:40:57,
serialnr 5 publicName cccccccccccg internalName c55773192393 aesKey 7387b5f6bede83f64a9cd75b2023826a lockCode d70c937bbbff created 2009-12-14T16:40:57 accessed eol

user@ksm:~$
</nowiki>

When importing large data sets, omit the --verbose flag to reduce the
output. Note that the verbose output echoes every imported record,
including its AES key, so do not capture it in log files or leave it
in terminal scrollback.

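The same validate-then-import logic in Python, as an added example that is not the project's ykksm-import (which is Perl): it consumes the plain key lines that GnuPG produces after decrypting and verifying the file (that step is assumed to have happened already), checks every field of every line before touching the database, and inserts all rows in one SQLite transaction, so a malformed line or a duplicate public name leaves nothing behind. The sample input is the five records from the import above; the table definition, the field widths and the in-memory SQLite database are this example's own assumptions, modelled on the ykksm schema.

```python
"""Validate-then-import for decrypted KeyProvisioningFormat key lines.

Added example, not the project's ykksm-import. Assumes the GnuPG
decrypt/verify step has already produced the plain key lines, and uses
an in-memory SQLite table modelled on the ykksm 'yubikeys' table.
"""
import sqlite3
from datetime import datetime

MODHEX = "cbdefghijklnrtuv"
HEX = "0123456789abcdef"
# Column order of one key line, as shown in the import output above.
FIELDS = ("serialnr", "publicname", "internalname", "aeskey", "lockcode",
          "created", "accessed")

# Constructed sample input: the five records from the worked import above.
SAMPLE = """\
1,cccccccccccb,d74fbdf6a890,82211e0854e7369e83d941f24761a84e,881ae7bee927,2009-12-14T16:40:57,
2,cccccccccccd,7a5ad1886b70,3091a8048524ab8407ae816457d764e5,8e5ab609e346,2009-12-14T16:40:57,
3,ccccccccccce,981abbbeafb8,91be4bfd2f40e24ebd39386868aa9619,037b6f6ae73c,2009-12-14T16:40:57,
4,cccccccccccf,c1f33c17f77b,a2389839d7b80bfe4c80258184aff4ce,abf92cbbdab3,2009-12-14T16:40:57,
5,cccccccccccg,c55773192393,7387b5f6bede83f64a9cd75b2023826a,d70c937bbbff,2009-12-14T16:40:57,
"""

# Assumption: column set follows ykksm-db.sql; publicname is the primary key,
# so importing the same key twice is an error, never a silent overwrite.
SCHEMA = """
CREATE TABLE yubikeys (
  serialnr     INTEGER NOT NULL,
  publicname   TEXT NOT NULL PRIMARY KEY,
  internalname TEXT NOT NULL,
  aeskey       TEXT NOT NULL,
  lockcode     TEXT NOT NULL,
  created      TEXT NOT NULL,
  accessed     TEXT
)"""


def _is_hex(value, width):
    return len(value) == width and all(c in HEX for c in value)


def parse_line(line, lineno):
    """Split one key line and check every field before it goes near the DB."""
    parts = line.rstrip("\r\n").split(",")
    if len(parts) != len(FIELDS):
        raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if not rec["serialnr"].isdigit():
        raise ValueError(f"line {lineno}: serialnr is not a number")
    pn = rec["publicname"]
    # publicname is modhex; the 16-char limit is assumed from the schema
    if not 1 <= len(pn) <= 16 or any(c not in MODHEX for c in pn):
        raise ValueError(f"line {lineno}: publicname is not modhex")
    # internalname (6-byte UID), AES-128 key and lock code are lower-case hex
    for name, width in (("internalname", 12), ("aeskey", 32), ("lockcode", 12)):
        if not _is_hex(rec[name], width):
            raise ValueError(f"line {lineno}: {name} must be {width} hex chars")
    datetime.fromisoformat(rec["created"])      # raises ValueError if malformed
    if rec["accessed"]:
        datetime.fromisoformat(rec["accessed"])
    rec["serialnr"] = int(rec["serialnr"])
    rec["accessed"] = rec["accessed"] or None   # empty trailing field -> NULL
    return rec


def parse_keys(text):
    """Parse all lines; the first bad line aborts before anything is written."""
    return [parse_line(line, n)
            for n, line in enumerate(text.splitlines(), 1) if line.strip()]


def import_keys(conn, text):
    """Import every line or nothing: all inserts run in one transaction.

    Returns the number of rows inserted. A duplicate publicname (or any
    other constraint failure) rolls the whole batch back.
    """
    rows = [tuple(r[f] for f in FIELDS) for r in parse_keys(text)]
    try:
        with conn:  # sqlite3: commit on success, rollback on exception
            conn.executemany("INSERT INTO yubikeys VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    except sqlite3.IntegrityError as exc:
        raise ValueError(f"import rolled back: {exc}") from None
    return len(rows)


def try_import(conn, text):
    """Same as import_keys but returns (rows_inserted, error) instead of raising."""
    try:
        return import_keys(conn, text), None
    except ValueError as exc:
        return 0, str(exc)


def count_keys(conn):
    return conn.execute("SELECT COUNT(*) FROM yubikeys").fetchone()[0]


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


if __name__ == "__main__":
    db = new_db()
    print("imported", import_keys(db, SAMPLE), "keys")
    print("second run:", try_import(db, SAMPLE)[1])   # duplicates, rolled back
    print("rows in table:", count_keys(db))
```

Run as a script it imports the five records, then shows the second import of the same file being rejected as a whole. The same pattern applies to the real PostgreSQL or MySQL database: disable autocommit, insert, commit once, and after an aborted run compare the row count with the number of input lines before retrying.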
To test the import, ask the KSM to decrypt an OTP that uses the public
name of one of the imported keys but carries no valid ciphertext: here
the public name cccccccccccd (the second key above) followed by 32
modhex 'v' characters. The KSM finds the key, decrypts the block and
rejects it, like this:

user@ksm:~$ curl 'http://localhost/wsapi/decrypt?otp=cccccccccccdvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv'
ERR Corrupt OTP
user@ksm:~$

In the system log file /var/log/ykksm.log you should get this error:

Dec 14 17:20:08 crater ykksm[12693]: UID error: cccccccccccdvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv a515841f249c5f4bb8e9007ab0f7ac2b: a515841f249c vs 7a5ad1886b70

The message shows the decrypted 16-byte block (a515...ac2b) and that
its first six bytes, the UID, do not match the internalName stored for
cccccccccccd (7a5ad1886b70 in the import output above), which is why
the OTP is rejected as corrupt. The actual values will differ on your
system because the AES key you generated was random, but the
internalName in the message must be the one imported for that public
name; if it is not, the wrong key file was imported.
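What the KSM is doing when it logs that line, as an added Python example that is not the project's ykksm-decrypt code: the OTP is split into the public name and the final 32 modhex characters, those are decoded to a 16-byte block and decrypted with the AES key imported for that public name, and the result is accepted only if its first six bytes equal the stored internalName and the CRC over all 16 bytes verifies. The response strings other than ERR Corrupt OTP and the field layout of the OK line are assumptions modelled on the KSM's behaviour. AES-128-ECB uses the cryptography package, but the demo functions substitute the plaintext from the log line above as the decryption result, so they run without it.

```python
"""The checks the KSM applies to an OTP after AES decryption: UID, then CRC.

Added example, not the project's ykksm-decrypt. Response strings other
than "ERR Corrupt OTP" and the OK line layout are assumed.
"""

MODHEX = "cbdefghijklnrtuv"
CRC_OK_RESIDUE = 0xF0B8   # CRC over a well-formed 16-byte token always gives this


def modhex_decode(text):
    if len(text) % 2 or any(c not in MODHEX for c in text):
        raise ValueError("not modhex")
    nib = [MODHEX.index(c) for c in text]
    return bytes(hi << 4 | lo for hi, lo in zip(nib[::2], nib[1::2]))


def crc16(data):
    """CRC-16 as used by the YubiKey (reflected poly 0x8408, init 0xffff)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc


def with_crc(payload):
    """Append the complemented CRC little-endian, as the token does (test helper)."""
    c = crc16(payload) ^ 0xFFFF
    return payload + bytes((c & 0xFF, c >> 8))


def aes128_ecb_decrypt(key, block):
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
    return dec.update(block) + dec.finalize()


def ksm_decrypt(otp, keys, decrypt=aes128_ecb_decrypt):
    """keys maps publicname -> (internalname, aeskey), both hex as imported.

    Returns (response_line, syslog_message or None).
    """
    if not 32 <= len(otp) <= 48:
        return "ERR Invalid OTP format", None
    publicname, token = otp[:-32], otp[-32:]
    try:
        block = modhex_decode(token)
    except ValueError:
        return "ERR Invalid OTP format", None
    if publicname not in keys:
        return "ERR Unknown yubikey", None
    internalname, aeskey = keys[publicname]
    plaintext = decrypt(bytes.fromhex(aeskey), block).hex()
    uid = plaintext[:12]                         # first 6 bytes: private UID
    if uid != internalname:
        return "ERR Corrupt OTP", f"UID error: {otp} {plaintext}: {uid} vs {internalname}"
    if crc16(bytes.fromhex(plaintext)) != CRC_OK_RESIDUE:
        return "ERR Corrupt OTP", f"CRC error: {otp} {plaintext}"
    counter = plaintext[14:16] + plaintext[12:14]   # little-endian in the token,
    low = plaintext[18:20] + plaintext[16:18]       # reported byte-swapped (assumed)
    high = plaintext[20:22]
    use = plaintext[22:24]
    return f"OK counter={counter} low={low} high={high} use={use}", None


# Constructed: key 2 from the import above and the garbage OTP from the curl test.
KEYS = {"cccccccccccd": ("7a5ad1886b70", "3091a8048524ab8407ae816457d764e5")}
GARBAGE_OTP = "cccccccccccdvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv"
# Plaintext the log line above reports for that OTP; stands in for AES here.
PAGE_PLAINTEXT = bytes.fromhex("a515841f249c5f4bb8e9007ab0f7ac2b")


def demo_garbage():
    """Reproduces the page's UID error exactly."""
    return ksm_decrypt(GARBAGE_OTP, KEYS, decrypt=lambda key, block: PAGE_PLAINTEXT)


def demo_valid():
    """A well-formed token for the same key: UID matches and the CRC verifies."""
    body = bytes.fromhex("7a5ad1886b70") + bytes([0x01, 0x00, 0x34, 0x12, 0x05, 0x02, 0xAA, 0xBB])
    return ksm_decrypt(GARBAGE_OTP, KEYS, decrypt=lambda key, block: with_crc(body))


if __name__ == "__main__":
    print(*demo_garbage(), sep="\n")
    print(*demo_valid(), sep="\n")
```

The UID comparison is the check that proves the import: a garbage OTP for a known public name always fails it, and the internalName quoted in the log must be the one from the imported record. A token that passes the UID check but not the CRC is also reported as corrupt, so a plausible-looking decryption with a mismatched key cannot slip through.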