trezor-agent icon indicating copy to clipboard operation
trezor-agent copied to clipboard
verified publisher icon romanz

Possible to Create Subkeys for Master GPG Key?

Open talosgt opened this issue 3 years ago • 8 comments

I want to create a subkey for my master key, but I only found this comment by Roman:

The --subkey feature is usually used to add TREZOR-based GPG keys to non-TREZOR-based existing GPG keys, e.g. see the following example for adding NISTP-256 TREZOR-based subkeys to existing RSA-2048 non-TREZOR-based GPG identity: https://github.com/romanz/trezor-agent/blob/master/doc/README-GPG.md#generate-gnupg-subkeys.

Am I only able to use the master key created by my Trezor to use for GPG? I would like to create individual keys for signing, authenticating, etc and leave the master key alone.

Even if I try to create subkeys for an exsting NON-Trezor key, it doesn't seem to work as I get errors.

If I create a GPG key pair on my regular mac desktop, I am able to see it with "gpg -k". If I update my environment .bash_profile with export GNUPGHOME=~/.gnupg/trezor, I will not see this key that I created on my mac and only see the keys I created with the trezor. If I want to go by what Roman had said above where creating subkeys are really for existing NON-Trezor-based keys, then I'm unable to do so because these are in 2 different files.

Is there a way to create subkeys and use them normally?

I also noticed I'm unable to choose the key size, like 4096, is that because it's tied with the seed phrase of the Trezor when I initialized it?

Thanks!

talosgt avatar Feb 21 '22 22:02 talosgt

Is this still not possible?

doolio avatar Sep 03 '23 17:09 doolio

I stopped looking into this for the Trezor and decided to use Yubikeys instead.

https://youtu.be/rGZtlgNhAVU?si=x-l88rysSXnN1qTp

talosgt avatar Sep 03 '23 17:09 talosgt

OK, thanks.

doolio avatar Sep 03 '23 17:09 doolio

Subkey creation assumes you have a non-Trezor primary key in a different home folder frmo a Trezor subkey. The assumption is that you'll never need both at the same time. Generally, a primary key is intended to be on an offline computer anyway, while only the subkey is used regularly, so this assumption is valid. To violate this assumption, you would need the trezor-gpg-agent to be able to forward requests to another agent in the event that a requested key is not a Trezor key.

For much the same reason, setting up a non-Trezor subkey to a Trezor primary will not work. The agent cannot process a GENKEY request, and would need to somehow forward that request to the default agent or another home directory.

SlugFiller avatar Sep 10 '23 21:09 SlugFiller

OK, but could you in theory create a subkey for a Trezor primary key by using the following:

$ gpg --edit-key '<Trezor primary key fingerprint>'
gpg> addkey

where $ is my normal terminal prompt and gpg> is my gpg CLI prompt. Now in my case, my Trezor primary key is a nistp256 key and the options I see are as follows:

image

Not sure why I don't see ECDH, ECDSA or EDDSA as options considering:

image

doolio avatar Sep 11 '23 13:09 doolio

When I tested, I got the options

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
  (10) ECC (sign only)
  (12) ECC (encrypt only)
  (14) Existing key from card

So ECC (=ECDSA/ECDH) should be present

The issue is that the process fails later. First, because of a bug that unrecognized operations and other errors in the agent only log an error, but do not send an error to the client, so the client simply freezes instead of continuing.

And second, because, as I've mentioned above, even if you continued, you couldn't process the GENKEY request directly, because that would require trezor-pgp to basically be a fully-featured agent capable of generating, storing, and signing local (non-hardware) keys.

IMO, the most correct way to handle it is to forward the request to a different agent. Which is something I might work on in an upcoming PR, provided my existing one would be merged. (My OS choice means I can't work on anything other than on top of that PR)

Another option is to do it via a trezor-gpg specific command that simply takes a pubkey (e.g. generated by ssh-keygen) and transforms it into a subkey (and certifies it) that can be imported into another GPG homedir (which can then be used as the main, since you don't need to sign with your primary).

SlugFiller avatar Sep 11 '23 14:09 SlugFiller

When I tested, I got the options

Interesting and which version of gpg are you running?

The issue is that the process fails later.

I see. Thanks for detailed explanation.

doolio avatar Sep 11 '23 14:09 doolio 

***>gpg --version
gpg (GnuPG) 2.4.3
libgcrypt 1.10.2
Copyright (C) 2023 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ***
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

SlugFiller avatar Sep 11 '23 14:09 SlugFiller