Closed: altsalt closed this issue 3 years ago
We currently only support the three methods of key generation described here, which are standard OpenPGP keys: https://docs.crp.to/importpgp.html
GPG has many other options that are not supported by OpenPGP.js or by the OnlyKey app. We don't currently have plans to support every iteration of possible subkey combinations and only support the most common standard OpenPGP keys, like those created by GPG with default settings, Protonmail keys, and Keybase keys.
Authentication keys are essentially signing keys that GPG (or the software) knows to only use for authentication. The restriction of a key to signing or to authentication purposes is enforced in the software application (GPG). For a hardware device, the functions of signing (sign this blob of data) and authentication (sign this blob of authentication data) are the same function.
Thank you for your prompt response and for clarifying. I suppose the question remains as to whether, when the current blocking issues are resolved, I may still be able to load this subkey into one of the ECC slots? And if so, whether there will be any particular trouble utilizing it were gpg to ask?
I am not sure what you mean here. There are no blocking issues for OnlyKey; it's just that we don't support those custom multiple-subkey use cases. We don't currently have plans to support every iteration of possible subkey combinations and only support the most common standard OpenPGP keys, like those created by GPG with default settings, Protonmail keys, and Keybase keys.
Maybe I'm confused as to what you mean by support. It was my understanding that keys which do not work with specific OnlyKey features may not load through the OnlyKey-App, but could be added manually. The idea is to store these keys on a secure hardware device. Is that possible?
The keys themselves, yes, could be added manually. However, the App only supports parsing standard OpenPGP keys. You would need a way to parse and extract the multiple subkey secret values from this custom PGP key and then load those on OnlyKey. I don't know of a tool that would do that, possibly using PGPy. It would be easier to create and load multiple standard PGP keys through the App, as that is supported (i.e. load the first OpenPGP key and subkey to ECC slots 1 and 2, and the second OpenPGP key and subkey to ECC slots 3 and 4).
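As an added example (not OnlyKey's or the app's code), the following walks an RFC 4880 packet stream and reports the key flags each key and subkey is bound with, which is the parsing step needed to tell a standard sign+encrypt key from the separate [S] [E] [A] subkey layout discussed in this thread. The sample packets are constructed here: the framing and key-flags subpackets are real, but the key material is zero filler, not a usable key.

```python
KEY_TAGS = {5: "secret key", 6: "public key", 7: "secret subkey", 14: "public subkey"}
FLAG_NAMES = {0x01: "C", 0x02: "S", 0x04: "E", 0x08: "E", 0x20: "A"}  # RFC 4880 5.2.3.21

def iter_packets(data):
    """Yield (tag, body) for old- and new-format headers (no 5-octet/partial lengths)."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if hdr & 0x40:                                      # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            else:
                raise ValueError("5-octet and partial body lengths not supported")
        else:                                               # old-format header
            tag, n = (hdr >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[hdr & 0x03]
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def key_flags_from_sig(body):
    """Key-flags octet (subpacket 27) from a v4 signature's hashed area, else None."""
    sub, end = 6, 6 + int.from_bytes(body[4:6], "big")
    while body[0] == 4 and sub < end:
        n = body[sub]                                       # one-octet subpacket length
        if body[sub + 1] == 27:
            return body[sub + 2]
        sub += 1 + n
    return None

def classify_keys(data):
    """[(kind, flags)], flags taken from the self/binding signature after each key packet."""
    out, current = [], None
    for tag, body in iter_packets(data):
        if tag in KEY_TAGS:
            out.append(current := [KEY_TAGS[tag], ""])
        elif tag == 2 and current and (flags := key_flags_from_sig(body)) is not None:
            current[1] = "".join(dict.fromkeys(n for b, n in FLAG_NAMES.items() if flags & b))
    return [tuple(k) for k in out]

# Constructed sample: real packet framing, zero filler instead of key material.
def _new(tag, body): return bytes([0xC0 | tag, len(body)]) + body
def _old(tag, body): return bytes([0x80 | tag << 2 | 1]) + len(body).to_bytes(2, "big") + body
def _sig(sigtype, flags):   # v4 signature carrying only a key-flags hashed subpacket
    return _new(2, bytes([4, sigtype, 22, 8, 0, 3, 2, 27, flags]) + bytes(4))
SAMPLE_KEY = (_old(5, bytes(8)) + _new(13, b"test") + _sig(0x13, 0x01)
              + _new(7, bytes(8)) + _sig(0x18, 0x02)      # [S] signing subkey
              + _new(7, bytes(8)) + _sig(0x18, 0x0C)      # [E] encryption subkey
              + _new(7, bytes(8)) + _sig(0x18, 0x20))     # [A] authentication subkey
```

A key whose output ends with an `A`-only subkey is the authentication case above, which would have to be loaded as a signing key on the device.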
Thank you for writing the script to achieve this @onlykey . I'm closing the issue, but for anyone looking for breadcrumbs later on, the resolution discussion may be found in #166
@onlykey:
"Authentication keys are essentially signing keys that GPG (or the software) knows to only use for authentication"
Does this mean that we need to select "set a signature key" when importing the [A] Authentication subkey?
And does this work with a 2048-bit RSA subkey?
@jonathancross You would need to set it as a signature key, yes, but the advanced "add private key" tab where you are in the app only works for ECC keys. Is there an error when you try to load the key here on the Keys tab?
I was getting errors below the tabbed UI, but I don't have a record of them. I'll try again when I get a chance.
Can you confirm that a 2048 bit RSA key is supported from this "Keys" tab if I select "Signature key"?
PS: I don't know if this is relevant, but I am trying to use 3 subkeys on the device:
ssb> rsa2048/0xD8578DF8EA7CCF1B [S]
ssb> rsa2048/0x8E1719FE1E8DA9B9 [E]
ssb> rsa2048/0x397428FC5BA60C24 [A]
Note: this is a common & recommended setup for people using PGP hardware devices. The primary key is kept offline in case the device is lost/stolen and subkeys need to be revoked without affecting signatures on the primary key UIDs.
Yes, RSA 2048 and 4096 are supported. Could you create a test PGP key set up the same way as yours and send it to me to test?
I am attempting to load a new ECC Curve25519 master-key which was generated with GnuPG 2.2.27 using OnlyKey-App 5.3.3 and OnlyKey-Firmware 2.1.1. I then generated three subkeys and assigned the Signing, Encryption, and Authentication functions to each, keeping them separate from each other and from the Certification ability. Finally, I backed up the entire keychain for cold storage, removing the master-key and exporting the root-less key, as well as each individual subkey, with and without the keychain.
None of these files were considered valid by the OnlyKey-App which is likely due to an issue similar to that outlined in #98 and #166 and which will hopefully be addressed by updating OpenPGP.js. However, I could not fully test the suggestion to have "Stored Key User Input Mode" set to "Button Press Required" because when I try to modify this, either via the OnlyKey-App or onlykey-cli, the setting reverts to "Challenge Code Required".
If issues blocking the loading of these subkeys are resolved, then another question will arise about using a separate subkey for Authentication. Currently, the OnlyKey-App only has options for Signing keys and Decryption keys. Hopefully we can work on addressing this before it poses a problem!
Since I'm using a test-key for all of this, happy to share the various files being used if they would be helpful. Thank you for any suggestions and assistance!