Install yubikey-manager directly on Debian
parent
a0fa35cf11
commit
6272fc4181
44
README.md
44
README.md
|
@ -215,7 +215,7 @@ sudo apt -y upgrade
|
||||||
sudo apt -y install \
|
sudo apt -y install \
|
||||||
wget gnupg2 gnupg-agent dirmngr \
|
wget gnupg2 gnupg-agent dirmngr \
|
||||||
cryptsetup scdaemon pcscd \
|
cryptsetup scdaemon pcscd \
|
||||||
yubikey-personalization
|
yubikey-personalization yubikey-manager
|
||||||
```
|
```
|
||||||
|
|
||||||
**Note** Live Ubuntu images [may require modification](https://github.com/drduh/YubiKey-Guide/issues/116) to `/etc/apt/sources.list` and may need additional packages:
|
**Note** Live Ubuntu images [may require modification](https://github.com/drduh/YubiKey-Guide/issues/116) to `/etc/apt/sources.list` and may need additional packages:
|
||||||
|
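Review bot: with `yubikey-manager` now installed from apt alongside `yubikey-personalization`, the `ykman` binary lands on the system PATH rather than under `~/.local/bin`, so any later invocation in the guide should call plain `ykman`; consider adding a short verification line right after this install block, such as `ykman openpgp info`, so readers can confirm the package works and `pcscd` is running before continuing.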
@ -224,26 +224,6 @@ sudo apt -y install \
|
||||||
sudo apt -y install libssl-dev swig libpcsclite-dev
|
sudo apt -y install libssl-dev swig libpcsclite-dev
|
||||||
```
|
```
|
||||||
|
|
||||||
**Optional** Install the `ykman` utility, which will allow you to enable touch policies (requires admin PIN):
|
|
||||||
|
|
||||||
```console
|
|
||||||
sudo apt -y install python3-pip python3-pyscard
|
|
||||||
|
|
||||||
pip3 install PyOpenSSL
|
|
||||||
|
|
||||||
pip3 install yubikey-manager
|
|
||||||
|
|
||||||
sudo service pcscd start
|
|
||||||
|
|
||||||
~/.local/bin/ykman openpgp info
|
|
||||||
```
|
|
||||||
|
|
||||||
**Note** Debian does not recommend installing non-Debian packaged Python applications globally. But fortunately, it is not necessary as `yubikey-manager` is available in the stable main repository:
|
|
||||||
|
|
||||||
```console
|
|
||||||
sudo apt install -y yubikey-manager
|
|
||||||
```
|
|
||||||
|
|
||||||
**OpenBSD**
|
**OpenBSD**
|
||||||
|
|
||||||
```console
|
```console
|
||||||
|
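Review bot: deleting the whole Optional block also drops the only explanation of what `ykman` is for (enabling touch policies, which requires the Admin PIN), the `sudo service pcscd start` step, and the `ykman openpgp info` check. The pip-based install, `PyOpenSSL` and the `~/.local/bin/ykman` path are rightly gone now that the package comes from apt, but keep a one-line note with the touch-policy purpose plus `sudo service pcscd start` and `ykman openpgp info` after the apt install so readers still know to start the daemon and verify the card is detected.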
@ -581,8 +561,6 @@ sudo mkfs.ext2 /dev/mapper/gnupg-secrets -L gnupg-$(date +F)
|
||||||
Mount the filesystem and copy the temporary GnuPG working directory exported key materials:
|
Mount the filesystem and copy the temporary GnuPG working directory exported key materials:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
sudo mkdir /mnt/encrypted-storage
|
|
||||||
|
|
||||||
sudo mount /dev/mapper/gnupg-secrets /mnt/encrypted-storage
|
sudo mount /dev/mapper/gnupg-secrets /mnt/encrypted-storage
|
||||||
|
|
||||||
sudo cp -av $GNUPGHOME /mnt/encrypted-storage/
|
sudo cp -av $GNUPGHOME /mnt/encrypted-storage/
|
||||||
|
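Review bot: `sudo mkdir /mnt/encrypted-storage` is removed while the `sudo mount /dev/mapper/gnupg-secrets /mnt/encrypted-storage` that needs that directory stays, so on a fresh live system the mount fails with a missing mount point unless the directory is created earlier in the guide (not visible in this diff); keep `sudo mkdir -p /mnt/encrypted-storage` here or say where it is created. This hunk and the following mount-point hunks are also unrelated to the commit subject "Install yubikey-manager directly on Debian"; splitting them into their own commit would make the history easier to review.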
@ -669,8 +647,6 @@ $ doas newfs sd3i
|
||||||
Mount the filesystem and copy the temporary directory with the keyring:
|
Mount the filesystem and copy the temporary directory with the keyring:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
doas mkdir /mnt/encrypted-storage
|
|
||||||
|
|
||||||
doas mount /dev/sd3i /mnt/encrypted-storage
|
doas mount /dev/sd3i /mnt/encrypted-storage
|
||||||
|
|
||||||
doas cp -av $GNUPGHOME /mnt/encrypted-storage
|
doas cp -av $GNUPGHOME /mnt/encrypted-storage
|
||||||
|
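Review bot: same mount-point concern on OpenBSD: `doas mkdir /mnt/encrypted-storage` is dropped while `doas mount /dev/sd3i /mnt/encrypted-storage` remains, and `/mnt/encrypted-storage` does not exist by default; if the intent is to rely on an earlier step, reference it, otherwise keep `doas mkdir -p /mnt/encrypted-storage` before the mount.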
@ -696,9 +672,7 @@ Create another partition on the portable storage device to store the public key,
|
||||||
|
|
||||||
**Linux**
|
**Linux**
|
||||||
|
|
||||||
Using the same `/dev/sdc` device as in the previous step:
|
Using the same `/dev/sdc` device as in the previous step, create a small (at least 20 Mb is recommended) partition for storing materials:
|
||||||
|
|
||||||
Create a small (20 Mb is more than enough) partition for storing secret materials:
|
|
||||||
|
|
||||||
```console
|
```console
|
||||||
sudo fdisk /dev/sdc <<EOF
|
sudo fdisk /dev/sdc <<EOF
|
||||||
|
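Review bot: "Mb" reads as megabits; since the partition size is meant in bytes, write "20 MB" in the merged sentence. Dropping "secret" is correct, as this partition stores the exported public key, and folding the two sentences into one reads fine.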
@ -715,8 +689,6 @@ Create a filesystem and export the public key:
|
||||||
```console
|
```console
|
||||||
sudo mkfs.ext2 /dev/sdc2
|
sudo mkfs.ext2 /dev/sdc2
|
||||||
|
|
||||||
sudo mkdir /mnt/public
|
|
||||||
|
|
||||||
sudo mount /dev/sdc2 /mnt/public
|
sudo mount /dev/sdc2 /mnt/public
|
||||||
|
|
||||||
gpg --armor --export $KEYID | sudo tee /mnt/public/$KEYID-$(date +%F).asc
|
gpg --armor --export $KEYID | sudo tee /mnt/public/$KEYID-$(date +%F).asc
|
||||||
|
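Review bot: `sudo mkdir /mnt/public` is removed but `sudo mount /dev/sdc2 /mnt/public` still expects the directory, and `/mnt/public` is not present on a stock Debian live image; keep `sudo mkdir -p /mnt/public` ahead of the mount unless a step outside this diff creates it.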
@ -749,8 +721,6 @@ Create a filesystem and export the public key to it:
|
||||||
```console
|
```console
|
||||||
doas newfs sd2b
|
doas newfs sd2b
|
||||||
|
|
||||||
doas mkdir /mnt/public
|
|
||||||
|
|
||||||
doas mount /dev/sd2b /mnt/public
|
doas mount /dev/sd2b /mnt/public
|
||||||
|
|
||||||
gpg --armor --export $KEYID | doas tee /mnt/public/$KEYID-$(date +%F).asc
|
gpg --armor --export $KEYID | doas tee /mnt/public/$KEYID-$(date +%F).asc
|
||||||
|
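Review bot: the OpenBSD variant has the same gap: `doas mkdir /mnt/public` is gone while `doas mount /dev/sd2b /mnt/public` and the `tee` into `/mnt/public/` remain, so the export fails on a system where the directory was never created; keep `doas mkdir -p /mnt/public` here.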
@ -810,7 +780,7 @@ USER_PIN=$(LC_ALL=C tr -dc '0-9' < /dev/urandom | fold -w6 | head -1)
|
||||||
echo "\nAdmin PIN: $ADMIN_PIN\nUser PIN: $USER_PIN"
|
echo "\nAdmin PIN: $ADMIN_PIN\nUser PIN: $USER_PIN"
|
||||||
```
|
```
|
||||||
|
|
||||||
Update the admin PIN:
|
Update the Admin PIN:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
gpg --command-fd=0 --pinentry-mode=loopback --change-pin <<EOF
|
gpg --command-fd=0 --pinentry-mode=loopback --change-pin <<EOF
|
||||||
|
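Review bot: the capitalization change matches the *Admin PIN* wording used in the warning later in the file, which is good; while touching this region, note that the unchanged context line `echo "\nAdmin PIN: $ADMIN_PIN\nUser PIN: $USER_PIN"` relies on `echo` interpreting `\n`, which bash's builtin does not do without `-e`, so `printf 'Admin PIN: %s\nUser PIN: %s\n' "$ADMIN_PIN" "$USER_PIN"` would print the PINs correctly in every shell.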
@ -822,7 +792,7 @@ q
|
||||||
EOF
|
EOF
|
||||||
```
|
```
|
||||||
|
|
||||||
Update the user PIN:
|
Update the User PIN:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
gpg --command-fd=0 --pinentry-mode=loopback --change-pin <<EOF
|
gpg --command-fd=0 --pinentry-mode=loopback --change-pin <<EOF
|
||||||
|
@ -834,7 +804,7 @@ q
|
||||||
EOF
|
EOF
|
||||||
```
|
```
|
||||||
|
|
||||||
Remote and re-insert YubiKey.
|
Remove and re-insert YubiKey.
|
||||||
|
|
||||||
**Warning** Three incorrect *User PIN* entries will cause it to become blocked and must be unblocked with either the *Admin PIN* or *Reset Code*. Three incorrect *Admin PIN* or *Reset Code* entries will destroy data on YubiKey.
|
**Warning** Three incorrect *User PIN* entries will cause it to become blocked and must be unblocked with either the *Admin PIN* or *Reset Code*. Three incorrect *Admin PIN* or *Reset Code* entries will destroy data on YubiKey.
|
||||||
|
|
||||||
|
@ -1827,8 +1797,6 @@ sudo mount /dev/mapper/gnupg-secrets /mnt/encrypted-storage
|
||||||
Mount the non-encrypted public partition:
|
Mount the non-encrypted public partition:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
sudo mkdir /mnt/public
|
|
||||||
|
|
||||||
sudo mount /dev/sdc2 /mnt/public
|
sudo mount /dev/sdc2 /mnt/public
|
||||||
```
|
```
|
||||||
|
|
||||||
|
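Review bot: this step follows a fresh `sudo mount /dev/mapper/gnupg-secrets /mnt/encrypted-storage`, so if it is run in a separate session from the initial setup `/mnt/public` will not exist; with `sudo mkdir /mnt/public` removed, `sudo mount /dev/sdc2 /mnt/public` then fails. Keep `sudo mkdir -p /mnt/public` here, since `-p` is harmless when the directory already exists.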
@ -1924,8 +1892,6 @@ sudo cryptsetup luksClose gnupg-secrets
|
||||||
Export the updated public key:
|
Export the updated public key:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
sudo mkdir /mnt/public
|
|
||||||
|
|
||||||
sudo mount /dev/sdc2 /mnt/public
|
sudo mount /dev/sdc2 /mnt/public
|
||||||
|
|
||||||
gpg --armor --export $KEYID | sudo tee /mnt/public/$KEYID-$(date +%F).asc
|
gpg --armor --export $KEYID | sudo tee /mnt/public/$KEYID-$(date +%F).asc
|
||||||
|
|
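Review bot: `sudo mkdir /mnt/public` is removed before `sudo mount /dev/sdc2 /mnt/public` in the export step as well; because this block runs after `sudo cryptsetup luksClose gnupg-secrets`, the reader cannot tell from the text whether `/mnt/public` is expected to exist at this point, so either add `sudo mkdir -p /mnt/public` back or state that the directory was created in the earlier mount step.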