Update introduction, fix formatting and fix #46
parent
d07007a368
commit
a470da3af7
144
README.md
144
README.md
|
@ -1,12 +1,10 @@
|
||||||
This is a practical guide to using [YubiKey](https://www.yubico.com/faq/yubikey/) as a [SmartCard](https://security.stackexchange.com/questions/38924/how-does-storing-gpg-ssh-private-keys-on-smart-cards-compare-to-plain-usb-drives) for storing GPG encryption and signing keys.
|
This is a guide to using [YubiKey](https://www.yubico.com/faq/yubikey/) as a [SmartCard](https://security.stackexchange.com/questions/38924/how-does-storing-gpg-ssh-private-keys-on-smart-cards-compare-to-plain-usb-drives) for storing GPG encryption and signing keys.
|
||||||
|
|
||||||
An authentication key can also be created for SSH and used with [gpg-agent](https://unix.stackexchange.com/questions/188668/how-does-gpg-agent-work/188813#188813).
|
An authentication key can also be created for SSH and used with [gpg-agent](https://unix.stackexchange.com/questions/188668/how-does-gpg-agent-work/188813#188813).
|
||||||
|
|
||||||
Keys stored on a smartcard like YubiKey are more difficult to steal than ones stored on disk, and are convenient for everyday use.
|
Keys stored on a smartcard like YubiKey are non-exportable (as opposed to keys that are stored on disk) and are convenient for everyday use. Instead of having to remember and enter passphrases to unlock SSH/GPG keys, YubiKey needs only a physical touch after being unlocked with a PIN code - and all signing and encryption operations happen on the card, rather than in OS memory.
|
||||||
|
|
||||||
Instructions written for Debian GNU/Linux 8 (jessie) using YubiKey 4 - with support for **4096 bit** RSA keys - in OTP+CCID mode, updated to GPG version 2.2.1. Some notes are included for macOS as well. Note, older YubiKeys like the Neo are limited to **2048 bit** RSA keys. Please see a comparison of the different YubiKeys [here](https://www.yubico.com/products/yubikey-hardware/compare-yubikeys/).
|
These instructions are current to Debian 9 using YubiKey 4 - with support for **4096 bit** RSA keys - in OTP+CCID mode, using GPG version 2.2. Note, older YubiKeys like the Neo are [limited](https://www.yubico.com/products/yubikey-hardware/compare-yubikeys/) to **2048 bit** RSA keys. Debian live install images are available from [here](https://www.debian.org/CD/live/) and are suitable for writing to USB drives.
|
||||||
|
|
||||||
Debian live install images are available from [here](https://www.debian.org/CD/live/) and are suitable for writing to USB drives.
|
|
||||||
|
|
||||||
Programming YubiKey for GPG keys still lets you use its two slots - [OTP](https://www.yubico.com/faq/what-is-a-one-time-password-otp/) and [static password](https://www.yubico.com/products/services-software/personalization-tools/static-password/) modes, for example.
|
Programming YubiKey for GPG keys still lets you use its two slots - [OTP](https://www.yubico.com/faq/what-is-a-one-time-password-otp/) and [static password](https://www.yubico.com/products/services-software/personalization-tools/static-password/) modes, for example.
|
||||||
|
|
||||||
|
@ -75,7 +73,7 @@ If you have a comment or suggestion, please open an [issue](https://github.com/d
|
||||||
|
|
||||||
https://www.yubico.com/products/yubikey-hardware/
|
https://www.yubico.com/products/yubikey-hardware/
|
||||||
|
|
||||||
Consider purchasing a pair and programming both in case of loss or damage to one of them.
|
Consider purchasing a pair (or more) and programming both in case of loss or damage to one of them.
|
||||||
|
|
||||||
# 2. Install required software
|
# 2. Install required software
|
||||||
|
|
||||||
|
@ -86,45 +84,43 @@ You will need to install the following software:
|
||||||
$ sudo apt-get install -y gnupg2 gnupg-agent pinentry-curses scdaemon pcscd yubikey-personalization libusb-1.0-0-dev
|
$ sudo apt-get install -y gnupg2 gnupg-agent pinentry-curses scdaemon pcscd yubikey-personalization libusb-1.0-0-dev
|
||||||
|
|
||||||
You may also need to download and install more recent versions of [yubikey-personalization](https://developers.yubico.com/yubikey-personalization/Releases/) and [yubico-c](https://developers.yubico.com/yubico-c/Releases/):
|
You may also need to download and install more recent versions of [yubikey-personalization](https://developers.yubico.com/yubikey-personalization/Releases/) and [yubico-c](https://developers.yubico.com/yubico-c/Releases/):
|
||||||
|
|
||||||
```
|
```
|
||||||
$ curl -sO https://developers.yubico.com/yubikey-personalization/Releases/ykpers-1.17.3.tar.gz
|
$ curl -LfsOv https://developers.yubico.com/yubikey-personalization/Releases/ykpers-1.19.0.tar.gz
|
||||||
|
|
||||||
$ !!.sig
|
$ !!.sig
|
||||||
curl -sO https://developers.yubico.com/yubikey-personalization/Releases/ykpers-1.17.3.tar.gz.sig
|
curl -LfsOv https://developers.yubico.com/yubikey-personalization/Releases/ykpers-1.19.0.tar.gz
|
||||||
|
|
||||||
$ gpg ykpers*sig
|
$ gpg yk*sig
|
||||||
gpg: assuming signed data in `ykpers-1.17.3.tar.gz'
|
gpg: assuming signed data in 'ykpers-1.19.0.tar.gz'
|
||||||
gpg: Signature made Mon 28 Dec 2015 11:56:41 AM UTC
|
gpg: Signature made Tue Apr 24 01:29:05 2018 PDT
|
||||||
gpg: using RSA key 0xBCA00FD4B2168C0A
|
gpg: using RSA key 0xBCA00FD4B2168C0A
|
||||||
gpg: Can't check signature: public key not found
|
gpg: Can't check signature: No public key
|
||||||
|
|
||||||
$ gpg --recv 0xBCA00FD4B2168C0A
|
$ gpg --recv 0xBCA00FD4B2168C0A
|
||||||
gpg: requesting key 0xBCA00FD4B2168C0A from hkps server hkps.pool.sks-keyservers.net
|
|
||||||
mp/2.3
|
|
||||||
[...]
|
|
||||||
gpg: key 0xBCA00FD4B2168C0A: public key "Klas Lindfors <klas@yubico.com>" imported
|
gpg: key 0xBCA00FD4B2168C0A: public key "Klas Lindfors <klas@yubico.com>" imported
|
||||||
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
|
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
|
||||||
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
|
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
|
||||||
gpg: Total number processed: 1
|
gpg: Total number processed: 1
|
||||||
gpg: imported: 1 (RSA: 1)
|
gpg: imported: 1
|
||||||
|
|
||||||
$ gpg ykpers*sig
|
$ gpg yk*sig
|
||||||
gpg: assuming signed data in `ykpers-1.17.3.tar.gz'
|
gpg: assuming signed data in 'ykpers-1.19.0.tar.gz'
|
||||||
gpg: Signature made Mon 28 Dec 2015 11:56:41 AM UTC
|
gpg: Signature made Tue Apr 24 01:29:05 2018 PDT
|
||||||
gpg: using RSA key 0xBCA00FD4B2168C0A
|
gpg: using RSA key 0xBCA00FD4B2168C0A
|
||||||
gpg: Good signature from "Klas Lindfors <klas@yubico.com>" [unknown]
|
gpg: Good signature from "Klas Lindfors <klas@yubico.com>" [unknown]
|
||||||
gpg: WARNING: This key is not certified with a trusted signature!
|
gpg: WARNING: This key is not certified with a trusted signature!
|
||||||
gpg: There is no indication that the signature belongs to the owner.
|
gpg: There is no indication that the signature belongs to the owner.
|
||||||
Primary key fingerprint: 0A3B 0262 BCA1 7053 07D5 FF06 BCA0 0FD4 B216 8C0A
|
Primary key fingerprint: 0A3B 0262 BCA1 7053 07D5 FF06 BCA0 0FD4 B216 8C0A
|
||||||
|
|
||||||
$ curl -sO https://developers.yubico.com/yubico-c/Releases/libyubikey-1.13.tar.gz
|
$ curl -LfsOv https://developers.yubico.com/yubico-c/Releases/libyubikey-1.13.tar.gz
|
||||||
|
|
||||||
$ !!.sig
|
$ !!.sig
|
||||||
curl -sO https://developers.yubico.com/yubico-c/Releases/libyubikey-1.13.tar.gz.sig
|
curl -LfsOv https://developers.yubico.com/yubico-c/Releases/libyubikey-1.13.tar.gz.sig
|
||||||
|
|
||||||
$ gpg libyubi*sig
|
$ gpg libyubi*sig
|
||||||
gpg: assuming signed data in `libyubikey-1.13.tar.gz'
|
gpg: assuming signed data in 'libyubikey-1.13.tar.gz'
|
||||||
gpg: Signature made Thu 05 Mar 2015 11:51:51 AM UTC
|
gpg: Signature made Thu Mar 5 03:51:51 2015 PST
|
||||||
gpg: using RSA key 0xBCA00FD4B2168C0A
|
gpg: using RSA key 0xBCA00FD4B2168C0A
|
||||||
gpg: Good signature from "Klas Lindfors <klas@yubico.com>" [unknown]
|
gpg: Good signature from "Klas Lindfors <klas@yubico.com>" [unknown]
|
||||||
gpg: WARNING: This key is not certified with a trusted signature!
|
gpg: WARNING: This key is not certified with a trusted signature!
|
||||||
|
@ -139,15 +135,17 @@ You may also need to download and install more recent versions of [yubikey-perso
|
||||||
|
|
||||||
$ cd ..
|
$ cd ..
|
||||||
|
|
||||||
$ tar xf ykpers-1.17.3.tar.gz
|
$ tar xf ykpers-1.19.0.tar.gz
|
||||||
|
|
||||||
$ cd ykpers-1.17.3
|
$ cd ykpers-1.19.0
|
||||||
|
|
||||||
$ ./configure && make && sudo make install
|
$ ./configure && make && sudo make install
|
||||||
|
|
||||||
$ sudo ldconfig
|
$ sudo ldconfig
|
||||||
```
|
```
|
||||||
If on [Tails](https://tails.boum.org/), you also need to install libykpers-1-1 from the testing repository. This is a temporary fix suggested on a [securedrop issue](https://github.com/freedomofpress/securedrop/issues/1035):
|
|
||||||
|
If on [Tails](https://tails.boum.org/), you also need to install `libykpers-1-1` from the testing repository. This is a temporary fix suggested on a [securedrop issue](https://github.com/freedomofpress/securedrop/issues/1035):
|
||||||
|
|
||||||
```
|
```
|
||||||
$ sudo apt-get install -t testing libykpers-1-1
|
$ sudo apt-get install -t testing libykpers-1-1
|
||||||
```
|
```
|
||||||
|
@ -155,8 +153,9 @@ If on [Tails](https://tails.boum.org/), you also need to install libykpers-1-1 f
|
||||||
## 2.2 Install - macOS
|
## 2.2 Install - macOS
|
||||||
|
|
||||||
You will need to install [Homebrew](https://brew.sh/) and the following brew packages:
|
You will need to install [Homebrew](https://brew.sh/) and the following brew packages:
|
||||||
|
|
||||||
```
|
```
|
||||||
$ brew install gnupg yubikey-personalization hopenpgp-tools
|
$ brew install gnupg yubikey-personalization hopenpgp-tools ykman pinentry-mac
|
||||||
```
|
```
|
||||||
|
|
||||||
## 2.3 Install - windows
|
## 2.3 Install - windows
|
||||||
|
@ -171,6 +170,7 @@ Skip to [3.3](#3.3-create-master-key)
|
||||||
## 3.1 Create temporary working directory for GPG
|
## 3.1 Create temporary working directory for GPG
|
||||||
|
|
||||||
Create a directory in `/tmp` which won't survive a [reboot](https://serverfault.com/questions/377348/when-does-tmp-get-cleared):
|
Create a directory in `/tmp` which won't survive a [reboot](https://serverfault.com/questions/377348/when-does-tmp-get-cleared):
|
||||||
|
|
||||||
```
|
```
|
||||||
$ export GNUPGHOME=$(mktemp -d) ; echo $GNUPGHOME
|
$ export GNUPGHOME=$(mktemp -d) ; echo $GNUPGHOME
|
||||||
/tmp/tmp.aaiTTovYgo
|
/tmp/tmp.aaiTTovYgo
|
||||||
|
@ -179,6 +179,7 @@ Create a directory in `/tmp` which won't survive a [reboot](https://serverfault.
|
||||||
## 3.2 Create configuration
|
## 3.2 Create configuration
|
||||||
|
|
||||||
Paste the following [text](https://stackoverflow.com/questions/2500436/how-does-cat-eof-work-in-bash) into a terminal window to create a [recommended](https://github.com/drduh/config/blob/master/gpg.conf) GPG configuration:
|
Paste the following [text](https://stackoverflow.com/questions/2500436/how-does-cat-eof-work-in-bash) into a terminal window to create a [recommended](https://github.com/drduh/config/blob/master/gpg.conf) GPG configuration:
|
||||||
|
|
||||||
```
|
```
|
||||||
$ cat << EOF > $GNUPGHOME/gpg.conf
|
$ cat << EOF > $GNUPGHOME/gpg.conf
|
||||||
use-agent
|
use-agent
|
||||||
|
@ -206,7 +207,7 @@ Paste the following [text](https://stackoverflow.com/questions/2500436/how-does-
|
||||||
> A note on key expiry: setting an expiry essentially forces you to manage your subkeys and announces to the rest of the world that you are doing so. Setting an expiry on a primary key is ineffective for protecting the key from loss - whoever has the primary key can simply extend its expiry period. Revocation certificates are [better suited](https://security.stackexchange.com/questions/14718/does-openpgp-key-expiration-add-to-security/79386#79386) for this purpose. It may be appropriate for your use case to set expiry dates on subkeys.
|
> A note on key expiry: setting an expiry essentially forces you to manage your subkeys and announces to the rest of the world that you are doing so. Setting an expiry on a primary key is ineffective for protecting the key from loss - whoever has the primary key can simply extend its expiry period. Revocation certificates are [better suited](https://security.stackexchange.com/questions/14718/does-openpgp-key-expiration-add-to-security/79386#79386) for this purpose. It may be appropriate for your use case to set expiry dates on subkeys.
|
||||||
|
|
||||||
Generate a new key with GPG, selecting RSA (sign only) and the appropriate key-size:
|
Generate a new key with GPG, selecting RSA (sign only) and the appropriate key-size:
|
||||||
```
|
|
||||||
% gpg --full-generate-key
|
% gpg --full-generate-key
|
||||||
gpg (GnuPG) 2.2.1; Copyright (C) 2017 Free Software Foundation, Inc.
|
gpg (GnuPG) 2.2.1; Copyright (C) 2017 Free Software Foundation, Inc.
|
||||||
This is free software: you are free to change and redistribute it.
|
This is free software: you are free to change and redistribute it.
|
||||||
|
@ -266,15 +267,17 @@ Note that as of [v2.1](https://www.gnupg.org/faq/whats-new-in-2.1.html#autorev),
|
||||||
### 3.4 Save Key ID
|
### 3.4 Save Key ID
|
||||||
|
|
||||||
Export the key ID as a [variable](https://stackoverflow.com/questions/1158091/defining-a-variable-with-or-without-export/1158231#1158231) for use throughout:
|
Export the key ID as a [variable](https://stackoverflow.com/questions/1158091/defining-a-variable-with-or-without-export/1158231#1158231) for use throughout:
|
||||||
|
|
||||||
```
|
```
|
||||||
$ export KEYID=0xFF3E7D88647EBCDB
|
$ export KEYID=0xFF3E7D88647EBCDB
|
||||||
```
|
```
|
||||||
|
|
||||||
### 3.5 Create subkeys
|
### 3.5 Create subkeys
|
||||||
|
|
||||||
Note: If using a Yubikey 4, please use **4096 bit** as the size for the subkeys; if using a YubiKey Neo, please use **2048 bit** as the size for the subkeys.
|
Note: If using a Yubikey 4, please use **4096 bit** as the size for the subkeys; if using a YubiKey Neo, please use **2048 bit** as the size for the subkeys.
|
||||||
|
|
||||||
Edit the key to add subkeys:
|
Edit the key to add subkeys:
|
||||||
```
|
|
||||||
$ gpg --expert --edit-key $KEYID
|
$ gpg --expert --edit-key $KEYID
|
||||||
|
|
||||||
Secret key is available.
|
Secret key is available.
|
||||||
|
@ -288,7 +291,7 @@ Edit the key to add subkeys:
|
||||||
### 3.5a Signing key
|
### 3.5a Signing key
|
||||||
|
|
||||||
First, create a [signing key](https://stackoverflow.com/questions/5421107/can-rsa-be-both-used-as-encryption-and-signature/5432623#5432623), selecting RSA (sign only):
|
First, create a [signing key](https://stackoverflow.com/questions/5421107/can-rsa-be-both-used-as-encryption-and-signature/5432623#5432623), selecting RSA (sign only):
|
||||||
```
|
|
||||||
gpg> addkey
|
gpg> addkey
|
||||||
Key is protected.
|
Key is protected.
|
||||||
|
|
||||||
|
@ -329,11 +332,10 @@ First, create a [signing key](https://stackoverflow.com/questions/5421107/can-rs
|
||||||
created: 2017-10-09 expires: never usage: S
|
created: 2017-10-09 expires: never usage: S
|
||||||
[ultimate] (1). Dr Duh <doc@duh.to>
|
[ultimate] (1). Dr Duh <doc@duh.to>
|
||||||
|
|
||||||
|
|
||||||
### 3.5b Encryption key
|
### 3.5b Encryption key
|
||||||
|
|
||||||
Next, create an [encryption key](https://www.cs.cornell.edu/courses/cs5430/2015sp/notes/rsa_sign_vs_dec.php), selecting RSA (encrypt only):
|
Next, create an [encryption key](https://www.cs.cornell.edu/courses/cs5430/2015sp/notes/rsa_sign_vs_dec.php), selecting RSA (encrypt only):
|
||||||
```
|
|
||||||
gpg> addkey
|
gpg> addkey
|
||||||
Please select what kind of key you want:
|
Please select what kind of key you want:
|
||||||
(3) DSA (sign only)
|
(3) DSA (sign only)
|
||||||
|
@ -480,13 +482,14 @@ List your new secret keys:
|
||||||
ssb rsa4096/0x5912A795E90DD2CF 2017-10-09 [E]
|
ssb rsa4096/0x5912A795E90DD2CF 2017-10-09 [E]
|
||||||
ssb rsa4096/0x3F29127E79649A3D 2017-10-09 [A]
|
ssb rsa4096/0x3F29127E79649A3D 2017-10-09 [A]
|
||||||
|
|
||||||
|
|
||||||
Verify with OpenPGP key checks:
|
Verify with OpenPGP key checks:
|
||||||
|
|
||||||
If you're on Linux or macOS, use the automated [key best practice checker](https://riseup.net/en/security/message-security/openpgp/best-practices#openpgp-key-checks):
|
If you're on Linux or macOS, use the automated [key best practice checker](https://riseup.net/en/security/message-security/openpgp/best-practices#openpgp-key-checks):
|
||||||
|
|
||||||
|
```
|
||||||
$ sudo apt-get install hopenpgp-tools
|
$ sudo apt-get install hopenpgp-tools
|
||||||
$ gpg --export $KEYID | hokey lint
|
$ gpg --export $KEYID | hokey lint
|
||||||
|
```
|
||||||
|
|
||||||
The output will display any problems with your key in red text. If everything is green, your key passes each of the tests. If it is red, your key has failed one of the tests.
|
The output will display any problems with your key in red text. If everything is green, your key passes each of the tests. If it is red, your key has failed one of the tests.
|
||||||
|
|
||||||
|
@ -498,8 +501,10 @@ The output will display any problems with your key in red text. If everything is
|
||||||
|
|
||||||
Save a copy of your keys:
|
Save a copy of your keys:
|
||||||
|
|
||||||
|
```
|
||||||
$ gpg --armor --export-secret-keys $KEYID > $GNUPGHOME/mastersub.key
|
$ gpg --armor --export-secret-keys $KEYID > $GNUPGHOME/mastersub.key
|
||||||
$ gpg --armor --export-secret-subkeys $KEYID > $GNUPGHOME/sub.key
|
$ gpg --armor --export-secret-subkeys $KEYID > $GNUPGHOME/sub.key
|
||||||
|
```
|
||||||
|
|
||||||
The exported (primary) key will still have the passphrase in place.
|
The exported (primary) key will still have the passphrase in place.
|
||||||
|
|
||||||
|
@ -509,8 +514,10 @@ revocation certificate in a safe place:
|
||||||
|
|
||||||
### 3.7b Windows
|
### 3.7b Windows
|
||||||
|
|
||||||
|
```
|
||||||
$ gpg --armor --export-secret-keys $KEYID -o \path\to\dir\mastersub.gpg
|
$ gpg --armor --export-secret-keys $KEYID -o \path\to\dir\mastersub.gpg
|
||||||
$ gpg --armor --export-secret-subkeys $KEYID -o \path\to\dir\sub.gpg
|
$ gpg --armor --export-secret-subkeys $KEYID -o \path\to\dir\sub.gpg
|
||||||
|
```
|
||||||
|
|
||||||
Please note that using any extension other than .gpg or attempting IO redirection to a file will garble your secret key, making it impossible to import it again at a later date.
|
Please note that using any extension other than .gpg or attempting IO redirection to a file will garble your secret key, making it impossible to import it again at a later date.
|
||||||
|
|
||||||
|
@ -795,7 +802,6 @@ Previous gpg versions required the `toggle` command before selecting keys. The c
|
||||||
created: 2017-10-09 expires: never usage: A
|
created: 2017-10-09 expires: never usage: A
|
||||||
[ultimate] (1). Dr Duh <doc@duh.to>
|
[ultimate] (1). Dr Duh <doc@duh.to>
|
||||||
|
|
||||||
|
|
||||||
### 3.11a Signature key
|
### 3.11a Signature key
|
||||||
|
|
||||||
Select and move the signature key (you will be prompted for the key passphrase and admin PIN):
|
Select and move the signature key (you will be prompted for the key passphrase and admin PIN):
|
||||||
|
@ -823,7 +829,6 @@ Select and move the signature key (you will be prompted for the key passphrase a
|
||||||
user: "Dr Duh <doc@duh.to>"
|
user: "Dr Duh <doc@duh.to>"
|
||||||
4096-bit RSA key, ID 0xBECFA3C1AE191D15, created 2016-05-24
|
4096-bit RSA key, ID 0xBECFA3C1AE191D15, created 2016-05-24
|
||||||
|
|
||||||
|
|
||||||
### 3.11b Encryption key
|
### 3.11b Encryption key
|
||||||
|
|
||||||
Type `key 1` again to deselect and `key 2` to select the next key:
|
Type `key 1` again to deselect and `key 2` to select the next key:
|
||||||
|
@ -849,7 +854,6 @@ Type `key 1` again to deselect and `key 2` to select the next key:
|
||||||
Your selection? 2
|
Your selection? 2
|
||||||
...
|
...
|
||||||
|
|
||||||
|
|
||||||
### 3.11c Authentication key
|
### 3.11c Authentication key
|
||||||
|
|
||||||
Type `key 2` again to deselect and `key 3` to select the next key:
|
Type `key 2` again to deselect and `key 3` to select the next key:
|
||||||
|
@ -869,8 +873,6 @@ Type `key 2` again to deselect and `key 3` to select the next key:
|
||||||
created: 2017-10-09 expires: never usage: A
|
created: 2017-10-09 expires: never usage: A
|
||||||
[ultimate] (1). Dr Duh <doc@duh.to>
|
[ultimate] (1). Dr Duh <doc@duh.to>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
gpg> keytocard
|
gpg> keytocard
|
||||||
Please select where to store the key:
|
Please select where to store the key:
|
||||||
(3) Authentication key
|
(3) Authentication key
|
||||||
|
@ -1188,19 +1190,6 @@ Verify the previous signature:
|
||||||
Primary key fingerprint: 011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB
|
Primary key fingerprint: 011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB
|
||||||
Subkey fingerprint: 07AA 7735 E502 C5EB E09E B8B0 BECF A3C1 AE19 1D15
|
Subkey fingerprint: 07AA 7735 E502 C5EB E09E B8B0 BECF A3C1 AE19 1D15
|
||||||
|
|
||||||
|
|
||||||
Putting it all together:
|
|
||||||
|
|
||||||
$ echo "$(uname -a)" | gpg --encrypt --sign --armor --default-key 0xFF3E7D88647EBCDB --recipient 0xBECFA3C1AE191D15 | gpg --decrypt --armor
|
|
||||||
gpg: encrypted with 4096-bit RSA key, ID 0x5912A795E90DD2CF, created 2016-05-24
|
|
||||||
"Dr Duh <doc@duh.to>"
|
|
||||||
Linux workstation 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-2 (2016-04-08) x86_64 GNU/Linux
|
|
||||||
gpg: Signature made Wed 25 May 2016 01:00:00 AM UTC
|
|
||||||
gpg: using RSA key 0xBECFA3C1AE191D15
|
|
||||||
gpg: Good signature from "Dr Duh <doc@duh.to>" [ultimate]
|
|
||||||
Primary key fingerprint: 011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB
|
|
||||||
Subkey fingerprint: 07AA 7735 E502 C5EB E09E B8B0 BECF A3C1 AE19 1D15
|
|
||||||
|
|
||||||
## 4.5 SSH - Linux/macOS
|
## 4.5 SSH - Linux/macOS
|
||||||
|
|
||||||
### 4.5a Update configuration
|
### 4.5a Update configuration
|
||||||
|
@ -1228,17 +1217,19 @@ Depending on how your environment is set up, you might need to add these to your
|
||||||
|
|
||||||
**Note** On some systems, for example Arch Linux-based distributions, you may need to replace the second and the third line with:
|
**Note** On some systems, for example Arch Linux-based distributions, you may need to replace the second and the third line with:
|
||||||
|
|
||||||
|
```
|
||||||
export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
|
export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
|
||||||
gpg-connect-agent updatestartuptty /bye
|
gpg-connect-agent updatestartuptty /bye
|
||||||
|
```
|
||||||
|
|
||||||
### 4.5c Copy public key to server
|
### 4.5c Copy public key to server
|
||||||
|
|
||||||
There is a `-L` option of `ssh-add` that lists public key parameters of all identities currently represented by the agent. Copy and paste the following output to the server authorized_keys file:
|
There is a `-L` option of `ssh-add` that lists public key parameters of all identities currently represented by the agent. Copy and paste the following output to the server authorized_keys file:
|
||||||
|
|
||||||
|
```
|
||||||
$ ssh-add -L
|
$ ssh-add -L
|
||||||
ssh-rsa AAAAB4NzaC1yc2EAAAADAQABAAACAz[...]zreOKM+HwpkHzcy9DQcVG2Nw== cardno:000605553211
|
ssh-rsa AAAAB4NzaC1yc2EAAAADAQABAAACAz[...]zreOKM+HwpkHzcy9DQcVG2Nw== cardno:000605553211
|
||||||
|
```
|
||||||
|
|
||||||
#### (Optional) Save public key for identity file configuration
|
#### (Optional) Save public key for identity file configuration
|
||||||
|
|
||||||
|
@ -1248,7 +1239,6 @@ In the case of Yubikey usage, you do not have access to the private key, and `id
|
||||||
|
|
||||||
$ ssh-add -L | grep "cardno:000605553211" > ~/.ssh/id_rsa_yubikey.pub
|
$ ssh-add -L | grep "cardno:000605553211" > ~/.ssh/id_rsa_yubikey.pub
|
||||||
|
|
||||||
|
|
||||||
Then, you can explicitly associate this Yubikey-stored key for used with the domain `github.com` (for example) as follows:
|
Then, you can explicitly associate this Yubikey-stored key for used with the domain `github.com` (for example) as follows:
|
||||||
|
|
||||||
$ cat << EOF >> ~/.ssh/config
|
$ cat << EOF >> ~/.ssh/config
|
||||||
|
@ -1295,7 +1285,6 @@ The file should contain the line `enable-putty-support`.
|
||||||
|
|
||||||
Then, open a terminal and run the following commands:
|
Then, open a terminal and run the following commands:
|
||||||
|
|
||||||
|
|
||||||
> gpg-connect-agent killagent /bye
|
> gpg-connect-agent killagent /bye
|
||||||
> gpg-connect-agent /bye
|
> gpg-connect-agent /bye
|
||||||
|
|
||||||
|
@ -1310,6 +1299,7 @@ You can use your YubiKey to sign GitHub commits and tags. It can also be used fo
|
||||||
Log into GitHub and upload your SSH and PGP public keys.
|
Log into GitHub and upload your SSH and PGP public keys.
|
||||||
|
|
||||||
#### Signing
|
#### Signing
|
||||||
|
|
||||||
Then run the following commands:
|
Then run the following commands:
|
||||||
|
|
||||||
> git config --global user.singingkey $KEYID
|
> git config --global user.singingkey $KEYID
|
||||||
|
@ -1319,6 +1309,7 @@ Make sure your user.email option matches the email associated with your PGP iden
|
||||||
Now, to sign commits or tags simply use the `-S` option. GPG will automatically query your YubiKey and prompt you for your PIN.
|
Now, to sign commits or tags simply use the `-S` option. GPG will automatically query your YubiKey and prompt you for your PIN.
|
||||||
|
|
||||||
#### Authentication
|
#### Authentication
|
||||||
|
|
||||||
Run the following commands:
|
Run the following commands:
|
||||||
|
|
||||||
> git config --global core.sshcommand 'plink -agent'
|
> git config --global core.sshcommand 'plink -agent'
|
||||||
|
@ -1377,30 +1368,19 @@ On OpenBSD, you will need to install `pcsc-tools` and enable with `sudo rcctl en
|
||||||
|
|
||||||
The Yubikey has two configurations, one invoked with a short press, and the other with a long press. By default the short-press mode is configured for HID OTP - a brief touch will emit an OTP string starting with `cccccccc`. If you rarely use the OTP mode, you can swap it to the second configuration via the Yubikey Personalization tool. If you *never* use OTP, you can disable it entirely using the [Yubikey Manager](https://developers.yubico.com/yubikey-manager) application (note, this not the similarly named Yubikey NEO Manager).
|
The Yubikey has two configurations, one invoked with a short press, and the other with a long press. By default the short-press mode is configured for HID OTP - a brief touch will emit an OTP string starting with `cccccccc`. If you rarely use the OTP mode, you can swap it to the second configuration via the Yubikey Personalization tool. If you *never* use OTP, you can disable it entirely using the [Yubikey Manager](https://developers.yubico.com/yubikey-manager) application (note, this not the similarly named Yubikey NEO Manager).
|
||||||
|
|
||||||
# 6. References
|
# 6. References and similar work
|
||||||
|
|
||||||
<https://developers.yubico.com/yubikey-personalization/>
|
* https://developers.yubico.com/yubikey-personalization/
|
||||||
|
* https://developers.yubico.com/PGP/Card_edit.html
|
||||||
<https://developers.yubico.com/PGP/Card_edit.html>
|
* https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/
|
||||||
|
* https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/
|
||||||
<https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/>
|
* https://blog.habets.se/2013/02/GPG-and-SSH-with-Yubikey-NEO
|
||||||
|
* https://trmm.net/Yubikey
|
||||||
<https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/>
|
* https://rnorth.org/gpg-and-ssh-with-yubikey-for-mac
|
||||||
|
* https://jclement.ca/articles/2015/gpg-smartcard/
|
||||||
<https://blog.habets.se/2013/02/GPG-and-SSH-with-Yubikey-NEO>
|
* https://github.com/herlo/ssh-gpg-smartcard-config
|
||||||
|
* http://www.bootc.net/archives/2013/06/09/my-perfect-gnupg-ssh-agent-setup/
|
||||||
<https://trmm.net/Yubikey>
|
* https://help.riseup.net/en/security/message-security/openpgp/best-practices
|
||||||
|
* https://alexcabal.com/creating-the-perfect-gpg-keypair/
|
||||||
<https://rnorth.org/gpg-and-ssh-with-yubikey-for-mac>
|
* https://www.void.gr/kargig/blog/2013/12/02/creating-a-new-gpg-key-with-subkeys/
|
||||||
|
* https://evilmartians.com/chronicles/stick-with-security-yubikey-ssh-gnupg-macos
|
||||||
<https://jclement.ca/articles/2015/gpg-smartcard/>
|
|
||||||
|
|
||||||
<https://github.com/herlo/ssh-gpg-smartcard-config>
|
|
||||||
|
|
||||||
<http://www.bootc.net/archives/2013/06/09/my-perfect-gnupg-ssh-agent-setup/>
|
|
||||||
|
|
||||||
<https://help.riseup.net/en/security/message-security/openpgp/best-practices>
|
|
||||||
|
|
||||||
<https://alexcabal.com/creating-the-perfect-gpg-keypair/>
|
|
||||||
|
|
||||||
<https://www.void.gr/kargig/blog/2013/12/02/creating-a-new-gpg-key-with-subkeys/>
|
|
||||||
|
|
Loading…
Reference in New Issue