From a98866a18556e64ced27b8cc7e6300564d693562 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 26 Aug 2021 00:20:09 -0400 Subject: [PATCH 01/15] Minor grammar fixes --- README.md | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index 124e4ec..648bc47 100644 --- a/README.md +++ b/README.md @@ -1075,7 +1075,7 @@ $ sudo cp onerng_3.6-1_all.deb /mnt/encrypted-storage/ Keep the backup mounted if you plan on setting up two or more keys as `keytocard` **will [delete](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html) the local copy** on save. -Unmount, close and disconnected the encrypted volume: +Unmount, close and disconnect the encrypted volume: ```console $ sudo umount /mnt/encrypted-storage/ @@ -1156,7 +1156,7 @@ $ doas cp -avi $GNUPGHOME /mnt/encrypted-storage Keep the backup mounted if you plan on setting up two or more keys as `keytocard` **will [delete](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html) the local copy** on save. -Otherwise, unmount and disconnected the encrypted volume: +Otherwise, unmount and disconnect the encrypted volume: ```console $ doas umount /mnt/encrypted-storage @@ -1251,7 +1251,7 @@ $ gpg --keyserver keys.gnupg.net --send-key $KEYID $ gpg --keyserver hkps://keyserver.ubuntu.com:443 --send-key $KEYID ``` -After some time, the public key will to propagate to [other](https://pgp.key-server.io/pks/lookup?search=doc%40duh.to&fingerprint=on&op=vindex) [servers](https://pgp.mit.edu/pks/lookup?search=doc%40duh.to&op=index). +After some time, the public key will propagate to [other](https://pgp.key-server.io/pks/lookup?search=doc%40duh.to&fingerprint=on&op=vindex) [servers](https://pgp.mit.edu/pks/lookup?search=doc%40duh.to&op=index). # Configure Smartcard @@ -1284,7 +1284,7 @@ General key info..: [none] **Windows** -Use the [YubiKey Manager](https://developers.yubico.com/yubikey-manager) application (note, this not the similarly named older YubiKey NEO Manager) to enable CCID functionality. +Use the [YubiKey Manager](https://developers.yubico.com/yubikey-manager) application (note, this is not the similarly named older YubiKey NEO Manager) to enable CCID functionality. ## Change PIN @@ -1530,7 +1530,7 @@ $ cd $GNUPGHOME ## Switching between two or more Yubikeys. -When you add a GPG key to a Yubikey using the *keytocard* command, GPG deletes the key form your keyring and adds a *stub* pointing to that exact Yubikey (the stub identifies the GPG KeyID and the Yubikey's serial number). +When you add a GPG key to a Yubikey using the *keytocard* command, GPG deletes the key from your keyring and adds a *stub* pointing to that exact Yubikey (the stub identifies the GPG KeyID and the Yubikey's serial number). However, when you do this same operation for a second Yubikey, the stub in your keyring is overwritten by the *keytocard* operation and now the stub points to your second Yubikey. Adding more repeats this overwriting operation. @@ -1697,7 +1697,7 @@ ssb> 4096R/0x3F29127E79649A3D created: 2017-10-09 expires: 2018-10-09 card-no: 0006 05553211 ``` -`sec#` indicates master key is not available (as it should be stored encrypted offline). +`sec#` indicates the master key is not available (as it should be stored encrypted offline). **Note** If you see `General key info..: [none]` in the output instead - go back and import the public key using the previous step. @@ -1767,13 +1767,13 @@ document.pdf.1580000000.enc -> document.pdf # Rotating keys -PGP does not provide forward secrecy - a compromised key may be used to decrypt all past messages. Although keys stored on YubiKey are difficult to steal, it is not impossible - the key and PIN could be taken, or a vulnerability may be discovered in key hardware or random number generator used to create them, for example. Therefore, it is good practice to occassionally rotate sub-keys. +PGP does not provide forward secrecy - a compromised key may be used to decrypt all past messages. Although keys stored on YubiKey are difficult to steal, it is not impossible - the key and PIN could be taken, or a vulnerability may be discovered in key hardware or the random number generator used to create them, for example. Therefore, it is good practice to occassionally rotate sub-keys. When a sub-key expires, it can either be renewed or replaced. Both actions require access to the offline master key. Renewing sub-keys by updating their expiration date indicates you are still in possession of the offline master key and is more convenient. Replacing keys, on the other hand, is less convenient but more secure: the new sub-keys will **not** be able to decrypt previous messages, authenticate with SSH, etc. Contacts will need to receive the updated public key and any encrypted secrets need to be decrypted and re-encrypted to new sub-keys to be usable. This process is functionally equivalent to "losing" the YubiKey and provisioning a new one. However, you will always be able to decrypt previous messages using the offline encrypted backup of the original keys. -Neither rotation method is superior and it's up to personal philosophy on identity management and individual threat model to decide which one to use, or whether to expire sub-keys at all. Ideally, sub-keys would be ephemeral: used only once for each encryption, signing and authentication event, however in practice that is not really feasible or worthwhile with YubiKey. Advanced users may want to dedicate an offline device for more frequent key rotations and ease of provisioning. +Neither rotation method is superior and it's up to personal philosophy on identity management and individual threat model to decide which one to use, or whether to expire sub-keys at all. Ideally, sub-keys would be ephemeral: used only once for each encryption, signing and authentication event, however in practice that is not really feasible nor worthwhile with YubiKey. Advanced users may want to dedicate an offline device for more frequent key rotations and ease of provisioning. ## Setup environment @@ -1886,7 +1886,7 @@ ssb* rsa4096/0x3F29127E79649A3D [ultimate] (1). Dr Duh ``` -Then, use the `expire` command to set a new expiration date. (Despite the name, this will not cause currently valid keys to become expired). +Then, use the `expire` command to set a new expiration date. (Despite the name, this will not cause currently valid keys to become expired.) ```console gpg> expire @@ -1960,7 +1960,7 @@ $ gpg --armor --export $KEYID | sudo tee /mnt/public/$KEYID-$(date +%F).asc $ sudo umount /mnt/public ``` -Disconnect the storage device and follow the original steps to transfer new keys (4, 5 and 6) to YubiKey, replacing existing ones. Reboot or securely erase the GPG temporary working directory. +Disconnect the storage device and follow the original steps to transfer new keys (4, 5 and 6) to the YubiKey, replacing existing ones. Reboot or securely erase the GPG temporary working directory. # Adding notations @@ -2181,7 +2181,7 @@ Host After successfully ssh into the remote, you should check that you have `/run/user/1000/gnupg/S.gpg-agent.ssh` lying there. -The in the *remote* you can type in command line or configure in the shell rc file with +Then in the *remote* you can type in command line or configure in the shell rc file with: ```console export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh" @@ -2249,7 +2249,7 @@ $ doas reboot ## Windows -Windows can already have some virtual smartcard readers installed, like the one provided for Windows Hello. To ensure your YubiKey is the correct one used by scdaemon, you should add it to its configuration. You will need your device's full name. To find out what is your device's full name, plug your YubiKey and open PowerShell to run the following command: +Windows can already have some virtual smartcard readers installed, like the one provided for Windows Hello. To ensure your YubiKey is the correct one used by scdaemon, you should add it to its configuration. You will need your device's full name. To find your device's full name, plug in your YubiKey and open PowerShell to run the following command: ``` powershell PS C:\WINDOWS\system32> Get-PnpDevice -Class SoftwareDevice | Where-Object {$_.FriendlyName -like "*YubiKey*"} | Select-Object -ExpandProperty FriendlyName @@ -2299,7 +2299,7 @@ The goal here is to make the SSH client inside WSL work together with the Window #### Use ssh-agent or use S.weasel-pegant -One way to forward is just `ssh -A` (still need to eval weasel to setup local ssh-agent), and only relies on OpenSSH. In this track, `ForwardAgent` and `AllowAgentForwarding` in ssh/sshd config may be involved; However, if you use the other way(gpg ssh socket forwarding), you should not enable `ForwardAgent` in ssh config. See [SSH Agent Forwarding](#remote-machines-ssh-agent-forwarding) for more info. +One way to forward is just `ssh -A` (still need to eval weasel to setup local ssh-agent), and only relies on OpenSSH. In this track, `ForwardAgent` and `AllowAgentForwarding` in ssh/sshd config may be involved; However, if you use the other way (gpg ssh socket forwarding), you should not enable `ForwardAgent` in ssh config. See [SSH Agent Forwarding](#remote-machines-ssh-agent-forwarding) for more info. Another way is to forward the gpg ssh socket, as described below. @@ -2341,11 +2341,11 @@ StreamLocalBindUnlink yes And reload the SSH daemon (e.g., `sudo service sshd reload`). -Unplug YubiKey, disconnect or reboot. Log back in to Windows, open a WSL console and enter `ssh-add -l` - you should see nothing. +Unplug YubiKey, disconnect or reboot. Log back into Windows, open a WSL console and enter `ssh-add -l` - you should see nothing. Plug in YubiKey, enter the same command to display the ssh key. -Log in to the remote host, you should have the pinentry dialog asking for the YubiKey pin. +Log into the remote host, you should have the pinentry dialog asking for the YubiKey pin. On the remote host, type `ssh-add -l` - if you see the ssh key, that means forwarding works! @@ -2431,7 +2431,7 @@ Import public keys to the remote machine. This can be done by fetching from a ke $ scp ~/.gnupg/pubring.kbx remote:~/.gnupg/ ``` -On modern distributions, such as Fedora 30, there is typically no need to also set `RemoteForward` in `~/.ssh/config` as detailed in the next chapter, because the right thing actually happens automatically. +On modern distributions, such as Fedora 30, there is typically no need to also set `RemoteForward` in `~/.ssh/config` as detailed in the next chapter, because the right thing happens automatically. If any error happens (or there is no `gpg-agent.socket` in the remote) for modern distributions, you may go through the configuration steps in the next section. @@ -2470,15 +2470,15 @@ pinentry-program /usr/bin/pinentry-gtk-2 extra-socket /run/user/1000/gnupg/S.gpg-agent.extra ``` -**Note** The pinentry program starts on *local* machine, not remote. Hence when there are needs to enter the pin you need to find the prompt on local machine. +**Note** The pinentry program starts on *local* machine, not remote. Hence when there are needs to enter the pin you need to find the prompt on the local machine. -**Important** Any pinentry program except `pinentry-tty` or `pinentry-curses` may be used. This is because local `gpg-agent` may start headlessly (By systemd without `$GPG_TTY` set locally telling which tty it is on), thus failed to obtain the pin. Errors on the remote may be misleading saying that there is *IO Error* (Yes internally there is actually *IO Error* since it happens when writing to/reading from tty while finding no tty to use, but for end users this is not friendly). +**Important** Any pinentry program except `pinentry-tty` or `pinentry-curses` may be used. This is because local `gpg-agent` may start headlessly (By systemd without `$GPG_TTY` set locally telling which tty it is on), thus failed to obtain the pin. Errors on the remote may be misleading saying that there is *IO Error*. (Yes, internally there is actually an *IO Error* since it happens when writing to/reading from tty while finding no tty to use, but for end users this is not friendly.) See [Issue #85](https://github.com/drduh/YubiKey-Guide/issues/85) for more information and troubleshooting. ## Chained GPG Agent Forwarding -Assume you have gone through the steps above and have `S.gpg-agent` on the *remote*, and you would like to forward this agent into a *third* box, first you may need to configure `sshd_config` of *third* in the same way as *remote*, then in the ssh config of *remote*, add the following lines +Assume you have gone through the steps above and have `S.gpg-agent` on the *remote*, and you would like to forward this agent into a *third* box, first you may need to configure `sshd_config` of *third* in the same way as *remote*, then in the ssh config of *remote*, add the following lines: ```console Host third From b59107d413a65746a57025ba1d204b474720a8b4 Mon Sep 17 00:00:00 2001 From: Jaeha Choi Date: Mon, 6 Sep 2021 20:29:32 -0700 Subject: [PATCH 02/15] Add note about KDF --- README.md | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 124e4ec..5fcfbe5 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,7 @@ If you have a comment or suggestion, please open an [Issue](https://github.com/d - [Export public keys](#export-public-keys) - [Configure Smartcard](#configure-smartcard) * [Change PIN](#change-pin) + * [Enable KDF](#enable-kdf) * [Set information](#set-information) - [Transfer keys](#transfer-keys) * [Signing](#signing-1) @@ -1274,6 +1275,7 @@ Key attributes ...: rsa2048 rsa2048 rsa2048 Max. PIN lengths .: 127 127 127 PIN retry counter : 3 0 3 Signature counter : 0 +KDF setting ......: off Signature key ....: [none] Encryption key....: [none] Authentication key: [none] @@ -1286,6 +1288,16 @@ General key info..: [none] Use the [YubiKey Manager](https://developers.yubico.com/yubikey-manager) application (note, this not the similarly named older YubiKey NEO Manager) to enable CCID functionality. +## Enable KDF +Key Derived Function (KDF) enables YubiKey to store the hash of PIN, preventing the PIN from being passed as plain text. + +```console +gpg/card> admin +Admin commands are allowed + +gpg/card> kdf-setup +``` + ## Change PIN The [GPG interface](https://developers.yubico.com/PGP/) is separate from other modules on a Yubikey such as the [PIV interface](https://developers.yubico.com/PIV/Introduction/YubiKey_and_PIV.html). The GPG interface has its own *PIN*, *Admin PIN*, and *Reset Code* - these should be changed from default values! @@ -1305,9 +1317,6 @@ Values are valid up to 127 ASCII characters and must be at least 6 (*PIN*) or 8 To update the GPG PINs on the Yubikey: ```console -gpg/card> admin -Admin commands are allowed - gpg/card> passwd gpg: OpenPGP card no. D2760001240102010006055532110000 detected @@ -1376,6 +1385,7 @@ Key attributes ...: rsa2048 rsa2048 rsa2048 Max. PIN lengths .: 127 127 127 PIN retry counter : 3 0 3 Signature counter : 0 +KDF setting ......: on Signature key ....: [none] Encryption key....: [none] Authentication key: [none] @@ -1681,6 +1691,7 @@ Key attributes ...: rsa4096 rsa4096 rsa4096 Max. PIN lengths .: 127 127 127 PIN retry counter : 3 3 3 Signature counter : 0 +KDF setting ......: on Signature key ....: 07AA 7735 E502 C5EB E09E B8B0 BECF A3C1 AE19 1D15 created ....: 2016-05-24 23:22:01 Encryption key....: 6F26 6F46 845B BEB8 BDF3 7E9B 5912 A795 E90D D2CF From ad09f543afd90efe93093d699411993875630367 Mon Sep 17 00:00:00 2001 From: basbebe Date: Sun, 10 Jan 2021 14:45:20 +0100 Subject: [PATCH 03/15] add prefix and date to temporary folder This makes identifying the latest version easier when daleing with backups. --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 124e4ec..7eaf31a 100644 --- a/README.md +++ b/README.md @@ -403,7 +403,7 @@ An entropy pool value greater than 2000 is sufficient. Create a temporary directory which will be cleared on [reboot](https://en.wikipedia.org/wiki/Tmpfs) and set it as the GnuPG directory: ```console -$ export GNUPGHOME=$(mktemp -d) +$ export GNUPGHOME=$(mktemp -d -t gnupg_$(date +%Y%m%d%H%M)_XXX) ``` Otherwise, to preserve the working environment, set the GnuPG directory to your home folder: @@ -1800,7 +1800,7 @@ $ sudo mount /dev/mapper/secret /mnt/encrypted-storage Import the master key and configuration to a temporary working directory: ```console -$ export GNUPGHOME=$(mktemp -d) +$ export GNUPGHOME=$(mktemp -d -t gnupg_$(date +%Y%m%d%H%M)_XXX) $ gpg --import /mnt/encrypted-storage/tmp.XXX/mastersub.key From 3418634c6644075b02c0975abe8430471c4de673 Mon Sep 17 00:00:00 2001 From: Daniel Miller Date: Mon, 4 Oct 2021 22:10:12 +1100 Subject: [PATCH 04/15] Use GPT instead of MBR --- README.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 124e4ec..7ce7069 100644 --- a/README.md +++ b/README.md @@ -987,8 +987,8 @@ Be careful before using the write command. Device does not contain a recognized partition table. Created a new DOS disklabel with disk identifier 0x3c1ad14a. -Command (m for help): o -Created a new DOS disklabel with disk identifier 0xd756b789. +Command (m for help): g +Created a new GPT disklabel (GUID: 4E7495FD-85A3-3E48-97FC-2DD8D41516C3). Command (m for help): w The partition table has been altered. @@ -1102,8 +1102,9 @@ $ doas disklabel -h sd2 Initialize the disk by creating an `a` partition with FS type `RAID` and size of 25 Megabytes: ```console -$ doas fdisk -iy sd2 +$ doas fdisk -giy sd2 Writing MBR at offset 0. +Writing GPT. $ doas disklabel -E sd2 Label editor (enter '?' for help at any prompt) @@ -1128,8 +1129,9 @@ softraid0: CRYPTO volume attached as sd3 Create an `i` partition on the new crypto volume and the filesystem: ```console -$ doas fdisk -iy sd3 +$ doas fdisk -giy sd3 Writing MBR at offset 0. +Writing GPT. $ doas disklabel -E sd3 Label editor (enter '?' for help at any prompt) From 6740fa9a101341d7223c1529507ea26e61ad620e Mon Sep 17 00:00:00 2001 From: Niklas Merz Date: Tue, 5 Oct 2021 22:11:51 +0200 Subject: [PATCH 05/15] add pinentry path for M1 macs Closes #289 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 124e4ec..aa2ff2e 100644 --- a/README.md +++ b/README.md @@ -2018,7 +2018,7 @@ pinentry-program /usr/bin/pinentry-curses **Tip** Set `pinentry-program /usr/bin/pinentry-gnome3` for a GUI-based prompt. If the _pinentry_ graphical dialog doesn't show and you get this error: `sign_and_send_pubkey: signing failed: agent refused operation`, you may need to install the `dbus-user-session` package and restart the computer for the `dbus` user session to be fully inherited; this is because behind the scenes, `pinentry` complains about `No $DBUS_SESSION_BUS_ADDRESS found`, falls back to `curses` but doesn't find the expected `tty`. -On macOS, use `brew install pinentry-mac` and set the program path to `pinentry-program /usr/local/bin/pinentry-mac` or `pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac` if using MacGPG Suite. +On macOS, use `brew install pinentry-mac` and set the program path to `pinentry-program /usr/local/bin/pinentry-mac` for Intel Macs, `/opt/homebrew/bin/pinentry-mac` for ARM/Apple Silicon Macs or `pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac` if using MacGPG Suite. ## Replace agents From 77394c2773716144d4948c3043ad7181cd104e91 Mon Sep 17 00:00:00 2001 From: Wheest Date: Sat, 25 Jul 2020 17:25:45 +0100 Subject: [PATCH 06/15] Added clearer recovery options --- README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 124e4ec..63f8c33 100644 --- a/README.md +++ b/README.md @@ -2634,7 +2634,7 @@ To enable GnuPG support, one can just use the config file `gpg.rc` provided by m If PIN attempts are exceeded, the card is locked and must be [reset](https://developers.yubico.com/ykneo-openpgp/ResetApplet.html) and set up again using the encrypted backup. -Copy the following script to a file and run `gpg-connect-agent --run $file` to lock and terminate the card. Then re-insert YubiKey to reset. +Copy the following script to a file and run `gpg-connect-agent -r $file` to lock and terminate the card. Then re-insert YubiKey to reset. ```console /hex @@ -2664,6 +2664,13 @@ Reset code: NOT SET Admin PIN: 12345678 ``` + +# Recovery after reset + +If for whatever reason you need to reinstate your YubiKey from your master key backup (such as the one stored on an encrypted USB described in [Backup keys](#backup-keys)), follow the following steps in [Rotating keys](#rotating-keys) to setup your environment, and then follow the steps of again [Configure Smartcard](#configure-smartcard). + +Before you unmount your backup, ask yourself if you should make another one just in case. + # Notes 1. YubiKey has two configurations: one invoked with a short press, and the other with a long press. By default, the short-press mode is configured for HID OTP - a brief touch will emit an OTP string starting with `cccccccc`. If you rarely use the OTP mode, you can swap it to the second configuration via the YubiKey Personalization tool. If you *never* use OTP, you can disable it entirely using the [YubiKey Manager](https://developers.yubico.com/yubikey-manager) application (note, this not the similarly named older YubiKey NEO Manager). From 248e207527c3585b7fb1e28340c8f0384530f0dc Mon Sep 17 00:00:00 2001 From: Derek Gaffney <17263955+gaffneyd4@users.noreply.github.com> Date: Sun, 10 Oct 2021 08:52:12 -0400 Subject: [PATCH 07/15] Add TOC entry, fix link --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 63f8c33..71d73eb 100644 --- a/README.md +++ b/README.md @@ -79,6 +79,7 @@ If you have a comment or suggestion, please open an [Issue](https://github.com/d * [Mailvelope on macOS](#mailvelope-on-macos) * [Mutt](#mutt) - [Reset](#reset) +- [Recovery after reset](#recovery-after-reset) - [Notes](#notes) - [Troubleshooting](#troubleshooting) - [Alternatives](#alternatives) @@ -2664,10 +2665,9 @@ Reset code: NOT SET Admin PIN: 12345678 ``` - # Recovery after reset -If for whatever reason you need to reinstate your YubiKey from your master key backup (such as the one stored on an encrypted USB described in [Backup keys](#backup-keys)), follow the following steps in [Rotating keys](#rotating-keys) to setup your environment, and then follow the steps of again [Configure Smartcard](#configure-smartcard). +If for whatever reason you need to reinstate your YubiKey from your master key backup (such as the one stored on an encrypted USB described in [Backup](#backup)), follow the following steps in [Rotating keys](#rotating-keys) to setup your environment, and then follow the steps of again [Configure Smartcard](#configure-smartcard). Before you unmount your backup, ask yourself if you should make another one just in case. From 76d32d2cd993fc40e971e4214817a8f702037fda Mon Sep 17 00:00:00 2001 From: Matthias Pigulla Date: Mon, 25 Oct 2021 09:31:57 +0200 Subject: [PATCH 08/15] Point out that paperkey backups are password-protected Fixes #263. Really though decision to make whether a paper printout with the password is a good way to go (recoverable but needs a really good place to keep) or not (more protection, but possibly worthless). --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0f7dc18..0f0df4f 100644 --- a/README.md +++ b/README.md @@ -951,10 +951,12 @@ The `revoke.asc` certificate file should be stored (or printed) in a (secondary) # Backup -Once keys are moved to YubiKey, they cannot be moved again! Create an **encrypted** backup of the keyring and consider using a [paper copy](https://www.jabberwocky.com/software/paperkey/) of the keys as an additional backup measure. - +Once keys are moved to YubiKey, they cannot be moved again! Create an **encrypted** backup of the keyring on removable media so you can keep it offline in a safe place. + **Tip** The ext2 filesystem (without encryption) can be mounted on both Linux and OpenBSD. Consider using a FAT32/NTFS filesystem for MacOS/Windows compatibility instead. +As an additional backup measure, consider using a [paper copy](https://www.jabberwocky.com/software/paperkey/) of the keys. The [Linux Kernel Maintainer PGP Guide](https://www.kernel.org/doc/html/latest/process/maintainer-pgp-guide.html#back-up-your-master-key-for-disaster-recovery) points out that such printouts *are still password-protected*. It recommends to *write the password on the paper*, since it will be unlikely that you remember the original key password that was used when the paper backup was created. Obviously, you need a really good place to keep such a printout. + **Linux** Attach another external storage device and check its label: From 1a955f88aaf5c02e6588d35d653abc2ee754a984 Mon Sep 17 00:00:00 2001 From: Jean-Paul van Ravensberg <14926452+DevSecNinja@users.noreply.github.com> Date: Sun, 7 Nov 2021 13:07:01 +0100 Subject: [PATCH 09/15] Add small adjustments after renewing my subkeys --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0f7dc18..aa4a1bb 100644 --- a/README.md +++ b/README.md @@ -1811,7 +1811,7 @@ Enter passphrase for /dev/mmcblk0p1: $ sudo mount /dev/mapper/secret /mnt/encrypted-storage ``` -Import the master key and configuration to a temporary working directory: +Import the master key and configuration to a temporary working directory. Note that Windows users should import mastersub.gpg: ```console $ export GNUPGHOME=$(mktemp -d -t gnupg_$(date +%Y%m%d%H%M)_XXX) @@ -2741,7 +2741,7 @@ Before you unmount your backup, ask yourself if you should make another one just ``` you need to adjust the trust associated with the key. See the above bullet. -- If you receive the error, `gpg: 0x0000000000000000: skipped: Unusable public key` or `encryption failed: Unusable public key` the sub-key may be expired and can no longer be used to encrypt nor sign messages. It can still be used to decrypt and authenticate, however. +- If you receive the error, `gpg: 0x0000000000000000: skipped: Unusable public key`, `signing failed: Unusable secret key`, or `encryption failed: Unusable public key` the sub-key may be expired and can no longer be used to encrypt nor sign messages. It can still be used to decrypt and authenticate, however. - Refer to Yubico article [Troubleshooting Issues with GPG](https://support.yubico.com/hc/en-us/articles/360013714479-Troubleshooting-Issues-with-GPG) for additional guidance. From 33993e767c33f8f9b9993545a221d0bc85af00f1 Mon Sep 17 00:00:00 2001 From: Pedro H <5179251+pedrohdz@users.noreply.github.com> Date: Sat, 13 Nov 2021 14:42:05 +0100 Subject: [PATCH 10/15] Fixed broken "Change PUK" link Fixed a broken link found in https://github.com/drduh/YubiKey-Guide/issues/287 and updated the text. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0f7dc18..30b3f0e 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ Keys stored on YubiKey are [non-exportable](https://support.yubico.com/support/s **New!** [drduh/Purse](https://github.com/drduh/Purse) is a password manager which uses GPG and YubiKey. -**Security Note**: If you followed this guide before Jan 2021, your PUK (Pin Unblock Key) may be set to its default value of `12345678`. An attacker can use this to reset your PIN and use your Yubikey. Please see the [Change PUK](#change-puk) section for details on how to change your PUK. +> **Security Note**: If you followed this guide before Jan 2021, your GPG *PIN* and *Admin PIN* may be set to their default values (`123456` and `12345678` respectively). This would allow an attacker to use your Yubikey or reset your PIN. Please see the [Change PIN](#change-pin) section for details on how to change your PINs. If you have a comment or suggestion, please open an [Issue](https://github.com/drduh/YubiKey-Guide/issues) on GitHub. From c69fc7badfe69a67f1ee75fd26e1e5d146b67729 Mon Sep 17 00:00:00 2001 From: Maksim Ramanouski Date: Sun, 2 Jan 2022 14:04:43 +0100 Subject: [PATCH 11/15] Fix for `tr: Illegal byte sequence` on macOS --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0f7dc18..a9513b8 100644 --- a/README.md +++ b/README.md @@ -463,7 +463,7 @@ ydOmByxmDe63u7gqx2XI9eDgpvJwibNH Use upper case letters for improved readability if they are written down: ```console -$ tr -dc '[:upper:]' < /dev/urandom | fold -w 20 | head -n1 +$ LC_ALL=C tr -dc '[:upper:]' < /dev/urandom | fold -w 20 | head -n1 BSSYMUGGTJQVWZZWOPJG ``` From 543d218b686d00bc0e8bb605b2b712af0816e2c7 Mon Sep 17 00:00:00 2001 From: Hiroki Okada Date: Fri, 28 Jan 2022 03:39:57 +0900 Subject: [PATCH 12/15] Add missing preposition ("be able use" -> "be able to use") --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0f7dc18..7897795 100644 --- a/README.md +++ b/README.md @@ -2170,7 +2170,7 @@ For example, `tmux` does not have some environment variables like `$SSH_AUTH_SOC In the above steps, you have successfully configured a local ssh-agent. -You should now be able use `ssh -A remote` on the _local_ machine to log into _remote_, and should then be able to use YubiKey as if it were connected to the remote machine. For example, using e.g. `ssh-add -l` on that remote machine should show the public key from the YubiKey (note `cardno:`). (If you don't want to have to remember to use `ssh -A`, you can use `ForwardAgent yes` in `~/.ssh/config`. As a security best practice, always use `ForwardAgent yes` only for a single `Hostname`, never for all servers.) +You should now be able to use `ssh -A remote` on the _local_ machine to log into _remote_, and should then be able to use YubiKey as if it were connected to the remote machine. For example, using e.g. `ssh-add -l` on that remote machine should show the public key from the YubiKey (note `cardno:`). (If you don't want to have to remember to use `ssh -A`, you can use `ForwardAgent yes` in `~/.ssh/config`. As a security best practice, always use `ForwardAgent yes` only for a single `Hostname`, never for all servers.) ### Use S.gpg-agent.ssh From 1e3e4bccbc2792512a0218738d52d066e6f6cda8 Mon Sep 17 00:00:00 2001 From: Dirk-jan Mollema Date: Tue, 15 Feb 2022 04:19:10 -0800 Subject: [PATCH 13/15] Add notes about KDF compatibility (solves #307) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0f7dc18..82f7282 100644 --- a/README.md +++ b/README.md @@ -1292,7 +1292,7 @@ General key info..: [none] Use the [YubiKey Manager](https://developers.yubico.com/yubikey-manager) application (note, this is not the similarly named older YubiKey NEO Manager) to enable CCID functionality. ## Enable KDF -Key Derived Function (KDF) enables YubiKey to store the hash of PIN, preventing the PIN from being passed as plain text. +Key Derived Function (KDF) enables YubiKey to store the hash of PIN, preventing the PIN from being passed as plain text. Note that this requires a relatively new version of GnuPG to work, and may not be compatible with other GPG clients (notably mobile clients). These incompatible clients will be unable to use the YubiKey GPG functions as the PIN will always be rejected. If you are not sure you will only be using your YubiKey on supported platforms, it may be better to skip this step. ```console gpg/card> admin From 204b9f814f43aa4e9bd271a0a33b9e9c9f920550 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20K=C3=A4ufl?= Date: Thu, 17 Mar 2022 18:18:07 +0100 Subject: [PATCH 14/15] Fix typo Closes drduh/YubiKey-Guide#297 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5078416..4998c85 100644 --- a/README.md +++ b/README.md @@ -1557,7 +1557,7 @@ You can force GPG to scan the card and re-create the stubs to point to another Y Having created two (or more Yubikeys) with the same GPG key (as described above) where the stubs are pointing to the second Yubikey: -Insert the first Yubikey (which has a different serial numnber) and run the following command: +Insert the first Yubikey (which has a different serial number) and run the following command: ```console $ gpg-connect-agent "scd serialno" "learn --force" /bye From 93ff1d3595b5822ab567cfadc8131a641b506239 Mon Sep 17 00:00:00 2001 From: beardedbotanist <99488691+beardedbotanist@users.noreply.github.com> Date: Fri, 8 Apr 2022 14:57:09 -0400 Subject: [PATCH 15/15] Adding wget as prerequisite on macOS When i was following the guide I could not fetch the gpg config because I was missing wget --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5078416..0dfe7a6 100644 --- a/README.md +++ b/README.md @@ -316,7 +316,7 @@ $ doas pkg_add gnupg pcsc-tools Download and install [Homebrew](https://brew.sh/) and the following packages: ```console -$ brew install gnupg yubikey-personalization hopenpgp-tools ykman pinentry-mac +$ brew install gnupg yubikey-personalization hopenpgp-tools ykman pinentry-mac wget ``` **Note** An additional Python package dependency may need to be installed to use [`ykman`](https://support.yubico.com/support/solutions/articles/15000012643-yubikey-manager-cli-ykman-user-guide) - `pip install yubikey-manager`