mirrors
/
YubiKey-Guide
mirror of https://github.com/drduh/YubiKey-Guide
0
0
Fork 0
Code Releases Activity

Merge pull request #458 from drduh/18aug24 

use printf, export keyid, fix link
master
drduh 2024-08-18 19:00:22 +00:00 committed by GitHub
parent 59caacc134 d0928bc007
commit e218607c1f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 6 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
README.md
View File

@ -348,7 +348,7 @@ This guide recommends a two year expiration for Subkeys to balance security and
When Subkeys expire, they may still be used to decrypt with GnuPG and authenticate with SSH, however they can **not** be used to encrypt nor sign new messages. When Subkeys expire, they may still be used to decrypt with GnuPG and authenticate with SSH, however they can **not** be used to encrypt nor sign new messages.
Subkeys must be renewed or rotated using the Certify key - see [Updating Subkeys](#updating-subkeys). Subkeys must be renewed or rotated using the Certify key - see [Updating keys](#updating-keys).
Set the expiration date to two years: Set the expiration date to two years:
@ -371,7 +371,7 @@ The following commands will generate a strong passphrase and avoid ambiguous cha
```console ```console
export CERTIFY_PASS=$(LC_ALL=C tr -dc 'A-Z1-9' < /dev/urandom | \ export CERTIFY_PASS=$(LC_ALL=C tr -dc 'A-Z1-9' < /dev/urandom | \
tr -d "1IOS5U" | fold -w 30 | sed "-es/./ /"{1..26..5} | \ tr -d "1IOS5U" | fold -w 30 | sed "-es/./ /"{1..26..5} | \
cut -c2- | tr " " "-" | head -1) ; echo "\n$CERTIFY_PASS\n" cut -c2- | tr " " "-" | head -1) ; printf "\n$CERTIFY_PASS\n\n"
``` ```
Write the passphrase in a secure location, ideally separate from the portable storage device used for key material, or memorize it. Write the passphrase in a secure location, ideally separate from the portable storage device used for key material, or memorize it.
@ -511,7 +511,7 @@ Generate another unique [Passphrase](#passphrase) (ideally different from the on
```console ```console
export LUKS_PASS=$(LC_ALL=C tr -dc 'A-Z1-9' < /dev/urandom | \ export LUKS_PASS=$(LC_ALL=C tr -dc 'A-Z1-9' < /dev/urandom | \
tr -d "1IOS5U" | fold -w 30 | sed "-es/./ /"{1..26..5} | \ tr -d "1IOS5U" | fold -w 30 | sed "-es/./ /"{1..26..5} | \
cut -c2- | tr " " "-" | head -1) ; echo "\n$LUKS_PASS\n" cut -c2- | tr " " "-" | head -1) ; printf "\n$LUKS_PASS\n\n"
``` ```
This passphrase will also be used infrequently to access the Certify key and should be very strong. This passphrase will also be used infrequently to access the Certify key and should be very strong.
@ -912,8 +912,7 @@ Install the required packages:
```console ```console
sudo apt update sudo apt update
sudo apt install -y \ sudo apt install -y gnupg gnupg-agent scdaemon pcscd
gnupg gnupg-agent gnupg-curl scdaemon pcscd
``` ```
**OpenBSD** **OpenBSD**
@ -969,7 +968,7 @@ Determine the key ID:
```console ```console
gpg -k gpg -k
KEYID=0xF0F2CFEB04341FB5 export KEYID=0xF0F2CFEB04341FB5
``` ```
Assign ultimate trust by typing `trust` and selecting option `5` then `quit`: Assign ultimate trust by typing `trust` and selecting option `5` then `quit`:
@ -1351,18 +1350,11 @@ To launch `gpg-agent` for use by SSH, use the `gpg-connect-agent /bye` or `gpgco
Add the following to the shell rc file: Add the following to the shell rc file:
```console
export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
gpg-connect-agent updatestartuptty /bye > /dev/null
```
On modern systems, `gpgconf --list-dirs agent-ssh-socket` will automatically set `SSH_AUTH_SOCK` to the correct value and is better than hard-coding to `run/user/$UID/gnupg/S.gpg-agent.ssh`, if available:
```console ```console
export GPG_TTY="$(tty)" export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent gpgconf --launch gpg-agent
gpg-connect-agent updatestartuptty /bye > /dev/null
``` ```
For fish, `config.fish` should look like this (consider putting them into the `is-interactive` block): For fish, `config.fish` should look like this (consider putting them into the `is-interactive` block):