Commit Graph

403 Commits (8a99330f94b7a8c2dec5e29da78b48d20bb91e2e)

Author SHA1 Message Date
drduh 81ebc0799a
Merge pull request #324 from Granddave/master
State release date of Yubico press release
2022-08-21 11:23:53 -07:00
drduh 8f2cd81a9f
Merge pull request #338 from franciosi/patch-1
Quick VMware Name Correction
2022-08-21 11:23:37 -07:00
Felix Kronlage-Dammers dae723b409 make launchctl commands more copy 'n paste friendly 2022-08-10 21:40:12 +02:00
Franciosi 085f11a3cc
Quick VMware name correction
s/VMWare/VMware
2022-08-09 21:20:21 -03:00
Douglas Reis 9c2a5c9598 Update the command to change the pin retry attempts
Signed-off-by: Douglas Reis <doreis@lowrisc.org>
2022-06-19 10:30:09 +01:00
David Isaksson 75f771b346
State release date of Yubico press release 2022-05-14 18:11:01 +02:00
SeanOMik 136d6884a5
Add Fedora required software section 2022-04-28 00:10:08 -04:00
Dennis Hoppe a8c581cca7
Update OneRNG to version 3.7 2022-04-25 11:47:21 +02:00
Peter Engelbert b2038e8e89
Add explanation of a possible fix for the `signing failed: agent refused operation` error
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
2022-04-22 10:04:19 -05:00
apiraino 03f37b8513
Add section to quickly create keys 2022-04-15 11:34:01 +02:00
apiraino 813352d30a
reset all changes 2022-04-12 16:04:34 +02:00
apiraino a725230d23
Merge branch 'master' into rewrite-key-creation-take2 2022-04-12 14:48:28 +02:00
Peter Babič 26e474b9bd
replace dead link with the web archive 2022-04-12 07:36:49 +02:00
Scott Leggett 7771a3f52b
chore: add piv-agent to Alternatives section 2022-04-12 01:07:23 +08:00
drduh dc29279197
Merge pull request #311 from michael-k/typo
Fix typo (numnber → number)
2022-04-09 11:46:06 -07:00
beardedbotanist 93ff1d3595
Adding wget as prerequisite on macOS
When i was following the guide I could not fetch the gpg config because I was missing wget
2022-04-08 14:57:09 -04:00
Michael Käufl 204b9f814f
Fix typo
Closes drduh/YubiKey-Guide#297
2022-03-17 18:18:07 +01:00
drduh 4615b5e919
Merge pull request #292 from mpdude/patch-1
Point out that paperkey backups are password-protected
2022-03-16 15:29:42 -07:00
drduh 14e951bb01
Merge pull request #294 from DevSecNinja/patch-1
Add small adjustments after renewing my subkeys
2022-03-16 15:29:16 -07:00
drduh 3f959cfc0d
Merge pull request #308 from okada-h/add-missing-preposition
Add missing preposition ("be able use" -> "be able to use")
2022-03-16 15:28:53 -07:00
drduh 6992c9e115
Merge pull request #295 from pedrohdz-scrap/no-puk
Fixed broken "Change PUK" link
2022-03-16 15:28:39 -07:00
drduh 55be657375
Merge pull request #303 from maxromanovsky/patch-1
Fix for `tr: Illegal byte sequence` on macOS
2022-03-16 15:28:16 -07:00
Dirk-jan Mollema 1e3e4bccbc
Add notes about KDF compatibility (solves #307) 2022-02-15 04:19:10 -08:00
Hiroki Okada 543d218b68 Add missing preposition ("be able use" -> "be able to use") 2022-01-28 03:39:57 +09:00
Maksim Ramanouski c69fc7badf
Fix for `tr: Illegal byte sequence` on macOS 2022-01-02 14:04:43 +01:00
Pedro H 33993e767c
Fixed broken "Change PUK" link
Fixed a broken link found in
https://github.com/drduh/YubiKey-Guide/issues/287 and updated the text.
2021-11-13 14:42:05 +01:00
Jean-Paul van Ravensberg 1a955f88aa
Add small adjustments after renewing my subkeys 2021-11-07 13:07:01 +01:00
Matthias Pigulla 76d32d2cd9
Point out that paperkey backups are password-protected
Fixes #263. Really though decision to make whether a paper printout with the password is a good way to go (recoverable but needs a really good place to keep) or not (more protection, but possibly worthless).
2021-10-25 09:31:57 +02:00
drduh fe6434577b
Merge pull request #291 from gaffneyd4/improve-recovery-guide
Added clearer recovery options
2021-10-24 11:08:50 -07:00
drduh 5823d488f3
Merge pull request #290 from NiklasMerz/mac-m1
add pinentry path for M1 macs
2021-10-24 11:08:10 -07:00
drduh 2cbfcfba49
Merge pull request #288 from watermelonpizza/master
Use GPT instead of MBR
2021-10-24 11:07:16 -07:00
drduh 1c1e76623f
Merge pull request #285 from jaeha-choi/master
Add Key Derived Function (KDF) setting
2021-10-24 10:53:28 -07:00
drduh b621273182
Merge pull request #284 from jsoref/grammar
Minor grammar fixes
2021-10-24 10:52:28 -07:00
Derek Gaffney 248e207527
Add TOC entry, fix link 2021-10-10 08:52:12 -04:00
Wheest 77394c2773
Added clearer recovery options 2021-10-10 08:44:26 -04:00
Niklas Merz 6740fa9a10
add pinentry path for M1 macs
Closes #289
2021-10-05 22:16:36 +02:00
Daniel Miller 3418634c66
Use GPT instead of MBR 2021-10-04 22:10:12 +11:00
basbebe ad09f543af
add prefix and date to temporary folder
This makes identifying the latest version easier when daleing with backups.
2021-09-30 10:46:06 +02:00
Jaeha Choi b59107d413
Add note about KDF 2021-09-06 20:29:32 -07:00
Josh Soref a98866a185
Minor grammar fixes 2021-08-26 00:20:09 -04:00
apiraino d25f131c38
linting
Signed-off-by: apiraino <apiraino@users.noreply.github.com>
2021-08-22 21:31:20 +02:00
apiraino 5182d5e3d8
Rewrite keys generation tutorial
The master key is now created with `--batch` and a configuration script.
The subkeys are created with the quick key manipulation
interface (`--quick-add-key`).

Also provided two configuration scripts as templates for a RSA4096 or a
ED25519 master key.

Signed-off-by: apiraino <apiraino@users.noreply.github.com>
2021-08-22 21:31:17 +02:00
drduh 31074ac13d Stage alternatives section and cleanup grammar 2021-08-15 17:06:20 -07:00
drduh 569231bf2b Note to permasave password to fix #206 2021-08-15 16:12:36 -07:00
drduh 371d4ec77b Mention the yubikey troubleshooting guide for gpg to fix #217 2021-08-15 15:46:14 -07:00
drduh 7bfae57336 Update filenames to fix #222 2021-08-15 15:42:53 -07:00
drduh a02350f318
Merge pull request #276 from pedrohdz-scrap/clarify.pins-take.2
Clarified PIN config
2021-08-15 15:36:44 -07:00
drduh 92e2a5e8ac
Merge pull request #262 from iandstanley/patch-1
switching between Yubikeys
2021-08-15 15:24:30 -07:00
drduh 8816d9759f
Merge pull request #264 from iandstanley/master
added mention of ssh key support for blue security keys
2021-08-15 15:22:11 -07:00
Pedro H 1a83925dda
Expanded on GPG PIN config 2021-08-10 14:37:28 +02:00
Andrew Martinez 87f48f547b
clarify pins, drduh/YubiKey-Guide#248
- define each pin name, default, usage
- call out special admin pin restrictions
2021-08-10 12:50:36 +02:00
Sven Reissmann 23caa2c36b
Update nixos LiveCD example
````nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix```` no longer exists. 
Update to ````nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix````
2021-07-05 10:19:58 +02:00
Ian Stanley 15bb00b428
added mention of ssh key support for blue security keys
As detailed in their recent press release and blog post

https://www.yubico.com/blog/github-now-supports-ssh-security-keys/
2021-06-08 20:59:02 +01:00
Ian Stanley f6818480a5
added to section multiple Yubikeys section re: switching between Yubikeys
section describes the issue and the remedy for GPG stubs only pointing to the Yubikey that was last subject to the keytocard command
2021-06-04 22:47:38 +01:00
drduh 20dd0687cd
Merge pull request #247 from jamesob/jamesob-21-03-pass-trouble
Add note about pass insert error and `trust-key` usage
2021-05-31 16:21:51 +00:00
drduh 21c0e03cd0
Merge pull request #246 from whiskeysierra/patch-1
Update usage of ykman
2021-05-31 16:21:24 +00:00
drduh 6490586595
Merge pull request #232 from captn3m0/warning
[security] Adds warning about PUK being default
2021-05-31 16:19:49 +00:00
drduh 1566801177
Merge pull request #231 from captn3m0/change-puk
Adds instructions on changing the PUK
2021-05-31 16:19:29 +00:00
Michael Vorburger ⛑️ 49bfbf81ed
Add hint re. (new) `ssh-keygen -t ed25519-sk` 2021-05-01 16:20:32 +02:00
James O'Beirne 47cd085518
Add note about pass insert error and `trust-key` usage
When using a previously provisioned YubiKey on a new computer,
I was met with an "Unusable public key" error when trying to insert
a new password, despite being able to decrypt pass entries.

I tried setting the trust on the key via `gpg --edit-key`, but was
then met with "Need secret key to do this."

I found that the solution is apparently to use the `trust-key`
directive in `~/.gnupg/gpg.conf`, which is not mentioned in the README
at the moment.
2021-03-25 11:40:22 -04:00
Willi Schönborn 592bdc5733
Update usage of ykman
Fixes the following warning:

WARNING: The use of this command is deprecated and will be removed!
Replace with: ykman openpgp keys set-touch
2021-03-24 14:51:38 +01:00
drduh de29a9e45c
Merge pull request #242 from inducer/patch-1
Fix: "quit" to save -> "save" to save
2021-02-11 17:11:41 -08:00
drduh 1d03a5201d
Merge pull request #240 from basbebe/macOS-GUI-setup
Add SSH setup for macOS GUI applications
2021-02-08 22:55:21 -08:00
berwag fb4d390317
Update README.md 2021-02-04 19:39:15 +01:00
berwag 4370ba86ac
Update README.md
changed wording according to yubischiess' comment
2021-01-28 11:19:53 +01:00
berwag ed85d93845
Additions to "Required Software"
proposed change according to Issue#215
2021-01-27 20:24:51 +01:00
Andreas Klöckner d921fa05bb
Fix: "quit" to save -> "save" to save 2021-01-13 11:32:41 -06:00
basbebe a65cdca19a
add fish config 2021-01-10 20:01:55 +01:00
basbebe 9fe946c8b1
Add SSH setup for macOS GUI applications
On macOS, a LaunchAgent needs to be created to overwrite the system's SSH agent.

see https://github.com/drduh/YubiKey-Guide/issues/229
2021-01-10 19:54:58 +01:00
drduh 4544d41d4c
Merge pull request #225 from ZenithalHourlyRate/gpg-agent-forward
Add New Agent Forward Method and Clarify Two Methods
2020-12-30 09:14:23 -08:00
Nemo 548b2adf2b Adds warning about PUK being default 2020-12-25 12:52:39 +05:30
Nemo 8c5dfd2475 Adds instructions on changing the PUK 2020-12-25 12:49:06 +05:30
Zenithal 1eacf97835
Rephrase one sentence according to one comment on drduh/YubiKey-Guide#225 2020-12-24 21:08:41 +08:00
Zenithal a24fa8f373
Add subsections on chained agent forwarding 2020-12-24 21:01:44 +08:00
Zenithal 7e49f5cc89
Add note on chained agent forwarding 2020-12-03 01:18:21 +08:00
Zenithal 52727f1e04
Correct WSL agent forwarding
This is a mix of two forwarding method,
this commit separates them
2020-12-03 01:16:47 +08:00
Zenithal 6097e6762c
Change note in alter agent section
Different methods have different requirements
2020-12-03 01:01:36 +08:00
Zenithal 0d06d2ace8
Add new method for ssh-agent forwarding 2020-12-03 00:52:43 +08:00
Zenithal 54f9e8a3f9
Add details to GPG-Agent forward; Alter structure
GPG Agent forwarding has a broader usage, not only
limited to ssh-agent forwarding.

In this commit gpg-agent forwarding is raised as a
separate section as it can not be contained by #SSH
any longer.

More details are added for gpg-agent forwarding, including
some important notes taken from practice and analysis.

For ssh-agent forward, older method are contained, and new
method will be included as framework has been structured.
2020-12-03 00:13:15 +08:00
Zenithal 410a1d6ac2
Change format of important notes in mutt subsection 2020-12-02 23:23:34 +08:00
Zenithal 083aa53cf0
Add Mutt subsection in Email section 2020-12-02 22:59:30 +08:00
Zenithal 0ea32bb949
Add Mutt in Email intro 2020-12-02 22:35:56 +08:00
drduh fc6f9eb80d
Merge pull request #218 from DevSecNinja/devsecninja/addPowerShellCommand
Add PowerShell command to get YubiKey name
2020-11-21 10:59:23 -08:00
drduh 006ea19d04
Merge pull request #213 from linutsdc/fix-links
Fix links with parentheses
2020-11-21 10:48:00 -08:00
drduh 5c0bcd40a7
Merge pull request #211 from rgevaert/patch-1
unset GNUPGHOME variable
2020-11-21 10:45:59 -08:00
drduh f2aeed1b55
Merge pull request #214 from anmull/debian-iso-version
Changes command to download Debian ISO to use the value in the SHA512SUMS file
2020-11-21 10:45:40 -08:00
Nemo 7067ba6c38
Fix reset command
gpg-connect-agent uses `-r/--run` not `-R`
2020-11-14 09:24:19 +00:00
Jean-Paul van Ravensberg b1d3d279eb
Change edit to create or edit
As gpg-agent.conf didn't exist on my system
2020-10-31 11:29:35 +01:00
Jean-Paul van Ravensberg fd4b6f3eb4
Add PowerShell command to get YubiKey name 2020-10-31 11:15:51 +01:00
Anthony Muller 70dc01467b Update verification of Debian ISO to not hardcode the version. 2020-09-25 18:11:40 +00:00
Anthony Muller 967ca3cc52 Change Debian ISO url to be generated from the contents of SHA512SUM.
This removes the need to maintain the version number, which is currently
out of date.
2020-09-25 08:18:44 +00:00
andy f0e877fe5f Fix links with parentheses 2020-09-17 19:31:00 -04:00
dragon788 94a753d4a1
Merge branch 'master' into update-python-refs 2020-09-02 13:57:38 -05:00
Rudy Gevaert 547c1267bc
unset GNUPGHOME variable
if not done, in the next step you get error: 
gpg: keyblock resource '/home/..../gnupg-workspace/pubring.kbx': No such file or directory
gpg: no writable keyring found: Not found
2020-09-01 14:20:32 +02:00
drduh 03f0e40558 Merge branch 'master' of https://github.com/Amolith/YubiKey-Guide into Amolith-master 2020-08-30 14:19:41 -07:00
Mirko Vogt 767b84eb3b Add option to retrieve additionaly entropy from YubiKey itself 2020-08-29 16:24:34 +00:00
Amolith 0e7dabeeeb
change defaults and add info to #Require touch
As mentioned in #197, the previous behaviour would require users to
touch their key any time an authentication, signing, or encryption
operation was performed. In some situations, this behaviour would be
undesirable and the only way to revert it would be fully resetting the
key and starting from scratch. Rather than using `fixed`, this commit
simply turns the feature `on` so the user can change it later if they
wish.

Additionally, a note about the other policies was included so users can
decide for themselves which fits their situation better.
2020-08-26 23:42:53 -04:00
dragon788 9bb54914b4
Merge branch 'master' into update-python-refs 2020-08-23 13:20:03 -05:00
drduh 697a7d8fb9
Merge pull request #203 from bengim/bengim-patch-PyOpenSSL
fixing wrong cryptography version
2020-08-22 14:19:45 -07:00
bengim 2187610c1d
Update README.md
fixing wrong cryptography version by explicitly installing PyOpenSSL
2020-08-22 19:33:38 +04:00
dragon788 58b7c819d7
Python2 is EOL, update packages/references to Py3 2020-08-21 17:55:28 -05:00
Stefano Figura 8a95de3e3f
Correct spelling 2020-08-14 00:12:06 +02:00
Stefano Figura a2bc415f84
Update wording
Ensure that is clear that we do not need to modify keys or even plug the yubikey
2020-08-14 00:06:37 +02:00
Stefano Figura 8a08a8ac15
Update notation section 2020-08-13 23:51:42 +02:00
Stefano Figura c9ea04db2c
Add notations section 2020-08-13 23:45:18 +02:00
b1f6c1c4 f6f2c26e90
Fix usage inconsistency
Master key shall only be used to certify other keys. The usage indicator in
README.md is inconsistently shown as SC and C.
2020-08-11 02:17:08 -04:00
Kenny MacDermid 78164e8bfd
Set touch policy to fixed.
Setting the touch policy to `on` does not prevent the policy from
later being turned off again. Setting it to `fixed` is more secure
because it can not be turned off.

If someone wants to disable the touch policy they can always restore
the keys from the backups created in the guide.
2020-05-27 16:39:29 -03:00
Sebastian Schmieschek e1055025fe
Add information on potential PIN issues and how to debug them
I missed the error message when attempting to set a PIN of only 5 characters due
to the UI repeating the options below it.
Pinentry happily stores the bogus PIN and even counts down the retry counter
when entering the correct (default) one. This can be resolved by unblocking the
PIN.
Once I ran the gpg-agent with debug output (a tip found in the added link), the
issue was obvious.
2020-05-27 11:46:19 +01:00
drduh ccb8b0130a Stack rank secure environment and add a few tips 2020-05-25 12:49:07 -07:00
drduh 0bd52ed7d8
Merge pull request #185 from vald-phoenix/fix-borken-anchor
Fix broken anchor
2020-05-24 17:09:09 +00:00
Max Mäusezahl 1cf9656b33
Fix order of revocation command.
According to 'man gpg' the order of arguments should be

gpg [--homedir name] [--options file] [options] command [args]

In this case '--gen-revoke' is the command, '$KEYID' is an argument and
'--output $GNUPGHOME/revoke.asc' is an option. Previously this was
incorrect (option came first) and would spawn an error.
2020-05-24 17:53:56 +02:00
Mike Mazur de13c8dba6
Include --expert when editing master key
This is specifically during setup when rotating keys.
2020-05-17 21:00:03 +08:00
Vladyslav Krylasov 4c1d538c60 Fix broken anchor
There are two anchors with the same name and this breaks navigation.
2020-05-04 19:19:02 +01:00
Jason Stelzer aea317b527 Clarified wording 2020-05-04 08:28:23 -04:00
Jason Stelzer 07134a4e4f GPG keys on multiple computers
I feel like this took me longer to figure out than it should have.
2020-05-04 08:22:14 -04:00
drduh 93cbbd9d8b Address throw-keyids issue with mailvelope to fix #178 2020-05-03 14:18:29 -07:00
drduh 46d1d89115 Split export pubkey from backup to fix #175 2020-05-03 14:07:35 -07:00
drduh bf38b94a65 Disambiguate backup volume label to fix #176. 2020-05-03 13:45:58 -07:00
drduh aad01ffde4
Merge pull request #180 from vald-phoenix/yubikey-reset-by-ykman
Describe ykman PGP keys reset
2020-05-03 18:12:47 +00:00
drduh 3be47a8c32
Merge pull request #179 from vald-phoenix/multiple-yubikeys
Describe card serial number error
2020-05-03 18:12:28 +00:00
drduh a1a4a303f9
Merge pull request #177 from apiraino/revoke-cert
Add instructions to create a revoke certificate
2020-05-03 18:11:37 +00:00
drduh afd3fafcc5
Merge pull request #170 from murphy83/Abort-Trick
Added some additonal text describing alternatives that may be used
2020-05-03 18:10:49 +00:00
Vladyslav Krylasov 44d76ac5ab Describe card serial number error 2020-04-29 00:52:24 +01:00
Vladyslav Krylasov 6108558645 Describe ykman PGP keys reset 2020-04-28 21:28:44 +01:00
apiraino 2698cecd4c Add instruction to create a revoke certificate 2020-04-28 16:19:18 +02:00
Daniel Sockwell b5adb349ad Add steps for renewing (not rotating) sub-keys
As discussed in issue #164, the current section on Rotating Keys
presents two alternatives: replacing the existing keys with a newly
generated key or extending the validity of existing keys by changing
their expiration.  However, it only provides instructions for the
first approach.  This commit adds instructions for renewing sub-keys.

I am far from an expert, and am submitting this change mostly in hopes
that it will provide documentation for the next time I need to renew
my sub-keys.  I would welcome any changes or clarifications others
would care to offer.
2020-03-24 12:42:42 -04:00
Murphy Laptop db1d86cdd8 Added some additonal text describing alternatives that may be used 2020-03-02 21:18:56 +01:00
drduh 2c2cec316c Bump Debian version, license year 2020-02-12 09:38:36 -08:00
drduh 2fc50760db
Merge pull request #160 from rvl/nixos
Add instructions for NixOS
2020-01-22 06:39:14 +00:00
drduh 51ed654e43
Merge pull request #159 from rvl/multiple-yubikeys
Add more detail about what to do with multiple YubiKeys
2020-01-22 06:39:08 +00:00
Rodney Lorrimar bb5184a0b3 Add instructions for NixOS
I just tested these steps on a spare laptop.
2020-01-22 10:27:55 +10:00
Rodney Lorrimar b45174f185 Add more detail about what to do with multiple YubiKeys 2020-01-22 09:40:34 +10:00
Rodney Lorrimar 6cd76216c5 Add information about setting the primary user ID 2020-01-22 09:12:17 +10:00
Andrea Scarpino 8f10cd5819
Fix gnupg package name for Arch
`gnupg2` has been [removed since March 2012](https://lists.archlinux.org/pipermail/arch-dev-public/2012-March/022690.html)
2020-01-21 12:01:27 +01:00
wsyxbcl bb0a0d1ac8
fix broken links 2020-01-12 00:20:07 +08:00
Mark Fayngersh e4a063e0f0
Update GitHub instructions on Windows
Add command to instruct Git to use WinGPG
2020-01-07 16:13:48 -05:00
drduh 1b5a2fefd8 Formatting cleanup 2019-12-30 15:36:11 -08:00
drduh be7addad3c Use larger partition sizes to fix #149. 2019-12-30 15:22:39 -08:00
gusttt 908d3172a4
Fix typo in table of contents link 2019-12-16 15:05:46 +01:00
drduh 04127d566b Document issue #145 and fix #142 2019-12-14 11:48:33 -08:00
drduh 11d6e1aff6 Fix url formatting 2019-11-19 17:28:45 -08:00
drduh 701d9eb50f Update Debian version and fix #137 2019-11-19 17:24:57 -08:00
Maxim Baz 35e443f8cc
Mention yubikey-touch-detector 2019-11-17 20:42:04 +01:00
Emile 'iMil' Heitor 137300a713 Added a fix for failing ssh / GUI pinentry 2019-11-13 09:18:57 +01:00
Kiel C 010accf864
Add --keyserver flag pointing to Debian keyserver
Fixes #131
2019-11-07 13:29:39 -08:00
Sun Knudsen 4524c11632 Added important note about pin caching #135 2019-10-19 14:05:49 -04:00
Jakub Skory 5f150b68e2
More lines with old debian version corrected 2019-10-09 22:08:31 +02:00
Jakub Skory 754e480792
New Debian version: 10.1.0
Before curl returned http/404
2019-10-09 21:40:03 +02:00
Gary Johnson 13b9a92985 Update VM option 2019-09-27 02:26:44 -04:00
Gary Johnson 0f5df64094
Update README.md
Added primary source stating confirming that devices are read only in all but a few circumstances and that Keys ("secrets") cannot be read after being written to the device
2019-09-24 23:55:37 -04:00