mirror of
https://github.com/drduh/YubiKey-Guide.git
synced 2025-01-05 04:20:55 +00:00
Merge pull request #359 from drduh/wip-winter22
Fix issues #347, #354, #353, #349, #334
commit
155df18d29
28
README.md
@ -1303,7 +1303,7 @@ $ sudo cp -avi $GNUPGHOME /mnt/encrypted-storage/
|
|||||||
$ sudo cp onerng_3.6-1_all.deb /mnt/encrypted-storage/
|
$ sudo cp onerng_3.6-1_all.deb /mnt/encrypted-storage/
|
||||||
```
|
```
|
||||||
|
|
||||||
Keep the backup mounted if you plan on setting up two or more keys as `keytocard` **will [delete](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html) the local copy** on save.
|
**Note** If you plan on setting up multiple keys, keep the backup mounted or remember to terminate the gpg process before [saving](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html).
|
||||||
|
|
||||||
Unmount, close and disconnect the encrypted volume:
|
Unmount, close and disconnect the encrypted volume:
|
||||||
|
|
||||||
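Review bot: The replacement note in the Linux backup step no longer says why the backup must stay mounted. The old sentence stated that `keytocard` deletes the local copy on save; the new one only links the word "saving". Keep that reason in the note, and spell out what "terminate the gpg process before saving" means in practice, since a reader cannot tell from this line whether to quit the edit session without saving or to kill the process.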
@ -1313,7 +1313,6 @@ $ sudo umount /mnt/encrypted-storage/
|
|||||||
$ sudo cryptsetup luksClose secret
|
$ sudo cryptsetup luksClose secret
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
**OpenBSD**
|
**OpenBSD**
|
||||||
|
|
||||||
Attach a USB disk and determine its label:
|
Attach a USB disk and determine its label:
|
||||||
@ -1386,7 +1385,7 @@ $ doas mount /dev/sd3i /mnt/encrypted-storage
|
|||||||
$ doas cp -avi $GNUPGHOME /mnt/encrypted-storage
|
$ doas cp -avi $GNUPGHOME /mnt/encrypted-storage
|
||||||
```
|
```
|
||||||
|
|
||||||
Keep the backup mounted if you plan on setting up two or more keys as `keytocard` **will [delete](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html) the local copy** on save.
|
**Note** If you plan on setting up multiple keys, keep the backup mounted or remember to terminate the gpg process before [saving](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html).
|
||||||
|
|
||||||
Otherwise, unmount and disconnect the encrypted volume:
|
Otherwise, unmount and disconnect the encrypted volume:
|
||||||
|
|
||||||
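Review bot: In the OpenBSD copy of the note, the following line still begins "Otherwise, unmount and disconnect the encrypted volume:", which was written to follow the single instruction "Keep the backup mounted ..." and now follows a note that offers two alternatives. Reword that line (the Linux section uses "Unmount, close and disconnect ...") so "Otherwise" has a clear antecedent. The note is also duplicated verbatim from the Linux section, so any wording fix has to be applied in both places.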
@ -1513,6 +1512,13 @@ Authentication key: [none]
|
|||||||
General key info..: [none]
|
General key info..: [none]
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Enter administrative mode:
|
||||||
|
|
||||||
|
```console
|
||||||
|
gpg/card> admin
|
||||||
|
Admin commands are allowed
|
||||||
|
```
|
||||||
|
|
||||||
**Note** If the card is locked, see [Reset](#reset).
|
**Note** If the card is locked, see [Reset](#reset).
|
||||||
|
|
||||||
**Windows**
|
**Windows**
|
||||||
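Review bot: The new "Enter administrative mode:" step is inserted ahead of the "If the card is locked" note and the **Windows** paragraph, while the `gpg/card>` commands that depend on it come after them. Say here that admin mode is required for the card commands in the following sections, or move the step below the Windows paragraph, so a reader following the Windows instructions does not skip it.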
@ -1523,9 +1529,6 @@ Use the [YubiKey Manager](https://developers.yubico.com/yubikey-manager) applica
|
|||||||
Key Derived Function (KDF) enables YubiKey to store the hash of PIN, preventing the PIN from being passed as plain text. Note that this requires a relatively new version of GnuPG to work, and may not be compatible with other GPG clients (notably mobile clients). These incompatible clients will be unable to use the YubiKey GPG functions as the PIN will always be rejected. If you are not sure you will only be using your YubiKey on supported platforms, it may be better to skip this step.
|
Key Derived Function (KDF) enables YubiKey to store the hash of PIN, preventing the PIN from being passed as plain text. Note that this requires a relatively new version of GnuPG to work, and may not be compatible with other GPG clients (notably mobile clients). These incompatible clients will be unable to use the YubiKey GPG functions as the PIN will always be rejected. If you are not sure you will only be using your YubiKey on supported platforms, it may be better to skip this step.
|
||||||
|
|
||||||
```console
|
```console
|
||||||
gpg/card> admin
|
|
||||||
Admin commands are allowed
|
|
||||||
|
|
||||||
gpg/card> kdf-setup
|
gpg/card> kdf-setup
|
||||||
```
|
```
|
||||||
|
|
||||||
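Review bot: With `gpg/card> admin` removed from this block, `kdf-setup` only works if the reader has already run the admin step added earlier in the file, and nothing in this section says so. Because the paragraph presents KDF as a step that can be skipped, readers may arrive here directly; add a short pointer before `kdf-setup` that administrative mode must already be enabled. While touching this section, "Key Derived Function" in the unchanged paragraph should read "Key Derivation Function".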
@ -2470,10 +2473,13 @@ To authenticate:
|
|||||||
|
|
||||||
Run the following commands:
|
Run the following commands:
|
||||||
|
|
||||||
> git config --global core.sshcommand 'plink -agent'
|
```console
|
||||||
> git config --global gpg.program 'C:\Program Files (x86)\GnuPG\bin\gpg.exe'
|
git config --global core.sshcommand "plink -agent"
|
||||||
|
|
||||||
You can then change the repository url to `git@github.com:USERNAME/repository` and any authenticated commands will be authorized by YubiKey.
|
git config --global gpg.program 'C:\Program Files (x86)\GnuPG\bin\gpg.exe'
|
||||||
|
```
|
||||||
|
|
||||||
|
You can then change the repository URL to `git@github.com:USERNAME/repository` and any authenticated commands will be authorized by YubiKey.
|
||||||
|
|
||||||
**Note** If you encounter the error `gpg: signing failed: No secret key` - run `gpg --card-status` with YubiKey plugged in and try the git command again.
|
**Note** If you encounter the error `gpg: signing failed: No secret key` - run `gpg --card-status` with YubiKey plugged in and try the git command again.
|
||||||
|
|
||||||
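Review bot: Quoting is now inconsistent between the two `git config` lines: `core.sshcommand` was switched to double quotes, but `gpg.program` still uses single quotes around `'C:\Program Files (x86)\GnuPG\bin\gpg.exe'`. In cmd.exe single quotes are not quoting characters, so the path is split at its spaces; use double quotes on both lines. The `>` prompt was also dropped inside the new `console` fence, so state which shell the commands are meant for.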
@ -2747,8 +2753,8 @@ Alternatively, use a script to delete the GnuPG shadowed key, where the card ser
|
|||||||
```console
|
```console
|
||||||
$ cat >> ~/scripts/remove-keygrips.sh <<EOF
|
$ cat >> ~/scripts/remove-keygrips.sh <<EOF
|
||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
test ! "$@" && echo "Specify a key." && exit 1
|
(( $# )) || { echo "Specify a key." >&2; exit 1; }
|
||||||
KEYGRIPS="$(gpg --with-keygrip --list-secret-keys $@ | grep Keygrip | awk '{print $3}')"
|
KEYGRIPS=$(gpg --with-keygrip --list-secret-keys "$@" | awk '/Keygrip/ { print $3 }')
|
||||||
for keygrip in $KEYGRIPS
|
for keygrip in $KEYGRIPS
|
||||||
do
|
do
|
||||||
rm "$HOME/.gnupg/private-keys-v1.d/$keygrip.key" 2> /dev/null
|
rm "$HOME/.gnupg/private-keys-v1.d/$keygrip.key" 2> /dev/null
|
||||||
|
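Review bot: The here-document on the unchanged line `$ cat >> ~/scripts/remove-keygrips.sh <<EOF` has an unquoted delimiter, so the new `(( $# ))` and `"$@"` are expanded by the shell that writes the file rather than by the script, and the `$(gpg --with-keygrip ...)` substitution runs at write time. Quote the delimiter (`<<'EOF'`) so the script body is stored verbatim. The `>>` also appends, so running the snippet twice duplicates the script; `>` would be safer here.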