@ -2,7 +2,7 @@ This is a practical guide to using [YubiKey](https://www.yubico.com/faq/yubikey/
An authentication key can also be created for SSH and used with [gpg-agent](https://unix.stackexchange.com/questions/188668/how-does-gpg-agent-work/188813#188813).
Keys stored on a smartcard like YubiKey seem more difficult to steal than ones stored on disk, and are convenient for everyday use.
Keys stored on a smartcard like YubiKey are more difficult to steal than ones stored on disk, and are convenient for everyday use.
Instructions written for Debian GNU/Linux 8 (jessie) using YubiKey 4 - with support for **4096 bit** RSA keys - in OTP+CCID mode, updated to GPG version 2.2.1. Some notes are included for macOS as well. Note, older YubiKeys like the Neo are limited to **2048 bit** RSA keys. Please see a comparison of the different YubiKeys [here](https://www.yubico.com/products/yubikey-hardware/compare-yubikeys/).
@ -14,70 +14,79 @@ Programming YubiKey for GPG keys still lets you use its two slots - [OTP](https:
If you have a comment or suggestion, please open an [issue](https://github.com/drduh/YubiKey-Guide/issues) on GitHub.
You may also need to download and install more recent versions of [yubikey-personalization](https://developers.yubico.com/yubikey-personalization/Releases/) and [yubico-c](https://developers.yubico.com/yubico-c/Releases/):
@ -137,30 +146,40 @@ You may also need to download and install more recent versions of [yubikey-perso
$ ./configure && make && sudo make install
$ sudo ldconfig
```
If on [Tails](https://tails.boum.org/), you also need to install libykpers-1-1 from the testing repository. This is a temporary fix suggested on a [securedrop issue](https://github.com/freedomofpress/securedrop/issues/1035):
```
$ sudo apt-get install -t testing libykpers-1-1
```
## Install - macOS
## 2.2 Install - macOS
You will need to install [Homebrew](https://brew.sh/) and the following brew packages:
Download and install [Gpg4Win](https://www.gpg4win.org/). If you are interested in
using your YubiKey for SSH authentication you should also install [PuTTY](https://putty.org).
Create a directory in `/tmp` which won't survive a [reboot](https://serverfault.com/questions/377348/when-does-tmp-get-cleared):
Skip to [3.3](#3.3-create-master-key)
# 3. Creating keys
## 3.1 Create temporary working directory for GPG
Create a directory in `/tmp` which won't survive a [reboot](https://serverfault.com/questions/377348/when-does-tmp-get-cleared):
```
$ export GNUPGHOME=$(mktemp -d) ; echo $GNUPGHOME
/tmp/tmp.aaiTTovYgo
```
## Create configuration
## 3.2 Create configuration
Paste the following [text](https://stackoverflow.com/questions/2500436/how-does-cat-eof-work-in-bash) into a terminal window to create a [recommended](https://github.com/drduh/config/blob/master/gpg.conf) GPG configuration:
@ -178,13 +197,16 @@ Paste the following [text](https://stackoverflow.com/questions/2500436/how-does-
verify-options show-uid-validity
with-fingerprint
EOF
```
## Create master key
## 3.3 Create master key
> A note on key expiry: setting an expiry essentially forces you to manage your subkeys and announces to the rest of the world that you are doing so. Setting an expiry on a primary key is ineffective for protecting the key from loss - whoever has the primary key can simply extend its expiry period. Revocation certificates are [better suited](https://security.stackexchange.com/questions/14718/does-openpgp-key-expiration-add-to-security/79386#79386) for this purpose. It may be appropriate for your use case to set expiry dates on subkeys.
> A note on security: for optimal security you should consider performing these actions on a bootable USB that you securely erase after completing the guide. Alternatively you should disable network connectivity on your computer and make sure you securely delete all secret keys and revocation certificates.
Generate a new key with GPG, selecting RSA (sign only) and the appropriate keysize:
> A note on key expiry: setting an expiry essentially forces you to manage your subkeys and announces to the rest of the world that you are doing so. Setting an expiry on a primary key is ineffective for protecting the key from loss - whoever has the primary key can simply extend its expiry period. Revocation certificates are [better suited](https://security.stackexchange.com/questions/14718/does-openpgp-key-expiration-add-to-security/79386#79386) for this purpose. It may be appropriate for your use case to set expiry dates on subkeys.
Generate a new key with GPG, selecting RSA (sign only) and the appropriate key-size:
```
% gpg --full-generate-key
gpg (GnuPG) 2.2.1; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
@ -208,7 +230,7 @@ Generate a new key with GPG, selecting RSA (sign only) and the appropriate keysi
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Dr Duh
@ -238,20 +260,21 @@ as you'll need it throughout.*
Note that as of [v2.1](https://www.gnupg.org/faq/whats-new-in-2.1.html#autorev), gpg automatically generates a revocation certificate.
## Save Key ID
### 3.4 Save Key ID
Export the key ID as a [variable](https://stackoverflow.com/questions/1158091/defining-a-variable-with-or-without-export/1158231#1158231) for use throughout:
```
$ export KEYID=0xFF3E7D88647EBCDB
## Create subkeys
```
### 3.5 Create subkeys
Note: If using a Yubikey 4, please use **4096 bit** as the size for the subkeys; if using a YubiKey Neo, please use **2048 bit** as the size for the subkeys.
Edit the key to add subkeys:
```
$ gpg --expert --edit-key $KEYID
Secret key is available.
@ -261,10 +284,11 @@ Edit the key to add subkeys:
trust: ultimate validity: ultimate
[ultimate] (1). Dr Duh <doc@duh.to>
### Signing key
First, create a [signing key](https://stackoverflow.com/questions/5421107/can-rsa-be-both-used-as-encryption-and-signature/5432623#5432623), selecting RSA (sign only):
### 3.5a Signing key
First, create a [signing key](https://stackoverflow.com/questions/5421107/can-rsa-be-both-used-as-encryption-and-signature/5432623#5432623), selecting RSA (sign only):
```
gpg> addkey
Key is protected.
@ -305,10 +329,11 @@ First, create a [signing key](https://stackoverflow.com/questions/5421107/can-rs
created: 2017-10-09 expires: never usage: S
[ultimate] (1). Dr Duh <doc@duh.to>
### Encryption key
Next, create an [encryption key](https://www.cs.cornell.edu/courses/cs5430/2015sp/notes/rsa_sign_vs_dec.php), selecting RSA (encrypt only):
### 3.5b Encryption key
Next, create an [encryption key](https://www.cs.cornell.edu/courses/cs5430/2015sp/notes/rsa_sign_vs_dec.php), selecting RSA (encrypt only):
```
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
@ -349,12 +374,14 @@ Next, create an [encryption key](https://www.cs.cornell.edu/courses/cs5430/2015s
created: 2017-10-09 expires: never usage: E
[ultimate] (1). Dr Duh <doc@duh.to>
### Authentication key
### 3.5c Authentication key
Finally, create an [authentication key](https://superuser.com/questions/390265/what-is-a-gpg-with-authenticate-capability-used-for).
GPG doesn't provide a 'RSA (authenticate only)' key type out of the box, so select 'RSA (set your own capabilities)' and toggle the required capabilities to end up with an Authenticate-only key:
```
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
@ -368,45 +395,45 @@ GPG doesn't provide a 'RSA (authenticate only)' key type out of the box, so sele
(12) ECC (encrypt only)
(13) Existing key
Your selection? 8
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? S
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? E
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions:
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions:
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? A
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
@ -440,7 +467,8 @@ GPG doesn't provide a 'RSA (authenticate only)' key type out of the box, so sele
gpg> save
## Check your work
## 3.6 Check your work
List your new secret keys:
@ -454,34 +482,48 @@ List your new secret keys:
ssb rsa4096/0x5912A795E90DD2CF 2017-10-09 [E]
ssb rsa4096/0x3F29127E79649A3D 2017-10-09 [A]
Verify with OpenPGP key checks:
Use the automated [key best practice checker](https://riseup.net/en/security/message-security/openpgp/best-practices#openpgp-key-checks):
If you're on Linux or macOS, use the automated [key best practice checker](https://riseup.net/en/security/message-security/openpgp/best-practices#openpgp-key-checks):
```
$ sudo apt-get install hopenpgp-tools
$ gpg --export $KEYID | hokey lint
```
$ sudo apt-get install hopenpgp-tools
$ gpg --export $KEYID | hokey lint
The output will display any problems with your key in red text. If everything is green, your key passes each of the tests. If it is red, your key has failed one of the tests.
>hokey may warn (orange text) about cross certification for the authentication key. GPG's [Signing Subkey Cross-Certification](https://gnupg.org/faq/subkey-cross-certify.html) documentation has more detail on cross certification, and gpg v2.2.1 notes "subkey <keyid> does not sign and so does not need to be cross-certified".
Please note that using any extension other than .gpg or attempting IO redirection to a file will garble your secret key, making it impossible to import it again at a later date.
The exported (primary) key will still have the passphrase in place.
In addition to the back up detailed in the next step, you should note the location of your revocation certificate from the terminal output and copy it to a secure location. Careful, anyone that has this certificate can revoke your key!
## 3.8 Backup everything
### 3.8a Linux/macOS
Once keys are moved to hardware, they cannot be extracted again (otherwise, what would be the point?), so make sure you have made an *encrypted* backup before proceeding.
@ -501,35 +543,34 @@ To create an encrypted USB drive, first attach it and check its label:
[ 7668.879514] sd 8:0:0:0: [sde] Attached SCSI removable disk
Check the size to make sure it's the right drive:
$ sudo fdisk -l | grep /dev/sde
Disk /dev/sde: 30 GiB, 32245809152 bytes, 62980096 sectors
/dev/sde1 2048 62980095 62978048 30G 6 FAT16
Erase and create a new partition table:
$ sudo fdisk /dev/sde
Welcome to fdisk (util-linux 2.25.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help): o
Created a new DOS disklabel with disk identifier 0xeac7ee35.
Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
Remove and reinsert the USB drive, then create a new partition, selecting defaults::
Remove and reinsert the USB drive, then create a new partition, selecting defaults:
$ sudo fdisk /dev/sde
Welcome to fdisk (util-linux 2.25.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help): n
Partition type
p primary (0 primary, 0 extended, 4 free)
@ -538,7 +579,7 @@ Remove and reinsert the USB drive, then create a new partition, selecting defaul
Partition number (1-4, default 1): 1
First sector (2048-62980095, default 2048):
Last sector, +sectors or +size{K,M,G,T,P} (2048-62980095, default 62980095):
Created a new partition 1 of type 'Linux' and of size 30 GiB.
Command (m for help): w
The partition table has been altered.
@ -548,42 +589,39 @@ Remove and reinsert the USB drive, then create a new partition, selecting defaul
Use [LUKS](https://askubuntu.com/questions/97196/how-secure-is-an-encrypted-luks-filesystem) to encrypt the new partition:
$ sudo cryptsetup luksFormat /dev/sde1
WARNING!
========
This will overwrite data on /dev/sde1 irrevocably.
Keep the backup mounted if you plan on setting up two or more keys (as `keytocard` will [delete](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html) the local copy on save), otherwise unmount and disconnected the encrypted USB drive:
$ sudo umount /mnt/usb
$ sudo cryptsetup luksClose encrypted-usb
## Configure YubiKey
### 3.8b Windows
I recommend creating an encrypted flash drive or container using [VeraCrypt](https://www.veracrypt.fr/en/Downloads.html). Store your encrypted container on multiple flash drives/hard drives. You should also consider making a [paper copy](http://www.jabberwocky.com/software/paperkey/) of your keys.
## 3.9 Configure YubiKey
### 3.9a Linux/macOS
YubiKey NEOs shipped after November 2015 have [all modes enabled](https://www.yubico.com/support/knowledge-base/categories/articles/yubikey-neo-manager/), skip to the next step.
Older versions of the YubiKey NEO may need to be reconfigured as a composite USB device (HID + CCID) which allows OTPs to be emitted while in use as a smart card.
Plug in your YubiKey and configure it:
$ ykpersonalize -m82
Firmware version 4.2.7 Touch level 527 Program sequence 4
@ -623,10 +665,13 @@ Plug in your YubiKey and configure it:
Optionally, it may be uploaded to a [public keyserver](https://debian-administration.org/article/451/Submitting_your_GPG_key_to_a_keyserver):
$ gpg --send-key $KEYID
@ -858,13 +912,21 @@ Optionally, it may be uploaded to a [public keyserver](https://debian-administra
After a little while, it ought to propagate to [other](https://pgp.key-server.io/pks/lookup?search=doc%40duh.to&fingerprint=on&op=vindex) [servers](https://pgp.mit.edu/pks/lookup?search=doc%40duh.to&op=index).
## Finish
## 3.14 Finish
If all went well, you should now reboot or [securely delete](http://srm.sourceforge.net/) `$GNUPGHOME`.
# Using keys
If you are using Windows, the easiest way to remove the secret keys is to purge them from your GPG keyring.
$ gpg --delete-secret-key $KEYID
## Create GPG configuration
Make sure you backup up your key prior to doing this as the action is irreversible. You may also want to consider securely deleting the revocation certificate from your hard drive.
# 4. Using keys
## 4.1 Create GPG configuration
**Skip this section if you are on Windows**
Paste the following text into a terminal window to create a [recommended](https://github.com/drduh/config/blob/master/gpg.conf) GPG configuration:
@ -895,7 +957,7 @@ Ensure you change to correct rights of that file to at least avoid a warning mes
chmod 600 ~/.gnupg/gpg.conf
## Import public key
## 4.2 Import public key
Import it from a file:
@ -913,13 +975,11 @@ Or download from a keyserver:
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
You may get an error `gpgkeys: HTTP fetch error 1: unsupported protocol` -- this means you need to install a special version of curl which supports gnupg:
**Linux/macOS:** You may get an error `gpgkeys: HTTP fetch error 1: unsupported protocol` -- this means you need to install a special version of curl which supports gnupg:
```
$ sudo apt-get install gnupg-curl
```
## Insert YubiKey
## 4.3 Insert YubiKey
Unplug and replug the Yubikey. Check the card's status:
@ -957,9 +1017,9 @@ Unplug and replug the Yubikey. Check the card's status:
**Note** If you see `General key info..: [none]` in the output instead, first import your public key using the previous step.
## GnuPG
## 4.4 GnuPG
### Trust master key
### 4.4a Trust master key
Edit the imported key to assign it ultimate trust:
@ -1006,10 +1066,13 @@ Edit the imported key to assign it ultimate trust:
gpg> quit
### Encryption
### 4.4b Encryption
Encrypt some sample text:
**Note for Windows users:**
Replace `echo "$(uname -a)"` with `echo "Test123"`
Paste the following text into a terminal window to create a [recommended](https://github.com/drduh/config/blob/master/gpg-agent.conf) GPG agent configuration:
@ -1148,7 +1212,7 @@ Paste the following text into a terminal window to create a [recommended](https:
If you are using Linux on the desktop, you may want to use `/usr/bin/pinentry-gnome3` to use a GUI manager. For macOS, try `brew install pinentry-mac`, and adjust the `pinentry-program` setting to suit.
### Replace ssh-agent with gpg-agent
### 4.5b Replace ssh-agent with gpg-agent
[gpg-agent](https://wiki.archlinux.org/index.php/GnuPG#SSH_agent) provides OpenSSH agent emulation. To launch the agent for use by ssh use the `gpg-connect-agent /bye` or `gpgconf --launch gpg-agent` commands.
@ -1157,21 +1221,21 @@ Depending on how your environment is set up, you might need to add these to your
There is a `-L` option of `ssh-add` that lists public key parameters of all identities currently represented by the agent. Copy and paste the following output to the server authorized_keys file:
#### (Optional) Save public key for identity file configuration
If `IdentitiesOnly yes` is used in your `.ssh/config` (for example [to avoid being fingerprinted by untrusted ssh servers](https://blog.filippo.io/ssh-whoami-filippo-io/)), `ssh` will not automatically enumerate public keys loaded into `ssh-agent` or `gpg-agent`. This means `publickey` authentication will not proceed unless explicitly named by `ssh -i [identity_file]` or in `.ssh/config` on a per-host basis.
@ -1180,6 +1244,7 @@ In the case of Yubikey usage, you do not have access to the private key, and `id
Then, you can explicitly associate this Yubikey-stored key for used with the domain `github.com` (for example) as follows:
$ cat <<EOF>> ~/.ssh/config
@ -1187,7 +1252,8 @@ Then, you can explicitly associate this Yubikey-stored key for used with the dom
IdentityFile ~/.ssh/id_rsa_yubikey.pub
EOF
### Connect with public key authentication
### 4.5d Connect with public key authentication
$ ssh git@github.com -vvv
[...]
@ -1208,9 +1274,59 @@ Then, you can explicitly associate this Yubikey-stored key for used with the dom
debug1: Authentication succeeded (publickey).
[...]
**Note** To make multiple connections or securely transfer many files, consider using the [ControlMaster](https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing) ssh option. Also see [drduh/config/ssh_config](https://github.com/drduh/config/blob/master/ssh_config).
## Requiring touch to authenticate
## 4.6 SSH - Windows
Begin by exporting your SSH key from GPG:
$ gpg --export-ssh-key $USERID
Copy this key to a file and keep it for later use. It represents the public SSH key corresponding to the secret key on your YubiKey. You can upload this key to any server you wish to SSH into.
To authenticate SSH sessions via our YubiKey we need to enable Gpg4Win's PuTTY integration. Create a file named `gpg-agent.conf` and place it in the directory `C:\%APPDATA%\gnupg`.
The file should contain the line `enable-putty-support`.
Then, open a terminal and run the following commands:
> gpg-connect-agent killagent /bye
> gpg-connect-agent /bye
Create a shortcut that points to `gpg-connect-agent /bye` and place it in your startup folder to make sure the agent starts after a system shutdown.
Now you can use PuTTY for public key SSH authentication. When the server asks for publickey verification, PuTTY will foward the request to GPG, whcih will prompt you for your PIN and authorize the login using your YubiKey.
### 4.6a GitHub
You can use your YubiKey to sign GitHub commits and tags. It can also be used for GitHub SSH authentication, allowing you to push, pull, and commit without your GitHub password.
Log into GitHub and upload your SSH and PGP public keys.
#### Signing
Then run the following commands:
> git config --global user.singingkey $KEYID
Make sure your user.email option matches the email associated with your PGP identity.
Now, to sign commits or tags simply use the `-S` option. GPG will automatically query your YubiKey and prompt you for your PIN.
`git@github.com:USERNAME/repository`. Any authenticated commands will be authorized by your YubiKey.
**Note:** If you encounter the error `gpg: signing failed: No secret key`, run `gpg --card-status` with your YubiKey plugged in and try the git command again.
## 4.7 Requiring touch to authenticate
Note: this is only possible on the Yubikey 4 line.
By default the Yubikey will perform key operations without requiring a touch from the user. To require a touch for every SSH connection, use the [Yubikey Manager](https://developers.yubico.com/yubikey-manager/) (you'll need the Admin PIN):
@ -1223,11 +1339,11 @@ To require a touch for the signing and encrypting keys as well:
The Yubikey will blink when it's waiting for the touch.
### OpenBSD
### 4.8 OpenBSD
On OpenBSD, you will need to install `pcsc-tools` and enable with `sudo rcctl enable pcscd`, then reboot in order to recognize the key.
# Troubleshooting
# 5. Troubleshooting
- If you don't understand some option, read `man gpg`.
@ -1253,11 +1369,11 @@ On OpenBSD, you will need to install `pcsc-tools` and enable with `sudo rcctl en
- If you totally screw up, you can [reset the card](https://developers.yubico.com/ykneo-openpgp/ResetApplet.html).
## Yubikey OTP Mode and cccccccc....
## 5.1 Yubikey OTP Mode and cccccccc....
The Yubikey has two configurations, one invoked with a short press, and the other with a long press. By default the short-press mode is configured for HID OTP - a brief touch will emit an OTP string starting with `cccccccc`. If you rarely use the OTP mode, you can swap it to the second configuration via the Yubikey Personalization tool. If you *never* use OTP, you can disable it entirely using the [Yubikey Manager](https://developers.yubico.com/yubikey-manager) application (note, this not the similarly named Yubikey NEO Manager).
drduh
6 years ago
committed by