From 1c16d968e9e1174204071d80fcf161029a022ae2 Mon Sep 17 00:00:00 2001
From: drduh <drduh@users.noreply.github.com>
Date: Mon, 25 Apr 2016 17:49:51 +0000
Subject: [PATCH] Add encrypted USB backup instructions, grammar fixes

---
 README.md | 133 ++++++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 110 insertions(+), 23 deletions(-)

diff --git a/README.md b/README.md
index 251d8a9..65b6daa 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ Instructions written on Debian GNU/Linux 8 (jessie) using YubiKey 4 in OTP+CCID
 
 Debian live install images are available from [here](https://www.debian.org/CD/live/) and are suitable for writing to USB keys.
 
-If you have a comment or suggestion, please open an issue on GitHub.
+If you have a comment or suggestion, please open an [issue](https://github.com/drduh/YubiKey-Guide/issues) on GitHub.
 
 - [Purchase YubiKey](#purchase-yubikey)
 - [Install required software](#install-required-software)
@@ -59,7 +59,7 @@ https://www.yubico.com/store/
 
 https://www.amazon.com/Yubico/b/ref=bl_dp_s_web_10358012011?ie=UTF8&node=10358012011
 
-Consider purchasing a pair and programming both in case of loss or damage.
+Consider purchasing a pair and programming both in case of loss or damage to oneof them.
 
 # Install required software
 
@@ -94,9 +94,6 @@ Consider purchasing a pair and programming both in case of loss or damage.
 ## Create master key
 
     $ gpg --gen-key
-    gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
-    This is free software: you are free to change and redistribute it.
-    There is NO WARRANTY, to the extent permitted by law.
 
     Please select what kind of key you want:
        (1) RSA and RSA (default)
@@ -191,10 +188,6 @@ Consider purchasing a pair and programming both in case of loss or damage.
 
     $ gpg --expert --edit-key 0x47FE984F98EE7407
 
-    gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
-    This is free software: you are free to change and redistribute it.
-    There is NO WARRANTY, to the extent permitted by law.
-
     Secret key is available.
 
     pub  4096R/0x47FE984F98EE7407  created: 2016-01-30  expires: never       usage: SC
@@ -404,9 +397,108 @@ Consider purchasing a pair and programming both in case of loss or damage.
     
 ## Back up everything
 
-Once keys are moved to hardware, they cannot be extracted again (otherwise, what would be the point?), so make sure you have made a backup before proceeding.
+Once keys are moved to hardware, they cannot be extracted again (otherwise, what would be the point?), so make sure you have made an *encrypted* backup before proceeding.
+
+To use a USB drive, attach it and check its label:
+
+    $ dmesg | tail
+    [ 7667.607011] scsi8 : usb-storage 2-1:1.0
+    [ 7667.608766] usbcore: registered new interface driver usb-storage
+    [ 7668.874016] scsi 8:0:0:0: USB 0: 0 ANSI: 6
+    [ 7668.874242] sd 8:0:0:0: Attached scsi generic sg4 type 0
+    [ 7668.874682] sd 8:0:0:0: [sde] 62980096 512-byte logical blocks: (32.2 GB/30.0 GiB)
+    [ 7668.875022] sd 8:0:0:0: [sde] Write Protect is off
+    [ 7668.875023] sd 8:0:0:0: [sde] Mode Sense: 43 00 00 00
+    [ 7668.877939]  sde: sde1
+    [ 7668.879514] sd 8:0:0:0: [sde] Attached SCSI removable disk
+
+Check the size to make sure it's the right drive:
+
+    $ sudo fdisk -l | grep /dev/sde
+    Disk /dev/sde: 30 GiB, 32245809152 bytes, 62980096 sectors
+    /dev/sde1        2048 62980095 62978048  30G  6 FAT16
+
+Erase and create a new partition table:
+
+    $ sudo fdisk /dev/sde
+    
+    Welcome to fdisk (util-linux 2.25.2).
+    Changes will remain in memory only, until you decide to write them.
+    Be careful before using the write command.
+    
+    Command (m for help): o
+    Created a new DOS disklabel with disk identifier 0xeac7ee35.
+    
+    Command (m for help): w
+    The partition table has been altered.
+    Calling ioctl() to re-read partition table.
+    Syncing disks.
+
+Remove and reinsert the USB drive, then create a new partition:
+
+    $ sudo fdisk /dev/sde
+    
+    Welcome to fdisk (util-linux 2.25.2).
+    Changes will remain in memory only, until you decide to write them.
+    Be careful before using the write command.
+    
+    Command (m for help): n
+    Partition type
+       p   primary (0 primary, 0 extended, 4 free)
+       e   extended (container for logical partitions)
+    Select (default p): p
+    Partition number (1-4, default 1): 1
+    First sector (2048-62980095, default 2048):
+    Last sector, +sectors or +size{K,M,G,T,P} (2048-62980095, default 62980095):
+    
+    Created a new partition 1 of type 'Linux' and of size 30 GiB.
+    Command (m for help): w
+    The partition table has been altered.
+    Calling ioctl() to re-read partition table.
+    Syncing disks.
+
+Use LUKS to encrypt the new partition:
+
+    $ sudo cryptsetup luksFormat /dev/sde1
+    
+    WARNING!
+    ========
+    This will overwrite data on /dev/sde1 irrevocably.
+    
+    Are you sure? (Type uppercase yes): YES
+    Enter passphrase:
+    Verify passphrase:
+
+Mount the partition and create a filesystem:
+
+    $ sudo cryptsetup luksOpen /dev/sde1 encrypted-usb
+    Enter passphrase for /dev/sde1:
+    
+    $ sudo mkfs.ext4 /dev/mapper/encrypted-usb -L encrypted-usb
+    mke2fs 1.42.12 (29-Aug-2014)
+    Creating filesystem with 7871744 4k blocks and 1970416 inodes
+    Superblock backups stored on blocks:
+            32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
+            4096000
+    
+    Allocating group tables: done
+    Writing inode tables: done
+    Creating journal (32768 blocks): done
+    Writing superblocks and filesystem accounting information: done
+
+Mount the filesystem:
+
+    $ sudo mkdir /mnt/usb
+    $ sudo mount /dev/mapper/encrypted-usb /mnt/usb
+
+Finally, copy files to it:
+
+    $ sudo cp -avi $GNUPGHOME /mnt/usb
+
+Make sure the files were copied, then disconnected the USB drive:
 
-    $ cp -avi $GNUPGHOME /mnt/offline-encrypted-usb/backup/
+    $ sudo umount /mnt/usb
+    $ sudo cryptsetup luksClose encrypted-usb
 
 ## Configure YubiKey
 
@@ -417,7 +509,7 @@ Once keys are moved to hardware, they cannot be extracted again (otherwise, what
 
     Commit? (y/n) [n]: y
 
->The -m option is the mode command. To see the different modes, enter ykpersonalize –help. Mode 82 (in hex) enables the YubiKey NEO as a composite USB device (HID + CCID) and allows OTPs to be emitted while in use as a smart card.  Once you have changed the mode, you need to re-boot the YubiKey – so remove and re-insert it.
+> The -m option is the mode command. To see the different modes, enter ykpersonalize –help. Mode 82 (in hex) enables the YubiKey NEO as a composite USB device (HID + CCID) and allows OTPs to be emitted while in use as a smart card.  Once you have changed the mode, you need to re-boot the YubiKey – so remove and re-insert it.
 
 https://www.yubico.com/2012/12/yubikey-neo-openpgp/
 
@@ -448,7 +540,7 @@ https://www.yubico.com/2012/12/yubikey-neo-openpgp/
 
 ### Change PINs
 
-The default PIN codes are `12345678` and `123456`.
+The default PIN codes are `12345678` and `123456`
 
     gpg/card> admin
     Admin commands are allowed
@@ -526,12 +618,9 @@ The default PIN codes are `12345678` and `123456`.
 
 ## Transfer keys
 
-This is a one-way operation only. Make sure you've made a backup before proceeding!
+Transfering keys to YubiKey is a one-way operation only: make sure you've made a backup before proceeding!
 
     $ gpg --edit-key 0x47FE984F98EE7407
-    gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
-    This is free software: you are free to change and redistribute it.
-    There is NO WARRANTY, to the extent permitted by law.
 
     Secret key is available.
 
@@ -588,7 +677,7 @@ This is a one-way operation only. Make sure you've made a backup before proceedi
 
 ### Encryption key
 
-Type `key 1` again to deselect and switch to the next key.
+Type `key 1` again to deselect and `key 2` to switch to the next key.
 
     gpg> key 1
 
@@ -738,9 +827,6 @@ Type `key 1` again to deselect and switch to the next key.
 ## Trust master key
 
     $ gpg --edit-key 0x47FE984F98EE7407
-    gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
-    This is free software: you are free to change and redistribute it.
-    There is NO WARRANTY, to the extent permitted by law.
 
     Secret key is available.
 
@@ -818,7 +904,7 @@ Type `key 1` again to deselect and switch to the next key.
 
 ### Encryption/decryption
 
-    $ echo "$(uname -a)" | gpg --encrypt --armor -r 0x47FE984F98EE7407 | gpg --debug --decrypt --armor
+    $ echo "$(uname -a)" | gpg --encrypt --armor -r 0x47FE984F98EE7407 | gpg --decrypt --armor
 
     Please enter the PIN
     gpg: encrypted with 4096-bit RSA key, ID 0x39988E0390CB4B0C, created 2016-01-30
@@ -889,8 +975,9 @@ Type `key 1` again to deselect and switch to the next key.
 
 - Don't write to drduh@users.noreply.github.com, open an issue on GitHub instead.
 - Programming YubiKey for GPG keys still lets you use its two slots - OTP and static password modes, for example.
+- If you encounter problems, simply try unplugging and re-inserting your YubiKey, and restarting the `gpg-agent` process.
 - ECC may be preferred to RSA 4096, but the 1.4.x branch of GnuPG does not support it.
-- If you encounter problems, try unplugging and re-inserting your YubiKey. Also try installing and using GnuPG 2.x (`sudo apt-get install gnupg2` and `gpg2`)
+- Try installing and using the newer, more feature-rich [GnuPG 2.x](https://superuser.com/questions/655246/are-gnupg-1-and-gnupg-2-compatible-with-each-other) with `sudo apt-get install gnupg2`
 
 # References