From 25c8e23b8f6bf87e237c408abdf5531fa5b32df0 Mon Sep 17 00:00:00 2001
From: drduh <doc@duh.to>
Date: Sat, 16 Jun 2018 14:06:45 -0700
Subject: [PATCH] Emphasize live distro to fix #45

---
 README.md | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index 6cc8148..578a316 100644
--- a/README.md
+++ b/README.md
@@ -4,8 +4,6 @@ An authentication key can also be created for SSH and used with [gpg-agent](http
 
 Keys stored on a smartcard like YubiKey are non-exportable (as opposed to keys that are stored on disk) and are convenient for everyday use. Instead of having to remember and enter passphrases to unlock SSH/GPG keys, YubiKey needs only a physical touch after being unlocked with a PIN code - and all signing and encryption operations happen on the card, rather than in OS memory.
 
-These instructions are current to Debian 9 using YubiKey 4 - with support for **4096 bit** RSA keys - in OTP+CCID mode, using GPG version 2.2. Note, older YubiKeys like the Neo are [limited](https://www.yubico.com/products/yubikey-hardware/compare-yubikeys/) to **2048 bit** RSA keys. Debian live install images are available from [here](https://www.debian.org/CD/live/) and are suitable for writing to USB drives.
-
 Programming YubiKey for GPG keys still lets you use its two slots - [OTP](https://www.yubico.com/faq/what-is-a-one-time-password-otp/) and [static password](https://www.yubico.com/products/services-software/personalization-tools/static-password/) modes, for example.
 
 **New!** [Purse](https://github.com/drduh/Purse) is a password manager which can integrate with GPG on YubiKey.
@@ -67,7 +65,7 @@ If you have a comment or suggestion, please open an [issue](https://github.com/d
   4.8 [OpenBSD](#48-openbsd)  
 5. [Troubleshooting](#5-troubleshooting)  
   5.1 [Yubikey OTP Mode and cccccccc....](#51-yubikey-otp-mode-and-cccccccc)  
-6. [References](#6-references)  
+6. [References and other work](#6-references-and-other-work)  
 
 # 1. Purchase YubiKey
 
@@ -77,11 +75,16 @@ Consider purchasing a pair (or more) and programming both in case of loss or dam
 
 # 2. Install required software
 
+These instructions are current to Debian 9 using YubiKey 4 - with support for **4096 bit** RSA keys - in OTP+CCID mode, using GPG version 2.2. Note, older YubiKeys like the Neo are [limited](https://www.yubico.com/products/yubikey-hardware/compare-yubikeys/) to **2048 bit** RSA keys.
+
+For improved security, use a live GNU/Linux distribution like [Tails](https://tails.boum.org/index.en.html) or [Debian Live](https://www.debian.org/CD/live/) - with no connection to outgoing Internet.
+
 ## 2.1 Install - Linux
 
 You will need to install the following software:
 
-    $ sudo apt-get install -y gnupg2 gnupg-agent pinentry-curses scdaemon pcscd yubikey-personalization libusb-1.0-0-dev
+    $ sudo apt-get install -y \
+        gnupg2 gnupg-agent pinentry-curses scdaemon pcscd yubikey-personalization libusb-1.0-0-dev
 
 You may also need to download and install more recent versions of [yubikey-personalization](https://developers.yubico.com/yubikey-personalization/Releases/) and [yubico-c](https://developers.yubico.com/yubico-c/Releases/):
 
@@ -376,7 +379,6 @@ Next, create an [encryption key](https://www.cs.cornell.edu/courses/cs5430/2015s
         created: 2017-10-09  expires: never       usage: E   
     [ultimate] (1). Dr Duh <doc@duh.to>
 
-
 ### 3.5c Authentication key
 
 Finally, create an [authentication key](https://superuser.com/questions/390265/what-is-a-gpg-with-authenticate-capability-used-for).
@@ -509,8 +511,7 @@ $ gpg --armor --export-secret-subkeys $KEYID > $GNUPGHOME/sub.key
 The exported (primary) key will still have the passphrase in place.
 
 In addition to the backup below, you might want to keep a separate copy of the
-revocation certificate in a safe place:
-`$GNUPGHOME/openpgp-revocs.d/<key fingerprint>.rev`
+revocation certificate in a safe place - `$GNUPGHOME/openpgp-revocs.d/<key fingerprint>.rev`
 
 ### 3.7b Windows
 
@@ -529,11 +530,11 @@ In addition to the back up detailed in the next step, you should note the locati
 
 ### 3.8a Linux/macOS
 
-Once keys are moved to hardware, they cannot be extracted again (otherwise, what would be the point?), so make sure you have made an *encrypted* backup before proceeding.
+Once keys are moved to hardware, they cannot be extracted again, so make sure you have made an **encrypted** backup before proceeding.
 
 Also consider using a [paper copy](http://www.jabberwocky.com/software/paperkey/) of the keys as an additional backup measure.
 
-To create an encrypted USB drive, first attach it and check its label:
+To format and encrypt a USB drive on Linux, first attach it and check its label:
 
     $ dmesg | tail
     [ 7667.607011] scsi8 : usb-storage 2-1:1.0
@@ -552,7 +553,6 @@ Check the size to make sure it's the right drive:
     Disk /dev/sde: 30 GiB, 32245809152 bytes, 62980096 sectors
     /dev/sde1        2048 62980095 62978048  30G  6 FAT16
 
-
 Erase and create a new partition table:
 
     $ sudo fdisk /dev/sde
@@ -628,7 +628,7 @@ Mount the filesystem:
     $ sudo mkdir /mnt/usb
     $ sudo mount /dev/mapper/encrypted-usb /mnt/usb
 
-Finally, copy files to it:
+Copy files to it:
 
     $ sudo cp -avi $GNUPGHOME /mnt/usb
     ‘/tmp/tmp.aaiTTovYgo’ -> ‘/mnt/usb/tmp.aaiTTovYgo’
@@ -643,14 +643,16 @@ Finally, copy files to it:
     ‘/tmp/tmp.aaiTTovYgo/pubring.gpg~’ -> ‘/mnt/usb/tmp.aaiTTovYgo/pubring.gpg~’
     ‘/tmp/tmp.aaiTTovYgo/pubring.gpg’ -> ‘/mnt/usb/tmp.aaiTTovYgo/pubring.gpg’
 
-Keep the backup mounted if you plan on setting up two or more keys (as `keytocard` will [delete](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html) the local copy on save), otherwise unmount and disconnected the encrypted USB drive:
+Keep the backup mounted if you plan on setting up two or more keys (as `keytocard` will [delete](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html) the local copy on save).
+
+Otherwise unmount and disconnected the encrypted USB drive:
 
     $ sudo umount /mnt/usb
     $ sudo cryptsetup luksClose encrypted-usb
 
 ### 3.8b Windows
 
-I recommend creating an encrypted flash drive or container using [VeraCrypt](https://www.veracrypt.fr/en/Downloads.html). Store your encrypted container on multiple flash drives/hard drives. You should also consider making a [paper copy](http://www.jabberwocky.com/software/paperkey/) of your keys.
+An encrypted flash drive or container can be made using [VeraCrypt](https://www.veracrypt.fr/en/Downloads.html).
 
 ## 3.9 Configure YubiKey