Emphasize live distro to fix #45

pull/60/head
drduh 6 years ago committed by GitHub
parent a470da3af7
commit 25c8e23b8f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -4,8 +4,6 @@ An authentication key can also be created for SSH and used with [gpg-agent](http
Keys stored on a smartcard like YubiKey are non-exportable (as opposed to keys that are stored on disk) and are convenient for everyday use. Instead of having to remember and enter passphrases to unlock SSH/GPG keys, YubiKey needs only a physical touch after being unlocked with a PIN code - and all signing and encryption operations happen on the card, rather than in OS memory. Keys stored on a smartcard like YubiKey are non-exportable (as opposed to keys that are stored on disk) and are convenient for everyday use. Instead of having to remember and enter passphrases to unlock SSH/GPG keys, YubiKey needs only a physical touch after being unlocked with a PIN code - and all signing and encryption operations happen on the card, rather than in OS memory.
These instructions are current to Debian 9 using YubiKey 4 - with support for **4096 bit** RSA keys - in OTP+CCID mode, using GPG version 2.2. Note, older YubiKeys like the Neo are [limited](https://www.yubico.com/products/yubikey-hardware/compare-yubikeys/) to **2048 bit** RSA keys. Debian live install images are available from [here](https://www.debian.org/CD/live/) and are suitable for writing to USB drives.
Programming YubiKey for GPG keys still lets you use its two slots - [OTP](https://www.yubico.com/faq/what-is-a-one-time-password-otp/) and [static password](https://www.yubico.com/products/services-software/personalization-tools/static-password/) modes, for example. Programming YubiKey for GPG keys still lets you use its two slots - [OTP](https://www.yubico.com/faq/what-is-a-one-time-password-otp/) and [static password](https://www.yubico.com/products/services-software/personalization-tools/static-password/) modes, for example.
**New!** [Purse](https://github.com/drduh/Purse) is a password manager which can integrate with GPG on YubiKey. **New!** [Purse](https://github.com/drduh/Purse) is a password manager which can integrate with GPG on YubiKey.
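Review bot: dropping the "These instructions are current to Debian 9 ... GPG version 2.2" line from the introduction removes the only statement of scope (OS, YubiKey model, key size limit, GPG version) a reader sees before section 2; the same sentence reappears under "2. Install required software" in this commit, so the content survives, but consider leaving a one-line pointer in the intro ("see section 2 for supported versions") so readers skimming the top of the README still learn that older Neo keys are limited to 2048-bit RSA before they buy or program one.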
@ -67,7 +65,7 @@ If you have a comment or suggestion, please open an [issue](https://github.com/d
4.8 [OpenBSD](#48-openbsd) 4.8 [OpenBSD](#48-openbsd)
5. [Troubleshooting](#5-troubleshooting) 5. [Troubleshooting](#5-troubleshooting)
5.1 [Yubikey OTP Mode and cccccccc....](#51-yubikey-otp-mode-and-cccccccc) 5.1 [Yubikey OTP Mode and cccccccc....](#51-yubikey-otp-mode-and-cccccccc)
6. [References](#6-references) 6. [References and other work](#6-references-and-other-work)
# 1. Purchase YubiKey # 1. Purchase YubiKey
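Review bot: the table-of-contents entry is renamed to `6. [References and other work](#6-references-and-other-work)`, which changes the anchor target, but no hunk in this commit shows the section 6 heading itself being renamed from "References" to "References and other work"; unless that heading is changed in the same commit the TOC link will 404 on GitHub. Please confirm the heading was updated (or keep the old anchor `#6-references`).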
@ -77,11 +75,16 @@ Consider purchasing a pair (or more) and programming both in case of loss or dam
# 2. Install required software # 2. Install required software
These instructions are current to Debian 9 using YubiKey 4 - with support for **4096 bit** RSA keys - in OTP+CCID mode, using GPG version 2.2. Note, older YubiKeys like the Neo are [limited](https://www.yubico.com/products/yubikey-hardware/compare-yubikeys/) to **2048 bit** RSA keys.
For improved security, use a live GNU/Linux distribution like [Tails](https://tails.boum.org/index.en.html) or [Debian Live](https://www.debian.org/CD/live/) - with no connection to outgoing Internet.
## 2.1 Install - Linux ## 2.1 Install - Linux
You will need to install the following software: You will need to install the following software:
$ sudo apt-get install -y gnupg2 gnupg-agent pinentry-curses scdaemon pcscd yubikey-personalization libusb-1.0-0-dev $ sudo apt-get install -y \
gnupg2 gnupg-agent pinentry-curses scdaemon pcscd yubikey-personalization libusb-1.0-0-dev
You may also need to download and install more recent versions of [yubikey-personalization](https://developers.yubico.com/yubikey-personalization/Releases/) and [yubico-c](https://developers.yubico.com/yubico-c/Releases/): You may also need to download and install more recent versions of [yubikey-personalization](https://developers.yubico.com/yubikey-personalization/Releases/) and [yubico-c](https://developers.yubico.com/yubico-c/Releases/):
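Review bot: the newly added advice "with no connection to outgoing Internet" sits directly above `$ sudo apt-get install -y ...`, which needs network access to fetch packages; as written the two steps contradict each other. Suggest adding a sentence that packages (and the newer yubikey-personalization / yubico-c releases linked below) should be installed or downloaded first and the machine taken offline afterwards, before any key material is generated, or that a live image with the tooling pre-installed be used. Also, the `\` line-continuation on the `apt-get` command is a readability improvement, but note that the second line must not start with a space after the backslash in some copy-paste contexts; keeping it flush-left as in the hunk is fine.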
@ -376,7 +379,6 @@ Next, create an [encryption key](https://www.cs.cornell.edu/courses/cs5430/2015s
created: 2017-10-09 expires: never usage: E created: 2017-10-09 expires: never usage: E
[ultimate] (1). Dr Duh <doc@duh.to> [ultimate] (1). Dr Duh <doc@duh.to>
### 3.5c Authentication key ### 3.5c Authentication key
Finally, create an [authentication key](https://superuser.com/questions/390265/what-is-a-gpg-with-authenticate-capability-used-for). Finally, create an [authentication key](https://superuser.com/questions/390265/what-is-a-gpg-with-authenticate-capability-used-for).
@ -509,8 +511,7 @@ $ gpg --armor --export-secret-subkeys $KEYID > $GNUPGHOME/sub.key
The exported (primary) key will still have the passphrase in place. The exported (primary) key will still have the passphrase in place.
In addition to the backup below, you might want to keep a separate copy of the In addition to the backup below, you might want to keep a separate copy of the
revocation certificate in a safe place: revocation certificate in a safe place - `$GNUPGHOME/openpgp-revocs.d/<key fingerprint>.rev`
`$GNUPGHOME/openpgp-revocs.d/<key fingerprint>.rev`
### 3.7b Windows ### 3.7b Windows
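Review bot: folding the revocation certificate path into the sentence as "in a safe place - `$GNUPGHOME/openpgp-revocs.d/<key fingerprint>.rev`" leaves the sentence without terminal punctuation and reads awkwardly; suggest "in a safe place: `$GNUPGHOME/openpgp-revocs.d/<key fingerprint>.rev`." It is also worth stating that, since `$GNUPGHOME` is a temporary directory in this guide, the `.rev` file is lost when the live session ends unless it is copied out explicitly.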
@ -529,11 +530,11 @@ In addition to the back up detailed in the next step, you should note the locati
### 3.8a Linux/macOS ### 3.8a Linux/macOS
Once keys are moved to hardware, they cannot be extracted again (otherwise, what would be the point?), so make sure you have made an *encrypted* backup before proceeding. Once keys are moved to hardware, they cannot be extracted again, so make sure you have made an **encrypted** backup before proceeding.
Also consider using a [paper copy](http://www.jabberwocky.com/software/paperkey/) of the keys as an additional backup measure. Also consider using a [paper copy](http://www.jabberwocky.com/software/paperkey/) of the keys as an additional backup measure.
To create an encrypted USB drive, first attach it and check its label: To format and encrypt a USB drive on Linux, first attach it and check its label:
$ dmesg | tail $ dmesg | tail
[ 7667.607011] scsi8 : usb-storage 2-1:1.0 [ 7667.607011] scsi8 : usb-storage 2-1:1.0
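Review bot: the rewritten warning "Once keys are moved to hardware, they cannot be extracted again, so make sure you have made an **encrypted** backup before proceeding" would be stronger if it also told the reader to verify the backup (e.g. re-mount the encrypted drive and check the copied `$GNUPGHOME` is readable) before running `keytocard`, since an unverified backup offers no recovery once the local copy is deleted. The new lead-in "To format and encrypt a USB drive on Linux" is clearer than the old one and matches the section title.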
@ -552,7 +553,6 @@ Check the size to make sure it's the right drive:
Disk /dev/sde: 30 GiB, 32245809152 bytes, 62980096 sectors Disk /dev/sde: 30 GiB, 32245809152 bytes, 62980096 sectors
/dev/sde1 2048 62980095 62978048 30G 6 FAT16 /dev/sde1 2048 62980095 62978048 30G 6 FAT16
Erase and create a new partition table: Erase and create a new partition table:
$ sudo fdisk /dev/sde $ sudo fdisk /dev/sde
@ -628,7 +628,7 @@ Mount the filesystem:
$ sudo mkdir /mnt/usb $ sudo mkdir /mnt/usb
$ sudo mount /dev/mapper/encrypted-usb /mnt/usb $ sudo mount /dev/mapper/encrypted-usb /mnt/usb
Finally, copy files to it: Copy files to it:
$ sudo cp -avi $GNUPGHOME /mnt/usb $ sudo cp -avi $GNUPGHOME /mnt/usb
/tmp/tmp.aaiTTovYgo -> /mnt/usb/tmp.aaiTTovYgo /tmp/tmp.aaiTTovYgo -> /mnt/usb/tmp.aaiTTovYgo
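Review bot: the sample output shows `cp -avi $GNUPGHOME /mnt/usb` copying the keyring under its random mktemp name (`/mnt/usb/tmp.aaiTTovYgo`); the prose around this step could mention that the directory name differs on every run so readers restoring from backup later do not look for a fixed path. Changing "Finally, copy files to it" to "Copy files to it" is correct, since unmounting follows and this is no longer the final step.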
@ -643,14 +643,16 @@ Finally, copy files to it:
/tmp/tmp.aaiTTovYgo/pubring.gpg~ -> /mnt/usb/tmp.aaiTTovYgo/pubring.gpg~ /tmp/tmp.aaiTTovYgo/pubring.gpg~ -> /mnt/usb/tmp.aaiTTovYgo/pubring.gpg~
/tmp/tmp.aaiTTovYgo/pubring.gpg -> /mnt/usb/tmp.aaiTTovYgo/pubring.gpg /tmp/tmp.aaiTTovYgo/pubring.gpg -> /mnt/usb/tmp.aaiTTovYgo/pubring.gpg
Keep the backup mounted if you plan on setting up two or more keys (as `keytocard` will [delete](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html) the local copy on save), otherwise unmount and disconnected the encrypted USB drive: Keep the backup mounted if you plan on setting up two or more keys (as `keytocard` will [delete](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html) the local copy on save).
Otherwise unmount and disconnected the encrypted USB drive:
$ sudo umount /mnt/usb $ sudo umount /mnt/usb
$ sudo cryptsetup luksClose encrypted-usb $ sudo cryptsetup luksClose encrypted-usb
### 3.8b Windows ### 3.8b Windows
I recommend creating an encrypted flash drive or container using [VeraCrypt](https://www.veracrypt.fr/en/Downloads.html). Store your encrypted container on multiple flash drives/hard drives. You should also consider making a [paper copy](http://www.jabberwocky.com/software/paperkey/) of your keys. An encrypted flash drive or container can be made using [VeraCrypt](https://www.veracrypt.fr/en/Downloads.html).
## 3.9 Configure YubiKey ## 3.9 Configure YubiKey
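Review bot: the rewritten Windows paragraph drops the advice to "Store your encrypted container on multiple flash drives/hard drives" and the paper-copy recommendation, while the Linux section in this same commit still says "Also consider using a paper copy of the keys as an additional backup measure"; the two platforms should give the same redundancy guidance, so suggest keeping at least the multiple-copies sentence for Windows. Separately, the split sentence at "Otherwise unmount and disconnected the encrypted USB drive:" carries over a pre-existing typo; it should read "Otherwise unmount and disconnect the encrypted USB drive:".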
