See [OpenBSD FAQ#14](https://www.openbsd.org/faq/faq14.html#softraidCrypto) for more information.
# Export public keys
# Export public key
**Important** Without the *public* key, it will **not** be possible to use GnuPG to encrypt, decrypt, nor sign messages. However, YubiKey may still be used for SSH authentication.
**Important** Without the public key, it will **not** be possible to use GnuPG to decrypt and sign messages. However, YubiKey can still be used for SSH authentication.
Create another partition on the portable storage device to store the public key, or reconnect networking and upload to a key server.
@ -1183,29 +1182,7 @@ gpg/card> quit
Insert YubiKey and use GnuPG to configure it:
```console
$ gpg --card-edit
Reader ...........: Yubico Yubikey 4 OTP U2F CCID
Application ID ...: D2760001240102010006055532110000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 05553211
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
gpg --card-edit
```
Enter administrative mode:
@ -1314,17 +1291,19 @@ gpg/card> quit
**Important** Transferring keys to YubiKey is a one-way operation. Verify backups were made before proceeding. `keytocard` converts the local, on-disk key into a stub, which means the on-disk copy is no longer usable to transfer to subsequent YubiKeys.
The currently selected key(s) are indicated with an `*`. When transferring keys, only one subkey should be selected at a time.
The currently selected key(s) are indicated with an `*`.
When transferring keys, only one subkey should be selected at a time.
```console
gpg --edit-key $KEYID
```
The Certify key passphrase and Admin PIN will be prompted.
The Certify key passphrase and Admin PIN are required to transfer keys.
## Signature key
Select and transfer the Signature key - `*` will appear next to the selected subkey (`ssb*`):
Type `key 1` to select the first key and `keytocard` to transfer it, then `1` as the destination:
```console
gpg> key 1
@ -1349,7 +1328,7 @@ Your selection? 1
## Encryption key
Type `key 1` again to deselect the first key and `key 2` to select the next key:
Type `key 1` again to deselect the first key and `key 2` to select the next key, then `keytocard` to transfer it, then `2` as the destination:
```console
gpg> key 1
@ -1375,7 +1354,7 @@ Your selection? 2
## Authentication key
Type `key 2` again to deselect the second key and `key 3` to select the third key:
Type `key 2` again to deselect the second key and `key 3` to select the third key, then `keytocard` to transfer it, then `3` as the destination:
```console
gpg> key 2
@ -2031,7 +2010,7 @@ For example, tmux does not have environment variables such as `$SSH_AUTH_SOCK` w
### Use ssh-agent
You should now be able to use `ssh -A remote` on the _local_ host to log into _remote_ host, and should then be able to use YubiKey as if it were connected to the remote host. For example, using e.g. `ssh-add -l` on that remote host should show the public key from the YubiKey (note `cardno:`). (If you don't want to have to remember to use `ssh -A`, you can use `ForwardAgent yes` in `~/.ssh/config`. As a security best practice, always use `ForwardAgent yes` only for a single `Hostname`, never for all servers.)
You should now be able to use `ssh -A remote` on the _local_ host to log into _remote_ host, and should then be able to use YubiKey as if it were connected to the remote host. For example, using e.g. `ssh-add -l` on that remote host will show the public key from the YubiKey (`cardno:`). Always use `ForwardAgent yes` only for a single host, never for all servers.
drduh
3 months ago