mirror of
https://github.com/drduh/YubiKey-Guide.git
synced 2024-11-22 15:28:06 +00:00
explicit keytocard instructions
This commit is contained in:
parent
0b24d77c18
commit
29563423c1
47
README.md
47
README.md
@ -33,7 +33,7 @@ To suggest an improvement, please send a pull request or open an [issue](https:/
|
|||||||
- [Export secret keys](#export-secret-keys)
|
- [Export secret keys](#export-secret-keys)
|
||||||
- [Revocation certificate](#revocation-certificate)
|
- [Revocation certificate](#revocation-certificate)
|
||||||
- [Backup](#backup)
|
- [Backup](#backup)
|
||||||
- [Export public keys](#export-public-keys)
|
- [Export public key](#export-public-key)
|
||||||
- [Configure YubiKey](#configure-yubikey)
|
- [Configure YubiKey](#configure-yubikey)
|
||||||
* [Enable KDF](#enable-kdf)
|
* [Enable KDF](#enable-kdf)
|
||||||
* [Change PIN](#change-pin)
|
* [Change PIN](#change-pin)
|
||||||
@ -822,10 +822,9 @@ List available secret keys:
|
|||||||
gpg -K
|
gpg -K
|
||||||
```
|
```
|
||||||
|
|
||||||
The output should display Certify, Signature, Encryption and Authentication keys, for example:
|
The output will display Certify, Signature, Encryption and Authentication keys, for example:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
---------------------------------------
|
|
||||||
sec rsa4096/0xF0F2CFEB04341FB5 2024-01-01 [C]
|
sec rsa4096/0xF0F2CFEB04341FB5 2024-01-01 [C]
|
||||||
Key fingerprint = 4E2C 1FA3 372C BA96 A06A C34A F0F2 CFEB 0434 1FB5
|
Key fingerprint = 4E2C 1FA3 372C BA96 A06A C34A F0F2 CFEB 0434 1FB5
|
||||||
uid [ultimate] YubiKey User <yubikey@example>
|
uid [ultimate] YubiKey User <yubikey@example>
|
||||||
@ -1071,9 +1070,9 @@ doas bioctl -d sd3
|
|||||||
|
|
||||||
See [OpenBSD FAQ#14](https://www.openbsd.org/faq/faq14.html#softraidCrypto) for more information.
|
See [OpenBSD FAQ#14](https://www.openbsd.org/faq/faq14.html#softraidCrypto) for more information.
|
||||||
|
|
||||||
# Export public keys
|
# Export public key
|
||||||
|
|
||||||
**Important** Without the *public* key, it will **not** be possible to use GnuPG to encrypt, decrypt, nor sign messages. However, YubiKey may still be used for SSH authentication.
|
**Important** Without the public key, it will **not** be possible to use GnuPG to decrypt and sign messages. However, YubiKey can still be used for SSH authentication.
|
||||||
|
|
||||||
Create another partition on the portable storage device to store the public key, or reconnect networking and upload to a key server.
|
Create another partition on the portable storage device to store the public key, or reconnect networking and upload to a key server.
|
||||||
|
|
||||||
@ -1183,29 +1182,7 @@ gpg/card> quit
|
|||||||
Insert YubiKey and use GnuPG to configure it:
|
Insert YubiKey and use GnuPG to configure it:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ gpg --card-edit
|
gpg --card-edit
|
||||||
|
|
||||||
Reader ...........: Yubico Yubikey 4 OTP U2F CCID
|
|
||||||
Application ID ...: D2760001240102010006055532110000
|
|
||||||
Application type .: OpenPGP
|
|
||||||
Version ..........: 3.4
|
|
||||||
Manufacturer .....: Yubico
|
|
||||||
Serial number ....: 05553211
|
|
||||||
Name of cardholder: [not set]
|
|
||||||
Language prefs ...: [not set]
|
|
||||||
Salutation .......:
|
|
||||||
URL of public key : [not set]
|
|
||||||
Login data .......: [not set]
|
|
||||||
Signature PIN ....: not forced
|
|
||||||
Key attributes ...: rsa2048 rsa2048 rsa2048
|
|
||||||
Max. PIN lengths .: 127 127 127
|
|
||||||
PIN retry counter : 3 0 3
|
|
||||||
Signature counter : 0
|
|
||||||
KDF setting ......: off
|
|
||||||
Signature key ....: [none]
|
|
||||||
Encryption key....: [none]
|
|
||||||
Authentication key: [none]
|
|
||||||
General key info..: [none]
|
|
||||||
```
|
```
|
||||||
|
|
||||||
Enter administrative mode:
|
Enter administrative mode:
|
||||||
@ -1314,17 +1291,19 @@ gpg/card> quit
|
|||||||
|
|
||||||
**Important** Transferring keys to YubiKey is a one-way operation. Verify backups were made before proceeding. `keytocard` converts the local, on-disk key into a stub, which means the on-disk copy is no longer usable to transfer to subsequent YubiKeys.
|
**Important** Transferring keys to YubiKey is a one-way operation. Verify backups were made before proceeding. `keytocard` converts the local, on-disk key into a stub, which means the on-disk copy is no longer usable to transfer to subsequent YubiKeys.
|
||||||
|
|
||||||
The currently selected key(s) are indicated with an `*`. When transferring keys, only one subkey should be selected at a time.
|
The currently selected key(s) are indicated with an `*`.
|
||||||
|
|
||||||
|
When transferring keys, only one subkey should be selected at a time.
|
||||||
|
|
||||||
```console
|
```console
|
||||||
gpg --edit-key $KEYID
|
gpg --edit-key $KEYID
|
||||||
```
|
```
|
||||||
|
|
||||||
The Certify key passphrase and Admin PIN will be prompted.
|
The Certify key passphrase and Admin PIN are required to transfer keys.
|
||||||
|
|
||||||
## Signature key
|
## Signature key
|
||||||
|
|
||||||
Select and transfer the Signature key - `*` will appear next to the selected subkey (`ssb*`):
|
Type `key 1` to select the first key and `keytocard` to transfer it, then `1` as the destination:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
gpg> key 1
|
gpg> key 1
|
||||||
@ -1349,7 +1328,7 @@ Your selection? 1
|
|||||||
|
|
||||||
## Encryption key
|
## Encryption key
|
||||||
|
|
||||||
Type `key 1` again to deselect the first key and `key 2` to select the next key:
|
Type `key 1` again to deselect the first key and `key 2` to select the next key, then `keytocard` to transfer it, then `2` as the destination:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
gpg> key 1
|
gpg> key 1
|
||||||
@ -1375,7 +1354,7 @@ Your selection? 2
|
|||||||
|
|
||||||
## Authentication key
|
## Authentication key
|
||||||
|
|
||||||
Type `key 2` again to deselect the second key and `key 3` to select the third key:
|
Type `key 2` again to deselect the second key and `key 3` to select the third key, then `keytocard` to transfer it, then `3` as the destination:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
gpg> key 2
|
gpg> key 2
|
||||||
@ -2031,7 +2010,7 @@ For example, tmux does not have environment variables such as `$SSH_AUTH_SOCK` w
|
|||||||
|
|
||||||
### Use ssh-agent
|
### Use ssh-agent
|
||||||
|
|
||||||
You should now be able to use `ssh -A remote` on the _local_ host to log into _remote_ host, and should then be able to use YubiKey as if it were connected to the remote host. For example, using e.g. `ssh-add -l` on that remote host should show the public key from the YubiKey (note `cardno:`). (If you don't want to have to remember to use `ssh -A`, you can use `ForwardAgent yes` in `~/.ssh/config`. As a security best practice, always use `ForwardAgent yes` only for a single `Hostname`, never for all servers.)
|
You should now be able to use `ssh -A remote` on the _local_ host to log into _remote_ host, and should then be able to use YubiKey as if it were connected to the remote host. For example, using e.g. `ssh-add -l` on that remote host will show the public key from the YubiKey (`cardno:`). Always use `ForwardAgent yes` only for a single host, never for all servers.
|
||||||
|
|
||||||
### Use S.gpg-agent.ssh
|
### Use S.gpg-agent.ssh
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user