@ -8,7 +8,7 @@ If you have a comment or suggestion, please open an [Issue](https://github.com/d
- [Purchase YubiKey](#purchase-yubikey)
- [Verify YubiKey](#verify-yubikey)
- [Live image](#live-image)
- [Download OS image](#download-os-image)
- [Required software](#required-software)
* [Entropy](#entropy)
- [Creating keys](#creating-keys)
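Review bot: the renamed entry `- [Download OS image](#download-os-image)` only fixes the table of contents; any other in-document links that still point at `#live-image` will dangle once the heading is renamed, so grep the README for `#live-image` and update them in the same change. The slug itself is fine: GitHub lowercases `# Download OS Image` to `download-os-image`, so this anchor resolves.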
@ -58,7 +58,7 @@ If you have a comment or suggestion, please open an [Issue](https://github.com/d
All YubiKeys except the blue "security key" model are compatible with this guide. NEO models are limited to 2048-bit RSA keys. Compare YubiKeys [here](https://www.yubico.com/products/yubikey-hardware/compare-products-series/).
You will also need several small storage devices for booting a live image, creating backups of private and public keys.
You will also need several small storage devices for booting a temporary operating system and creating backups of private/public keys.
# Verify YubiKey
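Review bot: "booting a temporary operating system" drops the property the guide actually relies on, namely that the environment is ephemeral and leaves no key material or revocation certificates on persistent storage; "temporary" does not say that. Since the heading hunk later in this diff introduces the term "ephemeral environment (\"live image\")", use the same wording here, e.g. "booting an ephemeral live image and creating backups of private and public keys", so the document uses one term throughout.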
@ -66,14 +66,14 @@ To verify a YubiKey is genuine, open a [browser with U2F support](https://suppor
This website verifies the YubiKey's device attestation certificates signed by a set of Yubico CAs, and helps mitigate [supply chain attacks](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20r00killah-and-securelyfitz-Secure-Tokin-and-Doobiekeys.pdf).
# Live image
# Download OS Image
It is recommended to generate cryptographic keys and configure YubiKey from a secure operating system and ephemeral environment, such as [Debian Live](https://www.debian.org/CD/live/), [Tails](https://tails.boum.org/index.en.html), or [OpenBSD](https://www.openbsd.org/).
It is recommended to generate cryptographic keys and configure YubiKey from a secure operating system and using an ephemeral environment ("live image"), such as [Debian](https://www.debian.org/CD/live/), [Tails](https://tails.boum.org/index.en.html), or [OpenBSD](https://www.openbsd.org/) booted from a USB drive.
$ doas dd if=debian-live-9.9.0-amd64-xfce.iso of=/dev/rsd2c bs=4m
$ doas dd if=debian-live-10.0.0-amd64-xfce.iso of=/dev/rsd2c bs=4m
465+1 records in
465+1 records out
1951432704 bytes transferred in 139.125 secs (14026448 bytes/sec)
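Review bot: the `dd` sample output was not regenerated for the new image: the filename changes from `debian-live-9.9.0-amd64-xfce.iso` to `debian-live-10.0.0-amd64-xfce.iso`, but the unchanged context lines `465+1 records in` / `1951432704 bytes transferred` are still the 9.9.0 figures, so either re-run the command and paste the real 10.0.0 output or drop the transfer summary. Two smaller points in the same hunk: the new heading `# Download OS Image` uses title case while the surrounding headings (`# Verify YubiKey`, `# Required software`) and the new TOC entry use sentence case, so `# Download OS image` is the consistent form; and the OpenBSD link is the project homepage rather than a live image, and OpenBSD does not publish a live image comparable to Debian Live or Tails, so listing it in a sentence that ends "booted from a USB drive" is misleading unless a specific image is linked.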
@ -152,11 +154,11 @@ $ doas dd if=debian-live-9.9.0-amd64-xfce.iso of=/dev/rsd2c bs=4m
Shut down the computer and disconnect internal hard drives and all unnecessary peripheral devices.
Consider using secure hardware like a ThinkPad X230 running [Coreboot](https://www.coreboot.org/) and cleaned of [Intel ME](https://github.com/corna/me_cleaner).
Consider using secure hardware like a ThinkPad X230 running [Coreboot](https://www.coreboot.org/) and [cleaned of Intel ME](https://github.com/corna/me_cleaner).
# Required software
Boot the live image and configure networking.
Boot the OS image and configure networking.
**Note** If the screen locks, unlock with `user`/`live`.
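Review bot: changing "Boot the live image" to the generic "Boot the OS image" makes the following note inaccurate, because the `user`/`live` unlock credentials are Debian Live's defaults and do not apply to the other environments the section now offers (Tails, OpenBSD). Either qualify the note ("on Debian Live, unlock with `user`/`live`") or keep the sentence specific to the Debian live image.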
@ -165,7 +167,7 @@ Open the terminal and install several required packages:
**Important** Make sure you have securely erased all generated keys and revocation certificates if a Live image was not used!
**Important** Make sure you have securely erased all generated keys and revocation certificates if an ephemeral enviroment was not used!
# Using keys
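Review bot: the added line introduces a typo, "enviroment" should be "environment". Otherwise the rewording is consistent with the "ephemeral environment" terminology introduced in the Download OS image hunk.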
@ -1855,10 +1857,9 @@ $ ykman openpgp set-touch enc on
YubiKey will blink when it is waiting for a touch.
# Email
GPG keys on YubiKey can be used with ease to encrypt or sign email messages and attachments using [Thunderbird](https://www.thunderbird.net/) and [Enigmail](https://www.enigmail.net). Thunderbird supports OAuth 2 authentication and can be used with Gmail. See [this guide](https://ssd.eff.org/en/module/how-use-pgp-linux) from EFF for detailed instructions.
GPG keys on YubiKey can be used with ease to encrypt and/or sign emails and attachments using [Thunderbird](https://www.thunderbird.net/) and [Enigmail](https://www.enigmail.net). Thunderbird supports OAuth 2 authentication and can be used with Gmail. See [this guide](https://ssd.eff.org/en/module/how-use-pgp-linux) from EFF for detailed instructions.
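Review bot: "encrypt and/or sign emails" reads worse than the original "encrypt or sign email messages"; "and/or" is rarely needed in prose, and the operations are independent, so "sign and encrypt email and attachments" says the same thing more plainly. The "with ease" qualifier adds nothing and could go in the same edit.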