@ -14,7 +14,7 @@ If you have a comment or suggestion, please open an [issue](https://github.com/d
- [Entropy](#entropy)
- [Creating keys](#creating-keys)
- [Master key](#master-key)
- [Sub-keys](#sub-keys)
- [Subkeys](#subkeys)
- [Signing](#signing)
- [Encryption](#encryption)
- [Authentication](#authentication)
@ -54,7 +54,7 @@ If you have a comment or suggestion, please open an [issue](https://github.com/d
- [Windows Subsystem for Linux (WSL)](#wsl)
- [Troubleshooting](#troubleshooting)
- [Notes](#notes)
- [Similar work](#similar-work)
- [Links](#links)
# Purchase YubiKey
@ -64,7 +64,7 @@ Consider purchasing a pair of YubiKeys, programming both, and storing one in a s
# Live image
It is recommended to generate cryptographic keys and configure YubiKey from a secure environment. One way to do that is by downloading and booting to a [Debian Live](https://www.debian.org/CD/live/) or [Tails](https://tails.boum.org/index.en.html) image loaded from a USB drive into memory.
It is recommended to generate cryptographic keys and configure YubiKey from a secure environment to minimize exposure. One way to do that is by downloading and booting to a [Debian Live](https://www.debian.org/CD/live/) or [Tails](https://tails.boum.org/index.en.html) image loaded from a USB drive into memory.
Download the latest image and verify its integrity:
@ -193,7 +198,7 @@ Disable networking for the remainder of the setup.
# Master key
The first key to generate is the master key. It will be used for certification only - to issue sub-keys that are used for encryption, signing and authentication. This master key should be kept offline at all times and only accessed to revoke or issue new sub-keys.
The first key to generate is the master key. It will be used for certification only - to issue subkeys that are used for encryption, signing and authentication. This master key should be kept offline at all times and only accessed to revoke or issue new subkeys.
You'll be prompted to enter and verify a passphrase - keep it handy as you'll need it throughout. To generate a strong passphrase which could be written down in a hidden or secure place; or memorized:
@ -230,7 +235,7 @@ GnuPG needs to construct a user ID to identify your key.
Real name: Dr Duh
Email address: doc@duh.to
Comment:
Comment: [Optional - leave blank]
You selected this USER-ID:
"Dr Duh <doc@duh.to>"
@ -261,9 +266,9 @@ Export the key ID as a [variable](https://stackoverflow.com/questions/1158091/de
**Optional** Add any additional identities or email addresses now using the `adduid` command.
To verify with OpenPGP key checks, use the automated [key best practice checker](https://riseup.net/en/security/message-security/openpgp/best-practices#openpgp-key-checks):
@ -493,7 +500,7 @@ The output will display any problems with your key in red text. If everything is
# Export keys
The Master and sub-keys will be encrypted with your passphrase when exported.
The Master and subkeys will be encrypted with your passphrase when exported.
Optionally, the public key may be uploaded to a [public keyserver](https://debian-administration.org/article/451/Submitting_your_GPG_key_to_a_keyserver):
**Optional** The public key may be uploaded to a [public keyserver](https://debian-administration.org/article/451/Submitting_your_GPG_key_to_a_keyserver):
```
$ gpg --send-key $KEYID
gpg: sending key 0xFF3E7D88647EBCDB to hkps server hkps.pool.sks-keyservers.net
After some time, the public key will to propagate to [other](https://pgp.key-server.io/pks/lookup?search=doc%40duh.to&fingerprint=on&op=vindex) [servers](https://pgp.mit.edu/pks/lookup?search=doc%40duh.to&op=index).
@ -923,10 +923,10 @@ After some time, the public key will to propagate to [other](https://pgp.key-ser
Ensure you have:
* Saved the Encryption, Signing and Authentication sub-keys to YubiKey.
* Saved the Encryption, Signing and Authentication subkeys to YubiKey.
* Saved the YubiKey PINs which you changed from defaults.
* Saved the password to the Master key.
* Saved a copy of the Master key, sub-keys and revocation certificates on an encrypted volume stored offline.
* Saved a copy of the Master key, subkeys and revocation certificates on an encrypted volume stored offline.
* Saved the password to that encrypted volume in a separate location.
* Saved a copy of the public key somewhere easily accessible later.
@ -934,7 +934,6 @@ Reboot or [securely delete](http://srm.sourceforge.net/) `$GNUPGHOME` and remove
By default, YubiKey will perform key operations without requiring a touch from the user. To require a touch for every SSH connection, use the [YubiKey Manager](https://developers.yubico.com/yubikey-manager/) and Admin PIN:
By default, YubiKey will perform key operations without requiring a touch from the user. To require a touch for every SSH authentication, use the [YubiKey Manager](https://developers.yubico.com/yubikey-manager/) and Admin PIN:
ykman openpgp touch aut on
To require a touch for the signing and encrypting keys as well:
To require a touch for signing and encryption operations:
ykman openpgp touch sig on
ykman openpgp touch enc on
@ -1416,7 +1415,8 @@ Now you can use PuTTY for public key SSH authentication. When the server asks fo
## WSL
The goal here is to make the SSH client inside WSL work together with the Windows agent you are using (gpg-agent.exe in our case). Here is what we are going to achieve:
![WSL agent architecture](media/schema_gpg.png)
**Note**: this works only for SSH agent forwarding. Real GPG forwarding (encryption/decryption) is actually not supported. See the [weasel-pageant](https://github.com/vuori/weasel-pageant) readme for further information.
**Note** this works only for SSH agent forwarding. Real GPG forwarding (encryption/decryption) is actually not supported. See the [weasel-pageant](https://github.com/vuori/weasel-pageant) readme for further information.
### Prerequisites
- Install Ubuntu >16.04 for WSL
@ -1425,48 +1425,54 @@ The goal here is to make the SSH client inside WSL work together with the Window
### WSL configuration
- Download or clone [weasel-pageant](https://github.com/vuori/weasel-pageant).
- Add `eval $(/mnt/c/<path of extraction>/weasel-pageant -r -a /tmp/S.weasel-pageant)` to your .bashrc or equivalent.
**Note**: we use a named socket here so we can use it in the RemoteForward directive of the .ssh/config file.
- Source it `$ . ~/.bashrc`.
- Add `eval $(/mnt/c/<path of extraction>/weasel-pageant -r -a /tmp/S.weasel-pageant)` to your .bashrc or equivalent. Use a named socket here so it can be used in the RemoteForward directive of the .ssh/config file.
- Source it with `source ~/.bashrc`.
- You should be able to see your SSH key with `$ ssh-add -l`.
- Edit your `~/.ssh/config` file.
- For each host you want to use agent forwarding, add:
- Edit `~/.ssh/config` - for each host you want to use agent forwarding, add:
- Reload the ssh daemon (e.g. `$ sudo service sshd reload`).
- Reload the ssh daemon (e.g., `sudo service sshd reload`).
### Final test
- Unplug your YubiKey, disconnect or reboot.
- Log back on Windows, open a WSL console and enter `$ ssh-add -l`, you should see nothing.
- Plug your YubiKey, enter the same command, you should see your ssh key.
- Log in to your remote host, you should have the pinentry popup/window asking for your YubiKey pin.
- On your remote host, type `$ ssh-add -l`. If you see your ssh key, that means your forwarding works !
**Note**: you can chain the agent forwarding through multiple hosts, you just have to follow the same [protocol](#remote-host-configuration) to configure each host.
- Unplug YubiKey, disconnect or reboot.
- Log back in to Windows, open a WSL console and enter `ssh-add -l` - you should see nothing.
- Plug in YubiKey, enter the same command, you should see your ssh key.
- Log in to your remote host, you should have the pinentry dialog asking for the YubiKey pin.
- On your remote host, type `ssh-add -l` - if you see your ssh key, that means forwarding works!
**Note** Agent forwarding may be chained through multiple hosts - just follow the same [protocol](#remote-host-configuration) to configure each host.
# Remote Machines (agent forwarding)
If you want to use your YubiKey to sign a git commit on a remote machine, or ssh through another layer, then this is possible using "Agent Forwarding". Assuming that you have your YubiKey setup on your host machine.
To forward your agent, ssh using the `-a` flag
To enable agent forwarding, ssh using the `-A` flag:
```
ssh -A user@remote
$ ssh -A user@remote
```
Or add the following to your ssh config file:
@ -1510,20 +1516,26 @@ You should then be able to use your YubiKey as if it were connected to the remot
1. Programming YubiKey for GPG keys still lets you use its two configurations - [OTP](https://www.yubico.com/faq/what-is-a-one-time-password-otp/) and [static password](https://www.yubico.com/products/services-software/personalization-tools/static-password/) modes, for example.
1. Setting an expiry essentially forces you to manage your subkeys and announces to the rest of the world that you are doing so. Setting an expiry on a primary key is ineffective for protecting the key from loss - whoever has the primary key can simply extend its expiry period. Revocation certificates are [better suited](https://security.stackexchange.com/questions/14718/does-openpgp-key-expiration-add-to-security/79386#79386) for this purpose. It may be appropriate for your use case to set expiry dates on subkeys.