arno
/
YubiKey-Guide
mirror of https://github.com/drduh/YubiKey-Guide.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Simplify and automate fdisk commands

Browse Source
pull/425/head
drduh 2 months ago
parent ac8ff82085
commit a0fa35cf11
1 changed files with 92 additions and 112 deletions
Show Stats Download Patch File Download Diff File

204
README.md
Unescape View File

@ -119,24 +119,20 @@ grep $(sha512sum debian-live-*-amd64-xfce.iso) SHA512SUMS
See [Verifying authenticity of Debian CDs](https://www.debian.org/CD/verify) for more information.
Mount a portable storage device and copy the image:
Connect a portable storage device and identify the disk label - this guide uses `/dev/sdc` throughout, but this value may differ on your system:
**Linux**
```console
$ sudo dmesg | tail
usb-storage 3-2:1.0: USB Mass Storage device detected
scsi host2: usb-storage 3-2:1.0
scsi 2:0:0:0: Direct-Access TS-RDF5 SD Transcend TS3A PQ: 0 ANSI: 6
sd 2:0:0:0: Attached scsi generic sg1 type 0
sd 2:0:0:0: [sdb] 31116288 512-byte logical blocks: (15.9 GB/14.8 GiB)
sd 2:0:0:0: [sdb] Write Protect is off
sd 2:0:0:0: [sdb] Mode Sense: 23 00 00 00
sd 2:0:0:0: [sdb] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
sdb: sdb1 sdb2
sd 2:0:0:0: [sdb] Attached SCSI removable disk
$ sudo dd if=debian-live-*-amd64-xfce.iso of=/dev/sdb bs=4M status=progress ; sync
sd 2:0:0:0: [sdc] Attached SCSI removable disk
```
Copy the Debian image to the device:
```console
$ sudo dd if=debian-live-*-amd64-xfce.iso of=/dev/sdc bs=4M status=progress ; sync
465+1 records in
465+1 records out
1951432704 bytes (2.0 GB, 1.8 GiB) copied, 42.8543 s, 45.5 MB/s
@ -293,7 +289,7 @@ nix build --experimental-features "nix-command flakes" .#nixosConfigurations.yub
Copy it to a USB drive:
```console
sudo cp -v result/iso/yubikeyLive.iso /dev/sdb ; sync
sudo cp -v result/iso/yubikeyLive.iso /dev/sdc ; sync
```
Skip steps to create a temporary working directory and a hardened configuration, as they are already part of the image.
@ -415,23 +411,19 @@ EXPIRATION=2026-05-01
Generate a passphrase, which will be used to issue the Certify key and Subkeys.
The passphrase is recommended to consist of only upper case letters and numbers for improved readability. [Diceware](https://secure.research.vt.edu/diceware) is another method for creating strong and memorable passphrases.
The passphrase is recommended to consist of only uppercase letters and numbers for improved readability. [Diceware](https://secure.research.vt.edu/diceware) is another method for creating strong and memorable passphrases.
The following command will generate a strong passphrase while avoiding ambiguous characters:
The following commands will generate and display a strong passphrase which avoids ambiguous characters:
```console
PASS=$(LC_ALL=C tr -dc 'A-Z1-9' < /dev/urandom | \
tr -d "1IOS5U" | fold -w 30 | sed "-es/./ /"{1..26..5} | \
cut -c2- | tr " " "-" | head -1)
```
Display the password, then memorize or write it in a secure location, ideally separate from the portable storage device used for key material:
```console
echo $PASS
```
This repository includes a [`passphrase.html`](https://raw.githubusercontent.com/drduh/YubiKey-Guide/master/passphrase.html) file which can be printed and filled out by hand to assist with passphrase transcription. Save the raw file and open it with a browser to print.
Memorize the passphrase or write it in a secure location, ideally separate from the portable storage device used for key material. This repository includes a [`passphrase.html`](https://raw.githubusercontent.com/drduh/YubiKey-Guide/master/passphrase.html) template to help with transcription. Save the raw file, open it with a browser and print. Use a pen or permanent marker to select a letter or number on each row for each character in the passphrase.
# Create Certify key
@ -509,98 +501,91 @@ gpg --output $GNUPGHOME/$KEYID.asc \
```
Create an **encrypted** backup on portable storage to be kept offline in a secure and durable location.
**Tip** The [ext2](https://en.wikipedia.org/wiki/Ext2) filesystem without encryption can be mounted on Linux and OpenBSD. Use [FAT32](https://en.wikipedia.org/wiki/Fat32) or [NTFS](https://en.wikipedia.org/wiki/Ntfs) filesystem for macOS and Windows compatibility instead.
As an additional backup measure, use [Paperkey](https://www.jabberwocky.com/software/paperkey/) to make a physical copy of materials. See [Linux Kernel Maintainer PGP Guide](https://www.kernel.org/doc/html/latest/process/maintainer-pgp-guide.html#back-up-your-master-key-for-disaster-recovery) for more information.
The following process is recommended to be repeated several times on multiple portable storage devices, as they can fail over time. As an additional backup measure, [Paperkey](https://www.jabberwocky.com/software/paperkey/) may be used to make a physical copy of key materials for improved durability.
**Tip** The [ext2](https://en.wikipedia.org/wiki/Ext2) filesystem without encryption can be mounted on Linux and OpenBSD. Use [FAT32](https://en.wikipedia.org/wiki/Fat32) or [NTFS](https://en.wikipedia.org/wiki/Ntfs) filesystem for macOS and Windows compatibility instead.
**Linux**
Attach another portable storage device and check its label:
Attach a portable storage device and check its label, in this case `/dev/sdc`:
```console
$ sudo dmesg | tail
mmc0: new high speed SDHC card at address a001
mmcblk0: mmc0:a001 SS16G 14.8 GiB
usb-storage 3-2:1.0: USB Mass Storage device detected
sd 2:0:0:0: [sdc] Attached SCSI removable disk
$ sudo fdisk -l /dev/mmcblk0
Disk /dev/mmcblk0: 14.9 GiB, 15931539456 bytes, 31116288 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
$ sudo fdisk -l /dev/sdc
Disk /dev/sdc: 14.9 GiB, 15931539456 bytes, 31116288 sectors
```
Write it with random data to prepare for encryption:
**Warning** Confirm the destination (`of`) before issuing the following command! This guide uses `/dev/sdc` throughout, but this value may differ on your system.
Zero the header to prepare for encryption:
```console
sudo dd if=/dev/urandom of=/dev/mmcblk0 bs=4M status=progress
sudo dd if=/dev/zero of=/dev/sdc bs=4M count=1
```
Erase and create a new partition table:
```console
$ sudo fdisk /dev/mmcblk0
sudo fdisk /dev/sdc <<EOF
g
w
EOF
```
Welcome to fdisk (util-linux 2.33.1).
Create a small (at least 20 Mb is recommended to account for the LUKS header size) partition for storing secret materials:
Command (m for help): g
Created a new GPT disklabel (GUID: 4E7495FD-85A3-3E48-97FC-2DD8D41516C3).
```console
sudo fdisk /dev/sdc <<EOF
n
Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
+20M
w
EOF
```
Create a new partition with a 25 Megabyte size:
```console
$ sudo fdisk /dev/mmcblk0
Welcome to fdisk (util-linux 2.36.1).
Use [LUKS](https://askubuntu.com/questions/97196/how-secure-is-an-encrypted-luks-filesystem) to encrypt the new partition.
Command (m for help): n
Partition number (1-128, default 1):
First sector (2048-30261214, default 2048):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-30261214, default 30261214): +25M
Once again, generate a unique passphrase (different from the [Passphrase](#passphrase) used for the GnuPG identity) to protect the encrypted volume:
Created a new partition 1 of type 'Linux filesystem' and of size 25 MiB.
```console
PASS=$(LC_ALL=C tr -dc 'A-Z1-9' < /dev/urandom | \
tr -d "1IOS5U" | fold -w 30 | sed "-es/./ /"{1..26..5} | \
cut -c2- | tr " " "-" | head -1)
Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
echo $PASS
```
Use [LUKS](https://askubuntu.com/questions/97196/how-secure-is-an-encrypted-luks-filesystem) to encrypt the new partition.
Generate a unique passphrase (different from the [Passphrase](#passphrase) used for the GnuPG identity) to protect the encrypted volume:
Memorize or write it down, then format the partition:
```console
sudo cryptsetup luksFormat /dev/mmcblk0p1
echo $PASS | sudo cryptsetup -q luksFormat /dev/sdc1
```
Mount the partition:
```console
sudo cryptsetup luksOpen /dev/mmcblk0p1 secret
echo $PASS | sudo cryptsetup -q luksOpen /dev/sdc1 gnupg-secrets
```
Create an ext2 filesystem:
```console
sudo mkfs.ext2 /dev/mapper/secret -L gpg-$(date +%F)
sudo mkfs.ext2 /dev/mapper/gnupg-secrets -L gnupg-$(date +F)
```
Mount the filesystem and copy the temporary GnuPG directory with keyring:
Mount the filesystem and copy the temporary GnuPG working directory exported key materials:
```console
sudo mkdir /mnt/encrypted-storage
sudo mount /dev/mapper/secret /mnt/encrypted-storage
sudo mount /dev/mapper/gnupg-secrets /mnt/encrypted-storage
sudo cp -avi $GNUPGHOME /mnt/encrypted-storage/
sudo cp -av $GNUPGHOME /mnt/encrypted-storage/
```
**Optional** Backup the OneRNG package:
@ -609,14 +594,14 @@ sudo cp -avi $GNUPGHOME /mnt/encrypted-storage/
sudo cp onerng_3.7-1_all.deb /mnt/encrypted-storage/
```
**Note** To set up multiple keys, keep the backup mounted or remember to terminate the GnuPG process before [saving](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html).
**Note** To provision multiple YubiKeys, keep the backup mounted or remember to terminate the GnuPG process before [saving](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html).
Unmount, close and disconnect the encrypted volume:
Unmount and close the encrypted volume:
```console
sudo umount /mnt/encrypted-storage/
sudo umount /mnt/encrypted-storage
sudo cryptsetup luksClose secret
sudo cryptsetup luksClose gnupg-secrets
```
**OpenBSD**
@ -688,7 +673,7 @@ doas mkdir /mnt/encrypted-storage
doas mount /dev/sd3i /mnt/encrypted-storage
doas cp -avi $GNUPGHOME /mnt/encrypted-storage
doas cp -av $GNUPGHOME /mnt/encrypted-storage
```
**Note** To set up multiple YubiKeys, keep the backup mounted or terminate GnuPG before [saving](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html).
@ -711,36 +696,38 @@ Create another partition on the portable storage device to store the public key,
**Linux**
Provision the portable storage device:
Using the same `/dev/sdc` device as in the previous step:
```console
$ sudo fdisk /dev/mmcblk0
Create a small (20 Mb is more than enough) partition for storing secret materials:
Welcome to fdisk (util-linux 2.36.1).
Command (m for help): n
Partition number (2-128, default 2):
First sector (53248-30261214, default 53248):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (53248-30261214, default 30261214): +25M
```console
sudo fdisk /dev/sdc <<EOF
n
Created a new partition 2 of type 'Linux filesystem' and of size 25 MiB.
Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
+20M
w
EOF
```
Create a filesystem and export the public key:
```console
sudo mkfs.ext2 /dev/mmcblk0p2
sudo mkfs.ext2 /dev/sdc2
sudo mkdir /mnt/public
sudo mount /dev/mmcblk0p2 /mnt/public
sudo mount /dev/sdc2 /mnt/public
gpg --armor --export $KEYID | sudo tee /mnt/public/$KEYID-$(date +%F).asc
sudo chmod 0444 /mnt/public/0x*.asc
```
Unmount and remove the storage device:
```console
sudo umount /mnt/public
```
**OpenBSD**
@ -809,13 +796,9 @@ User PIN | `123456` | cryptographic operations (decrypt, sign, authentica
Admin PIN | `12345678` | reset PIN, change Reset Code, add keys and owner information
Reset Code | None | reset PIN ([more information](https://forum.yubico.com/viewtopicd01c.html?p=9055#p9055))
Entering the *PIN* incorrectly 3 times will cause the PIN to become blocked. It can be unblocked with either the *Admin PIN* or *Reset Code*.
**Warning** Entering the *Admin PIN* or *Reset Code* incorrectly 3 times will destroy data on YubiKey.
Determine the desired PIN values. They can be shorter than the GnuPG identity passphrase due to limited brute-forcing opportunities. The User PIN should be convenient enough to remember for every-day use.
*PIN* values must be at least 6 characters. *Admin PIN* values must be at least 8 characters. A maximum of 127 ASCII characters are allowed. See the GnuPG documentation on [Managing PINs](https://www.gnupg.org/howtos/card-howto/en/ch03s02.html) for more information.
The *User PIN* must be at least 6 characters and the *Admin PIN* must be at least 8 characters. A maximum of 127 ASCII characters are allowed. See the GnuPG documentation on [Managing PINs](https://www.gnupg.org/howtos/card-howto/en/ch03s02.html) for more information.
Set PINs manually or generate them, for example a 6 digit User PIN and 8 digit Admin PIN:
@ -853,7 +836,9 @@ EOF
Remote and re-insert YubiKey.
**Optional** The number of [retry attempts](https://docs.yubico.com/software/yubikey/tools/ykman/OpenPGP_Commands.html#ykman-openpgp-access-set-retries-options-pin-retries-reset-code-retries-admin-pin-retries) can be changed to 5 with:
**Warning** Three incorrect *User PIN* entries will cause it to become blocked and must be unblocked with either the *Admin PIN* or *Reset Code*. Three incorrect *Admin PIN* or *Reset Code* entries will destroy data on YubiKey.
The number of [retry attempts](https://docs.yubico.com/software/yubikey/tools/ykman/OpenPGP_Commands.html#ykman-openpgp-access-set-retries-options-pin-retries-reset-code-retries-admin-pin-retries) can be changed, for example to 5 attempts:
```console
ykman openpgp access set-retries 5 5 5 -f -a $ADMIN_PIN
@ -950,11 +935,11 @@ A `>` after a tag indicates the key is stored on a smart card.
Verify you have done the following:
- [ ] Memorized or wrote down Certify key passphrase to a secure and durable location
- [ ] Memorized or wrote down the Certify key passphrase to a secure and durable location
- [ ] Saved the Certify key and Subkeys to encrypted portable storage, to be kept offline
- [ ] Memorized or wrote down passphrase to encrypted volume on portable storage
- [ ] Exported a copy of the public key where is can be easily accessed later
- [ ] Memorized or wrote down YubiKey user and admin PINs, which are unique and changed from default values
- [ ] Memorized or wrote down the User Pin and Admin PIN, which are unique and changed from default values
- [ ] Moved Encryption, Signature and Authentication Subkeys to YubiKey (`gpg -K` shows `ssb>` for 3 Subkeys)
Reboot to clear the ephemeral environment and complete setup.
@ -1012,7 +997,7 @@ doas reboot
Mount the non-encrypted volume with the public key:
```console
doas mount /dev/mmcblk0p2 /mnt
doas mount /dev/sd3i /mnt
```
Import it:
@ -1203,7 +1188,7 @@ ykman openpgp keys set-touch aut on
To view and adjust policy options:
```
```console
ykman openpgp keys set-touch -h
```
@ -1829,21 +1814,14 @@ Neither rotation method is superior and it is up to personal philosophy on ident
To renew or rotate Subkeys, follow the same process as generating keys: boot to a secure environment, install required software and disconnect networking.
Connect the portable storage device with the Certify key and identify the disk label:
```console
$ sudo dmesg | tail
mmc0: new high speed SDHC card at address a001
mmcblk0: mmc0:a001 SS16G 14.8 GiB (ro)
mmcblk0: p1 p2
```
Connect the portable storage device with the Certify key and identify the disk label.
Decrypt and mount the encrypted volume:
```console
sudo cryptsetup luksOpen /dev/mmcblk0p1 secret
sudo cryptsetup luksOpen /dev/sdc1 gnupg-secrets
sudo mount /dev/mapper/secret /mnt/encrypted-storage
sudo mount /dev/mapper/gnupg-secrets /mnt/encrypted-storage
```
Mount the non-encrypted public partition:
@ -1851,7 +1829,7 @@ Mount the non-encrypted public partition:
```console
sudo mkdir /mnt/public
sudo mount /dev/mmcblk0p2 /mnt/public
sudo mount /dev/sdc2 /mnt/public
```
Copy the original private key materials to a temporary working directory:
@ -1859,7 +1837,9 @@ Copy the original private key materials to a temporary working directory:
```console
GNUPGHOME=$(mktemp -d -t gnupg-$(date +%Y-%m-%d)-XXXXXXXXXX)
cp -rv /mnt/encrypted-storage/* $GNUPGHOME
cd $GNUPGHOME
cp -avi /mnt/encrypted-storage/gnupg-*/* $GNUPGHOME
```
Confirm the identity is available, set it and the key fingerprint:
@ -1867,7 +1847,7 @@ Confirm the identity is available, set it and the key fingerprint:
```console
gpg -K
KEYID=0xF0F2CFEB04341FB5
KEYID=$(gpg -K | grep -Po "(0x\w+)" | head -1)
KEYFPR=$(gpg --fingerprint "$KEYID" | grep -Eo '([0-9A-F][0-9A-F ]{49})' | head -n 1 | tr -d ' ')
```
@ -1938,7 +1918,7 @@ Unmount and close the encrypted volume:
```console
sudo umount /mnt/encrypted-storage
sudo cryptsetup luksClose /dev/mapper/secret
sudo cryptsetup luksClose gnupg-secrets
```
Export the updated public key:
@ -1946,7 +1926,7 @@ Export the updated public key:
```console
sudo mkdir /mnt/public
sudo mount /dev/mmcblk0p2 /mnt/public
sudo mount /dev/sdc2 /mnt/public
gpg --armor --export $KEYID | sudo tee /mnt/public/$KEYID-$(date +%F).asc
@ -2002,7 +1982,7 @@ Admin PIN: 12345678
1. To switch between YubiKeys, unplug the first YubiKey and restart gpg-agent, ssh-agent and pinentry with `pkill "gpg-agent|ssh-agent|pinentry" ; eval $(gpg-agent --daemon --enable-ssh-support)` then insert the other YubiKey and run `gpg-connect-agent updatestartuptty /bye`
1. To use YubiKey on multiple computers, import the corresponding public keys. Confirm see YubiKey is visible with `gpg --card-status`, then trust the imported public keys ultimately with `trust` and `5`. `gpg --list-secret-keys` will show the correct and trusted key.
1. To use YubiKey on multiple computers, import the corresponding public keys, then confirm YubiKey is visible with `gpg --card-status`. Trust the imported public keys ultimately with `trust` and `5`, then `gpg --list-secret-keys` will show the correct and trusted key.
# Troubleshooting

Write Preview
Loading…
Cancel
Save