@ -20,12 +20,12 @@ To suggest an improvement, send a pull request or open an [issue](https://github
- [Create Certify key](#create-certify-key)
- [Create Subkeys](#create-subkeys)
- [Verify keys](#verify-keys)
- [Backup private keys](#backup-private-keys)
- [Backup keys](#backup-keys)
- [Export public key](#export-public-key)
- [Configure YubiKey](#configure-yubikey)
* [Enable KDF](#enable-kdf)
* [Change PIN](#change-pin)
* [Set information](#set-information)
* [Set attributes](#set-attributes)
- [Transfer Subkeys](#transfer-subkeys)
* [Signature key](#signature-key)
* [Encryption key](#encryption-key)
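Review bot: the sub-entries `* [Enable KDF]`, `* [Change PIN]`, `* [Set information]`, `* [Set attributes]`, `* [Signature key]` and `* [Encryption key]` appear at the same indentation as the `-` top-level entries, so they will render as top-level items rather than nested under "Configure YubiKey" and "Transfer Subkeys"; indent them so the nesting the anchors imply is visible. Both "Backup private keys" and "Backup keys", and both "Set information" and "Set attributes", are listed, so confirm that only the renamed entry survives and that each anchor (`#backup-keys`, `#set-attributes`) matches the final heading text exactly, since a stale anchor silently breaks the link.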
@ -81,7 +81,8 @@ A dedicated, secure operating environment is recommended to generate cryptograph
The following is a general ranking of environments least to most hospitable to generating materials:
1. Daily, currently in use operating system with unrestricted network access
1. Public, shared or other computer owned by someone else
1. Daily-use personal operating system with unrestricted network access
1. Virtualized operating system with limited capabilities (using [virt-manager](https://virt-manager.org/), VirtualBox or VMware, for example)
1. Dedicated and hardened [Debian](https://www.debian.org/) or [OpenBSD](https://www.openbsd.org/) installation
1. Ephemeral [Debian Live](https://www.debian.org/CD/live/) or [Tails](https://tails.boum.org/index.en.html) booted without primary storage attached
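Review bot: two near-identical entries, "Daily, currently in use operating system with unrestricted network access" and "Daily-use personal operating system with unrestricted network access", surround the new "Public, shared or other computer owned by someone else" item; confirm only one of the "Daily" lines survives. Since the list runs least to most hospitable, a computer owned by someone else belongs before the reader's own daily-use system, because the reader has no control over what is installed on it, so check that the new item ends up first rather than second. The `1.` numbering on every item relies on Markdown auto-numbering, which is fine but worth keeping consistent with the rest of the document.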
@ -440,7 +441,7 @@ Display the password, then memorize or write it in a secure location, ideally se
echo $PASS
```
This repository includes a [`passphrase.html`](passphrase.html) file which can be printed and filled out by hand to assist with passphrase transcription.
This repository includes a [`passphrase.html`](https://raw.githubusercontent.com/drduh/YubiKey-Guide/master/passphrase.html) file which can be printed and filled out by hand to assist with passphrase transcription. Save the raw file and open it with a browser to print.
Create an **encrypted** backup on portable storage to be kept offline in a secure and durable location.
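Review bot: the raw.githubusercontent.com link is served as plain text, so clicking it shows HTML source rather than the printable form; the added sentence "Save the raw file and open it with a browser to print" covers that, but it would help to say explicitly that the browser will not render the page from that URL and that the file must be saved locally first. Both the old relative `passphrase.html` link and the new raw URL line appear here, so confirm only the new line remains. Pinning the URL to `master` means the link tracks the branch head; that is acceptable for a printable worksheet but note it if the file is ever moved.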
@ -841,8 +845,14 @@ Key Derived Function (KDF) enables YubiKey to store the hash of PIN, preventing
**Note** This feature may not be compatible with older GnuPG versions, especially mobile clients. These incompatible clients will not function because the PIN will always be rejected.
Enable KDF using the default Admin pin of `12345678`:
A maximum of 127 ASCII characters are allowed. See the GnuPG documentation on [Managing PINs](https://www.gnupg.org/howtos/card-howto/en/ch03s02.html) for more information.
Update PINs:
Determine the desired PIN values and set them manually, or generate them randomly:
**Note** The number of retry attempts can be changed later with the following command, documented [here](https://docs.yubico.com/software/yubikey/tools/ykman/OpenPGP_Commands.html#ykman-openpgp-access-set-retries-options-pin-retries-reset-code-retries-admin-pin-retries):
```bash
ykman openpgp access set-retries 5 5 5 -f -a YOUR_ADMIN_PIN
```console
ykman openpgp access set-retries 5 5 5 -f -a $ADMIN_PIN
```
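Review bot: `ykman openpgp access set-retries 5 5 5 -f -a $ADMIN_PIN` passes the Admin PIN as a command-line argument, so its expanded value is visible to any local process listing while `ykman` runs; the hunk should at least say so, or prefer letting `ykman` prompt for the PIN when `-a` is omitted if that is supported by the reader's version. `$ADMIN_PIN` is not assigned anywhere in this hunk; the preceding "set them manually, or generate them randomly" text needs to show the assignment, otherwise a reader who copies only this block passes an empty argument. The fence change from `bash` to `console` should match the convention used by the other command blocks in the document, and the note about enabling KDF with the default Admin PIN `12345678` reads correctly only if KDF is enabled before the PINs are changed, which the ordering here implies but does not state.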
## Set information
## Set attributes
While still in administrative mode:
Set the [smart card attributes](https://gnupg.org/howtos/card-howto/en/smartcard-howto-single.html):
**Important** Verify a backup of Subkeys was made before proceeding. Transferring keys to YubiKey is a one-way operation: `keytocard` converts the local, on-disk key into a stub, which means the on-disk copy is no longer usable to transfer to subsequent YubiKeys.
The currently selected key(s) are indicated with an `*` symbol.
When transferring keys, only one subkey must be selected at a time.
```console
gpg --edit-key $KEYID
```
The currently selected key(s) are indicated with an `*` symbol. When transferring keys, only one subkey must be selected at a time.
The Certify key passphrase and Admin PIN are required to transfer keys.
## Signature key
Type `key 1` to select the first key and `keytocard` to transfer it, then `1` as the destination:
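Review bot: the two lines "The currently selected key(s) are indicated with an `*` symbol." and "When transferring keys, only one subkey must be selected at a time." appear both separately and merged into one line, so confirm only the merged form survives. The merged sentence states that only one subkey may be selected at a time, but the step "Type `key 1` to select the first key and `keytocard` to transfer it" does not say that `key N` toggles selection in `gpg --edit-key`; a reader who continues to the next subkey with `key 2` without first typing `key 1` again will have two keys selected and `keytocard` will refuse. Add a sentence telling the reader to deselect with `key 1` (the `*` disappears) before selecting the next subkey. The "Important" note about `keytocard` converting the on-disk key into a stub is the right warning to carry, and it should stay immediately before the `gpg --edit-key $KEYID` block so it is read before the irreversible step.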