mirror of
https://github.com/drduh/YubiKey-Guide.git
synced 2024-11-22 15:28:06 +00:00
commit
b621273182
38
README.md
38
README.md
@ -1075,7 +1075,7 @@ $ sudo cp onerng_3.6-1_all.deb /mnt/encrypted-storage/
|
||||
|
||||
Keep the backup mounted if you plan on setting up two or more keys as `keytocard` **will [delete](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html) the local copy** on save.
|
||||
|
||||
Unmount, close and disconnected the encrypted volume:
|
||||
Unmount, close and disconnect the encrypted volume:
|
||||
|
||||
```console
|
||||
$ sudo umount /mnt/encrypted-storage/
|
||||
@ -1156,7 +1156,7 @@ $ doas cp -avi $GNUPGHOME /mnt/encrypted-storage
|
||||
|
||||
Keep the backup mounted if you plan on setting up two or more keys as `keytocard` **will [delete](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html) the local copy** on save.
|
||||
|
||||
Otherwise, unmount and disconnected the encrypted volume:
|
||||
Otherwise, unmount and disconnect the encrypted volume:
|
||||
|
||||
```console
|
||||
$ doas umount /mnt/encrypted-storage
|
||||
@ -1251,7 +1251,7 @@ $ gpg --keyserver keys.gnupg.net --send-key $KEYID
|
||||
$ gpg --keyserver hkps://keyserver.ubuntu.com:443 --send-key $KEYID
|
||||
```
|
||||
|
||||
After some time, the public key will to propagate to [other](https://pgp.key-server.io/pks/lookup?search=doc%40duh.to&fingerprint=on&op=vindex) [servers](https://pgp.mit.edu/pks/lookup?search=doc%40duh.to&op=index).
|
||||
After some time, the public key will propagate to [other](https://pgp.key-server.io/pks/lookup?search=doc%40duh.to&fingerprint=on&op=vindex) [servers](https://pgp.mit.edu/pks/lookup?search=doc%40duh.to&op=index).
|
||||
|
||||
# Configure Smartcard
|
||||
|
||||
@ -1284,7 +1284,7 @@ General key info..: [none]
|
||||
|
||||
**Windows**
|
||||
|
||||
Use the [YubiKey Manager](https://developers.yubico.com/yubikey-manager) application (note, this not the similarly named older YubiKey NEO Manager) to enable CCID functionality.
|
||||
Use the [YubiKey Manager](https://developers.yubico.com/yubikey-manager) application (note, this is not the similarly named older YubiKey NEO Manager) to enable CCID functionality.
|
||||
|
||||
## Change PIN
|
||||
|
||||
@ -1530,7 +1530,7 @@ $ cd $GNUPGHOME
|
||||
|
||||
## Switching between two or more Yubikeys.
|
||||
|
||||
When you add a GPG key to a Yubikey using the *keytocard* command, GPG deletes the key form your keyring and adds a *stub* pointing to that exact Yubikey (the stub identifies the GPG KeyID and the Yubikey's serial number).
|
||||
When you add a GPG key to a Yubikey using the *keytocard* command, GPG deletes the key from your keyring and adds a *stub* pointing to that exact Yubikey (the stub identifies the GPG KeyID and the Yubikey's serial number).
|
||||
|
||||
However, when you do this same operation for a second Yubikey, the stub in your keyring is overwritten by the *keytocard* operation and now the stub points to your second Yubikey. Adding more repeats this overwriting operation.
|
||||
|
||||
@ -1697,7 +1697,7 @@ ssb> 4096R/0x3F29127E79649A3D created: 2017-10-09 expires: 2018-10-09
|
||||
card-no: 0006 05553211
|
||||
```
|
||||
|
||||
`sec#` indicates master key is not available (as it should be stored encrypted offline).
|
||||
`sec#` indicates the master key is not available (as it should be stored encrypted offline).
|
||||
|
||||
**Note** If you see `General key info..: [none]` in the output instead - go back and import the public key using the previous step.
|
||||
|
||||
@ -1767,13 +1767,13 @@ document.pdf.1580000000.enc -> document.pdf
|
||||
|
||||
# Rotating keys
|
||||
|
||||
PGP does not provide forward secrecy - a compromised key may be used to decrypt all past messages. Although keys stored on YubiKey are difficult to steal, it is not impossible - the key and PIN could be taken, or a vulnerability may be discovered in key hardware or random number generator used to create them, for example. Therefore, it is good practice to occassionally rotate sub-keys.
|
||||
PGP does not provide forward secrecy - a compromised key may be used to decrypt all past messages. Although keys stored on YubiKey are difficult to steal, it is not impossible - the key and PIN could be taken, or a vulnerability may be discovered in key hardware or the random number generator used to create them, for example. Therefore, it is good practice to occassionally rotate sub-keys.
|
||||
|
||||
When a sub-key expires, it can either be renewed or replaced. Both actions require access to the offline master key. Renewing sub-keys by updating their expiration date indicates you are still in possession of the offline master key and is more convenient.
|
||||
|
||||
Replacing keys, on the other hand, is less convenient but more secure: the new sub-keys will **not** be able to decrypt previous messages, authenticate with SSH, etc. Contacts will need to receive the updated public key and any encrypted secrets need to be decrypted and re-encrypted to new sub-keys to be usable. This process is functionally equivalent to "losing" the YubiKey and provisioning a new one. However, you will always be able to decrypt previous messages using the offline encrypted backup of the original keys.
|
||||
|
||||
Neither rotation method is superior and it's up to personal philosophy on identity management and individual threat model to decide which one to use, or whether to expire sub-keys at all. Ideally, sub-keys would be ephemeral: used only once for each encryption, signing and authentication event, however in practice that is not really feasible or worthwhile with YubiKey. Advanced users may want to dedicate an offline device for more frequent key rotations and ease of provisioning.
|
||||
Neither rotation method is superior and it's up to personal philosophy on identity management and individual threat model to decide which one to use, or whether to expire sub-keys at all. Ideally, sub-keys would be ephemeral: used only once for each encryption, signing and authentication event, however in practice that is not really feasible nor worthwhile with YubiKey. Advanced users may want to dedicate an offline device for more frequent key rotations and ease of provisioning.
|
||||
|
||||
## Setup environment
|
||||
|
||||
@ -1886,7 +1886,7 @@ ssb* rsa4096/0x3F29127E79649A3D
|
||||
[ultimate] (1). Dr Duh <doc@duh.to>
|
||||
```
|
||||
|
||||
Then, use the `expire` command to set a new expiration date. (Despite the name, this will not cause currently valid keys to become expired).
|
||||
Then, use the `expire` command to set a new expiration date. (Despite the name, this will not cause currently valid keys to become expired.)
|
||||
|
||||
```console
|
||||
gpg> expire
|
||||
@ -1960,7 +1960,7 @@ $ gpg --armor --export $KEYID | sudo tee /mnt/public/$KEYID-$(date +%F).asc
|
||||
$ sudo umount /mnt/public
|
||||
```
|
||||
|
||||
Disconnect the storage device and follow the original steps to transfer new keys (4, 5 and 6) to YubiKey, replacing existing ones. Reboot or securely erase the GPG temporary working directory.
|
||||
Disconnect the storage device and follow the original steps to transfer new keys (4, 5 and 6) to the YubiKey, replacing existing ones. Reboot or securely erase the GPG temporary working directory.
|
||||
|
||||
# Adding notations
|
||||
|
||||
@ -2181,7 +2181,7 @@ Host
|
||||
|
||||
After successfully ssh into the remote, you should check that you have `/run/user/1000/gnupg/S.gpg-agent.ssh` lying there.
|
||||
|
||||
The in the *remote* you can type in command line or configure in the shell rc file with
|
||||
Then in the *remote* you can type in command line or configure in the shell rc file with:
|
||||
|
||||
```console
|
||||
export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
|
||||
@ -2249,7 +2249,7 @@ $ doas reboot
|
||||
|
||||
## Windows
|
||||
|
||||
Windows can already have some virtual smartcard readers installed, like the one provided for Windows Hello. To ensure your YubiKey is the correct one used by scdaemon, you should add it to its configuration. You will need your device's full name. To find out what is your device's full name, plug your YubiKey and open PowerShell to run the following command:
|
||||
Windows can already have some virtual smartcard readers installed, like the one provided for Windows Hello. To ensure your YubiKey is the correct one used by scdaemon, you should add it to its configuration. You will need your device's full name. To find your device's full name, plug in your YubiKey and open PowerShell to run the following command:
|
||||
|
||||
``` powershell
|
||||
PS C:\WINDOWS\system32> Get-PnpDevice -Class SoftwareDevice | Where-Object {$_.FriendlyName -like "*YubiKey*"} | Select-Object -ExpandProperty FriendlyName
|
||||
@ -2299,7 +2299,7 @@ The goal here is to make the SSH client inside WSL work together with the Window
|
||||
|
||||
#### Use ssh-agent or use S.weasel-pegant
|
||||
|
||||
One way to forward is just `ssh -A` (still need to eval weasel to setup local ssh-agent), and only relies on OpenSSH. In this track, `ForwardAgent` and `AllowAgentForwarding` in ssh/sshd config may be involved; However, if you use the other way(gpg ssh socket forwarding), you should not enable `ForwardAgent` in ssh config. See [SSH Agent Forwarding](#remote-machines-ssh-agent-forwarding) for more info.
|
||||
One way to forward is just `ssh -A` (still need to eval weasel to setup local ssh-agent), and only relies on OpenSSH. In this track, `ForwardAgent` and `AllowAgentForwarding` in ssh/sshd config may be involved; However, if you use the other way (gpg ssh socket forwarding), you should not enable `ForwardAgent` in ssh config. See [SSH Agent Forwarding](#remote-machines-ssh-agent-forwarding) for more info.
|
||||
|
||||
Another way is to forward the gpg ssh socket, as described below.
|
||||
|
||||
@ -2341,11 +2341,11 @@ StreamLocalBindUnlink yes
|
||||
|
||||
And reload the SSH daemon (e.g., `sudo service sshd reload`).
|
||||
|
||||
Unplug YubiKey, disconnect or reboot. Log back in to Windows, open a WSL console and enter `ssh-add -l` - you should see nothing.
|
||||
Unplug YubiKey, disconnect or reboot. Log back into Windows, open a WSL console and enter `ssh-add -l` - you should see nothing.
|
||||
|
||||
Plug in YubiKey, enter the same command to display the ssh key.
|
||||
|
||||
Log in to the remote host, you should have the pinentry dialog asking for the YubiKey pin.
|
||||
Log into the remote host, you should have the pinentry dialog asking for the YubiKey pin.
|
||||
|
||||
On the remote host, type `ssh-add -l` - if you see the ssh key, that means forwarding works!
|
||||
|
||||
@ -2431,7 +2431,7 @@ Import public keys to the remote machine. This can be done by fetching from a ke
|
||||
$ scp ~/.gnupg/pubring.kbx remote:~/.gnupg/
|
||||
```
|
||||
|
||||
On modern distributions, such as Fedora 30, there is typically no need to also set `RemoteForward` in `~/.ssh/config` as detailed in the next chapter, because the right thing actually happens automatically.
|
||||
On modern distributions, such as Fedora 30, there is typically no need to also set `RemoteForward` in `~/.ssh/config` as detailed in the next chapter, because the right thing happens automatically.
|
||||
|
||||
If any error happens (or there is no `gpg-agent.socket` in the remote) for modern distributions, you may go through the configuration steps in the next section.
|
||||
|
||||
@ -2470,15 +2470,15 @@ pinentry-program /usr/bin/pinentry-gtk-2
|
||||
extra-socket /run/user/1000/gnupg/S.gpg-agent.extra
|
||||
```
|
||||
|
||||
**Note** The pinentry program starts on *local* machine, not remote. Hence when there are needs to enter the pin you need to find the prompt on local machine.
|
||||
**Note** The pinentry program starts on *local* machine, not remote. Hence when there are needs to enter the pin you need to find the prompt on the local machine.
|
||||
|
||||
**Important** Any pinentry program except `pinentry-tty` or `pinentry-curses` may be used. This is because local `gpg-agent` may start headlessly (By systemd without `$GPG_TTY` set locally telling which tty it is on), thus failed to obtain the pin. Errors on the remote may be misleading saying that there is *IO Error* (Yes internally there is actually *IO Error* since it happens when writing to/reading from tty while finding no tty to use, but for end users this is not friendly).
|
||||
**Important** Any pinentry program except `pinentry-tty` or `pinentry-curses` may be used. This is because local `gpg-agent` may start headlessly (By systemd without `$GPG_TTY` set locally telling which tty it is on), thus failed to obtain the pin. Errors on the remote may be misleading saying that there is *IO Error*. (Yes, internally there is actually an *IO Error* since it happens when writing to/reading from tty while finding no tty to use, but for end users this is not friendly.)
|
||||
|
||||
See [Issue #85](https://github.com/drduh/YubiKey-Guide/issues/85) for more information and troubleshooting.
|
||||
|
||||
## Chained GPG Agent Forwarding
|
||||
|
||||
Assume you have gone through the steps above and have `S.gpg-agent` on the *remote*, and you would like to forward this agent into a *third* box, first you may need to configure `sshd_config` of *third* in the same way as *remote*, then in the ssh config of *remote*, add the following lines
|
||||
Assume you have gone through the steps above and have `S.gpg-agent` on the *remote*, and you would like to forward this agent into a *third* box, first you may need to configure `sshd_config` of *third* in the same way as *remote*, then in the ssh config of *remote*, add the following lines:
|
||||
|
||||
```console
|
||||
Host third
|
||||
|
Loading…
Reference in New Issue
Block a user