+ [Steps for older distributions](#steps-for-older-distributions)
* [GitHub](#github)
* [OpenBSD](#openbsd-1)
@ -66,15 +71,14 @@ If you have a comment or suggestion, please open an [Issue](https://github.com/d
- [Troubleshooting](#troubleshooting)
- [Links](#links)
# Purchase YubiKey
All YubiKeys except the blue "security key" model are compatible with this guide. NEO models are limited to 2048-bit RSA keys. Compare YubiKeys [here](https://www.yubico.com/products/yubikey-hardware/compare-products-series/).
# Purchase
# Verify YubiKey
All YubiKeys except the blue "security key" model are compatible with this guide. NEO models are limited to 2048-bit RSA keys. Compare YubiKeys [here](https://www.yubico.com/products/yubikey-hardware/compare-products-series/).
To verify a YubiKey is genuine, open a [browser with U2F support](https://support.yubico.com/support/solutions/articles/15000009591-how-to-confirm-your-yubico-device-is-genuine-with-u2f) to [https://www.yubico.com/genuine/](https://www.yubico.com/genuine/). Insert a Yubico device, and select *Verify Device* to begin the process. Touch the YubiKey when prompted, and if asked, allow it to see the make and model of the device. If you see *Verification complete*, the device is authentic.
This website verifies the YubiKey's device attestation certificates signed by a set of Yubico CAs, and helps mitigate [supply chain attacks](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20r00killah-and-securelyfitz-Secure-Tokin-and-Doobiekeys.pdf).
This website verifies YubiKey device attestation certificates signed by a set of Yubico certificate authorities, and helps mitigate [supply chain attacks](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20r00killah-and-securelyfitz-Secure-Tokin-and-Doobiekeys.pdf).
# Download OS Image
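Review bot: dropping the `# Verify YubiKey` heading while keeping the two verification paragraphs under `# Purchase` silently breaks any table-of-contents entry or external link that points at `#verify-yubikey`; either keep a `## Verify YubiKey` sub-heading under `# Purchase` or update the TOC hunk above to match. The reworded attestation sentence ("signed by a set of Yubico certificate authorities") is clearer than the original, no change needed there.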
@ -186,7 +190,21 @@ Open the terminal and install required software packages.
@ -327,33 +345,26 @@ An entropy pool value greater than 2000 is sufficient.
# Creating keys
## Using a temporary file system (Tmpfs)
## Using a temporary file system
Create a temporary directory which will be cleared on [reboot](https://en.wikipedia.org/wiki/Tmpfs):
Create a temporary directory which will be cleared on [reboot](https://en.wikipedia.org/wiki/Tmpfs) and set it as the GnuPG directory:
```console
$ export GNUPGHOME=$(mktemp -d)
$ cd $GNUPGHOME
```
## Use the Storage Device as backup and reusable enviroment
As you may want to keep a offline backup of your keys as well as a clean enviroment to be set up easily, you also might consider to keep your USB-Storage device including the keys in a save place. Therefore, just set your desired GNUPGHOME-Variable:
Otherwise, to preserve the working environment, set the GnuPG directory to your home folder:
```console
$ export GNUPGHOME=~/gnupg-workspace
$ cd $GNUPGHOME
```
**Remember** You must store the device in a secure place afterwards or destroy it physically (smash, burn, shred etc.)
## Harden your setup
## Harden configuration
Create a hardened configuration in the temporary directory with the following options:
Create a hardened configuration in the temporary working directory with the following options:
Disable networking for the remainder of the setup.
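Review bot: the replacement for the "Use the Storage Device as backup and reusable enviroment" paragraph (`export GNUPGHOME=~/gnupg-workspace`) drops the removed "**Remember**" sentence, and with it the only reminder that a persistent GnuPG directory holds the master secret key and must be kept on secure offline storage or wiped afterwards; carry that reminder into the new wording. Separately, `mktemp -d` creates the directory under `$TMPDIR` or `/tmp`, which is only "cleared on reboot" in the sense of the linked tmpfs article when `/tmp` is actually mounted as tmpfs on the live system; a one-line `mount | grep /tmp` check would be worth adding before `cd $GNUPGHOME`.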
@ -387,14 +398,14 @@ The first key to generate is the master key. It will be used for certification o
You'll be prompted to enter and verify a passphrase - keep it handy as you'll need it multiple times later.
To generate a strong passphrase which could be written down in a hidden or secure place; or memorized:
Generate a strong passphrase which could be written down in a secure place or memorized:
```console
$ gpg --gen-random --armor 0 24
ydOmByxmDe63u7gqx2XI9eDgpvJwibNH
```
On Linux or OpenBSD, select the password with the mouse to copy it to the clipboard and paste using the middle mouse button or `Shift`-`Insert`.
On Linux or OpenBSD, select the password using the mouse or by double-clicking on it to copy to clipboard. Paste using the middle mouse button or `Shift`-`Insert`.
Generate a new key with GPG, selecting `(8) RSA (set your own capabilities)`, `Certify` capability only and `4096` bit key size.
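Review bot: the console block shows a concrete passphrase (`ydOmByxmDe63u7gqx2XI9eDgpvJwibNH`) directly under "Generate a strong passphrase", which invites copy-paste; label it as example output and say that every run of `gpg --gen-random --armor 0 24` yields a different value. The rewritten clipboard sentence is fine, but selecting the passphrase leaves it in the X11 primary selection and clipboard until overwritten, so a short note to overwrite or clear the selection after pasting belongs here.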
@ -459,7 +470,7 @@ Key does not expire at all
Is this correct? (y/N) y
```
Select a name and email address - neither has to be valid nor existing.
Input any name and email address:
```console
GnuPG needs to construct a user ID to identify your key.
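Review bot: "Input any name and email address:" loses the one fact in the removed line that readers actually ask about, namely that neither value has to be valid or existing; suggest "Input any name and email address (neither needs to be real or existing):" so the shortening does not drop information.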
@ -717,7 +728,7 @@ Finish by saving the keys.
gpg> save
```
## Add extra emails
## Add extra emails (optional)
```console
gpg> adduid
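Review bot: renaming the heading to `## Add extra emails (optional)` changes its generated anchor from `#add-extra-emails` to `#add-extra-emails-optional`; check the table of contents and any in-document cross-references for the old anchor before merging.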
@ -868,10 +879,10 @@ Even worse, we cannot advertise this fact in any way to those that are using our
Keep the backup mounted if you plan on setting up two or more keys as `keytocard`**will [delete](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html) the local copy** on save.
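Review bot: markdown spacing: `` `keytocard`**will `` has no space between the closing backtick and `**`, so the rendered text reads "keytocardwill"; write it as `` `keytocard` **will [delete](...) the local copy** on save ``.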
@ -995,9 +1015,9 @@ Keep the backup mounted if you plan on setting up two or more keys as `keytocard
Unmount, close and disconnected the encrypted volume:
```console
$ sudo umount /mnt/encrypted-usb
$ sudo umount /mnt/encrypted-storage/
$ sudo cryptsetup luksClose usb
$ sudo cryptsetup luksClose secret
```
Create another partition to store the public key, or skip this step if you plan on uploading it to a key server.
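Review bot: grammar in the context line: "Unmount, close and disconnected the encrypted volume" should read "Unmount, close and disconnect the encrypted volume". The mapper rename from `usb` to `secret` is consistent with the `luksOpen /dev/mmcblk0p1 secret` introduced in the rotation hunk further down; make sure the original `luksOpen` in the backup section was renamed in the same commit, otherwise `luksClose secret` will fail with "Device secret not found".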
@ -1005,7 +1025,7 @@ Create another partition to store the public key, or skip this step if you plan
**Important** Without the *public* key, you will not be able to use GPG to encrypt, decrypt, nor sign messages. However, you will still be able to use YubiKey for SSH authentication.
```console
$ sudo fdisk /dev/sdb
$ sudo fdisk /dev/mmcblk0
Command (m for help): n
Partition type
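Review bot: `/dev/mmcblk0` is an example device name, and this `fdisk` run targets the same disk that already holds the encrypted backup partition, so add a sentence telling the reader to confirm the device name with `dmesg` or `lsblk` first (the rotation section below already shows the `sudo dmesg | tail` pattern); running `fdisk` against the wrong disk repartitions the host or the backup.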
@ -1023,7 +1043,7 @@ The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
$ sudo mkfs.ext2 /dev/sdb2
$ sudo mkfs.ext2 /dev/mmcblk0p2
Creating filesystem with 10240 1k blocks and 2560 inodes
If you have additional (e.g. backup) security devices, restore the USB backup and repeat the [Configure Smartcard](#configure-smartcard) steps.
To provision additional security keys, restore the master key backup and repeat the [Configure Smartcard](#configure-smartcard) procedure.
```console
$ cd
$ mv -vi $GNUPGHOME $GNUPGHOME.1
renamed '/tmp.FLZC0xcM' -> '/tmp.FLZC0xcM.1'
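Review bot: the sample output `renamed '/tmp.FLZC0xcM' -> '/tmp.FLZC0xcM.1'` does not match what `mktemp -d` produces, which is a directory under `/tmp/` (for example `/tmp/tmp.FLZC0xcM`); fix the example path. Worth a sentence too that `mv -vi` only renames the directory, so `$GNUPGHOME.1` still contains master secret key material on whatever filesystem backs `/tmp`.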
@ -1418,10 +1442,10 @@ $ cd $GNUPGHOME
Ensure you have:
* Saved the encryption, signing and authentication sub-keys to YubiKey.
* Saved the YubiKey PINs which you changed from defaults.
* Saved the password to the master key.
* Saved a copy of the master key, sub-keys and revocation certificates on an encrypted volume, to be stored offline.
* Saved encryption, signing and authentication sub-keys to YubiKey (`gpg -K` should show `ssb>` for sub-keys).
* Saved the YubiKey user and admin PINs which you changed from defaults.
* Saved the password to the GPG master key.
* Saved a copy of the master key, sub-keys and revocation certificate on an encrypted volume, to be stored offline.
* Saved the password to that encrypted volume in a separate location.
* Saved a copy of the public key somewhere easily accessible later.
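Review bot: the `ssb>` hint is a good addition, but `ssb>` only shows that the secret sub-key is a stub pointing at a smartcard, not which one; suggest adding `gpg --card-status` to the checklist so the reader confirms the fingerprints listed for the signature, encryption and authentication slots match the three sub-keys. The new "password to that encrypted volume in a separate location" item closes a real gap in the old list.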
@ -1636,7 +1660,25 @@ Neither rotation method is superior and it's up to personal philosophy on identi
### Initial setup for rotating keys or renewing sub-keys
To renew or rotate sub-keys, follow the same procedure to boot to a secure environment. Install required software and disconnect networking. Decrypt and mount the offline volume, then import the master key and configuration to a temporary working directory:
To renew or rotate sub-keys, follow the same process as generating keys: boot to a secure environment, install required software and disconnect networking.
Connect the offline secret storage device with the master keys and identify the disk label:
```console
$ sudo dmesg | tail
mmc0: new high speed SDHC card at address a001
mmcblk0: mmc0:a001 SS16G 14.8 GiB (ro)
mmcblk0: p1 p2
```
Decrypt and mount the offline volume:
```console
$ sudo cryptsetup luksOpen /dev/mmcblk0p1 secret
Enter passphrase for /dev/mmcblk0p1:
```
Import the master key and configuration to a temporary working directory:
```console
$ export GNUPGHOME=$(mktemp -d)
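Review bot: the "Decrypt and mount the offline volume:" step only shows `cryptsetup luksOpen`; the `mount` command is missing, and since the earlier hunk unmounts `/mnt/encrypted-storage/`, something like `sudo mount /dev/mapper/secret /mnt/encrypted-storage` belongs before "Import the master key". Also, the example `dmesg` line ends in `(ro)`, meaning the card reports itself write-protected; fine for reading the backup, but it will block writing renewed sub-keys back to it, so a note about the write-protect tab would help.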
@ -2257,10 +2299,16 @@ scd apdu 00 44 00 00
/echo Card has been successfully reset.
```
Or you may do it via `ykman` if installed:
Or use `ykman`:
```console
$ ykman openpgp reset
WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y
Resetting OpenPGP data, don't remove your YubiKey...
Success! All data has been cleared and default PINs are set.
PIN: 123456
Reset code: NOT SET
Admin PIN: 12345678
```
# Notes
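Review bot: the reset output ends with the factory default PINs (`PIN: 123456`, `Admin PIN: 12345678`); add a pointer back to the PIN change step, since the checklist above requires PINs changed from defaults and a freshly reset key is otherwise protected only by published values. The shortened "Or use `ykman`:" wording is fine.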
@ -2304,6 +2352,8 @@ $ ykman openpgp reset
- If you receive the error, `Please insert the card with serial number: *` see [management of multiple keys](#multiple-keys).
- If you receive the error, `There is no assurance this key belongs to the named user` or `encryption failed: Unusable public key` use `gpg --edit-key` to set `trust` to `5 = I trust ultimately`.
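Review bot: the `There is no assurance this key belongs to the named user` item should state that `trust` set to `5 = I trust ultimately` is only appropriate for the reader's own key, the one generated in this guide; ultimate trust on someone else's key makes GPG treat every key that key has signed as valid. For a correspondent's key the right fix is to verify the fingerprint and `sign` or `lsign` it, not to raise owner trust.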