mirror of https://github.com/drduh/YubiKey-Guide.git, synced 2025-01-05 12:30:58 +00:00

Commit bf38b94a65 (parent aad01ffde4): Disambiguate backup volume label to fix #176.

README.md | 204
@ -6,11 +6,10 @@ Keys stored on YubiKey are [non-exportable](https://support.yubico.com/support/s
|
|||||||
|
|
||||||
If you have a comment or suggestion, please open an [Issue](https://github.com/drduh/YubiKey-Guide/issues) on GitHub.
|
If you have a comment or suggestion, please open an [Issue](https://github.com/drduh/YubiKey-Guide/issues) on GitHub.
|
||||||
|
|
||||||
- [Purchase YubiKey](#purchase-yubikey)
|
- [Purchase](#purchase)
|
||||||
- [Verify YubiKey](#verify-yubikey)
|
|
||||||
- [Download OS Image](#download-os-image)
|
- [Download OS Image](#download-os-image)
|
||||||
- [Required software](#required-software)
|
- [Required software](#required-software)
|
||||||
* [Debian/Ubuntu](#debianubuntu)
|
* [Debian/Ubuntu](#debian-ubuntu)
|
||||||
* [Arch](#arch)
|
* [Arch](#arch)
|
||||||
* [RHEL7](#rhel7)
|
* [RHEL7](#rhel7)
|
||||||
* [NixOS](#nixos)
|
* [NixOS](#nixos)
|
||||||
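Review bot: the anchor rewrite from `#debianubuntu` to `#debian-ubuntu` will not resolve on GitHub, where the heading `Debian/Ubuntu` slugs to `#debianubuntu` (punctuation is dropped, not turned into a hyphen); since the upstream repository lives on github.com, keep the original anchor or check the link against the rendered README before merging. Removing the `Verify YubiKey` TOC entry is consistent with the heading removal further down, but the genuineness check then has no addressable heading at all.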
@ -19,16 +18,18 @@ If you have a comment or suggestion, please open an [Issue](https://github.com/d
|
|||||||
* [Windows](#windows)
|
* [Windows](#windows)
|
||||||
- [Entropy](#entropy)
|
- [Entropy](#entropy)
|
||||||
- [Creating keys](#creating-keys)
|
- [Creating keys](#creating-keys)
|
||||||
|
* [Using a temporary file system](#using-a-temporary-file-system)
|
||||||
|
* [Harden configuration](#harden-configuration)
|
||||||
- [Master key](#master-key)
|
- [Master key](#master-key)
|
||||||
- [Sign with an existing key (optional)](#sign-with-an-existing-key-optional)
|
- [Sign with an existing key (optional)](#sign-with-an-existing-key--optional-)
|
||||||
- [Sub-keys](#sub-keys)
|
- [Sub-keys](#sub-keys)
|
||||||
* [Signing](#signing)
|
* [Signing](#signing)
|
||||||
* [Encryption](#encryption)
|
* [Encryption](#encryption)
|
||||||
* [Authentication](#authentication)
|
* [Authentication](#authentication)
|
||||||
* [Add extra emails](#add-extra-emails)
|
* [Add extra emails (optional)](#add-extra-emails--optional-)
|
||||||
- [Verify](#verify)
|
- [Verify](#verify)
|
||||||
- [Create a revoke certificate](#create-a-revoke-certificate)
|
|
||||||
- [Export](#export)
|
- [Export](#export)
|
||||||
|
- [Create a revoke certificate](#create-a-revoke-certificate)
|
||||||
- [Backup](#backup)
|
- [Backup](#backup)
|
||||||
- [Configure Smartcard](#configure-smartcard)
|
- [Configure Smartcard](#configure-smartcard)
|
||||||
* [Change PIN](#change-pin)
|
* [Change PIN](#change-pin)
|
||||||
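Review bot: the anchors `#sign-with-an-existing-key--optional-` and `#add-extra-emails--optional-` use a slug scheme that replaces each parenthesis with a hyphen; GitHub generates `#sign-with-an-existing-key-optional` and `#add-extra-emails-optional` for those headings, so both TOC links are dead on github.com. Prefer the GitHub form, or verify the rendered TOC on every host the guide is published on. The new `Using a temporary file system` and `Harden configuration` entries match the renamed headings later in the diff.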
@ -38,17 +39,21 @@ If you have a comment or suggestion, please open an [Issue](https://github.com/d
|
|||||||
* [Encryption](#encryption-1)
|
* [Encryption](#encryption-1)
|
||||||
* [Authentication](#authentication-1)
|
* [Authentication](#authentication-1)
|
||||||
- [Verify card](#verify-card)
|
- [Verify card](#verify-card)
|
||||||
|
- [Multiple keys](#multiple-keys)
|
||||||
- [Cleanup](#cleanup)
|
- [Cleanup](#cleanup)
|
||||||
- [Using keys](#using-keys)
|
- [Using keys](#using-keys)
|
||||||
- [Rotating keys](#rotating-keys)
|
- [Rotating keys](#rotating-keys)
|
||||||
|
+ [Initial setup for rotating keys or renewing sub-keys](#initial-setup-for-rotating-keys-or-renewing-sub-keys)
|
||||||
|
+ [Renewing sub-keys](#renewing-sub-keys)
|
||||||
|
+ [Rotating keys](#rotating-keys-1)
|
||||||
- [SSH](#ssh)
|
- [SSH](#ssh)
|
||||||
* [Create configuration](#create-configuration)
|
* [Create configuration](#create-configuration)
|
||||||
* [Replace agents](#replace-agents)
|
* [Replace agents](#replace-agents)
|
||||||
* [Copy public key](#copy-public-key)
|
* [Copy public key](#copy-public-key)
|
||||||
* [(Optional) Save public key for identity file configuration](#optional-save-public-key-for-identity-file-configuration)
|
* [(Optional) Save public key for identity file configuration](#-optional--save-public-key-for-identity-file-configuration)
|
||||||
* [Connect with public key authentication](#connect-with-public-key-authentication)
|
* [Connect with public key authentication](#connect-with-public-key-authentication)
|
||||||
* [Import SSH keys](#import-ssh-keys)
|
* [Import SSH keys](#import-ssh-keys)
|
||||||
* [Remote Machines (Agent Forwarding)](#remote-machines-agent-forwarding)
|
* [Remote Machines (Agent Forwarding)](#remote-machines--agent-forwarding-)
|
||||||
+ [Steps for older distributions](#steps-for-older-distributions)
|
+ [Steps for older distributions](#steps-for-older-distributions)
|
||||||
* [GitHub](#github)
|
* [GitHub](#github)
|
||||||
* [OpenBSD](#openbsd-1)
|
* [OpenBSD](#openbsd-1)
|
||||||
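Review bot: same slug problem for `#-optional--save-public-key-for-identity-file-configuration` and `#remote-machines--agent-forwarding-`; GitHub renders those headings as `#optional-save-public-key-for-identity-file-configuration` and `#remote-machines-agent-forwarding`. The added `Multiple keys`, `Initial setup ...`, `Renewing sub-keys` and `Rotating keys` entries are fine, with the caveat that `#rotating-keys-1` only works while there are exactly two `Rotating keys` headings in that order, so any future heading rename needs to touch this line too.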
@ -66,15 +71,14 @@ If you have a comment or suggestion, please open an [Issue](https://github.com/d
|
|||||||
- [Troubleshooting](#troubleshooting)
|
- [Troubleshooting](#troubleshooting)
|
||||||
- [Links](#links)
|
- [Links](#links)
|
||||||
|
|
||||||
# Purchase YubiKey
|
|
||||||
|
# Purchase
|
||||||
|
|
||||||
All YubiKeys except the blue "security key" model are compatible with this guide. NEO models are limited to 2048-bit RSA keys. Compare YubiKeys [here](https://www.yubico.com/products/yubikey-hardware/compare-products-series/).
|
All YubiKeys except the blue "security key" model are compatible with this guide. NEO models are limited to 2048-bit RSA keys. Compare YubiKeys [here](https://www.yubico.com/products/yubikey-hardware/compare-products-series/).
|
||||||
|
|
||||||
# Verify YubiKey
|
|
||||||
|
|
||||||
To verify a YubiKey is genuine, open a [browser with U2F support](https://support.yubico.com/support/solutions/articles/15000009591-how-to-confirm-your-yubico-device-is-genuine-with-u2f) to [https://www.yubico.com/genuine/](https://www.yubico.com/genuine/). Insert a Yubico device, and select *Verify Device* to begin the process. Touch the YubiKey when prompted, and if asked, allow it to see the make and model of the device. If you see *Verification complete*, the device is authentic.
|
To verify a YubiKey is genuine, open a [browser with U2F support](https://support.yubico.com/support/solutions/articles/15000009591-how-to-confirm-your-yubico-device-is-genuine-with-u2f) to [https://www.yubico.com/genuine/](https://www.yubico.com/genuine/). Insert a Yubico device, and select *Verify Device* to begin the process. Touch the YubiKey when prompted, and if asked, allow it to see the make and model of the device. If you see *Verification complete*, the device is authentic.
|
||||||
|
|
||||||
This website verifies the YubiKey's device attestation certificates signed by a set of Yubico CAs, and helps mitigate [supply chain attacks](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20r00killah-and-securelyfitz-Secure-Tokin-and-Doobiekeys.pdf).
|
This website verifies YubiKey device attestation certificates signed by a set of Yubico certificate authorities, and helps mitigate [supply chain attacks](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20r00killah-and-securelyfitz-Secure-Tokin-and-Doobiekeys.pdf).
|
||||||
|
|
||||||
# Download OS Image
|
# Download OS Image
|
||||||
|
|
||||||
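Review bot: deleting the `# Verify YubiKey` heading folds the genuineness check into `Purchase` with no heading of its own, so it also disappears from the table of contents; since this attestation check is the guide's only supply-chain control on the device itself, keep it addressable, for example as `## Verify` under `# Purchase`. The wording change from `Yubico CAs` to `Yubico certificate authorities` reads well.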
@ -186,7 +190,21 @@ Open the terminal and install required software packages.
|
|||||||
```console
|
```console
|
||||||
$ sudo apt update
|
$ sudo apt update
|
||||||
|
|
||||||
$ sudo apt install -y wget gnupg2 gnupg-agent dirmngr cryptsetup scdaemon pcscd secure-delete hopenpgp-tools yubikey-personalization
|
$ sudo apt -y upgrade
|
||||||
|
|
||||||
|
$ sudo apt -y install wget gnupg2 gnupg-agent dirmngr cryptsetup scdaemon pcscd secure-delete hopenpgp-tools yubikey-personalization
|
||||||
|
```
|
||||||
|
|
||||||
|
To install and use the `ykman` utility:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ sudo apt -y install python-pip python-pyscard
|
||||||
|
|
||||||
|
$ pip install yubikey-manager
|
||||||
|
|
||||||
|
$ sudo service pcscd start
|
||||||
|
|
||||||
|
$ ~/.local/bin/ykman openpgp info
|
||||||
```
|
```
|
||||||
|
|
||||||
## Arch
|
## Arch
|
||||||
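Review bot: `pip install yubikey-manager` without `--user`, followed by `~/.local/bin/ykman`, only works where pip defaults to a user-site install (a distribution-specific pip behaviour for non-root users); write `pip install --user yubikey-manager` so the path on the next line is guaranteed to exist. `python-pip` and `python-pyscard` are the Python 2 packages on Debian/Ubuntu and recent yubikey-manager releases require Python 3, so `python3-pip python3-pyscard` with `python3 -m pip install --user yubikey-manager` is the safer instruction. Finally, pulling from PyPI bypasses apt's signed repositories; where the distribution ships a `yubikey-manager` package it should be preferred so the tooling stays under the same trust root as the rest of this install block. Adding `apt -y upgrade` before the install is a good change for a live image.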
@ -289,7 +307,7 @@ Most operating systems use software-based pseudorandom number generators. A hard
|
|||||||
Install and configure OneRNG software:
|
Install and configure OneRNG software:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ sudo apt install -y at rng-tools python-gnupg openssl
|
$ sudo apt -y install at rng-tools python-gnupg openssl
|
||||||
|
|
||||||
$ wget https://github.com/OneRNG/onerng.github.io/raw/master/sw/onerng_3.6-1_all.deb
|
$ wget https://github.com/OneRNG/onerng.github.io/raw/master/sw/onerng_3.6-1_all.deb
|
||||||
|
|
||||||
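Review bot: the `-y` reordering is purely cosmetic; the real gap in this block is that `onerng_3.6-1_all.deb` is fetched from GitHub with no checksum or signature check, which matters for a package that feeds the system entropy pool. Record the expected SHA-256 of the .deb in the guide and have the reader verify it with `sha256sum -c` before installing it.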
@ -327,33 +345,26 @@ An entropy pool value greater than 2000 is sufficient.
|
|||||||
|
|
||||||
# Creating keys
|
# Creating keys
|
||||||
|
|
||||||
## Using a temporary file system (Tmpfs)
|
## Using a temporary file system
|
||||||
|
|
||||||
Create a temporary directory which will be cleared on [reboot](https://en.wikipedia.org/wiki/Tmpfs):
|
Create a temporary directory which will be cleared on [reboot](https://en.wikipedia.org/wiki/Tmpfs) and set it as the GnuPG directory:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ export GNUPGHOME=$(mktemp -d)
|
$ export GNUPGHOME=$(mktemp -d)
|
||||||
|
|
||||||
$ cd $GNUPGHOME
|
|
||||||
```
|
```
|
||||||
|
|
||||||
## Use the Storage Device as backup and reusable enviroment
|
Otherwise, to preserve the working environment, set the GnuPG directory to your home folder:
|
||||||
|
|
||||||
As you may want to keep a offline backup of your keys as well as a clean enviroment to be set up easily, you also might consider to keep your USB-Storage device including the keys in a save place. Therefore, just set your desired GNUPGHOME-Variable:
|
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ export GNUPGHOME=~/gnupg-workspace
|
$ export GNUPGHOME=~/gnupg-workspace
|
||||||
|
|
||||||
$ cd $GNUPGHOME
|
|
||||||
```
|
```
|
||||||
**Remember** You must store the device in a secure place afterwards or destroy it physically (smash, burn, shred etc.)
|
|
||||||
|
|
||||||
## Harden your setup
|
## Harden configuration
|
||||||
|
|
||||||
Create a hardened configuration in the temporary directory with the following options:
|
Create a hardened configuration in the temporary working directory with the following options:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ wget https://raw.githubusercontent.com/drduh/config/master/gpg.conf
|
$ wget -O $GNUPGHOME/gpg.conf https://raw.githubusercontent.com/drduh/config/master/gpg.conf
|
||||||
|
|
||||||
$ grep -ve "^#" $GNUPGHOME/gpg.conf
|
$ grep -ve "^#" $GNUPGHOME/gpg.conf
|
||||||
personal-cipher-preferences AES256 AES192 AES
|
personal-cipher-preferences AES256 AES192 AES
|
||||||
@ -373,8 +384,8 @@ verify-options show-uid-validity
|
|||||||
with-fingerprint
|
with-fingerprint
|
||||||
require-cross-certification
|
require-cross-certification
|
||||||
no-symkey-cache
|
no-symkey-cache
|
||||||
throw-keyids
|
|
||||||
use-agent
|
use-agent
|
||||||
|
throw-keyids
|
||||||
```
|
```
|
||||||
|
|
||||||
Disable networking for the remainder of the setup.
|
Disable networking for the remainder of the setup.
|
||||||
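Review bot: the new `preserve the working environment` branch sets `GNUPGHOME=~/gnupg-workspace` but nothing creates the directory (the `cd $GNUPGHOME` lines are removed and there was never a `mkdir`), so the later `wget -O $GNUPGHOME/gpg.conf` fails with `No such file or directory`; add `mkdir -p -m 700 $GNUPGHOME` to that block. The rewrite also drops the warning that a persistent workspace holds the master keyring and must be kept offline or physically destroyed; that caveat should stay, because this branch writes the keyring to the live system's home directory instead of a tmpfs that disappears on reboot. The `wget -O $GNUPGHOME/gpg.conf` change and moving `throw-keyids` below `use-agent` are fine.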
@ -387,14 +398,14 @@ The first key to generate is the master key. It will be used for certification o
|
|||||||
|
|
||||||
You'll be prompted to enter and verify a passphrase - keep it handy as you'll need it multiple times later.
|
You'll be prompted to enter and verify a passphrase - keep it handy as you'll need it multiple times later.
|
||||||
|
|
||||||
To generate a strong passphrase which could be written down in a hidden or secure place; or memorized:
|
Generate a strong passphrase which could be written down in a secure place or memorized:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ gpg --gen-random --armor 0 24
|
$ gpg --gen-random --armor 0 24
|
||||||
ydOmByxmDe63u7gqx2XI9eDgpvJwibNH
|
ydOmByxmDe63u7gqx2XI9eDgpvJwibNH
|
||||||
```
|
```
|
||||||
|
|
||||||
On Linux or OpenBSD, select the password with the mouse to copy it to the clipboard and paste using the middle mouse button or `Shift`-`Insert`.
|
On Linux or OpenBSD, select the password using the mouse or by double-clicking on it to copy to clipboard. Paste using the middle mouse button or `Shift`-`Insert`.
|
||||||
|
|
||||||
Generate a new key with GPG, selecting `(8) RSA (set your own capabilities)`, `Certify` capability only and `4096` bit key size.
|
Generate a new key with GPG, selecting `(8) RSA (set your own capabilities)`, `Certify` capability only and `4096` bit key size.
|
||||||
|
|
||||||
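Review bot: the wording changes are fine, but the unchanged `gpg --gen-random --armor 0 24` asks for quality level 0, the lowest of the three levels gpg documents for `--gen-random 0|1|2`; for the passphrase that protects the master key use the strongest level, `gpg --gen-random --armor 2 24`. The new mouse-selection sentence should also mention that the passphrase stays in the clipboard/selection for the rest of the session and should be cleared once key generation is done.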
@ -459,7 +470,7 @@ Key does not expire at all
|
|||||||
Is this correct? (y/N) y
|
Is this correct? (y/N) y
|
||||||
```
|
```
|
||||||
|
|
||||||
Select a name and email address - neither has to be valid nor existing.
|
Input any name and email address:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
GnuPG needs to construct a user ID to identify your key.
|
GnuPG needs to construct a user ID to identify your key.
|
||||||
@ -717,7 +728,7 @@ Finish by saving the keys.
|
|||||||
gpg> save
|
gpg> save
|
||||||
```
|
```
|
||||||
|
|
||||||
## Add extra emails
|
## Add extra emails (optional)
|
||||||
|
|
||||||
```console
|
```console
|
||||||
gpg> adduid
|
gpg> adduid
|
||||||
@ -868,10 +879,10 @@ Even worse, we cannot advertise this fact in any way to those that are using our
|
|||||||
In order to create the revoke certificate:
|
In order to create the revoke certificate:
|
||||||
|
|
||||||
``` console
|
``` console
|
||||||
gpg --output revoke.asc --gen-revoke $KEYID
|
$ gpg --gen-revoke $KEYID --output $GNUPGHOME/revoke.asc
|
||||||
```
|
```
|
||||||
|
|
||||||
The newly created `revoke.asc` file should be stored (or printed) in a place that allows us to retrieve it in case our backup strategy fails.
|
The `revoke.asc` certificate file should be stored (or printed) in a (secondary) place that allows retrieval in case the main backup fails.
|
||||||
|
|
||||||
# Backup
|
# Backup
|
||||||
|
|
||||||
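Review bot: `gpg --gen-revoke $KEYID --output $GNUPGHOME/revoke.asc` places an option after the command's argument; the gpg manual warns that option and command parsing stops at the first non-option, so keep the original order (`gpg --output $GNUPGHOME/revoke.asc --gen-revoke $KEYID`) rather than relying on argument permutation. Writing `revoke.asc` into `$GNUPGHOME` also means it is swept into the encrypted backup together with the master key, while the surrounding text wants it in a secondary place that survives loss of that backup; add an explicit copy or print step to a location other than the `secret` volume.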
@ -885,52 +896,61 @@ Attach another external storage device and check its label:
|
|||||||
|
|
||||||
```console
|
```console
|
||||||
$ sudo dmesg | tail
|
$ sudo dmesg | tail
|
||||||
usb-storage 4-2:1.0: USB Mass Storage device detected
|
mmc0: new high speed SDHC card at address a001
|
||||||
scsi host7: usb-storage 4-2:1.0
|
mmcblk0: mmc0:a001 SS16G 14.8 GiB
|
||||||
scsi 7:0:0:0: Direct-Access TS-RDF5 SD Transcend TS37 PQ: 0 ANSI: 6
|
|
||||||
sd 7:0:0:0: Attached scsi generic sg1 type 0
|
$ sudo fdisk -l /dev/mmcblk0
|
||||||
sd 7:0:0:0: [sdb] 31116288 512-byte logical blocks: (15.9 GB/14.8 GiB)
|
Disk /dev/mmcblk0: 14.9 GiB, 15931539456 bytes, 31116288 sectors
|
||||||
sd 7:0:0:0: [sdb] Write Protect is off
|
Units: sectors of 1 * 512 = 512 bytes
|
||||||
sd 7:0:0:0: [sdb] Mode Sense: 23 00 00 00
|
Sector size (logical/physical): 512 bytes / 512 bytes
|
||||||
sdb: sdb1
|
I/O size (minimum/optimal): 512 bytes / 512 bytes
|
||||||
sd 7:0:0:0: [sdb] Attached SCSI removable disk
|
|
||||||
```
|
```
|
||||||
|
|
||||||
Write it with random data to prepare for encryption:
|
Write it with random data to prepare for encryption:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ sudo dd if=/dev/urandom of=/dev/sdb bs=4M status=progress
|
$ sudo dd if=/dev/urandom of=/dev/mmcblk0 bs=4M status=progress
|
||||||
```
|
```
|
||||||
|
|
||||||
Erase and create a new partition table:
|
Erase and create a new partition table:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ sudo fdisk /dev/sdb
|
$ sudo fdisk /dev/mmcblk0
|
||||||
|
|
||||||
Welcome to fdisk (util-linux 2.33.1).
|
Welcome to fdisk (util-linux 2.33.1).
|
||||||
|
Changes will remain in memory only, until you decide to write them.
|
||||||
|
Be careful before using the write command.
|
||||||
|
|
||||||
|
Device does not contain a recognized partition table.
|
||||||
|
Created a new DOS disklabel with disk identifier 0x3c1ad14a.
|
||||||
|
|
||||||
Command (m for help): o
|
Command (m for help): o
|
||||||
Created a new DOS disklabel with disk identifier 0xeac7ee35.
|
Created a new DOS disklabel with disk identifier 0xd756b789.
|
||||||
|
|
||||||
Command (m for help): w
|
Command (m for help): w
|
||||||
The partition table has been altered.
|
The partition table has been altered.
|
||||||
Calling ioctl() to re-read partition table.
|
Calling ioctl() to re-read partition table.
|
||||||
Syncing disks.
|
Syncing disks.
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
Create a new partition with a 25 Megabyte size:
|
Create a new partition with a 25 Megabyte size:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ sudo fdisk /dev/sdb
|
$ sudo fdisk /dev/mmcblk0
|
||||||
|
|
||||||
Welcome to fdisk (util-linux 2.33.1).
|
Welcome to fdisk (util-linux 2.33.1).
|
||||||
|
Changes will remain in memory only, until you decide to write them.
|
||||||
|
Be careful before using the write command.
|
||||||
|
|
||||||
Command (m for help): n
|
Command (m for help): n
|
||||||
Partition type
|
Partition type
|
||||||
p primary (0 primary, 0 extended, 4 free)
|
p primary (0 primary, 0 extended, 4 free)
|
||||||
e extended (container for logical partitions)
|
e extended (container for logical partitions)
|
||||||
Select (default p):
|
Select (default p): p
|
||||||
Partition number (1-4, default 1):
|
Partition number (1-4, default 1):
|
||||||
First sector (2048-62980095, default 2048):
|
First sector (2048-31116287, default 2048):
|
||||||
Last sector, +sectors or +size{K,M,G,T,P} (2048-62980095, default 62980095): +25M
|
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-31116287, default 31116287): +25M
|
||||||
|
|
||||||
Created a new partition 1 of type 'Linux' and of size 25 MiB.
|
Created a new partition 1 of type 'Linux' and of size 25 MiB.
|
||||||
|
|
||||||
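Review bot: switching every example from `/dev/sdb` to `/dev/mmcblk0` hard-codes an SD-card device name; readers using the USB-stick flow the guide previously showed will see `sdb`, and `dd if=/dev/urandom of=/dev/mmcblk0` is destructive if the name is wrong. Add one sentence telling the reader to substitute the device reported by `dmesg` and `fdisk -l`, and consider an `lsblk` listing so the boot disk is obviously distinct. The fdisk transcript itself is internally consistent (31116288 sectors in both `fdisk -l` and the `Last sector` prompt, and the auto-created disklabel before `o` is normal for a blank disk).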
@ -943,29 +963,29 @@ Syncing disks.
|
|||||||
Use [LUKS](https://askubuntu.com/questions/97196/how-secure-is-an-encrypted-luks-filesystem) to encrypt the new partition:
|
Use [LUKS](https://askubuntu.com/questions/97196/how-secure-is-an-encrypted-luks-filesystem) to encrypt the new partition:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ sudo cryptsetup luksFormat /dev/sdb1
|
$ sudo cryptsetup luksFormat /dev/mmcblk0p1
|
||||||
|
|
||||||
WARNING!
|
WARNING!
|
||||||
========
|
========
|
||||||
This will overwrite data on /dev/sdb1 irrevocably.
|
This will overwrite data on /dev/mmcblk0p1 irrevocably.
|
||||||
|
|
||||||
Are you sure? (Type uppercase yes): YES
|
Are you sure? (Type uppercase yes): YES
|
||||||
Enter passphrase:
|
Enter passphrase for /dev/mmcblk0p1:
|
||||||
Verify passphrase:
|
Verify passphrase:
|
||||||
```
|
```
|
||||||
|
|
||||||
Mount the partition:
|
Mount the partition:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ sudo cryptsetup luksOpen /dev/sdb1 usb
|
$ sudo cryptsetup luksOpen /dev/mmcblk0p1 secret
|
||||||
Enter passphrase for /dev/sdb1:
|
Enter passphrase for /dev/mmcblk0p1:
|
||||||
```
|
```
|
||||||
|
|
||||||
Create a filesystem:
|
Create a filesystem:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ sudo mkfs.ext2 /dev/mapper/usb -L usb
|
$ sudo mkfs.ext2 /dev/mapper/secret -L gpg-$(date +%F)
|
||||||
Creating filesystem with 10240 1k blocks and 2560 inodes
|
Creating filesystem with 9216 1k blocks and 2304 inodes
|
||||||
Superblock backups stored on blocks:
|
Superblock backups stored on blocks:
|
||||||
8193
|
8193
|
||||||
|
|
||||||
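Review bot: the new label `gpg-$(date +%F)` is on the ext2 filesystem inside the LUKS container, so it is only visible after `luksOpen`; it does not help tell two backup cards apart before unlocking, which is what the commit title suggests is wanted. The `9216 1k blocks` output shows this cryptsetup defaulted to LUKS2 (a 25 MiB partition minus the 16 MiB LUKS2 header), so a header-level label is available: `cryptsetup luksFormat --label gpg-backup /dev/mmcblk0p1` (or `cryptsetup config --label` on an existing device), which `blkid` then reports without opening the volume. The ext2 label itself is fine; `gpg-YYYY-MM-DD` is 14 characters, inside the 16-character ext2 limit. Renaming the mapper from `usb` to `secret` is consistent with the later `luksClose secret`.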
@ -977,17 +997,17 @@ Writing superblocks and filesystem accounting information: done
|
|||||||
Mount the filesystem and copy the temporary directory with the keyring:
|
Mount the filesystem and copy the temporary directory with the keyring:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ sudo mkdir /mnt/encrypted-usb
|
$ sudo mkdir /mnt/encrypted-storage
|
||||||
|
|
||||||
$ sudo mount /dev/mapper/usb /mnt/encrypted-usb
|
$ sudo mount /dev/mapper/secret /mnt/encrypted-storage
|
||||||
|
|
||||||
$ sudo cp -avi $GNUPGHOME /mnt/encrypted-usb
|
$ sudo cp -avi $GNUPGHOME /mnt/encrypted-storage/
|
||||||
```
|
```
|
||||||
|
|
||||||
**Optional** Backup the OneRNG package:
|
**Optional** Backup the OneRNG package:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ sudo cp onerng_3.6-1_all.deb /mnt/encrypted-usb
|
$ sudo cp onerng_3.6-1_all.deb /mnt/encrypted-storage/
|
||||||
```
|
```
|
||||||
|
|
||||||
Keep the backup mounted if you plan on setting up two or more keys as `keytocard` **will [delete](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html) the local copy** on save.
|
Keep the backup mounted if you plan on setting up two or more keys as `keytocard` **will [delete](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html) the local copy** on save.
|
||||||
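Review bot: after `cp -avi $GNUPGHOME /mnt/encrypted-storage/` nothing verifies that the copy is a usable keyring before the volume is closed; add a check such as `gpg --homedir /mnt/encrypted-storage/$(basename $GNUPGHOME) -K` and confirm the master key and all sub-keys are listed, since this copy is what the later `Multiple keys` and `Rotating keys` steps depend on. The `encrypted-usb` to `encrypted-storage` rename is applied consistently.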
@ -995,9 +1015,9 @@ Keep the backup mounted if you plan on setting up two or more keys as `keytocard
|
|||||||
Unmount, close and disconnected the encrypted volume:
|
Unmount, close and disconnected the encrypted volume:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ sudo umount /mnt/encrypted-usb
|
$ sudo umount /mnt/encrypted-storage/
|
||||||
|
|
||||||
$ sudo cryptsetup luksClose usb
|
$ sudo cryptsetup luksClose secret
|
||||||
```
|
```
|
||||||
|
|
||||||
Create another partition to store the public key, or skip this step if you plan on uploading it to a key server.
|
Create another partition to store the public key, or skip this step if you plan on uploading it to a key server.
|
||||||
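Review bot: `Unmount, close and disconnected the encrypted volume:` should read `disconnect`; otherwise the mount-point and mapper-name updates match the earlier steps. A short reminder that `secret` must be the same name used in `luksOpen` would help readers who chose a different one.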
@ -1005,7 +1025,7 @@ Create another partition to store the public key, or skip this step if you plan
|
|||||||
**Important** Without the *public* key, you will not be able to use GPG to encrypt, decrypt, nor sign messages. However, you will still be able to use YubiKey for SSH authentication.
|
**Important** Without the *public* key, you will not be able to use GPG to encrypt, decrypt, nor sign messages. However, you will still be able to use YubiKey for SSH authentication.
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ sudo fdisk /dev/sdb
|
$ sudo fdisk /dev/mmcblk0
|
||||||
|
|
||||||
Command (m for help): n
|
Command (m for help): n
|
||||||
Partition type
|
Partition type
|
||||||
@ -1023,7 +1043,7 @@ The partition table has been altered.
|
|||||||
Calling ioctl() to re-read partition table.
|
Calling ioctl() to re-read partition table.
|
||||||
Syncing disks.
|
Syncing disks.
|
||||||
|
|
||||||
$ sudo mkfs.ext2 /dev/sdb2
|
$ sudo mkfs.ext2 /dev/mmcblk0p2
|
||||||
Creating filesystem with 10240 1k blocks and 2560 inodes
|
Creating filesystem with 10240 1k blocks and 2560 inodes
|
||||||
Superblock backups stored on blocks:
|
Superblock backups stored on blocks:
|
||||||
8193
|
8193
|
||||||
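Review bot: `mkfs.ext2 /dev/mmcblk0p2` leaves the public partition unlabeled while the secret filesystem now gets `-L gpg-$(date +%F)`; give this one a label too (for example `-L public`) so both filesystems can be distinguished with `lsblk -o NAME,LABEL` and mounted by label instead of by device path, which is the point of this change.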
@ -1034,7 +1054,7 @@ Writing superblocks and filesystem accounting information: done
|
|||||||
|
|
||||||
$ sudo mkdir /mnt/public
|
$ sudo mkdir /mnt/public
|
||||||
|
|
||||||
$ sudo mount /dev/sdb2 /mnt/public/
|
$ sudo mount /dev/mmcblk0p2 /mnt/public/
|
||||||
|
|
||||||
$ gpg --armor --export $KEYID | sudo tee /mnt/public/$KEYID-$(date +%F).txt
|
$ gpg --armor --export $KEYID | sudo tee /mnt/public/$KEYID-$(date +%F).txt
|
||||||
```
|
```
|
||||||
@ -1299,7 +1319,9 @@ ssb rsa4096/0x3F29127E79649A3D
|
|||||||
|
|
||||||
## Signing
|
## Signing
|
||||||
|
|
||||||
Select and move the signature key. You will be prompted for the key passphrase and Admin PIN.
|
You will be prompted for the master key passphrase and Admin PIN.
|
||||||
|
|
||||||
|
Select and transfer the signature key.
|
||||||
|
|
||||||
```console
|
```console
|
||||||
gpg> key 1
|
gpg> key 1
|
||||||
@ -1378,7 +1400,11 @@ gpg> keytocard
|
|||||||
Please select where to store the key:
|
Please select where to store the key:
|
||||||
(3) Authentication key
|
(3) Authentication key
|
||||||
Your selection? 3
|
Your selection? 3
|
||||||
|
```
|
||||||
|
|
||||||
|
Save and quit:
|
||||||
|
|
||||||
|
```console
|
||||||
gpg> save
|
gpg> save
|
||||||
```
|
```
|
||||||
|
|
||||||
@ -1398,13 +1424,11 @@ ssb> rsa4096/0x5912A795E90DD2CF 2017-10-09 [E] [expires: 2018-10-09]
|
|||||||
ssb> rsa4096/0x3F29127E79649A3D 2017-10-09 [A] [expires: 2018-10-09]
|
ssb> rsa4096/0x3F29127E79649A3D 2017-10-09 [A] [expires: 2018-10-09]
|
||||||
```
|
```
|
||||||
|
|
||||||
# Multiple YubiKeys
|
# Multiple keys
|
||||||
|
|
||||||
If you have additional (e.g. backup) security devices, restore the USB backup and repeat the [Configure Smartcard](#configure-smartcard) steps.
|
To provision additional security keys, restore the master key backup and repeat the [Configure Smartcard](#configure-smartcard) procedure.
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ cd
|
|
||||||
|
|
||||||
$ mv -vi $GNUPGHOME $GNUPGHOME.1
|
$ mv -vi $GNUPGHOME $GNUPGHOME.1
|
||||||
renamed '/tmp.FLZC0xcM' -> '/tmp.FLZC0xcM.1'
|
renamed '/tmp.FLZC0xcM' -> '/tmp.FLZC0xcM.1'
|
||||||
|
|
||||||
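Review bot: `mv -vi $GNUPGHOME $GNUPGHOME.1` renames the home directory while the gpg-agent started for it is still running against the old path, and the renamed keyring stays on the live system; run `gpgconf --kill gpg-agent` before the move and state that `$GNUPGHOME.1` must be wiped during cleanup. The retained sample output `renamed '/tmp.FLZC0xcM'` also does not look like what `mktemp -d` produces (`/tmp/tmp.XXXXXXXXXX`), so the transcript should be regenerated.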
@ -1418,10 +1442,10 @@ $ cd $GNUPGHOME
|
|||||||
|
|
||||||
Ensure you have:
|
Ensure you have:
|
||||||
|
|
||||||
* Saved the encryption, signing and authentication sub-keys to YubiKey.
|
* Saved encryption, signing and authentication sub-keys to YubiKey (`gpg -K` should show `ssb>` for sub-keys).
|
||||||
* Saved the YubiKey PINs which you changed from defaults.
|
* Saved the YubiKey user and admin PINs which you changed from defaults.
|
||||||
* Saved the password to the master key.
|
* Saved the password to the GPG master key.
|
||||||
* Saved a copy of the master key, sub-keys and revocation certificates on an encrypted volume, to be stored offline.
|
* Saved a copy of the master key, sub-keys and revocation certificate on an encrypted volume, to be stored offline.
|
||||||
* Saved the password to that encrypted volume in a separate location.
|
* Saved the password to that encrypted volume in a separate location.
|
||||||
* Saved a copy of the public key somewhere easily accessible later.
|
* Saved a copy of the public key somewhere easily accessible later.
|
||||||
|
|
||||||
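Review bot: the checklist item says the revocation certificate is stored on the encrypted volume, but the `revoke.asc` guidance earlier in this diff asks for it to be kept in a secondary place so it survives loss of that volume; align the two by adding a separate checklist item for the off-volume revocation copy. The `gpg -K` should show `ssb>` hint is a useful concrete check.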
@ -1636,7 +1660,25 @@ Neither rotation method is superior and it's up to personal philosophy on identi
|
|||||||
|
|
||||||
### Initial setup for rotating keys or renewing sub-keys
|
### Initial setup for rotating keys or renewing sub-keys
|
||||||
|
|
||||||
To renew or rotate sub-keys, follow the same procedure to boot to a secure environment. Install required software and disconnect networking. Decrypt and mount the offline volume, then import the master key and configuration to a temporary working directory:
|
To renew or rotate sub-keys, follow the same process as generating keys: boot to a secure environment, install required software and disconnect networking.
|
||||||
|
|
||||||
|
Connect the offline secret storage device with the master keys and identify the disk label:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ sudo dmesg | tail
|
||||||
|
mmc0: new high speed SDHC card at address a001
|
||||||
|
mmcblk0: mmc0:a001 SS16G 14.8 GiB (ro)
|
||||||
|
mmcblk0: p1 p2
|
||||||
|
```
|
||||||
|
|
||||||
|
Decrypt and mount the offline volume:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ sudo cryptsetup luksOpen /dev/mmcblk0p1 secret
|
||||||
|
Enter passphrase for /dev/mmcblk0p1:
|
||||||
|
```
|
||||||
|
|
||||||
|
Import the master key and configuration to a temporary working directory:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ export GNUPGHOME=$(mktemp -d)
|
$ export GNUPGHOME=$(mktemp -d)
|
||||||
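Review bot: the sample `dmesg` output shows the card attached read-only (`14.8 GiB (ro)`), which is fine for reading the master key but will make writing the renewed sub-keys back to the backup fail; either say that the write-protect switch must be off before the backup is updated, or use a transcript without `(ro)`. The heading says `Decrypt and mount` but the block only shows `luksOpen`; if the `mount` command sits in the following unchanged context that is fine, otherwise it needs to be added here.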
@ -2257,10 +2299,16 @@ scd apdu 00 44 00 00
|
|||||||
/echo Card has been successfully reset.
|
/echo Card has been successfully reset.
|
||||||
```
|
```
|
||||||
|
|
||||||
Or you may do it via `ykman` if installed:
|
Or use `ykman`:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ ykman openpgp reset
|
$ ykman openpgp reset
|
||||||
|
WARNING! This will delete all stored OpenPGP keys and data and restore factory settings? [y/N]: y
|
||||||
|
Resetting OpenPGP data, don't remove your YubiKey...
|
||||||
|
Success! All data has been cleared and default PINs are set.
|
||||||
|
PIN: 123456
|
||||||
|
Reset code: NOT SET
|
||||||
|
Admin PIN: 12345678
|
||||||
```
|
```
|
||||||
|
|
||||||
# Notes
|
# Notes
|
||||||
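Review bot: the transcript uses bare `ykman`, while the Debian install block added earlier in this diff invokes `~/.local/bin/ykman`; pick one, or mention adding `~/.local/bin` to `PATH`. After the `Admin PIN: 12345678` line it is worth stating that the reset restores the factory PINs, so the `Change PIN` steps must be repeated before the key is used again.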
@ -2304,6 +2352,8 @@ $ ykman openpgp reset
|
|||||||
|
|
||||||
- If you receive the error, `Please insert the card with serial number: *` see [management of multiple keys](#multiple-keys).
|
- If you receive the error, `Please insert the card with serial number: *` see [management of multiple keys](#multiple-keys).
|
||||||
|
|
||||||
|
- If you receive the error, `There is no assurance this key belongs to the named user` or `encryption failed: Unusable public key` use `gpg --edit-key` to set `trust` to `5 = I trust ultimately`.
|
||||||
|
|
||||||
# Links
|
# Links
|
||||||
|
|
||||||
* https://alexcabal.com/creating-the-perfect-gpg-keypair/
|
* https://alexcabal.com/creating-the-perfect-gpg-keypair/
|
||||||
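Review bot: `encryption failed: Unusable public key` is not only a trust problem; gpg also reports it when the key has no valid encryption sub-key (expired, revoked or not imported), so the note should say to check `gpg -k $KEYID` for an unexpired `[E]` sub-key before changing trust. Ultimate trust (`5`) is only appropriate for the reader's own key; the note should say so rather than recommend it generically.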