mirror of https://github.com/drduh/YubiKey-Guide.git synced 2025-01-08 22:10:57 +00:00

Merge pull request #399 from drduh/wip-15oct23

Remove ancient keyservers
This commit is contained in:
drduh 2023-10-15 21:04:02 -07:00 committed by GitHub
commit c41729520f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -2,12 +2,12 @@ This is a guide to using [YubiKey](https://www.yubico.com/products/yubikey-hardw
Keys stored on YubiKey are [non-exportable](http://web.archive.org/web/20201125172759/https://support.yubico.com/hc/en-us/articles/360016614880-Can-I-Duplicate-or-Back-Up-a-YubiKey-) (as opposed to file-based keys that are stored on disk) and are convenient for everyday use. Instead of having to remember and enter passphrases to unlock SSH/GPG keys, YubiKey needs only a physical touch after being unlocked with a PIN. All signing and encryption operations happen on the card, rather than in OS memory. Keys stored on YubiKey are [non-exportable](http://web.archive.org/web/20201125172759/https://support.yubico.com/hc/en-us/articles/360016614880-Can-I-Duplicate-or-Back-Up-a-YubiKey-) (as opposed to file-based keys that are stored on disk) and are convenient for everyday use. Instead of having to remember and enter passphrases to unlock SSH/GPG keys, YubiKey needs only a physical touch after being unlocked with a PIN. All signing and encryption operations happen on the card, rather than in OS memory.
**Tip** [drduh/Purse](https://github.com/drduh/Purse) is a password manager which uses GPG and YubiKey to securely store and read credentials. **Security Note**: If you followed this guide before Jan 2021, your GPG *PIN* and *Admin PIN* may be set to their default values (`123456` and `12345678` respectively). This would allow an attacker to use your Yubikey or reset your PIN. Please see the [Change PIN](#change-pin) section for details on how to change your PINs.
> **Security Note**: If you followed this guide before Jan 2021, your GPG *PIN* and *Admin PIN* may be set to their default values (`123456` and `12345678` respectively). This would allow an attacker to use your Yubikey or reset your PIN. Please see the [Change PIN](#change-pin) section for details on how to change your PINs.
If you have a comment or suggestion, please open an [Issue](https://github.com/drduh/YubiKey-Guide/issues) on GitHub. If you have a comment or suggestion, please open an [Issue](https://github.com/drduh/YubiKey-Guide/issues) on GitHub.
**Tip** [drduh/Purse](https://github.com/drduh/Purse) is a password manager which uses GPG and YubiKey to securely store and read credentials.
- [Purchase](#purchase) - [Purchase](#purchase)
- [Prepare environment](#prepare-environment) - [Prepare environment](#prepare-environment)
- [Required software](#required-software) - [Required software](#required-software)
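Review bot: the Security Note still spells the device "Yubikey" where the paragraph above it uses "YubiKey", and it tells readers to change their PINs without saying how to tell whether they are affected; one sentence such as "if you never completed the Change PIN section, assume the defaults `123456` and `12345678` are still set" would close that gap. Pulling the note out of the Purse tip into its own `>` blockquote ahead of the tip is the right ordering for a warning of this kind.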
@ -132,7 +132,7 @@ Verify the signature of the hashes file with GPG:
```console ```console
$ gpg --verify SHA512SUMS.sign SHA512SUMS $ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat 17 Dec 2022 11:06:20 AM PST gpg: Signature made Sat 07 Oct 2023 01:24:57 PM PDT
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Can't check signature: No public key gpg: Can't check signature: No public key
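Review bot: the refreshed sample output hard-codes a signature date (`Sat 07 Oct 2023 01:24:57 PM PDT`) that will differ for every reader and every image release; a short note under the block that the date and image version vary would stop readers treating that mismatch as a verification failure. The value that matters, the fingerprint on the `using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B` line, is unchanged.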
@ -142,7 +142,7 @@ gpg: Total number processed: 1
gpg: imported: 1 gpg: imported: 1
$ gpg --verify SHA512SUMS.sign SHA512SUMS $ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat 17 Dec 2022 11:06:20 AM PST gpg: Signature made Sat 07 Oct 2023 01:24:57 PM PDT
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown] gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature! gpg: WARNING: This key is not certified with a trusted signature!
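Review bot: the transcript still ends in `WARNING: This key is not certified with a trusted signature!`, and a `Good signature` line on its own only proves the file was signed by whichever key was imported a moment earlier; the surrounding text should tell readers to compare the fingerprint on the `using RSA key` line with the one published on the debian.org verification page linked below before trusting the result, otherwise the import-then-verify sequence shown here accepts any key a keyserver hands back.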
@ -160,7 +160,7 @@ Ensure the SHA512 hash of the live image matches the one in the signed file - if
```console ```console
$ grep $(sha512sum debian-live-*-amd64-xfce.iso) SHA512SUMS $ grep $(sha512sum debian-live-*-amd64-xfce.iso) SHA512SUMS
SHA512SUMS:f9976e2090a54667a26554267941792c293628cceb643963e425bf90449e3c0eeb616e8ededc187070910401c8ab0348fdbc3292b6d04e29dcfb472ac258a542 debian-live-11.6.0-amd64-xfce.iso SHA512SUMS:3c74715380c804798d892f55ebe4d2f79ae266be93df2468a066c192cfe1af6ddae3139e1937d5cbfa2fccb6fe291920148401de30f504c0876be2f141811ff1 debian-live-12.2.0-amd64-xfce.iso
``` ```
See [Verifying authenticity of Debian CDs](https://www.debian.org/CD/verify) for more information. See [Verifying authenticity of Debian CDs](https://www.debian.org/CD/verify) for more information.
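Review bot: the unquoted `$(sha512sum debian-live-*-amd64-xfce.iso)` on the `grep` line expands to two words, the hash and the ISO filename, so `grep` takes the filename as a second file argument and scans the whole ISO for the hash string; that is why the expected output carries the `SHA512SUMS:` prefix. If the glob ever matches more than one image the command breaks, and a non-match prints nothing rather than an error. Suggest `sha512sum -c --ignore-missing SHA512SUMS`, which prints `OK` or `FAILED` for whichever image is present in the directory.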
@ -214,7 +214,9 @@ Open the terminal and install required software packages.
## Debian and Ubuntu ## Debian and Ubuntu
```console ```console
$ sudo apt update ; sudo apt -y upgrade $ sudo apt update
$ sudo apt -y upgrade
$ sudo apt -y install wget gnupg2 gnupg-agent dirmngr cryptsetup scdaemon pcscd secure-delete hopenpgp-tools yubikey-personalization $ sudo apt -y install wget gnupg2 gnupg-agent dirmngr cryptsetup scdaemon pcscd secure-delete hopenpgp-tools yubikey-personalization
``` ```
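Review bot: splitting `sudo apt update ; sudo apt -y upgrade` into two commands reads better, but the `;` was already letting a failed `apt update` fall through to the upgrade and the two-line form still does; if the intent is that a failed update should stop the upgrade, `sudo apt update && sudo apt -y upgrade` says so. Minor.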
@ -265,7 +267,9 @@ $ ~/.local/bin/ykman openpgp info
```console ```console
$ sudo dnf install wget $ sudo dnf install wget
$ wget https://github.com/rpmsphere/noarch/raw/master/r/rpmsphere-release-38-1.noarch.rpm $ wget https://github.com/rpmsphere/noarch/raw/master/r/rpmsphere-release-38-1.noarch.rpm
$ sudo rpm -Uvh rpmsphere-release*rpm $ sudo rpm -Uvh rpmsphere-release*rpm
$ sudo dnf install gnupg2 dirmngr cryptsetup gnupg2-smime pcsc-tools opensc pcsc-lite secure-delete pgp-tools yubikey-personalization-gui $ sudo dnf install gnupg2 dirmngr cryptsetup gnupg2-smime pcsc-tools opensc pcsc-lite secure-delete pgp-tools yubikey-personalization-gui
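Review bot: the two lines this hunk adds (`+267,9`) are not visible in this rendering, so only the context can be reviewed: `wget` of the rpmsphere release RPM from a raw GitHub URL followed by `sudo rpm -Uvh rpmsphere-release*rpm` installs a third-party repository definition with no signature or checksum check. Since this is the environment in which the master key will be generated, the guide should say where the package's expected signature or hash can be confirmed before the `rpm -Uvh` step, or explain why the dependency is acceptable.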
@ -602,6 +606,7 @@ charset utf-8
fixed-list-mode fixed-list-mode
no-comments no-comments
no-emit-version no-emit-version
no-greeting
keyid-format 0xlong keyid-format 0xlong
list-options show-uid-validity list-options show-uid-validity
verify-options show-uid-validity verify-options show-uid-validity
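Review bot: `no-greeting` only suppresses the copyright banner on interactive runs and has no effect on signing, encryption or verification; fine to add, but a one-word comment beside it in the config listing would help readers who copy the options line by line without knowing what each one does.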
@ -612,7 +617,7 @@ use-agent
throw-keyids throw-keyids
``` ```
**Important** Disable networking for the remainder of the setup. **Tip** Networking can be disabled for the remainder of the setup.
# Master key # Master key
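Review bot: downgrading `**Important** Disable networking for the remainder of the setup.` to `**Tip** Networking can be disabled for the remainder of the setup.` weakens the one control that keeps the master key from ever being generated on a networked host, and the `# Master key` section that follows is exactly where that matters. If the wording was softened because some readers cannot disable networking, keep the imperative and state the exception explicitly rather than turning the instruction into an optional tip.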
@ -646,7 +651,6 @@ Do **not** set the master (certify) key to expire - see [Note #3](#notes).
```console ```console
$ gpg --expert --full-generate-key $ gpg --expert --full-generate-key
Please select what kind of key you want: Please select what kind of key you want:
(1) RSA and RSA (default) (1) RSA and RSA (default)
(2) DSA and Elgamal (2) DSA and Elgamal
@ -658,6 +662,7 @@ Please select what kind of key you want:
(10) ECC (sign only) (10) ECC (sign only)
(11) ECC (set your own capabilities) (11) ECC (set your own capabilities)
(13) Existing key (13) Existing key
(14) Existing key from card
Your selection? 8 Your selection? 8
Possible actions for a RSA key: Sign Certify Encrypt Authenticate Possible actions for a RSA key: Sign Certify Encrypt Authenticate
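Review bot: adding `(14) Existing key from card` keeps the transcript in step with newer GnuPG menus, but `Your selection? 8` still relies on a fixed number; the numbering has already shifted between versions (13 and 14 both appear after 11), so the instruction text should name the option, `RSA (set your own capabilities)`, alongside the number so readers on other GnuPG versions pick the right entry.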
@ -1408,14 +1413,16 @@ $ gpg -o \path\to\dir\pubkey.gpg --armor --export $KEYID
```console ```console
$ gpg --send-key $KEYID $ gpg --send-key $KEYID
$ gpg --keyserver pgp.mit.edu --send-key $KEYID
$ gpg --keyserver keys.gnupg.net --send-key $KEYID $ gpg --keyserver keys.gnupg.net --send-key $KEYID
$ gpg --keyserver hkps://keyserver.ubuntu.com:443 --send-key $KEYID $ gpg --keyserver hkps://keyserver.ubuntu.com:443 --send-key $KEYID
``` ```
After some time, the public key will propagate to [other](https://pgp.key-server.io/pks/lookup?search=doc%40duh.to&fingerprint=on&op=vindex) [servers](https://pgp.mit.edu/pks/lookup?search=doc%40duh.to&op=index). Or if [uploading to keys.openpgp.org](https://keys.openpgp.org/about/usage):
```console
$ gpg --send-key $KEYID | curl -T - https://keys.openpgp.org
```
# Configure Smartcard # Configure Smartcard
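Review bot: the added `gpg --send-key $KEYID | curl -T - https://keys.openpgp.org` does not work: `--send-key` uploads to the configured keyserver and writes nothing to stdout, so `curl` receives an empty body. The keys.openpgp.org usage page linked on the same line uses an export, i.e. `gpg --export $KEYID | curl -T - https://keys.openpgp.org`. Two smaller points: the sentence `After some time, the public key will propagate to [other](...) [servers](https://pgp.mit.edu/...)` still links to pgp.mit.edu, the server this commit removes from the upload list, and `Or if [uploading to keys.openpgp.org](...):` reads as a fragment. The commit title says ancient keyservers, plural, but only pgp.mit.edu is dropped while `keys.gnupg.net` stays; worth confirming that is intentional.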
@ -2321,8 +2328,6 @@ $ gpg --import pubkey.asc
N.B.: The `showpref` command can be issued to ensure that the notions were correctly added. N.B.: The `showpref` command can be issued to ensure that the notions were correctly added.
It is now possible to continue following the Keyoxide guide and upload the key to WKD or to keys.openpgp.org.
# SSH # SSH
**Tip** If you want to use a YubiKey for SSH only (and don't really care about PGP/GPG), then [since OpenSSH v8.2](https://www.openssh.com/txt/release-8.2) you alternatively can simply `ssh-keygen -t ed25519-sk` (without requiring anything else from this guide!), as explained [in this guide](https://github.com/vorburger/vorburger.ch-Notes/blob/develop/security/ed25519-sk.md). Yubico also recently announced support for resident ssh keys under OpenSSH 8.2+ on their blue "security key 5 nfc" as mentioned in their [blog post](https://www.yubico.com/blog/github-now-supports-ssh-security-keys/)._ **Tip** If you want to use a YubiKey for SSH only (and don't really care about PGP/GPG), then [since OpenSSH v8.2](https://www.openssh.com/txt/release-8.2) you alternatively can simply `ssh-keygen -t ed25519-sk` (without requiring anything else from this guide!), as explained [in this guide](https://github.com/vorburger/vorburger.ch-Notes/blob/develop/security/ed25519-sk.md). Yubico also recently announced support for resident ssh keys under OpenSSH 8.2+ on their blue "security key 5 nfc" as mentioned in their [blog post](https://www.yubico.com/blog/github-now-supports-ssh-security-keys/)._
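Review bot: removing `It is now possible to continue following the Keyoxide guide and upload the key to WKD or to keys.openpgp.org.` leaves the section with no pointer to where the key has to be published for the proofs to be checked; if the sentence was dropped as part of the keyserver cleanup, keep at least the WKD / keys.openpgp.org reference. In the surviving context, `notions were correctly added` should read `notations`, which is what `showpref` is being used to confirm, and the SSH tip line ends in a stray `_` left over from an unclosed italic marker.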