mirror of https://github.com/drduh/YubiKey-Guide.git synced 2025-04-28 07:09:12 +00:00

tidy formatting, align table

drduh 2025-04-24 19:21:56 -07:00
parent 6552e8946d
commit dc9a0eb903


@ -391,17 +391,18 @@ The following commands will generate a strong[^2] passphrase while avoiding cert
```console ```console
export CERTIFY_PASS=$(LC_ALL=C tr -dc "A-Z2-9" < /dev/urandom | \ export CERTIFY_PASS=$(LC_ALL=C tr -dc "A-Z2-9" < /dev/urandom | \
tr -d "IOUS5" | \ tr -d "IOUS5" | \
fold -w ${PASS_FOLD:-4} | \ fold -w ${PASS_GROUPSIZE:-4} | \
paste -sd ${PASS_DELIM:--} - | \ paste -sd ${PASS_DELIMITER:--} - | \
head -c ${PASS_LENGTH:-29}) ; printf "\n$CERTIFY_PASS\n\n" head -c ${PASS_LENGTH:-29})
printf "\n$CERTIFY_PASS\n\n"
``` ```
To change the passphrase length, delimiting character or group sizes, export the respective variable(s) prior to running the passphrase generation command, for example: To change the passphrase length, delimiting character or group sizes, export the respective variable(s) prior to running the passphrase generation command, for example:
```console ```console
export PASS_GROUPSIZE=6
export PASS_DELIMITER=+
export PASS_LENGTH=48 export PASS_LENGTH=48
export PASS_FOLD=6
export PASS_DELIM=+
``` ```
Write the passphrase in a secure location - separate from the portable storage device used for key material, or memorize it. Write the passphrase in a secure location - separate from the portable storage device used for key material, or memorize it.
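Review bot: The rename of PASS_FOLD to PASS_GROUPSIZE and PASS_DELIM to PASS_DELIMITER on the `fold` and `paste` lines is a behaviour change that the commit message ("tidy formatting, align table") does not mention. Anyone who still exports the old names will silently get the defaults of 4 and `-` instead of their chosen values. Suggest calling the rename out in the commit message, or accepting the old names as a fallback, e.g. `${PASS_GROUPSIZE:-${PASS_FOLD:-4}}`.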
@ -427,16 +428,19 @@ Do not set an expiration date on the Certify key.
Generate the Certify key: Generate the Certify key:
```console ```console
echo "$CERTIFY_PASS" | gpg --batch --passphrase-fd 0 \ echo "$CERTIFY_PASS" | \
gpg --batch --passphrase-fd 0 \
--quick-generate-key "$IDENTITY" "$KEY_TYPE" cert never --quick-generate-key "$IDENTITY" "$KEY_TYPE" cert never
``` ```
Set and view the Certify key identifier and fingerprint for use later: Set and view the Certify key identifier and fingerprint for use later:
```console ```console
export KEYID=$(gpg -k --with-colons "$IDENTITY" | awk -F: '/^pub:/ { print $5; exit }') export KEYID=$(gpg -k --with-colons "$IDENTITY" | \
awk -F: '/^pub:/ { print $5; exit }')
export KEYFP=$(gpg -k --with-colons "$IDENTITY" | awk -F: '/^fpr:/ { print $10; exit }') export KEYFP=$(gpg -k --with-colons "$IDENTITY" | \
awk -F: '/^fpr:/ { print $10; exit }')
printf "\nKey ID: %40s\nKey FP: %40s\n\n" "$KEYID" "$KEYFP" printf "\nKey ID: %40s\nKey FP: %40s\n\n" "$KEYID" "$KEYFP"
``` ```
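Review bot: In the KEYID and KEYFP assignments, `export VAR=$(gpg ... | awk ...)` returns the status of `export`, not of the pipeline, so if the key generation step above failed both variables are set to empty strings and the `printf` still runs. Consider a non-empty check before continuing, e.g. `[ -n "$KEYFP" ] || echo "Certify key not found"`, since the later add-uid and add-key loops pass "$KEYFP" straight to gpg.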
@ -466,7 +470,9 @@ Add the additional user IDs to the Certify key:
```console ```console
for uid in "${additional_uids[@]}" ; do \ for uid in "${additional_uids[@]}" ; do \
echo "$CERTIFY_PASS" | gpg --batch --passphrase-fd 0 --pinentry-mode=loopback --quick-add-uid "$KEYFP" "$uid" echo "$CERTIFY_PASS" | \
gpg --batch --passphrase-fd 0 \
--pinentry-mode=loopback --quick-add-uid "$KEYFP" "$uid"
done done
``` ```
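Review bot: The `\` after `do` and the `\` after the `|` on the echo line are redundant, because the shell already continues a command after `do` and after a trailing pipe. Dropping them leaves only the one continuation that the gpg arguments need; indenting the wrapped `gpg` and `--pinentry-mode` lines under the loop body would also make the structure easier to read.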
@ -489,7 +495,8 @@ Generate Signature, Encryption and Authentication Subkeys using the previously c
```console ```console
for SUBKEY in sign encrypt auth ; do \ for SUBKEY in sign encrypt auth ; do \
echo "$CERTIFY_PASS" | gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \ echo "$CERTIFY_PASS" | \
gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \
--quick-add-key "$KEYFP" "$KEY_TYPE" "$SUBKEY" "$EXPIRATION" --quick-add-key "$KEYFP" "$KEY_TYPE" "$SUBKEY" "$EXPIRATION"
done done
``` ```
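Review bot: Option order in the gpg call here (`--pinentry-mode=loopback --passphrase-fd 0`) is the reverse of the add-uid loop (`--passphrase-fd 0` followed by `--pinentry-mode=loopback`), and the Certify key generation command passes no `--pinentry-mode` at all. Since this commit is a formatting tidy, use one order across the three invocations and note whether the omission in the generation step is intentional.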
@ -590,9 +597,10 @@ Generate another unique [Passphrase](#passphrase) (ideally different from the on
```console ```console
export LUKS_PASS=$(LC_ALL=C tr -dc "A-Z2-9" < /dev/urandom | \ export LUKS_PASS=$(LC_ALL=C tr -dc "A-Z2-9" < /dev/urandom | \
tr -d "IOUS5" | \ tr -d "IOUS5" | \
fold -w ${PASS_FOLD:-4} | \ fold -w ${PASS_GROUPSIZE:-4} | \
paste -sd ${PASS_DELIM:--} - | \ paste -sd ${PASS_DELIMITER:--} - | \
head -c ${PASS_LENGTH:-29}) ; printf "\n$LUKS_PASS\n\n" head -c ${PASS_LENGTH:-29})
printf "\n$LUKS_PASS\n\n"
``` ```
This passphrase will also be used infrequently to access the Certify key and should be very strong. This passphrase will also be used infrequently to access the Certify key and should be very strong.
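Review bot: The new standalone line `printf "\n$LUKS_PASS\n\n"` uses the passphrase as the format string, and the delimiter inside it is user-settable through PASS_DELIMITER. A delimiter such as `%` or `\` would be interpreted by printf, and the value shown on screen (the one the reader is told to write down) would differ from the one stored in the variable. Suggest `printf "\n%s\n\n" "$LUKS_PASS"`, and the same for the CERTIFY_PASS line in the first hunk; quoting `"${PASS_DELIMITER:--}"` in the `paste` call would likewise avoid word splitting and globbing on unusual delimiters.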
@ -806,8 +814,8 @@ If the card is locked, [Reset](#reset-yubikey) it.
YubiKey's [PGP](https://developers.yubico.com/PGP/) interface has its own PINs separate from other modules such as [PIV](https://developers.yubico.com/PIV/Introduction/YubiKey_and_PIV.html): YubiKey's [PGP](https://developers.yubico.com/PGP/) interface has its own PINs separate from other modules such as [PIV](https://developers.yubico.com/PIV/Introduction/YubiKey_and_PIV.html):
Name | Default value | Capability Name | Default | Capability
-----------|---------------|------------------------------------------------------------- :---: | :---: | ---
User PIN | `123456` | cryptographic operations (decrypt, sign, authenticate) User PIN | `123456` | cryptographic operations (decrypt, sign, authenticate)
Admin PIN | `12345678` | reset PIN, change Reset Code, add keys and owner information Admin PIN | `12345678` | reset PIN, change Reset Code, add keys and owner information
Reset Code | None | reset PIN ([more information](https://forum.yubico.com/viewtopicd01c.html?p=9055#p9055)) Reset Code | None | reset PIN ([more information](https://forum.yubico.com/viewtopicd01c.html?p=9055#p9055))
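Review bot: The new separator row `:---: | :---: | ---` is no longer padded to the column widths, while the three data rows below it still are, so the raw Markdown reads as less aligned than before even though the commit message says "align table". Suggest padding the header and separator rows to match the data rows. The header text also changes from "Default value" to "Default", and the first two columns become centred; worth confirming both are intended.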