@ -108,7 +108,6 @@ To create cryptographic keys, a secure environment that can be reasonably assure
1. Separate hardened [Debian](https://www.debian.org/) or [OpenBSD](https://www.openbsd.org/) installation which can be dual booted
1. Live image, such as [Debian Live](https://www.debian.org/CD/live/) or [Tails](https://tails.boum.org/index.en.html)
1. Secure hardware/firmware ([Coreboot](https://www.coreboot.org/), [Intel ME removed](https://github.com/corna/me_cleaner))
1. Dedicated air-gapped system with no networking capabilities
This guide recommends using a bootable "live" Debian Linux image to provide such an environment, however, depending on your threat model, you may want to take fewer or more steps to secure it.
@ -127,7 +126,7 @@ Verify the signature of the hashes file with GPG:
```console
$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat 09 May 2020 05:17:57 PM PDT
gpg: Signature made Sat 17 Dec 2022 11:06:20 AM PST
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Can't check signature: No public key
@ -137,7 +136,7 @@ gpg: Total number processed: 1
gpg: imported: 1
$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat 09 May 2020 05:17:57 PM PDT
gpg: Signature made Sat 17 Dec 2022 11:06:20 AM PST
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
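Review bot: The refreshed `Signature made` date will only match one image release, and the block still ends on `WARNING: This key is not certified with a trusted signature!` with nothing telling the reader what to compare. Since both sample outputs are being touched, consider adding a sentence that the date varies by release and that the `using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B` line is the value to check against the fingerprint Debian publishes, if the surrounding text does not already say so.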
@ -151,11 +150,11 @@ If the public key cannot be received, try changing the DNS resolver and/or use a
You may additionally need (particularly for Ubuntu 18.04 and 20.04):
**Note** Live Ubuntu images [may require modification](https://github.com/drduh/YubiKey-Guide/issues/116) to `/etc/apt/sources.list` and may need additional packages:
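Review bot: The new `**Note**` line drops the "Ubuntu 18.04 and 20.04" qualifier and replaces it with "may require modification" to `/etc/apt/sources.list`, without saying what the modification is. The only detail is behind the issue #116 link. Suggest stating the required change inline, and keeping the affected release numbers, so a reader can tell whether the note applies to them without opening the issue.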
@ -481,23 +470,18 @@ You may also need more recent versions of [yubikey-personalization](https://deve
Generating cryptographic keys requires high-quality [randomness](https://www.random.org/randomness/), measured as entropy.
To check the available entropy available on Linux:
```console
$ cat /proc/sys/kernel/random/entropy_avail
849
```
Most operating systems use software-based pseudorandom number generators. On newer machines there are CPU based hardware random number generators (HRNG) or you can use a separate hardware device like the White Noise or [OneRNG](https://onerng.info/onerng/) will [increase the speed](https://lwn.net/Articles/648550/) of entropy generation and possibly the quality.
From YubiKey firmware version 5.2.3 onwards - which introduces "Enhancements to OpenPGP 3.4 Support" - we can gather additional entropy from the YubiKey itself via the SmartCard interface.
YubiKey firmware version 5.2.3 introduced "Enhancements to OpenPGP 3.4 Support" - which can optionally gather additional entropy from YubiKey via the SmartCard interface.
## YubiKey
To feed the system's PRNG with entropy generated by the YubiKey itself, issue:
```console
$ echo "SCD RANDOM 512" | gpg-connect-agent | sudo tee /dev/random | hexdump -C
```
This will seed the Linux kernel's PRNG with additional 512 bytes retrieved from the YubiKey.
## OneRNG
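Review bot: The pipeline `echo "SCD RANDOM 512" | gpg-connect-agent | sudo tee /dev/random | hexdump -C` does not match the sentence that follows it ("seed the Linux kernel's PRNG with additional 512 bytes"). gpg-connect-agent prints Assuan response lines (a `D ` prefix, percent-escaped data, a closing `OK`), so what `tee` writes is that framed text rather than 512 raw bytes, and a plain write to `/dev/random` mixes data into the pool without crediting any entropy. Suggest rewording the claim to "mixes additional data from the YubiKey into the kernel pool". Separately, the sentence "or you can use a separate hardware device like the White Noise or OneRNG will increase the speed" is a run-on, and "check the available entropy available" repeats a word.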
@ -531,22 +515,6 @@ $ sudo atd
$ sudo service rng-tools restart
```
Test by emptying `/dev/random` - the light on the device will dim briefly:
```console
$ cat /dev/random >/dev/null
[Press Control-C]
```
After a few seconds, verify the available entropy pool is quickly re-seeded:
```console
$ cat /proc/sys/kernel/random/entropy_avail
3049
```
An entropy pool value greater than 2000 is sufficient.
# Creating keys
## Temporary working directory
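Review bot: Per the header this hunk shrinks from 22 lines to 6, which removes the `cat /dev/random >/dev/null` test and the `entropy_avail` check, so the OneRNG section now ends at `sudo service rng-tools restart` with no step that confirms the device is feeding the kernel. Dropping the "greater than 2000 is sufficient" threshold is reasonable, but a replacement verification (for example, confirming the rng-tools service is running and reading from the device) would keep the section from ending on an unverified install.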
@ -592,7 +560,7 @@ use-agent
throw-keyids
```
Disable networking for the remainder of the setup.
**Important** Disable networking for the remainder of the setup.
**Important** Save this credential in a permanent, secure place as it will be needed to issue new sub-keys after expiration, and to provision additional YubiKeys.
**Important** Save this credential in a permanent, secure place as it will be needed to issue new sub-keys after expiration, and to provision additional YubiKeys, as well as to your Debian Live environment clipboard, as you'll need it several times throughout to generate keys.
**Tip** On Linux or OpenBSD, select the password using the mouse or by double-clicking on it to copy to clipboard. Paste using the middle mouse button or `Shift`-`Insert`.
Generate a new key with GPG, selecting `(8) RSA (set your own capabilities)`, `Certify` capability only and `4096` bit key size.
Do not set the master key to expire - see [Note #3](#notes).
Do **not** set the master (certify) key to expire - see [Note #3](#notes).
```console
$ gpg --expert --full-generate-key
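Review bot: The rewritten `**Important**` line now tells the reader to save the credential "as well as to your Debian Live environment clipboard", which puts the master key passphrase somewhere every process in the session can read and where a stray paste can land it in a terminal or shell history. The sentence also reads as if the clipboard were a "permanent, secure place". Suggest splitting this into its own tip, scoping it to the offline live session, and adding a step to clear the clipboard once key generation is finished.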
@ -683,7 +651,7 @@ Key does not expire at all
Is this correct? (y/N) y
```
Input any name and email address:
Input any name and email address (it doesn't have to be valid):
```console
GnuPG needs to construct a user ID to identify your key.
@ -1234,20 +1202,16 @@ Create a new partition with a 25 Megabyte size:
```console
$ sudo fdisk /dev/mmcblk0
Welcome to fdisk (util-linux 2.33.1).
Welcome to fdisk (util-linux 2.36.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help): n
Partition type
p primary (0 primary, 0 extended, 4 free)
e extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1):
First sector (2048-31116287, default 2048):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-31116287, default 31116287): +25M
Partition number (1-128, default 1):
First sector (2048-30261214, default 2048):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-30261214, default 30261214): +25M
Created a new partition 1 of type 'Linux' and of size 25 MiB.
Created a new partition 1 of type 'Linux filesystem' and of size 25 MiB.
Command (m for help): w
The partition table has been altered.
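Review bot: The updated prompts `Partition number (1-128, default 1):` and `type 'Linux filesystem'` are what fdisk prints for a GPT label, while the old `(1-4, default 1)` and `type 'Linux'` lines came from an MBR label. The hunk does not show the guide saying which label the card should carry, so a reader whose device has an MBR label will see different prompts than the sample. Suggest confirming that the preceding label-creation step produces GPT, or adding a one-line note that the prompts differ by label type.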
@ -1255,7 +1219,7 @@ Calling ioctl() to re-read partition table.
Syncing disks.
```
Use [LUKS](https://askubuntu.com/questions/97196/how-secure-is-an-encrypted-luks-filesystem) to encrypt the new partition:
Use [LUKS](https://askubuntu.com/questions/97196/how-secure-is-an-encrypted-luks-filesystem) to encrypt the new partition. Generate a different password which will be used to protect the filesystem:
**Note** If you plan on setting up multiple keys, keep the backup mounted or remember to terminate the gpg process before [saving](https://lists.gnupg.org/pipermail/gnupg-users/2016-July/056353.html).
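Review bot: In the new LUKS sentence, "Generate a different password" does not say different from what. Suggest naming it explicitly (different from the master key passphrase generated earlier) and saying where this second password should be kept, since the encrypted backup is unusable without it.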
@ -1410,16 +1367,16 @@ Create another partition on the removable storage device to store the public key
```console
$ sudo fdisk /dev/mmcblk0
Welcome to fdisk (util-linux 2.36.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help): n
Partition type
p primary (1 primary, 0 extended, 3 free)
e extended (container for logical partitions)
Select (default p):
Partition number (2-4, default 2):
First sector (22528-31116287, default 22528):
Last sector, +sectors or +size{K,M,G,T,P} (22528-31116287, default 31116287): +25M
Partition number (2-128, default 2):
First sector (53248-30261214, default 53248):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (53248-30261214, default 30261214): +25M
Created a new partition 2 of type 'Linux' and of size 25 MiB.
Created a new partition 2 of type 'Linux filesystem' and of size 25 MiB.
Command (m for help): w
The partition table has been altered.
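Review bot: The `Partition type` / `p primary (1 primary, 0 extended, 3 free)` / `Select (default p):` prompt is still in this block next to the new `Partition number (2-128, default 2):` line. fdisk only asks primary versus extended on an MBR label, and 2-128 with `'Linux filesystem'` is GPT output, so the sample now mixes the two. The header shows 16 lines before and after, so the prompt was not removed here the way the first-partition block was trimmed. Suggest dropping those four lines so this block matches the first one.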
@ -1427,13 +1384,6 @@ Calling ioctl() to re-read partition table.
Syncing disks.
$ sudo mkfs.ext2 /dev/mmcblk0p2
Creating filesystem with 10240 1k blocks and 2560 inodes
Superblock backups stored on blocks:
8193
Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
$ sudo mkdir /mnt/public
@ -1492,14 +1442,16 @@ Plug in a YubiKey and use GPG to configure it as a smartcard:
```console
$ gpg --card-edit
Reader ...........: Yubico Yubikey 4 OTP U2F CCID
Application ID ...: D2760001240102010006055532110000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 05553211
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
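Review bot: The sample output is internally inconsistent after this update. `Reader ...........: Yubico Yubikey 4 OTP U2F CCID` and the version bytes `0201` inside `Application ID ...: D2760001240102010006055532110000` describe a 2.1 card, while `Version ..........: 3.4` is the OpenPGP version the entropy section ties to firmware 5.2.3. Suggest regenerating the whole `gpg --card-edit` block from a single device rather than patching individual fields such as `Application type`, `Manufacturer` and `Salutation`.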
@ -1528,6 +1480,7 @@ Admin commands are allowed
Use the [YubiKey Manager](https://developers.yubico.com/yubikey-manager) application (note, this is not the similarly named older YubiKey NEO Manager) to enable CCID functionality.
## Enable KDF
Key Derived Function (KDF) enables YubiKey to store the hash of PIN, preventing the PIN from being passed as plain text. Note that this requires a relatively new version of GnuPG to work, and may not be compatible with other GPG clients (notably mobile clients). These incompatible clients will be unable to use the YubiKey GPG functions as the PIN will always be rejected. If you are not sure you will only be using your YubiKey on supported platforms, it may be better to skip this step.
```console
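Review bot: The paragraph under the new `## Enable KDF` heading expands KDF as "Key Derived Function"; the term is Key Derivation Function. Since the heading makes this a linkable section, it is worth fixing the expansion here, and "If you are not sure you will only be using your YubiKey on supported platforms" would read more clearly as "If you may use the YubiKey with clients that do not support KDF".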
@ -1583,10 +1536,10 @@ Q - quit
Your selection? q
```
The number of retry attempts can be changed with the following command, documented [here](https://docs.yubico.com/software/yubikey/tools/ykman/OpenPGP_Commands.html#ykman-openpgp-access-set-retries-options-pin-retries-reset-code-retries-admin-pin-retries):
**Note** The number of retry attempts can be changed later with the following command, documented [here](https://docs.yubico.com/software/yubikey/tools/ykman/OpenPGP_Commands.html#ykman-openpgp-access-set-retries-options-pin-retries-reset-code-retries-admin-pin-retries):
```bash
ykman openpgp access set-retries 5 5 5 -f -a YOUR_ADMIN_PIN
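Review bot: The command under the reworded note, `ykman openpgp access set-retries 5 5 5 -f -a YOUR_ADMIN_PIN`, passes the Admin PIN as an argument, which leaves it in shell history and visible in the process list while the command runs. Suggest showing the command without `-a` so ykman prompts for the PIN. Minor style point: this block is fenced as `bash` while the rest of the guide uses `console` with a `$` prompt.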