arno/YubiKey-Guide
1
0
Fork 0
mirror of https://github.com/drduh/YubiKey-Guide.git synced 2025-05-09 12:08:45 +00:00
Code Issues Releases Wiki Activity

move revocation cert to footnotes

Browse Source
This commit is contained in:
drduh 2025-04-12 10:50:18 -07:00
parent 2cc0c10777
commit f008766778
2 changed files with 8 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
README.md
View File

@ -343,7 +343,7 @@ export IDENTITY="YubiKey User <yubikey@example>"
Or use any attribute which will uniquely identity the key (this may be incompatible with certain use cases):
```console
export IDENTITY="My Cool YubiKey - 2024"
export IDENTITY="My Cool YubiKey - 2025"
```
## Key
@ -360,7 +360,7 @@ export KEY_TYPE=rsa4096
Determine the desired Subkey validity duration.
Setting a Subkey expiry forces identity and credential lifecycle management. However, setting an expiry on the Certify key is pointless, because it can just be used to extend itself. [Revocation certificates](https://security.stackexchange.com/questions/14718/does-openpgp-key-expiration-add-to-security/79386#79386) should instead be used to revoke an identity.
Setting a Subkey expiry forces identity and credential lifecycle management. However, setting an expiry on the Certify key is pointless, because it can just be used to extend itself.[^1]
This guide recommends a two year expiration for Subkeys to balance security and usability, however longer durations are possible to reduce maintenance frequency.
@ -382,11 +382,11 @@ export EXPIRATION=2026-05-01
## Passphrase
Generate a passphrase for the Certify key. This credential will be used infrequently to manage Subkeys and should be very strong.
Generate a passphrase for the Certify key. This credential will be used to manage identity Subkeys.
To improve readability, this guide recommends a passphrase consisting only of uppercase letters and numbers.
The following commands will generate a strong[^1] passphrase while avoiding certain similar-looking characters:
The following commands will generate a strong[^2] passphrase while avoiding certain similar-looking characters:
```console
export CERTIFY_PASS=$(LC_ALL=C tr -dc 'A-Z1-9' < /dev/urandom | \
@ -452,7 +452,7 @@ Define an array containing additional uids. As this is bash syntax, each array e
```console
declare -a additional_uids
additional_uids=("Super Cool YubiKey 2024" "uid 1 <uid1@example.org>")
additional_uids=("Super Cool YubiKey 2025" "uid 1 <uid1@example.org>")
```
Add the additional uids to the key:
@ -2279,4 +2279,5 @@ EOF
* [Offline GnuPG Master Key and Subkeys on YubiKey NEO Smartcard (2014)](https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/)
* [Creating the perfect GPG keypair (2013)](https://alexcabal.com/creating-the-perfect-gpg-keypair/)
[^1]: See [issue 477](https://github.com/drduh/YubiKey-Guide/issues/477) for NIST guideline discussion.
[^1]: [Revocation certificates](https://security.stackexchange.com/questions/14718/does-openpgp-key-expiration-add-to-security/79386#79386) should be used to revoke an identity.
[^2]: See [issue 477](https://github.com/drduh/YubiKey-Guide/issues/477) for NIST guideline discussion.

1
config/gpg-agent.conf
View File

@ -4,6 +4,7 @@ enable-ssh-support
ttyname $GPG_TTY
default-cache-ttl 60
max-cache-ttl 120
# Select a valid program path for PIN entry prompt
pinentry-program /usr/bin/pinentry-curses
#pinentry-program /usr/bin/pinentry-gnome3
#pinentry-program /usr/bin/pinentry-tty