drduh
72eead099c
Should only have one identity loaded when renewing
2024-06-30 16:44:40 -07:00
drduh
778b292917
Renew expired subkeys, fix #442
2024-06-30 16:41:16 -07:00
drduh
b7baf0cbd0
Fix secret function
2024-06-30 16:28:39 -07:00
drduh
8458f76129
Export variables throughout
2024-06-30 15:08:49 -07:00
straysheep-dev
d64c75a45f
Move networking section to Optional hardening
2024-05-05 23:08:05 -07:00
straysheep-dev
bf1eef2c0d
Merge branch 'drduh:master' into patch-1
2024-05-05 22:37:21 -07:00
Manuel Thalmann
6cfb493f2b
Export the GNUPGHOME
variable
...
Merging this PR will fix #434
2024-05-03 02:23:00 +02:00
straysheep-dev
0f316de2d8
Add networking section to README.md
2024-04-18 18:59:50 -07:00
drduh
9a59d651b0
Tidy style and formatting
2024-03-29 08:17:24 -07:00
Will Stephenson
ada8ec6157
Fix broken 'SSH agent forwarding' internal links
2024-03-25 15:22:23 +01:00
drduh
197b92d098
Remove NEO (discontinued in 2018), sort troubleshooting
2024-03-24 10:08:30 -07:00
drduh
90292fe553
Update LUKS link, make commands consistent, more passphrase guidance
2024-03-24 09:47:01 -07:00
drduh
5a4884685d
Optional hardening section, additional validation steps
2024-03-24 08:11:10 -07:00
Will Stephenson
953bac8739
Fix typo in date command
2024-03-19 22:17:40 +01:00
drduh
30d5f3905f
Add command-line passphrase template
2024-03-17 18:34:53 -07:00
drduh
7a1039ab08
Replace mkdir commands
2024-03-17 17:28:53 -07:00
drduh
6272fc4181
Install yubikey-manager directly on Debian
2024-03-17 17:22:15 -07:00
drduh
a0fa35cf11
Simplify and automate fdisk commands
2024-03-17 17:04:48 -07:00
drduh
ac8ff82085
Stick with 6/8 digit PINs
2024-03-17 11:53:37 -07:00
drduh
38a6c057aa
Remove obsolete stuff, clean up intro
2024-03-17 10:16:32 -07:00
drduh
228ff7c7ca
Move keyserver instructions to later, more batch commands
2024-03-17 09:43:11 -07:00
drduh
a1081d20ac
Automate PIN and card operations
2024-03-16 21:43:21 -07:00
drduh
b2959d075b
Simplify instructions, reduce manual labor
2024-03-16 19:35:04 -07:00
drduh
12b232d28f
Merge pull request #423 from Xronophobe/fix/quick-add-key-with-fpr
...
update gpg --quick-add-key commands
2024-03-11 16:10:32 +00:00
drduh
c1b556c7c5
formatting fix
2024-03-10 14:22:32 -07:00
drduh
f0a0801a51
Workaround for Authenticate key issue
2024-03-10 14:20:00 -07:00
Csanad Beres
623a60cc83
update gpg --quick-add-key commands
...
it seems to be only accepting fingerprints and rejecting key ID-s
2024-03-07 15:17:14 +01:00
drduh
07e0fe71fd
few more standard terms
2024-02-12 11:32:26 -08:00
drduh
678e779b1f
typo
2024-02-12 11:28:49 -08:00
drduh
6e19ae4cc4
few more style nits
2024-02-12 11:24:27 -08:00
drduh
29563423c1
explicit keytocard instructions
2024-02-12 11:03:26 -08:00
drduh
0b24d77c18
simplify batch instructions
2024-02-12 10:51:55 -08:00
drduh
ca052604c3
standard names for subkeys
2024-02-12 10:45:38 -08:00
drduh
8e914a3a60
remove yubikey as rng
2024-02-12 10:02:58 -08:00
drduh
d6848d5440
remove multiple hosts
2024-02-12 09:33:22 -08:00
drduh
92d4212019
more grammar
2024-02-11 22:19:52 -08:00
drduh
c69295975c
few more cleanups
2024-02-11 21:48:35 -08:00
drduh
c6052c9028
simplify console output, use generic info
2024-02-11 21:09:11 -08:00
drduh
fbd7008a16
more grammar and formatting
2024-02-11 17:43:45 -08:00
drduh
152f7fb262
grammar and style
2024-02-11 15:37:31 -08:00
drduh
cfe0fa282d
grammar and standardize storage terminology
2024-02-11 13:56:32 -08:00
drduh
24ca007315
standardize Certify/Subkeys, easier command copy, organize links
2024-02-11 12:36:47 -08:00
drduh
c0b4ca6f78
Merge pull request #416 from Paraphraser/20240210-disable-ccid-master
...
add step to set `disable-ccid` in `scdaemon.conf`
2024-02-11 02:34:37 +00:00
Phill Kelley
5c3a4e8b18
fix rookie mistake
...
Add a one-liner that works. Then think about the context and decide to
recommend a rearrangement. And then muck up the consequential adjustment
of the original one-liner. I think I got a badge for that in the scouts.
Well spotted. Sorry.
Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com>
2024-02-11 09:32:04 +11:00
drduh
b2d55a80de
Merge pull request #408 from jpickwell/patch-1
...
Quote Debian Live ISO URL, and add $ to AWK RegExp.
2024-02-10 17:21:32 +00:00
drduh
db9316a8ce
Merge pull request #411 from motiejus/motiejus-flake
...
NixOS Live Image: convert to a flake
2024-02-10 17:21:06 +00:00
Phill Kelley
f8fcb0c2d1
add step to set disable-ccid
in scdaemon.conf
...
Issue #404 reports "GPG acts like my YubiKey isn't plugged in".
With GnuPG 2.3 and later, the system can get into a loop where it
prompts for insertion of a YubiKey even though that YubiKey is already
connected.
The solution for this is to set `disable-ccid` in
`~/.gnupg/scdaemon.conf`.
Testing suggests setting `disable-ccid` does not interfere with earlier
versions of GnuPG (eg 2.2.27 on Debian Bullseye or 2.2.40 on Debian
Bookworm).
This problem has also been mentioned in #277 and #256 . Including a step
in the Guide to set `disable-ccid` may help minimise recurrence.
Also takes the opportunity to ensure `~/.gnupg` directory exists on a
new system before downloading `gpg.conf`.
References:
* Ludovic Rousseau
- [GnuPG and PC/SC conflicts](https://ludovicrousseau.blogspot.com/2019/06/gnupg-and-pcsc-conflicts.html )
* GnuPG.org:
- [Scdaemon Options](https://www.gnupg.org/documentation/manuals/gnupg/Scdaemon-Options.html#index-disable_002dccid )
* YubiCo:
- [Resolving GPG's CCID conflicts](https://support.yubico.com/hc/en-us/articles/4819584884124-Resolving-GPG-s-CCID-conflicts )
- [Troubleshooting Issues with GPG](https://support.yubico.com/hc/en-us/articles/360013714479-Troubleshooting-Issues-with-GPG )
* Closed issues:
- [277 pcscd: Error Reader Exclusive](https://github.com/drduh/YubiKey-Guide/issues/277 )
- [256 Update scdaemon.conf for gnupg 2.3 with MacOS (and possibly others)](https://github.com/drduh/YubiKey-Guide/issues/256 )
Fixes #404
Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com>
2024-02-10 14:11:33 +11:00
Motiejus Jakštys
84c9d9654d
NixOS Live Image: convert to a flake
...
Now `nixpkgs` will be pointing to a specific release, which has a much
smaller chance to unexpectedly break. Currently 23.11. The next one will
be 24.05, 24.11, etc.
NixOS *releases* receive security updates, but packages are upgraded
conservatively, thus don't generally break. As a result, we should need
to worry about NixOS upgrades every 6-12 months. The upgrade means "bump
the version number and try to build it". If it breaks, it will generally
break only then. Less reactive, more proactive surprises.
`flake.nix` was written by @thomaseizinger in
https://github.com/drduh/YubiKey-Guide/issues/406 . Changes from the
original:
- change Gnome to xfce. Now it loads with 384MB of RAM and works well
with the simplest graphics (hello qemu).
- less nasty workaround for hopenpgp-tools. Fixed upstream
(https://github.com/NixOS/nixpkgs/pull/279117 ).
- do not default `copytoram`, user can select this option in the
bootloader.
Here is how to test it:
```
$ nix run .#nixosConfigurations.yubikeyLive.x86_64-linux.config.system.build.vm
```
*Note for the maintainer*: it would be great if you could occasionally
run `nix flake update --commit-lock-file`, *especially* after updating
github.com/drduh/config.git.
Fixes #406
Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
2024-02-04 14:03:54 +02:00
Colin Grady
80a90f8813
Update link to genuine device check info
2024-01-25 08:28:01 -07:00
Jordan Pickwell
adf11bfdd5
Update README.md
...
Quote ISO URL, and add `$` RegExp end-of-string anchor to return only the ISO file and none of the other entries that contain `xfce.iso`.
This avoids unnecessary cURL errors.
2024-01-04 12:49:36 -06:00