This is a practical guide to using [YubiKey](https://www.yubico.com/faq/yubikey/) as a [SmartCard](https://security.stackexchange.com/questions/38924/how-does-storing-gpg-ssh-private-keys-on-smart-cards-compare-to-plain-usb-drives) for storing GPG encryption and signing keys. An authentication key can also be created for SSH and used with [gpg-agent](https://unix.stackexchange.com/questions/188668/how-does-gpg-agent-work/188813#188813).

Keys stored on a smartcard like YubiKey are more secure than ones stored on disk and are convenient enough for everyday use.

Instructions are written for OSX using YubiKey 4 in OTP+CCID mode. Note that older YubiKeys are limited to 2048 bit RSA keys. The following has been tested on OSX 10.11.4.

The information provided below is a combination of work from Keith Swett (keith.swett@wheniwork.com), Dr Duh (https://github.com/drduh/YubiKey-Guide) and the Freenode #yubikey community. Thanks for all the help! :)

- [Install required software](#install-required-software)
- [Configure smartcard](#configure-smartcard)
  - [Change PINs](#change-pins)
  - [Set card information](#set-card-information)
- [Creating keys](#creating-keys)
  - [Create temporary working directory for GPG](#create-temporary-working-directory-for-gpg)
  - [Create configuration](#create-configuration)
  - [Create master key](#create-master-key)
  - [Save Key ID](#save-key-id)
  - [Create revocation certificate](#create-revocation-certificate)
  - [Back up master key](#back-up-master-key)
  - [Create subkeys](#create-subkeys)
    - [Signing key](#signing-key)
    - [Encryption key](#encryption-key)
    - [Authentication key](#authentication-key)
  - [Check your work](#check-your-work)
  - [Export subkeys](#export-subkeys)
  - [Back up everything](#back-up-everything)
  - [Configure YubiKey](#configure-yubikey)
  - [Transfer keys](#transfer-keys)
    - [Signature key](#signature-key)
    - [Encryption key](#encryption-key-1)
    - [Authentication key](#authentication-key-1)
  - [Check your work](#check-your-work-1)
  - [Export public key](#export-public-key)
  - [Finish](#finish)
- [Using keys](#using-keys)
  - [Create GPG configuration](#create-gpg-configuration)
  - [Import public key](#import-public-key)
  - [Insert YubiKey](#insert-yubikey)
  - [GnuPG](#gnupg)
    - [Trust master key](#trust-master-key)
    - [Encryption](#encryption)
    - [Decryption](#decryption)
    - [Signing](#signing)
    - [Verifying signature](#verifying-signature)
  - [SSH](#ssh)
    - [Update configuration](#update-configuration)
    - [Replace ssh-agent with gpg-agent](#replace-ssh-agent-with-gpg-agent)
    - [Copy public key to server](#copy-public-key-to-server)
    - [Connect with public key authentication](#connect-with-public-key-authentication)
- [Troubleshooting](#troubleshooting)
- [References](#references)

# Install required software

You will need to install the following software.

Homebrew, an alternative package manager for OSX:

    $ /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Once Homebrew has been installed, run:

    $ brew update

Install the necessary packages:

    $ brew install git-crypt yubikey-personalization socat
    $ brew install gpg-agent gnupg2
    $ brew install Caskroom/cask/yubikey-neo-manager
    $ brew install Caskroom/cask/yubikey-personalization-gui
    $ brew install Caskroom/cask/gpgtools

# Configure the Yubikey

Once the packages have been installed, we need to modify the YubiKey configuration to run in OTP and CCID mode. To do this, run the following command:

    $ ykpersonalize -m82
    Firmware version 4.3.1 Touch level 517 Program sequence 1

    The USB mode will be set to: 0x82

    Commit? (y/n) [n]: y

# Creating keys

## Create temporary working directory for GPG

Create a temporary directory which won't survive a [reboot](https://serverfault.com/questions/377348/when-does-tmp-get-cleared):

    $ export GNUPGHOME=$(mktemp -d) ; echo $GNUPGHOME
    /var/folders/m_/t3y0ptl111zd0kbs6590gw_40000gn/T/tmp.4dMGGCBi

## Create configuration

Paste the following [text](https://stackoverflow.com/questions/2500436/how-does-cat-eof-work-in-bash) into a terminal window to create a [recommended](https://github.com/drduh/config/blob/master/gpg.conf) GPG configuration:

    $ cat << EOF > $GNUPGHOME/gpg.conf
    default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAMELLIA256 CAMELLIA192 CAMELLIA128 TWOFISH
    cert-digest-algo SHA512
    keyid-format 0xlong
    use-agent
    lock-never
    EOF

## Create master key

Generate a new key with GPG, selecting RSA (sign only), the appropriate keysize (4096), and no expiration date. The following procedure will also prompt to create and confirm a unique passphrase.

    $ gpg --gen-key

    Please select what kind of key you want:
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)
    Your selection? 4
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048) 4096
    Requested keysize is 4096 bits
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 0
    Key does not expire at all
    Is this correct? (y/N) y

    GnuPG needs to construct a user ID to identify your key.

    Real name: Firstname Lastname
    Email address: firstname.lastname@wheniwork.com
    Comment:
    You selected this USER-ID:
        "Firstname Lastname <firstname.lastname@wheniwork.com>"

    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
    You need a Passphrase to protect your secret key.

    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    gpg: /var/folders/m_/t3y0ptl111zd0kbs6590gw_40000gn/T/tmp.LXjFxkDy/trustdb.gpg: trustdb created
    gpg: key 0xF932D46EFBBF395C marked as ultimately trusted
    public and secret key created and signed.

    gpg: checking the trustdb
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
    pub   4096R/0xF932D46EFBBF395C 2016-08-03
          Key fingerprint = AA88 FC68 946B 42FF E1CC 0EBD F932 D46E FBBF 395C
    uid                 [ultimate] Firstname Lastname <firstname.lastname@wheniwork.com>

    Note that this key cannot be used for encryption.  You may want to use
    the command "--edit-key" to generate a subkey for this purpose.

Keep this passphrase handy as you'll need it throughout.

## Save Key ID

Export the key ID as a [variable](https://stackoverflow.com/questions/1158091/defining-a-variable-with-or-without-export/1158231#1158231) for use throughout the configuration process:

    $ KEYID=0xF932D46EFBBF395C

## Add a photo

Next, add a real picture of yourself. It should be no bigger than 240x288 pixels and under 14KB, since the image is stored inside your public key. Use the following commands to add the photo.

    $ gpg --edit-key $KEYID

    gpg (GnuPG/MacGPG2) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Secret key is available.

    pub  4096R/0xF932D46EFBBF395C  created: 2016-08-03  expires: never       usage: SC
                                   trust: ultimate      validity: ultimate
    [ultimate] (1). Firstname Lastname <firstname.lastname@wheniwork.com>

    gpg> addphoto

    Pick an image to use for your photo ID.  The image must be a JPEG file.
    Remember that the image is stored within your public key.  If you use a
    very large picture, your key will become very large as well!
    Keeping the image close to 240x288 is a good size to use.

    Enter JPEG filename for photo ID: /Users/firstnamelastname/Desktop/photo.jpg
    Is this photo correct (y/N/q)? y

    You need a passphrase to unlock the secret key for
    user: "Firstname Lastname <firstname.lastname@wheniwork.com>"
    4096-bit RSA key, ID 0xF932D46EFBBF395C, created 2016-08-03


    pub  4096R/0xF932D46EFBBF395C  created: 2016-08-03  expires: never       usage: SC
                                   trust: ultimate      validity: ultimate
    [ultimate] (1). Firstname Lastname <firstname.lastname@wheniwork.com>
    [ unknown] (2)  [jpeg image of size 2750]

    gpg> save

## Create revocation certificate

Create a way to revoke your keys in case of loss or compromise, an explicit reason being optional:

    $ gpg --gen-revoke $KEYID > $GNUPGHOME/revoke.txt

    sec  4096R/0xF932D46EFBBF395C 2016-05-24 Firstname Lastname <firstname.lastname@wheniwork.com>

    Create a revocation certificate for this key? (y/N) y
    Please select the reason for the revocation:
      0 = No reason specified
      1 = Key has been compromised
      2 = Key is superseded
      3 = Key is no longer used
      Q = Cancel
    (Probably you want to select 1 here)
    Your decision? 1
    Enter an optional description; end it with an empty line:
    >
    Reason for revocation: Key has been compromised
    (No description given)
    Is this okay? (y/N) y

    You need a passphrase to unlock the secret key for
    user: "Firstname Lastname <firstname.lastname@wheniwork.com>"
    4096-bit RSA key, ID 0xFF3E7D88647EBCDB, created 2016-05-24

    ASCII armored output forced.
    Revocation certificate created.

    Please move it to a medium which you can hide away; if Mallory gets
    access to this certificate he can use it to make your key unusable.
    It is smart to print this certificate and store it away, just in case
    your media become unreadable.  But have some caution:  The print system of
    your machine might store the data and make it available to others!

## Back up master key

Save a copy of the private key block:

    $ gpg --armor --export-secret-keys $KEYID > $GNUPGHOME/master.key

## Create subkeys

Edit the key to add subkeys:

    $ gpg --expert --edit-key $KEYID

    gpg (GnuPG/MacGPG2) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Secret key is available.

    gpg: checking the trustdb
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
    pub  4096R/0xF932D46EFBBF395C  created: 2016-08-03  expires: never       usage: SC
                                   trust: ultimate      validity: ultimate
    [ultimate] (1). Firstname Lastname <firstname.lastname@wheniwork.com>
    [ultimate] (2)  [jpeg image of size 2750]

    gpg>

### Signing key

First, create a [signing key](https://stackoverflow.com/questions/5421107/can-rsa-be-both-used-as-encryption-and-signature/5432623#5432623), selecting RSA (sign only):

    gpg> addkey
    Key is protected.

    You need a passphrase to unlock the secret key for
    user: "Firstname Lastname <firstname.lastname@wheniwork.com>"
    4096-bit RSA key, ID 0xF932D46EFBBF395C, created 2016-08-03

    Please select what kind of key you want:
       (3) DSA (sign only)
       (4) RSA (sign only)
       (5) Elgamal (encrypt only)
       (6) RSA (encrypt only)
       (7) DSA (set your own capabilities)
       (8) RSA (set your own capabilities)
    Your selection? 4
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048)
    Requested keysize is 2048 bits
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 0
    Key expires at Fri Nov 11 11:29:52 2016 CST
    Is this correct? (y/N) y
    Really create? (y/N) y
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.

    pub  4096R/0xF932D46EFBBF395C  created: 2016-08-03  expires: never       usage: SC
                                   trust: ultimate      validity: ultimate
    sub  2048R/0x1E7E95EA22108AE7  created: 2016-08-03  expires: 2016-11-11  usage: S
    [ultimate] (1). Firstname Lastname <firstname.lastname@wheniwork.com>
    [ultimate] (2)  [jpeg image of size 2750]

    gpg>

### Encryption key

Next, create an [encryption key](https://www.cs.cornell.edu/courses/cs5430/2015sp/notes/rsa_sign_vs_dec.php), selecting RSA (encrypt only):

    gpg> addkey
    Key is protected.

    You need a passphrase to unlock the secret key for
    user: "Firstname Lastname <firstname.lastname@wheniwork.com>"
    4096-bit RSA key, ID 0xF932D46EFBBF395C, created 2016-08-03

    Please select what kind of key you want:
       (3) DSA (sign only)
       (4) RSA (sign only)
       (5) Elgamal (encrypt only)
       (6) RSA (encrypt only)
       (7) DSA (set your own capabilities)
       (8) RSA (set your own capabilities)
    Your selection? 6
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048)
    Requested keysize is 2048 bits
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 0
    Key expires at Fri Nov 11 11:32:21 2016 CST
    Is this correct? (y/N) y
    Really create? (y/N) y
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.

    pub  4096R/0xF932D46EFBBF395C  created: 2016-08-03  expires: never       usage: SC
                                   trust: ultimate      validity: ultimate
    sub  2048R/0x1E7E95EA22108AE7  created: 2016-08-03  expires: 2016-11-11  usage: S
    sub  2048R/0xAF6A01035CFD7DF0  created: 2016-08-03  expires: 2016-11-11  usage: E
    [ultimate] (1). Firstname Lastname <firstname.lastname@wheniwork.com>
    [ultimate] (2)  [jpeg image of size 2750]

    gpg>

### Authentication key

Finally, create an [authentication key](https://superuser.com/questions/390265/what-is-a-gpg-with-authenticate-capability-used-for), selecting RSA (set your own capabilities):

    gpg> addkey
    Key is protected.

    You need a passphrase to unlock the secret key for
    user: "Firstname Lastname <firstname.lastname@wheniwork.com>"
    4096-bit RSA key, ID 0xF932D46EFBBF395C, created 2016-08-03

    Please select what kind of key you want:
       (3) DSA (sign only)
       (4) RSA (sign only)
       (5) Elgamal (encrypt only)
       (6) RSA (encrypt only)
       (7) DSA (set your own capabilities)
       (8) RSA (set your own capabilities)
    Your selection? 8

    Possible actions for a RSA key: Sign Encrypt Authenticate
    Current allowed actions: Sign Encrypt

       (S) Toggle the sign capability
       (E) Toggle the encrypt capability
       (A) Toggle the authenticate capability
       (Q) Finished

    Your selection? s

    Possible actions for a RSA key: Sign Encrypt Authenticate
    Current allowed actions: Encrypt

       (S) Toggle the sign capability
       (E) Toggle the encrypt capability
       (A) Toggle the authenticate capability
       (Q) Finished

    Your selection? e

    Possible actions for a RSA key: Sign Encrypt Authenticate
    Current allowed actions:

       (S) Toggle the sign capability
       (E) Toggle the encrypt capability
       (A) Toggle the authenticate capability
       (Q) Finished

    Your selection? a

    Possible actions for a RSA key: Sign Encrypt Authenticate
    Current allowed actions: Authenticate

       (S) Toggle the sign capability
       (E) Toggle the encrypt capability
       (A) Toggle the authenticate capability
       (Q) Finished

    Your selection? q
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048)
    Requested keysize is 2048 bits
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 0
    Key expires at Fri Nov 11 11:33:21 2016 CST
    Is this correct? (y/N) y
    Really create? (y/N) y
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.

    pub  4096R/0xF932D46EFBBF395C  created: 2016-08-03  expires: never       usage: SC
                                   trust: ultimate      validity: ultimate
    sub  2048R/0x1E7E95EA22108AE7  created: 2016-08-03  expires: 2016-11-11  usage: S
    sub  2048R/0xAF6A01035CFD7DF0  created: 2016-08-03  expires: 2016-11-11  usage: E
    sub  2048R/0x6B41354877FC08DA  created: 2016-08-03  expires: 2016-11-11  usage: A
    [ultimate] (1). Firstname Lastname <firstname.lastname@wheniwork.com>
    [ultimate] (2)  [jpeg image of size 2750]

    gpg> save

## Check your work

List your new secret keys:

    $ gpg --list-secret-keys
    /var/folders/m_/t3y0ptl111zd0kbs6590gw_40000gn/T/tmp.LXjFxkDy/secring.gpg
    -------------------------------------------------------------------------
    sec   4096R/0xF932D46EFBBF395C 2016-08-03
    uid                            Firstname Lastname <firstname.lastname@wheniwork.com>
    uid                            [jpeg image of size 2750]
    ssb   2048R/0x1E7E95EA22108AE7 2016-08-03
    ssb   2048R/0xAF6A01035CFD7DF0 2016-08-03
    ssb   2048R/0x6B41354877FC08DA 2016-08-03

## Export subkeys

Save a copy of your subkeys:

    $ gpg --armor --export-secret-keys $KEYID > $GNUPGHOME/mastersub.key

    $ gpg --armor --export-secret-subkeys $KEYID > $GNUPGHOME/sub.key

## Back up everything

Once keys are moved to hardware, they cannot be extracted again (otherwise, what would be the point?), so make sure you have made a backup before proceeding.
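The plain `cp -avi` used in this section copies the whole working directory and trips over the gpg-agent socket (the "Operation not supported on socket" line in its output), and it gives no confirmation that what landed on the thumb drive is byte-for-byte what was on disk. The following POSIX shell helper is an added example, not part of the original guide: it copies only regular files (so the `S.gpg-agent` socket is skipped rather than reported as an error), creates the backup directory with mode 700, and compares every copy to its source by checksum before reporting success. The destination path in the usage line is an assumption, and the directory contents in its self-test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide: back up a GnuPG working
# directory file by file and verify the copy.
# - only regular files are copied, so the S.gpg-agent socket is skipped
#   instead of making cp fail;
# - every copied file is compared to its source by checksum;
# - the backup directory is created with mode 700.

# checksum_of FILE: SHA-256 where a tool is available, POSIX cksum otherwise.
checksum_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    cksum "$1" | cut -d' ' -f1
  fi
}

# backup_gnupghome SRC DEST: copy SRC into DEST/<basename of SRC>, keeping the
# directory layout and verifying each file. Returns 0 only if every regular
# file was copied and its checksum matches the source.
backup_gnupghome() {
  src=$1
  dest=$2/$(basename "$src")
  mkdir -p "$dest" && chmod 700 "$dest" || return 1
  # find -type f selects regular files only; sockets and FIFOs are skipped.
  find "$src" -type f | while IFS= read -r f; do
    rel=${f#"$src"/}
    mkdir -p "$dest/$(dirname "$rel")" || exit 1
    cp -p "$f" "$dest/$rel" || exit 1
    [ "$(checksum_of "$f")" = "$(checksum_of "$dest/$rel")" ] || exit 1
  done || return 1
  return 0
}

# count_regular_files DIR: number of regular files below DIR, i.e. exactly
# what backup_gnupghome would copy from it.
count_regular_files() {
  find "$1" -type f | wc -l | tr -d ' '
}

# Usage (assumed paths): sh backup.sh "$GNUPGHOME" /Volumes/WIW_USB_THUMBDRIVE
if [ $# -eq 2 ]; then
  if backup_gnupghome "$1" "$2"; then
    echo "backup verified: $(count_regular_files "$2/$(basename "$1")") files"
  else
    echo "backup FAILED" >&2
    exit 1
  fi
fi
```

Run it with the working directory and the mount point of the thumb drive as its two arguments; a non-zero exit means at least one file did not copy or did not verify, and the backup should not be trusted until it does. The exported `master.key` and `sub.key` files are protected only by the key passphrase, so the drive itself still needs to be stored somewhere safe.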
Insert the USB thumbdrive you were provided by WIW and back up the temporary GPG working directory:

    $ cp -avi $GNUPGHOME /Volumes/WIW_USB_THUMBDRIVE/
    /var/folders/m_/t3y0ptl111zd0kbs6590gw_40000gn/T/tmp.LXjFxkDy -> /Volumes/WIW_USB_THUMBDRIVE/tmp.LXjFxkDy
    /var/folders/m_/t3y0ptl111zd0kbs6590gw_40000gn/T/tmp.LXjFxkDy/gpg.conf -> /Volumes/WIW_USB_THUMBDRIVE/tmp.LXjFxkDy/gpg.conf
    /var/folders/m_/t3y0ptl111zd0kbs6590gw_40000gn/T/tmp.LXjFxkDy/master.key -> /Volumes/WIW_USB_THUMBDRIVE/tmp.LXjFxkDy/master.key
    /var/folders/m_/t3y0ptl111zd0kbs6590gw_40000gn/T/tmp.LXjFxkDy/mastersub.key -> /Volumes/WIW_USB_THUMBDRIVE/tmp.LXjFxkDy/mastersub.key
    /var/folders/m_/t3y0ptl111zd0kbs6590gw_40000gn/T/tmp.LXjFxkDy/private-keys-v1.d -> /Volumes/WIW_USB_THUMBDRIVE/tmp.LXjFxkDy/private-keys-v1.d
    /var/folders/m_/t3y0ptl111zd0kbs6590gw_40000gn/T/tmp.LXjFxkDy/pubring.gpg -> /Volumes/WIW_USB_THUMBDRIVE/tmp.LXjFxkDy/pubring.gpg
    /var/folders/m_/t3y0ptl111zd0kbs6590gw_40000gn/T/tmp.LXjFxkDy/pubring.gpg~ -> /Volumes/WIW_USB_THUMBDRIVE/tmp.LXjFxkDy/pubring.gpg~
    /var/folders/m_/t3y0ptl111zd0kbs6590gw_40000gn/T/tmp.LXjFxkDy/random_seed -> /Volumes/WIW_USB_THUMBDRIVE/tmp.LXjFxkDy/random_seed
    /var/folders/m_/t3y0ptl111zd0kbs6590gw_40000gn/T/tmp.LXjFxkDy/revoke.txt -> /Volumes/WIW_USB_THUMBDRIVE/tmp.LXjFxkDy/revoke.txt
    cp: /var/folders/m_/t3y0ptl111zd0kbs6590gw_40000gn/T/tmp.LXjFxkDy/S.gpg-agent: Operation not supported on socket
    /var/folders/m_/t3y0ptl111zd0kbs6590gw_40000gn/T/tmp.LXjFxkDy/secring.gpg -> /Volumes/WIW_USB_THUMBDRIVE/tmp.LXjFxkDy/secring.gpg
    /var/folders/m_/t3y0ptl111zd0kbs6590gw_40000gn/T/tmp.LXjFxkDy/sub.key -> /Volumes/WIW_USB_THUMBDRIVE/tmp.LXjFxkDy/sub.key
    /var/folders/m_/t3y0ptl111zd0kbs6590gw_40000gn/T/tmp.LXjFxkDy/trustdb.gpg -> /Volumes/WIW_USB_THUMBDRIVE/tmp.LXjFxkDy/trustdb.gpg

## Configure YubiKey

Plug in your YubiKey and configure it:

    $ ykpersonalize -m82
    Firmware version 4.2.7 Touch level 527 Program sequence 4

    The USB mode will be set to: 0x82

    Commit? (y/n) [n]: y

> The -m option is the mode command. To see the different modes, enter ykpersonalize –help. Mode 82 (in hex) enables the YubiKey as a composite USB device (HID + CCID) and allows OTPs to be emitted while in use as a smart card. Once you have changed the mode, you need to re-boot the YubiKey – so remove and re-insert it.

https://www.yubico.com/2012/12/yubikey-neo-openpgp/

## Configure smartcard

Use GPG to configure YubiKey as a smartcard:

    $ gpg --card-edit

    Application ID ...: D2760001240102010006055532110000
    Version ..........: 2.1
    Manufacturer .....: unknown
    Serial number ....: 05553211
    Name of cardholder: [not set]
    Language prefs ...: [not set]
    Sex ..............: unspecified
    URL of public key : [not set]
    Login data .......: [not set]
    Private DO 1 .....: [not set]
    Private DO 2 .....: [not set]
    Signature PIN ....: not forced
    Key attributes ...: 2048R 2048R 2048R
    Max. PIN lengths .: 127 127 127
    PIN retry counter : 3 0 3
    Signature counter : 0
    Signature key ....: [none]
    Encryption key....: [none]
    Authentication key: [none]
    General key info..: [none]

### Change PINs

The default PIN codes are:

- admin: `12345678`
- user: `123456`

Note: the user PIN code *MUST* be *at LEAST* 6 digits.

    gpg/card> admin
    Admin commands are allowed

    gpg/card> passwd
    gpg: OpenPGP card no. D2760001240102010006055532110000 detected

    1 - change PIN
    2 - unblock PIN
    3 - change Admin PIN
    4 - set the Reset Code
    Q - quit

    Your selection? 1
    PIN changed.

    1 - change PIN
    2 - unblock PIN
    3 - change Admin PIN
    4 - set the Reset Code
    Q - quit

    Your selection? 3
    PIN changed.

    1 - change PIN
    2 - unblock PIN
    3 - change Admin PIN
    4 - set the Reset Code
    Q - quit

    Your selection? 4
    Reset Code set.

    1 - change PIN
    2 - unblock PIN
    3 - change Admin PIN
    4 - set the Reset Code
    Q - quit

    Your selection? q

    gpg/card>

### Set card information

Set up the optional fields:

    gpg/card> name
    Cardholder's surname: Lastname
    Cardholder's given name: Firstname

    gpg/card> lang
    Language preferences: en

    gpg/card> sex
    Sex ((M)ale, (F)emale or space): m

    gpg/card>

Verify the card information:

    gpg/card> (Press Enter)

    Application ID ...: D2760001240102010006049421930000
    Version ..........: 2.1
    Manufacturer .....: Yubico
    Serial number ....: 04942193
    Name of cardholder: Firstname Lastname
    Language prefs ...: en
    Sex ..............: male
    URL of public key : [not set]
    Login data .......: [not set]
    Signature PIN ....: not forced
    Key attributes ...: 2048R 2048R 2048R
    Max. PIN lengths .: 127 127 127
    PIN retry counter : 3 3 3
    Signature counter : 0
    Signature key ....: [none]
    Encryption key....: [none]
    Authentication key: [none]
    General key info..: [none]

    gpg/card> quit

## Transfer keys

Transferring keys to YubiKey hardware is a one-way operation only, so make sure you've made a backup before proceeding:

    $ gpg --edit-key $KEYID
    gpg (GnuPG/MacGPG2) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Secret key is available.

    pub  4096R/0xF932D46EFBBF395C  created: 2016-08-03  expires: never       usage: SC
                                   trust: ultimate      validity: ultimate
    sub  2048R/0x1E7E95EA22108AE7  created: 2016-08-03  expires: 2016-11-11  usage: S
    sub  2048R/0xAF6A01035CFD7DF0  created: 2016-08-03  expires: 2016-11-11  usage: E
    sub  2048R/0x6B41354877FC08DA  created: 2016-08-03  expires: 2016-11-11  usage: A
    [ultimate] (1). Firstname Lastname <firstname.lastname@wheniwork.com>
    [ultimate] (2)  [jpeg image of size 2750]

Toggle to the secret key listings:

    gpg> toggle

    sec  4096R/0xF932D46EFBBF395C  created: 2016-08-03  expires: never
    ssb  2048R/0x1E7E95EA22108AE7  created: 2016-08-03  expires: never
    ssb  2048R/0xAF6A01035CFD7DF0  created: 2016-08-03  expires: never
    ssb  2048R/0x6B41354877FC08DA  created: 2016-08-03  expires: never
    (1)  Firstname Lastname <firstname.lastname@wheniwork.com>
    (2)  [jpeg image of size 2750]

    gpg>

### Signature key

Select the signature key.

    gpg> key 1

    sec  4096R/0xF932D46EFBBF395C  created: 2016-08-03  expires: never
    ssb* 2048R/0x1E7E95EA22108AE7  created: 2016-08-03  expires: never
    ssb  2048R/0xAF6A01035CFD7DF0  created: 2016-08-03  expires: never
    ssb  2048R/0x6B41354877FC08DA  created: 2016-08-03  expires: never
    (1)  Firstname Lastname <firstname.lastname@wheniwork.com>
    (2)  [jpeg image of size 2750]

    gpg>

Move the signature key (you will be prompted for the key passphrase and admin PIN):

    gpg> keytocard
    Signature key ....: [none]
    Encryption key....: [none]
    Authentication key: [none]

    Please select where to store the key:
       (1) Signature key
       (3) Authentication key
    Your selection? 1

    You need a passphrase to unlock the secret key for
    user: "Firstname Lastname <firstname.lastname@wheniwork.com>"
    2048-bit RSA key, ID 0x1E7E95EA22108AE7, created 2016-08-03


    sec  4096R/0xF932D46EFBBF395C  created: 2016-08-03  expires: never
    ssb* 2048R/0x1E7E95EA22108AE7  created: 2016-08-03  expires: never
                         card-no: 0006 04942193
    ssb  2048R/0xAF6A01035CFD7DF0  created: 2016-08-03  expires: never
    ssb  2048R/0x6B41354877FC08DA  created: 2016-08-03  expires: never
    (1)  Firstname Lastname <firstname.lastname@wheniwork.com>
    (2)  [jpeg image of size 2750]

    gpg>

Type `key 1` again to deselect the signature key.

    gpg> key 1

    sec  4096R/0xF932D46EFBBF395C  created: 2016-08-03  expires: never
    ssb  2048R/0x1E7E95EA22108AE7  created: 2016-08-03  expires: never
                         card-no: 0006 04942193
    ssb  2048R/0xAF6A01035CFD7DF0  created: 2016-08-03  expires: never
    ssb  2048R/0x6B41354877FC08DA  created: 2016-08-03  expires: never
    (1)  Firstname Lastname <firstname.lastname@wheniwork.com>
    (2)  [jpeg image of size 2750]

    gpg>

### Encryption key

Type `key 2` to select the next key:

    gpg> key 2

    sec  4096R/0xF932D46EFBBF395C  created: 2016-08-03  expires: never
    ssb  2048R/0x1E7E95EA22108AE7  created: 2016-08-03  expires: never
                         card-no: 0006 04942193
    ssb* 2048R/0xAF6A01035CFD7DF0  created: 2016-08-03  expires: never
    ssb  2048R/0x6B41354877FC08DA  created: 2016-08-03  expires: never
    (1)  Firstname Lastname <firstname.lastname@wheniwork.com>
    (2)  [jpeg image of size 2750]

    gpg>

Move the encryption key to the card (you will be prompted for the key passphrase):

    gpg> keytocard
    Signature key ....: C488 2B4E 29E2 95D8 66D2 37DF 1E7E 95EA 2210 8AE7
    Encryption key....: [none]
    Authentication key: [none]

    Please select where to store the key:
       (2) Encryption key
    Your selection? 2

    You need a passphrase to unlock the secret key for
    user: "Firstname Lastname <firstname.lastname@wheniwork.com>"
    2048-bit RSA key, ID 0xAF6A01035CFD7DF0, created 2016-08-03


    sec  4096R/0xF932D46EFBBF395C  created: 2016-08-03  expires: never
    ssb  2048R/0x1E7E95EA22108AE7  created: 2016-08-03  expires: never
                         card-no: 0006 04942193
    ssb* 2048R/0xAF6A01035CFD7DF0  created: 2016-08-03  expires: never
                         card-no: 0006 04942193
    ssb  2048R/0x6B41354877FC08DA  created: 2016-08-03  expires: never
    (1)  Firstname Lastname <firstname.lastname@wheniwork.com>
    (2)  [jpeg image of size 2750]

    gpg>

Type `key 2` to deselect the encryption key.

    gpg> key 2

    sec  4096R/0xF932D46EFBBF395C  created: 2016-08-03  expires: never
    ssb  2048R/0x1E7E95EA22108AE7  created: 2016-08-03  expires: never
                         card-no: 0006 04942193
    ssb  2048R/0xAF6A01035CFD7DF0  created: 2016-08-03  expires: never
                         card-no: 0006 04942193
    ssb  2048R/0x6B41354877FC08DA  created: 2016-08-03  expires: never
    (1)  Firstname Lastname <firstname.lastname@wheniwork.com>
    (2)  [jpeg image of size 2750]

    gpg>

### Authentication key

Type `key 3` to select the next key:

    gpg> key 3

    sec  4096R/0xF932D46EFBBF395C  created: 2016-08-03  expires: never
    ssb  2048R/0x1E7E95EA22108AE7  created: 2016-08-03  expires: never
                         card-no: 0006 04942193
    ssb  2048R/0xAF6A01035CFD7DF0  created: 2016-08-03  expires: never
                         card-no: 0006 04942193
    ssb* 2048R/0x6B41354877FC08DA  created: 2016-08-03  expires: never
    (1)  Firstname Lastname <firstname.lastname@wheniwork.com>
    (2)  [jpeg image of size 2750]

    gpg>

Move the authentication key to the card (you will be prompted for the key passphrase):

    gpg> keytocard
    Signature key ....: C488 2B4E 29E2 95D8 66D2 37DF 1E7E 95EA 2210 8AE7
    Encryption key....: 5CE0 F585 0226 DF12 8813 05CF AF6A 0103 5CFD 7DF0
    Authentication key: [none]

    Please select where to store the key:
       (3) Authentication key
    Your selection? 3

    You need a passphrase to unlock the secret key for
    user: "Firstname Lastname <firstname.lastname@wheniwork.com>"
    2048-bit RSA key, ID 0x6B41354877FC08DA, created 2016-08-03


    sec  4096R/0xF932D46EFBBF395C  created: 2016-08-03  expires: never
    ssb  2048R/0x1E7E95EA22108AE7  created: 2016-08-03  expires: never
                         card-no: 0006 04942193
    ssb  2048R/0xAF6A01035CFD7DF0  created: 2016-08-03  expires: never
                         card-no: 0006 04942193
    ssb* 2048R/0x6B41354877FC08DA  created: 2016-08-03  expires: never
                         card-no: 0006 04942193
    (1)  Firstname Lastname <firstname.lastname@wheniwork.com>
    (2)  [jpeg image of size 2750]

    gpg>

Save and quit:

    gpg> save

## Check your work

`ssb>` indicates a stub to the private key on smartcard:

    $ gpg --list-secret-keys
    /var/folders/m_/t3y0ptl111zd0kbs6590gw_40000gn/T/tmp.LXjFxkDy/secring.gpg
    -------------------------------------------------------------------------
    sec   4096R/0xF932D46EFBBF395C 2016-08-03
    uid                            Firstname Lastname <firstname.lastname@wheniwork.com>
    uid                            [jpeg image of size 2750]
    ssb>  2048R/0x1E7E95EA22108AE7 2016-08-03
    ssb>  2048R/0xAF6A01035CFD7DF0 2016-08-03
    ssb>  2048R/0x6B41354877FC08DA 2016-08-03

## Back up the remaining stubs

    $ gpg -a --export-secret-keys $KEYID > $GNUPGHOME/masterstubs.txt
    $ gpg -a --export-secret-subkeys $KEYID > $GNUPGHOME/subkeystubs.txt
    $ gpg -a --export $KEYID > $GNUPGHOME/publickey.txt

## Export public key

This file should be publicly shared:

    $ gpg2 --armor --export firstname.lastname@wheniwork.com > firstname.lastname@wheniwork.com--master.asc

## Back up the new exports

    $ cp -an $GNUPGHOME /Volumes/WIW_USB_THUMBDRIVE/

## Finish

If all went well, you should now reboot or remove `$GNUPGHOME`.
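Before discarding the working directory it is worth confirming, from the listing rather than by eye, where each secret key now lives: in the working directory the master key is still on disk (`sec`) and every subkey must be a card stub (`ssb>`), while on a daily-use machine that only imported the public key the master must show as unavailable (`sec#`, as explained under "Insert YubiKey" below). The following POSIX shell check is an added example, not part of the original guide; it parses the `gpg --list-secret-keys` format shown in the "Check your work" sections and the two sample listings it carries are constructed from the key IDs on this page.

```shell
#!/bin/sh
# Added example, not part of the original guide: classify the entries of a
# `gpg --list-secret-keys` listing by where the private key material is.
#   sec  / ssb   -> "disk"    private key is in the local keyring
#   sec> / ssb>  -> "card"    only a stub; the key is on the smartcard
#   sec# / ssb#  -> "offline" only a stub; the key is not available here

# classify_secret_keys: listing on stdin, prints "<keyid> <location>" per key.
classify_secret_keys() {
  awk '
    $1 ~ /^(sec|ssb)/ {
      tag = substr($1, 4, 1)          # character after sec/ssb, if any
      loc = (tag == ">") ? "card" : (tag == "#") ? "offline" : "disk"
      split($2, a, "/")               # "4096R/0xF932D46EFBBF395C" -> key id
      print a[2], loc
    }'
}

# no_secrets_on_disk: listing on stdin; returns 0 when every sec/ssb entry is
# a card or offline stub, 1 if any private key is still held in the keyring.
no_secrets_on_disk() {
  ! classify_secret_keys | grep -q ' disk$'
}

# Constructed sample: the working directory right after "keytocard"
# (master key still on disk, all three subkeys moved to the card).
sample_after_transfer() {
  cat <<'EOF'
sec   4096R/0xF932D46EFBBF395C 2016-08-03
uid                            Firstname Lastname <firstname.lastname@wheniwork.com>
uid                            [jpeg image of size 2750]
ssb>  2048R/0x1E7E95EA22108AE7 2016-08-03
ssb>  2048R/0xAF6A01035CFD7DF0 2016-08-03
ssb>  2048R/0x6B41354877FC08DA 2016-08-03
EOF
}

# Constructed sample: a daily-use machine after importing only the public key
# and running gpg --card-status (master offline, subkeys on the card).
sample_daily_machine() {
  cat <<'EOF'
sec#  4096R/0xF932D46EFBBF395C 2016-08-03
uid                            Firstname Lastname <firstname.lastname@wheniwork.com>
ssb>  2048R/0x1E7E95EA22108AE7 2016-08-03
ssb>  2048R/0xAF6A01035CFD7DF0 2016-08-03
ssb>  2048R/0x6B41354877FC08DA 2016-08-03
EOF
}

# Usage on a real keyring: gpg --list-secret-keys | no_secrets_on_disk
if [ "${1:-}" = "--demo" ]; then
  echo "working directory:"; sample_after_transfer | classify_secret_keys
  echo "daily machine:";     sample_daily_machine  | classify_secret_keys
fi
```

On the daily machine `gpg --list-secret-keys | no_secrets_on_disk` should succeed; if it fails, some private key was imported or generated there and the machine does not have the "master offline, subkeys on card" layout this guide is building. In the working directory the same check is expected to fail on the master key only, which is exactly the material that must exist nowhere but on the backup drive once `$GNUPGHOME` is gone.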

    $ unset GNUPGHOME

# Using keys

## Create GPG configuration

Paste the following text into a terminal window to create the recommended GPG configuration.

gpg.conf:

    $ cat << EOF > ~/.gnupg/gpg.conf
    default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAMELLIA256 CAMELLIA192 CAMELLIA128 TWOFISH
    cert-digest-algo SHA512
    use-agent
    lock-never
    keyid-format 0xlong
    EOF

gpg-agent.conf:

    $ cat << EOF > ~/.gnupg/gpg-agent.conf
    pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
    enable-ssh-support
    write-env-file
    use-standard-socket
    default-cache-ttl 600
    max-cache-ttl 7200
    debug-level advanced
    log-file /var/log/gpg-agent.log
    EOF

Two caveats for this file. `debug-level advanced` together with `log-file` records every agent request, including which keys were used and when, so keep the log under `~/.gnupg` (as the agent start command in the SSH section does) rather than in `/var/log`, and drop both lines once the setup works. `write-env-file` and `use-standard-socket` are GnuPG 2.0 options; GnuPG 2.1 and later ignore them with an "obsolete option" warning, because the standard socket is always used there.

## Import public key

Import it from a file:

    $ gpg --import < /Volumes/WIW_USB_THUMBDRIVE/tmp.LXjFxkDy/publickey.txt
    gpg: /Users/firstnamelastname/.gnupg/trustdb.gpg: trustdb created
    gpg: key FBBF395C: public key "Firstname Lastname " imported
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)

## Insert YubiKey

Check the card's status:

    $ gpg --card-status
    Application ID ...: D2760001240102010006049421930000
    Version ..........: 2.1
    Manufacturer .....: Yubico
    Serial number ....: 04942193
    Name of cardholder: Firstname Lastname
    Language prefs ...: en
    Sex ..............: male
    URL of public key : [not set]
    Login data .......: [not set]
    Signature PIN ....: not forced
    Key attributes ...: 2048R 2048R 2048R
    Max. PIN lengths .: 127 127 127
    PIN retry counter : 3 3 3
    Signature counter : 0
    Signature key ....: C488 2B4E 29E2 95D8 66D2 37DF 1E7E 95EA 2210 8AE7
          created ....: 2016-08-03 17:29:31
    Encryption key....: 5CE0 F585 0226 DF12 8813 05CF AF6A 0103 5CFD 7DF0
          created ....: 2016-08-03 17:32:14
    Authentication key: 2172 7812 1277 2743 DB3E CD68 6B41 3548 77FC 08DA
          created ....: 2016-08-03 17:33:06
    General key info..: sub  2048R/22108AE7 2016-08-03 Firstname Lastname 
    sec#  4096R/FBBF395C  created: 2016-08-03  expires: never
    ssb>  2048R/22108AE7  created: 2016-08-03  expires: 2016-11-11
                          card-no: 0006 04942193
    ssb>  2048R/5CFD7DF0  created: 2016-08-03  expires: 2016-11-11
                          card-no: 0006 04942193
    ssb>  2048R/77FC08DA  created: 2016-08-03  expires: 2016-11-11
                          card-no: 0006 04942193

`sec#` indicates the master key is not available (as it should be: it is stored encrypted offline), and `ssb>` marks the subkeys that live on the card. `PIN retry counter : 3 3 3` lists the remaining attempts for the user PIN, the reset code and the admin PIN; a counter at 0 means that PIN is blocked.

## GnuPG

### Trust master key

Edit the imported key to assign it ultimate trust. Any ID belonging to the key works here; the one below is the signing subkey ID shown under `General key info` in the card status, and gpg resolves it to the master key 0xF932D46EFBBF395C:

    $ gpg --edit-key 0x1E7E95EA22108AE7
    gpg (GnuPG/MacGPG2) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Secret key is available.

    pub  4096R/0xF932D46EFBBF395C  created: 2016-08-03  expires: never       usage: SC
                                   trust: unknown       validity: unknown
    sub  2048R/0x1E7E95EA22108AE7  created: 2016-08-03  expires: 2016-11-11  usage: S
    sub  2048R/0xAF6A01035CFD7DF0  created: 2016-08-03  expires: 2016-11-11  usage: E
    sub  2048R/0x6B41354877FC08DA  created: 2016-08-03  expires: 2016-11-11  usage: A
    [ unknown] (1). Firstname Lastname 
    [ unknown] (2)  [jpeg image of size 2750]

    gpg> trust
    pub  4096R/0xF932D46EFBBF395C  created: 2016-08-03  expires: never       usage: SC
                                   trust: unknown       validity: unknown
    sub  2048R/0x1E7E95EA22108AE7  created: 2016-08-03  expires: 2016-11-11  usage: S
    sub  2048R/0xAF6A01035CFD7DF0  created: 2016-08-03  expires: 2016-11-11  usage: E
    sub  2048R/0x6B41354877FC08DA  created: 2016-08-03  expires: 2016-11-11  usage: A
    [ unknown] (1). Firstname Lastname 
    [ unknown] (2)  [jpeg image of size 2750]

    Please decide how far you trust this user to correctly verify other users' keys
    (by looking at passports, checking fingerprints from different sources, etc.)

      1 = I don't know or won't say
      2 = I do NOT trust
      3 = I trust marginally
      4 = I trust fully
      5 = I trust ultimately
      m = back to the main menu

    Your decision? 5
    Do you really want to set this key to ultimate trust? (y/N) y

    pub  4096R/0xF932D46EFBBF395C  created: 2016-08-03  expires: never       usage: SC
                                   trust: ultimate      validity: unknown
    sub  2048R/0x1E7E95EA22108AE7  created: 2016-08-03  expires: 2016-11-11  usage: S
    sub  2048R/0xAF6A01035CFD7DF0  created: 2016-08-03  expires: 2016-11-11  usage: E
    sub  2048R/0x6B41354877FC08DA  created: 2016-08-03  expires: 2016-11-11  usage: A
    [ unknown] (1). Firstname Lastname 
    [ unknown] (2)  [jpeg image of size 2750]
    Please note that the shown key validity is not necessarily correct
    unless you restart the program.

    gpg> quit

### Encryption

Encrypt some sample text. The recipient ID in this sample (0xFF3E7D88647EBCDB) and the ciphertext it produced do not belong to the key created above (the decryption output below reports a 4096-bit key created 2016-05-24); substitute your own ID (0xF932D46EFBBF395C in this guide's listings) and expect a different message:

    $ echo "$(uname -a)" | gpg --encrypt --armor --recipient 0xFF3E7D88647EBCDB
    -----BEGIN PGP MESSAGE-----

    hQIMA1kSp5XpDdLPAQ/+JyYfLaUS/+llEzQaKDb5mWhG4HlUgD99dNJUXakm085h
    PSSt3I8Ac0ctwyMnenZvBEbHMqdRnfZJsj5pHidKcAZrhgs+he+B1tdZ/KPa8inx
    NIGqd8W1OraVSFmPEdC1kQ5he6R/WCDH1NNel9+fvLtQDCBQaFae/s3yXCSSQU6q
    HKCJLyHK8K9hDvgFmXOY8j1qTknBvDbmYdcCKVE1ejgpUCi3WatusobpWozsp0+b
    6DN8bXyfxLPYm1PTLfW7v4kwddktB8eVioV8A45lndJZvliSqDwxhrwyE5VGsArS
    NmqzBkCaOHQFr0ofL91xgwpCI5kM2ukIR5SxUO4hvzlHn58QVL9GfAyCHMFtJs3o
    Q9eiR0joo9TjTwR8XomVhRJShrrcPeGgu3YmIak4u7OndyBFpu2E79RQ0ehpl2gY
    tSECB6mNd/gt0Wy3y15ccaFI4CVP6jrMN6q3YhXqNC7GgI/OWkVZIAgUFYnbmIQe
    tQ3z3wlbvFFngeFy5IlhsPduK8T9XgPnOtgQxHaepKz0h3m2lJegmp4YZ4CbS9h6
    kcBTUjys5Vin1SLuqL4PhErzmlAZgVzG2PANsnHYPe2hwN4NlFtOND1wgBCtBFBs
    1pqz1I0O+jmyId+jVlAK076c2AwdkVbokKUcIT/OcTc0nwHjOUttJGmkUHlbt/nS
    iAFNniSfzf6fwAFHgsvWiRJMa3keolPiqoUdh0tBIiI1zxOMaiTL7C9BFdpnvzYw
    Krj0pDc7AlF4spWhm58WgAW20P8PGcVQcN6mSTG8jKbXVSP3bvgPXkpGAOLKMV/i
    pLORcRPbauusBqovgaBWU/i3pMYrbhZ+LQbVEaJlvblWu6xe8HhS/jo=
    =pzkv
    -----END PGP MESSAGE-----

### Decryption

Decrypt the sample text by running the following command:

    $ gpg --decrypt --armor

Paste in the encrypted message generated above:

    -----BEGIN PGP MESSAGE-----

    hQIMA1kSp5XpDdLPAQ/+JyYfLaUS/+llEzQaKDb5mWhG4HlUgD99dNJUXakm085h
    PSSt3I8Ac0ctwyMnenZvBEbHMqdRnfZJsj5pHidKcAZrhgs+he+B1tdZ/KPa8inx
    NIGqd8W1OraVSFmPEdC1kQ5he6R/WCDH1NNel9+fvLtQDCBQaFae/s3yXCSSQU6q
    HKCJLyHK8K9hDvgFmXOY8j1qTknBvDbmYdcCKVE1ejgpUCi3WatusobpWozsp0+b
    6DN8bXyfxLPYm1PTLfW7v4kwddktB8eVioV8A45lndJZvliSqDwxhrwyE5VGsArS
    NmqzBkCaOHQFr0ofL91xgwpCI5kM2ukIR5SxUO4hvzlHn58QVL9GfAyCHMFtJs3o
    Q9eiR0joo9TjTwR8XomVhRJShrrcPeGgu3YmIak4u7OndyBFpu2E79RQ0ehpl2gY
    tSECB6mNd/gt0Wy3y15ccaFI4CVP6jrMN6q3YhXqNC7GgI/OWkVZIAgUFYnbmIQe
    tQ3z3wlbvFFngeFy5IlhsPduK8T9XgPnOtgQxHaepKz0h3m2lJegmp4YZ4CbS9h6
    kcBTUjys5Vin1SLuqL4PhErzmlAZgVzG2PANsnHYPe2hwN4NlFtOND1wgBCtBFBs
    1pqz1I0O+jmyId+jVlAK076c2AwdkVbokKUcIT/OcTc0nwHjOUttJGmkUHlbt/nS
    iAFNniSfzf6fwAFHgsvWiRJMa3keolPiqoUdh0tBIiI1zxOMaiTL7C9BFdpnvzYw
    Krj0pDc7AlF4spWhm58WgAW20P8PGcVQcN6mSTG8jKbXVSP3bvgPXkpGAOLKMV/i
    pLORcRPbauusBqovgaBWU/i3pMYrbhZ+LQbVEaJlvblWu6xe8HhS/jo=
    =pzkv
    -----END PGP MESSAGE-----

You should now be prompted to enter your PIN. Output:

    gpg: encrypted with 4096-bit RSA key, ID 0x5912A795E90DD2CF, created 2016-05-24
          "Firstname Lastname "

Press Control-D twice. Output:

    Darwin Your-MBP 15.6.0 Darwin Kernel Version 15.6.0: Thu Jun 23 18:25:34 PDT 2016; root:xnu-3248.60.10~1/RELEASE_X86_64 x86_64

### Signing

Sign some sample text. As with the encryption sample, replace the `--default-key` ID with your own; the signature below was actually made with this guide's signing subkey 0x1E7E95EA22108AE7, as the verification step shows. The YubiKey must be inserted and you will be prompted for the PIN:

    $ echo "$(uname -a)" | gpg --armor --clearsign --default-key 0xFF3E7D88647EBCDB
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    Darwin Your-MBP 15.6.0 Darwin Kernel Version 15.6.0: Thu Jun 23 18:25:34 PDT 2016; root:xnu-3248.60.10~1/RELEASE_X86_64 x86_64
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG/MacGPG2 v2

    iQEcBAEBCAAGBQJXqCSPAAoJEB5+leoiEIrnZP4IAKeLKo+rhrdSN8q50xY4LHYA
    F94k/emaSWdgBKMkbEbuSnBwtYkZl7YzFjmYWqQ6rbvwZI9JQzBp03cAaJ6Os3GC
    fQUNznVS0HXYl/7i0kFvuLfkSxd2zuJzaLZifL3pvZVmpDtZH1K+XZkuQDPmiFRi
    FnZAxYlTXiTlgRzEU4F9ZAd3ssBjp3KQmVuLoVV4rgMmMTFPKsDYurZTyalE63nk
    oCbdZtLu4INnbOOGB+F5yk0BcoYu5WVQJevAFirSWqEqYmxD+QDxYPj1LC55TIYe
    3b/zMA1YaWikwmC64G3SHu219nDB1fJcLnKhBjuLLpx+bY0qZJrGvN/Cmyz3qio=
    =fMOU
    -----END PGP SIGNATURE-----

### Verifying signature

Verify the previous signature by running the following command:

    $ gpg
    gpg: Go ahead and type your message ...

Paste in the whole clear-signed message created above, from `BEGIN PGP SIGNED MESSAGE` to `END PGP SIGNATURE`. The signed text has to come before the signature block, exactly as gpg emitted it; a signature block alone, or the text appended after it, will not verify:

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    Darwin Your-MBP 15.6.0 Darwin Kernel Version 15.6.0: Thu Jun 23 18:25:34 PDT 2016; root:xnu-3248.60.10~1/RELEASE_X86_64 x86_64
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG/MacGPG2 v2

    iQEcBAEBCAAGBQJXqCSPAAoJEB5+leoiEIrnZP4IAKeLKo+rhrdSN8q50xY4LHYA
    F94k/emaSWdgBKMkbEbuSnBwtYkZl7YzFjmYWqQ6rbvwZI9JQzBp03cAaJ6Os3GC
    fQUNznVS0HXYl/7i0kFvuLfkSxd2zuJzaLZifL3pvZVmpDtZH1K+XZkuQDPmiFRi
    FnZAxYlTXiTlgRzEU4F9ZAd3ssBjp3KQmVuLoVV4rgMmMTFPKsDYurZTyalE63nk
    oCbdZtLu4INnbOOGB+F5yk0BcoYu5WVQJevAFirSWqEqYmxD+QDxYPj1LC55TIYe
    3b/zMA1YaWikwmC64G3SHu219nDB1fJcLnKhBjuLLpx+bY0qZJrGvN/Cmyz3qio=
    =fMOU
    -----END PGP SIGNATURE-----

Press Control-D twice. Output:

    gpg: Signature made Sun Aug  7 23:19:59 2016 PDT
    gpg:                using RSA key 0x1E7E95EA22108AE7
    gpg: Good signature from "Firstname Lastname " [ultimate]
    gpg:                 aka "[jpeg image of size 2750]" [ultimate]

Putting it all together:

    $ echo "$(uname -a)" | gpg --encrypt --sign --armor --default-key 0xF932D46EFBBF395C --recipient 0x1E7E95EA22108AE7 | gpg --decrypt --armor
    gpg: encrypted with 2048-bit RSA key, ID 0xAF6A01035CFD7DF0, created 2016-08-03
          "Firstname Lastname "
    Darwin Your-MBP 15.6.0 Darwin Kernel Version 15.6.0: Thu Jun 23 18:25:34 PDT 2016; root:xnu-3248.60.10~1/RELEASE_X86_64 x86_64
    gpg: Signature made Sun Aug  7 23:32:40 2016 PDT
    gpg:                using RSA key 0x1E7E95EA22108AE7
    gpg: Good signature from "Firstname Lastname " [ultimate]
    gpg:                 aka "[jpeg image of size 2750]" [ultimate]

## SSH

### Update configuration

Paste the following text into a terminal window to create a [recommended](https://github.com/drduh/config/blob/master/gpg-agent.conf) GPG agent configuration. This is the same `gpg-agent.conf` written in [Create GPG configuration](#create-gpg-configuration), and `enable-ssh-support` is the line that matters for SSH:

    $ cat << EOF > ~/.gnupg/gpg-agent.conf
    pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
    enable-ssh-support
    write-env-file
    use-standard-socket
    default-cache-ttl 600
    max-cache-ttl 7200
    debug-level advanced
    log-file /var/log/gpg-agent.log
    EOF

### Replace ssh-agent with gpg-agent

    $ pkill ssh-agent
    $ pkill gpg-agent
    $ eval $(gpg-agent --daemon --enable-ssh-support --use-standard-socket --log-file ~/.gnupg/gpg-agent.log --write-env-file)

`eval` imports the `SSH_AUTH_SOCK` (and, on GnuPG 2.0, `GPG_AGENT_INFO`) variables the agent prints, so SSH clients started from this shell talk to gpg-agent instead of ssh-agent. On GnuPG 2.1 and later `--write-env-file` no longer exists; start the agent with `gpgconf --launch gpg-agent` and point SSH at it with `export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)`.

### Copy public key to server

Copy and paste the following output to the server's authorized keys file. The blob of an `ssh-rsa` key always starts with `AAAAB3NzaC1yc2E` (the base64 of the length-prefixed string `ssh-rsa`), and the `cardno:` comment is the serial number of the card holding the private key:

    $ ssh-add -L
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAz[...]zreOKM+HwpkHzcy9DQcVG2Nw== cardno:000605553211

### Connect with public key authentication

Run the following command.

    $ ssh -T git@github.com -vvv

You will be prompted to enter your PIN. Output:

    [...]
    debug2: key: cardno:000605553211 (0x1234567890),
    debug1: Authentications that can continue: publickey
    debug3: start over, passed a different list publickey
    debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: cardno:000605553211
    debug3: send_pubkey_test
    debug2: we sent a publickey packet, wait for reply
    debug1: Server accepts key: pkalg ssh-rsa blen 535
    debug2: input_userauth_pk_ok: fp e5:de:a5:74:b1:3e:96:9b:85:46:e7:28:53:b4:82:c3
    debug3: sign_and_send_pubkey: RSA e5:de:a5:74:b1:3e:96:9b:85:46:e7:28:53:b4:82:c3
    debug1: Authentication succeeded (publickey).
    [...]

The `fp` value is the MD5 fingerprint of the offered key; compare it with the output of `ssh-add -l` (lowercase l, which lists fingerprints rather than keys) to confirm which key the server accepted.

# Share your public keys

Run the following clone command to get the GPG public keys repo:

    git clone https://github.com/wheniwork/public_gpg_keys

Add your key:

    git

# Setup Git for signing

Use the following command to make git use the signing key, passing the key ID (as shown by `gpg --list-secret-keys`) as its argument:

    git config --global user.signingkey

To sign a commit, use the following command; `-S` signs with that key and you will be prompted for the YubiKey PIN:

    git commit -a -S -m ""

# Yubikey Touch Password Disable

In OTP+CCID mode the YubiKey also acts as a USB keyboard and types a one-time password whenever its button is touched, which is a nuisance when you only use it as a smartcard. To disable this on macOS you need to download yubiswitch, and yubiswitch needs the YubiKey's USB product ID, which you can find with the `ioreg` tool. Using brew, install the following packages:

    brew update && brew tap jlhonora/lsusb && brew install lsusb

Once those are installed, run the following command to find `idProduct`:

    ioreg -p IOUSB -l -w 0 -x | grep Yubikey -A10 | grep Product

which will output something like this:

        "idProduct" = 0x405
        "iProduct" = 0x2
        "USB Product Name" = "Yubikey 4 OTP+CCID"

Once yubiswitch is installed and launched, go to its preferences and set "Yubikey ProductID" to the value the `ioreg` command returned. You can then enable and disable the YubiKey from yubiswitch; this disables the touch password feature and should not affect the GPG keys you use for SSH and git signing.

# Troubleshooting

- If you don't understand some option, read `man gpg`.

- If you encounter problems connecting to the YubiKey with GPG, simply try unplugging and re-inserting your YubiKey, and restarting the `gpg-agent` process.

- If you receive the error `gpg: decryption failed: secret key not available`, you likely need to install GnuPG version 2.x.

- If you receive the error `Yubikey core error: no yubikey present`, you likely need to install newer versions of yubikey-personalize as outlined in [Install required software](#install-required-software).

- If you receive the error `Yubikey core error: write error`, the YubiKey is likely locked. Install and run yubikey-personalization-gui to unlock it.

- If you receive the error `Key does not match the card's capability`, you likely need to use 2048 bit RSA key sizes.

- If you totally screw up, you can [reset the card](https://developers.yubico.com/ykneo-openpgp/ResetApplet.html). A reset wipes the keys and PINs on the card; the public key and the backups made above are what you need to start over.
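The key line that `ssh-add -L` prints is the only thing the server ever sees, so it is worth checking it before pasting it into `authorized_keys`, and the `fp` value in the `ssh -vvv` output above is the MD5 fingerprint of that same blob. The script below is an added example, not code from this guide or from OpenSSH: it decodes an `ssh-rsa` line, verifies that the blob really begins with the `ssh-rsa` type string (so a line starting with `AAAAB4...` is rejected), and computes both the MD5 colon-form fingerprint (what older `ssh -vvv` prints, and what `ssh-add -l -E md5` shows) and the SHA256 form newer OpenSSH prints. The sample key is constructed in the script from a made-up 256-bit number standing in for the modulus, so it runs offline; a YubiKey key is 2048 bits or larger.

```python
"""Check the key line from `ssh-add -L` and fingerprint it (added example)."""
import base64
import hashlib
import struct


# RFC 4253 wire encoding: "string" is a uint32 length followed by the bytes,
# "mpint" is a big-endian two's-complement integer stored as a string.
def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    # (bit_length + 8) // 8 adds a leading 0x00 byte whenever the top bit is set
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def encode_rsa_public_key(e: int, n: int, comment: str) -> str:
    """Produce an authorized_keys line in the format ssh-add -L prints."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def _read_string(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ValueError("truncated blob")
    (ln,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + ln > len(buf):
        raise ValueError("truncated blob")
    return buf[off:off + ln], off + ln


def parse_rsa_public_key(line: str) -> dict:
    """Decode one ssh-rsa line; raise ValueError if it is not well formed."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa line")
    b64 = parts[1]
    # base64 of 00 00 00 07 "ssh-rsa": every ssh-rsa blob begins with this
    if not b64.startswith("AAAAB3NzaC1yc2E"):
        raise ValueError("blob does not start with the ssh-rsa type string")
    blob = base64.b64decode(b64)
    key_type, off = _read_string(blob, 0)
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if key_type != b"ssh-rsa" or off != len(blob):
        raise ValueError("malformed ssh-rsa blob")
    n = int.from_bytes(n_bytes, "big")
    return {
        "comment": parts[2] if len(parts) == 3 else "",
        "e": int.from_bytes(e_bytes, "big"),
        "n": n,
        "bits": n.bit_length(),
        # colon form, as in "fp e5:de:a5:..." from ssh -vvv and `ssh-add -l -E md5`
        "md5": ":".join(f"{x:02x}" for x in hashlib.md5(blob).digest()),
        # unpadded base64, as `ssh-add -l` on newer OpenSSH prints it
        "sha256": "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="),
    }


def is_well_formed(line: str) -> bool:
    try:
        parse_rsa_public_key(line)
        return True
    except ValueError:
        return False


# Constructed sample (not a real RSA key): e = 65537 and a made-up 256-bit
# number in place of the modulus; the comment mirrors ssh-add -L output.
SAMPLE_E = 65537
SAMPLE_N = (1 << 255) + 12345
SAMPLE_LINE = encode_rsa_public_key(SAMPLE_E, SAMPLE_N, "cardno:000605553211")


def demo() -> dict:
    return parse_rsa_public_key(SAMPLE_LINE)


if __name__ == "__main__":
    info = demo()
    print(SAMPLE_LINE)
    for k in ("bits", "e", "md5", "sha256", "comment"):
        print(f"{k}: {info[k]}")
    # a line beginning AAAAB4... cannot be an ssh-rsa blob
    print("AAAAB4... accepted:", is_well_formed("ssh-rsa AAAAB4NzaC1yc2EAAAADAQAB cardno:x"))
```

Run it against the real line from `ssh-add -L` by passing that string to `parse_rsa_public_key`; `bits` should read 2048 for the key created in this guide, and `md5` should match the `fp` value the server acknowledges in the `ssh -vvv` output.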

# References

--------------------------------------------------------------------------------
/yubi-key-reset:
--------------------------------------------------------------------------------
Follow this for yubi key reset
https://developers.yubico.com/ykneo-openpgp/ResetApplet.html

    gpg-connect-agent -r yubikey-reset

--------------------------------------------------------------------------------
/yubikey-reset:
--------------------------------------------------------------------------------
    /hex
    scd serialno
    scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
    scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
    scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
    scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
    scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
    scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
    scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
    scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
    scd apdu 00 e6 00 00
    scd apdu 00 44 00 00
    /echo Card has been successfully reset.
--------------------------------------------------------------------------------
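The `yubikey-reset` script is a sequence of raw APDUs sent through scdaemon (`/hex` switches gpg-connect-agent to hex display, `scd serialno` selects the OpenPGP applet). Each `scd apdu` line is `CLA INS P1 P2 [Lc data]`: the eight `00 20 00 8x 08 40...` lines are VERIFY commands against PW1 (P2 `81`) and PW3 (P2 `83`) with the deliberately wrong 8-byte PIN `@@@@@@@@`, repeated until both retry counters reach zero; `00 e6 00 00` is TERMINATE DF and `00 44 00 00` is ACTIVATE FILE, which together wipe and re-initialise the applet. The script below is an added example, not part of the repository: it parses the script, names each command, and simulates the sequence against a small card model. That model is a stated assumption (each PIN has a retry counter of 3, a wrong VERIFY decrements it, and TERMINATE DF is only accepted once PW1 and PW3 are both blocked); it exists to show why the wrong VERIFYs precede the terminate, and a real card's exact status words may differ.

```python
"""Decode the yubikey-reset gpg-connect-agent script and simulate it (added example)."""
from dataclasses import dataclass, field

# Copy of the repository's script, embedded so this file runs stand-alone.
RESET_SCRIPT = """\
/hex
scd serialno
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 e6 00 00
scd apdu 00 44 00 00
/echo Card has been successfully reset.
"""

# Instruction bytes from the OpenPGP card specification.
INS_VERIFY, INS_TERMINATE_DF, INS_ACTIVATE_FILE = 0x20, 0xE6, 0x44
INS_NAMES = {INS_VERIFY: "VERIFY", INS_TERMINATE_DF: "TERMINATE DF", INS_ACTIVATE_FILE: "ACTIVATE FILE"}
PW_NAMES = {0x81: "PW1", 0x83: "PW3"}


@dataclass
class Apdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes

    def describe(self) -> str:
        name = INS_NAMES.get(self.ins, f"INS {self.ins:02X}")
        if self.ins == INS_VERIFY:
            pw = PW_NAMES.get(self.p2, f"P2 {self.p2:02X}")
            return f"{name} {pw} with {len(self.data)}-byte PIN {self.data!r}"
        return name


def parse_script(text: str) -> list:
    """Return an Apdu for every `scd apdu` line (CLA INS P1 P2 [Lc data])."""
    apdus = []
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] != ["scd", "apdu"]:
            continue  # /hex, scd serialno and /echo carry no APDU
        raw = bytes(int(h, 16) for h in parts[2:])
        if len(raw) < 4:
            raise ValueError(f"APDU header needs 4 bytes: {line}")
        data = b""
        if len(raw) > 4:
            lc, data = raw[4], raw[5:]
            if len(data) != lc:
                raise ValueError(f"Lc={lc} but {len(data)} data bytes: {line}")
        apdus.append(Apdu(raw[0], raw[1], raw[2], raw[3], data))
    return apdus


@dataclass
class Card:
    """Assumed minimal model of the applet's PIN retry and lifecycle state."""
    retries: dict = field(default_factory=lambda: {0x81: 3, 0x83: 3})
    terminated: bool = False
    reset_done: bool = False

    def transmit(self, a: Apdu) -> int:
        """Return the ISO 7816 status word (SW1 SW2) for one command."""
        if a.ins == INS_VERIFY:
            left = self.retries.get(a.p2)
            if left is None:
                return 0x6A88  # referenced data not found: unknown PIN
            if left == 0:
                return 0x6983  # authentication method blocked
            # the script sends "@@@@@@@@", never the real PIN, so every try fails
            self.retries[a.p2] = left - 1
            return 0x63C0 | self.retries[a.p2]  # 63 Cx: x tries remaining
        if a.ins == INS_TERMINATE_DF:
            if any(v > 0 for v in self.retries.values()):
                return 0x6985  # conditions of use not satisfied: PINs not blocked
            self.terminated = True
            return 0x9000
        if a.ins == INS_ACTIVATE_FILE:
            if not self.terminated:
                return 0x6985
            # fresh applet: keys gone, default PINs and retry counters restored
            self.terminated, self.reset_done = False, True
            self.retries = {0x81: 3, 0x83: 3}
            return 0x9000
        return 0x6D00  # instruction not supported


def run_reset(text: str = RESET_SCRIPT):
    """Send every APDU of the script to a fresh simulated card; return (card, log)."""
    card = Card()
    log = [(a.describe(), card.transmit(a)) for a in parse_script(text)]
    return card, log


if __name__ == "__main__":
    card, log = run_reset()
    for desc, sw in log:
        print(f"{sw:04X}  {desc}")
    print("reset completed:", card.reset_done)
```

With a retry counter of 3 the third wrong VERIFY already blocks a PIN and the fourth is answered with `6983`; the script sends four per PIN so that it still works on a card whose counter was left higher. The same property explains the failure mode to expect on a real card: if TERMINATE DF is sent while either PIN still has tries left, the applet refuses it and nothing is wiped, which is what `Card.transmit` returns for a fresh card.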