transfered existing blog into a new hugo project
This commit is contained in:
Eric Phillips
@@ -0,0 +1,120 @@
|
||||
---
|
||||
title: Setup and maintain gpg on yubikey
|
||||
slug: gpg-on-yubikey
|
||||
date: 2018-04-29T12:10:29-06:00
|
||||
.. tags: gpg security openpgp howto linux encryption yubikey smartcard
|
||||
.. category:
|
||||
.. link:
|
||||
.. description:
|
||||
draft: false
|
||||
---
|
||||
|
||||
I have a [yubikey 4 nano](https://www.yubico.com/product/yubikey-4-series/#yubikey-4-nano) that I got specifically for the smartcard feature. This allows me to generate openpgp keys on the yubikey and the private key is usable yet unretrievable with software. This also allows me to store my master key on a USB stick that only gets plugged into a computer once a year when new keys need generating. For the initial setup I used this excellent guide from Eric Severance [PGP on a Yubikey](https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/). I'm going to outline the steps here that are required to create new signature and auth keys on the yubikey since they exprire every year.
|
||||
<!--more-->
|
||||
|
||||
#insert and mount the usb key with master key on it, then we move
|
||||
#.gnupg to .gnupg.orig and symlink the usb gnupg to .gnupg
|
||||
mv .gnupg .gnupg.orig
|
||||
ln -s path/to/secure/gpg .gnupg
|
||||
|
||||
I'm following Eric's advice here and clearing my secret key and reimporting to make sure that everything is present.
|
||||
|
||||
# Refresh gnupg secret key
|
||||
gpg --delete-secret-key keyID
|
||||
gpg --import < /path/to/secure/gpg/keyID.pgp
|
||||
|
||||
gpg --edit-key keyID
|
||||
|
||||
# Create a new signing key
|
||||
gpg> addcardkey
|
||||
|
||||
Signature key ....: [none]
|
||||
Encryption key....: [none]
|
||||
Authentication key: [none]
|
||||
|
||||
Please select the type of key to generate:
|
||||
(1) Signature key
|
||||
(2) Encryption key
|
||||
(3) Authentication key
|
||||
Your selection? 1
|
||||
|
||||
Please specify how long the key should be valid.
|
||||
0 = key does not expire
|
||||
= key expires in n days
|
||||
w = key expires in n weeks
|
||||
m = key expires in n months
|
||||
y = key expires in n years
|
||||
Key is valid for? (0) 1y
|
||||
Key expires at
|
||||
Is this correct? (y/N) y
|
||||
Really create? (y/N) y
|
||||
|
||||
# repeat for the authentication key
|
||||
|
||||
gpg> addcardkey
|
||||
|
||||
Signature key ....: [none]
|
||||
Encryption key....: [none]
|
||||
Authentication key: [none]
|
||||
|
||||
Please select the type of key to generate:
|
||||
(1) Signature key
|
||||
(2) Encryption key
|
||||
(3) Authentication key
|
||||
Your selection? 3
|
||||
|
||||
Please specify how long the key should be valid.
|
||||
0 = key does not expire
|
||||
= key expires in n days
|
||||
w = key expires in n weeks
|
||||
m = key expires in n months
|
||||
y = key expires in n years
|
||||
Key is valid for? (0) 1y
|
||||
Key expires at
|
||||
Is this correct? (y/N) y
|
||||
Really create? (y/N) y
|
||||
|
||||
gpg> save
|
||||
|
||||
Repeat the above for all yubikeys that you want associated with the master key. For encryption I generated the key in software and then added it to the yubikey, this way if I ever lose the key or use multiple keys I always have the encryption key somewhere. The procedure for generating and adding to the yubikey is as follows:
|
||||
|
||||
# Use toggle and key to select the private encryption key
|
||||
gpg> edit-key keyID
|
||||
gpg> toggle
|
||||
gpg> key 1
|
||||
gpg> keytocard
|
||||
|
||||
Please select where to store the key:
|
||||
(2) Encryption key
|
||||
Your selection? 2
|
||||
gpg> save
|
||||
|
||||
The final step, and one which I keep forgetting hence this guide, is to export the public key, upload to the keyserver URL(specified on the yubikey), and then refresh everything.
|
||||
|
||||
gpg --edit-key keyID
|
||||
gpg> showpref #this will show the keyserver
|
||||
|
||||
#backup the public key
|
||||
gpg --armor --export keyID > keyID.asc
|
||||
|
||||
#upload
|
||||
scp keyID user@server:path/to/file
|
||||
|
||||
Remove the master key and restore the original gpg directory. Next we fetch the new public keys and refresh everything so that gpg knows where the keys are and everything works.
|
||||
|
||||
gpg --card-edit
|
||||
gpg/card> fetch
|
||||
gpg/card> quit
|
||||
gpg --card-status
|
||||
|
||||
That's it, everything should now work.
|
||||
|
||||
update:
|
||||
|
||||
Since I keep forgetting things, here's some tips for troubleshooting keys after creating new ones.
|
||||
|
||||
1) did you upload and move the public keys to the url location?
|
||||
|
||||
2) if gpg is showing old keys and you did 1, then delete the key to force and update
|
||||
|
||||
gpg --delete-keys keyID (make sure the offline usb is not plugged in)
|
||||
Reference in New Issue
Block a user