ewpt3ch/blog.ewpt3ch.dev
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
128bedeb6ad7a2171dbacf50fdbcf003567a9cfa
blog.ewpt3ch.dev/content/posts/gpg-on-yubikey.md
T
Eric Phillips 7486c791c9 transfered existing blog into a new hugo project
2025-12-19 22:14:51 -07:00

121 lines
4.1 KiB
Markdown
Raw Blame History

---
title: Setup and maintain gpg on yubikey
slug: gpg-on-yubikey
date: 2018-04-29T12:10:29-06:00
.. tags: gpg security openpgp howto linux encryption yubikey smartcard
.. category:
.. link:
.. description:
draft: false
---
I have a [yubikey 4 nano](https://www.yubico.com/product/yubikey-4-series/#yubikey-4-nano) that I got specifically for the smartcard feature. This allows me to generate openpgp keys on the yubikey and the private key is usable yet unretrievable with software. This also allows me to store my master key on a USB stick that only gets plugged into a computer once a year when new keys need generating. For the initial setup I used this excellent guide from Eric Severance [PGP on a Yubikey](https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/). I'm going to outline the steps here that are required to create new signature and auth keys on the yubikey since they exprire every year.
<!--more-->
#insert and mount the usb key with master key on it, then we move
#.gnupg to .gnupg.orig and symlink the usb gnupg to .gnupg
mv .gnupg .gnupg.orig
ln -s path/to/secure/gpg .gnupg
I'm following Eric's advice here and clearing my secret key and reimporting to make sure that everything is present.
# Refresh gnupg secret key
gpg --delete-secret-key keyID
gpg --import < /path/to/secure/gpg/keyID.pgp
gpg --edit-key keyID
# Create a new signing key
gpg> addcardkey
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
Please select the type of key to generate:
(1) Signature key
(2) Encryption key
(3) Authentication key
Your selection? 1
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 1y
Key expires at
Is this correct? (y/N) y
Really create? (y/N) y
# repeat for the authentication key
gpg> addcardkey
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
Please select the type of key to generate:
(1) Signature key
(2) Encryption key
(3) Authentication key
Your selection? 3
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 1y
Key expires at
Is this correct? (y/N) y
Really create? (y/N) y
gpg> save
Repeat the above for all yubikeys that you want associated with the master key. For encryption I generated the key in software and then added it to the yubikey, this way if I ever lose the key or use multiple keys I always have the encryption key somewhere. The procedure for generating and adding to the yubikey is as follows:
# Use toggle and key to select the private encryption key
gpg> edit-key keyID
gpg> toggle
gpg> key 1
gpg> keytocard
Please select where to store the key:
(2) Encryption key
Your selection? 2
gpg> save
The final step, and one which I keep forgetting hence this guide, is to export the public key, upload to the keyserver URL(specified on the yubikey), and then refresh everything.
gpg --edit-key keyID
gpg> showpref #this will show the keyserver
#backup the public key
gpg --armor --export keyID > keyID.asc
#upload
scp keyID user@server:path/to/file
Remove the master key and restore the original gpg directory. Next we fetch the new public keys and refresh everything so that gpg knows where the keys are and everything works.
gpg --card-edit
gpg/card> fetch
gpg/card> quit
gpg --card-status
That's it, everything should now work.
update:
Since I keep forgetting things, here's some tips for troubleshooting keys after creating new ones.
1) did you upload and move the public keys to the url location?
2) if gpg is showing old keys and you did 1, then delete the key to force and update
gpg --delete-keys keyID (make sure the offline usb is not plugged in)
Reference in New Issue View Git Blame Copy Permalink