author: dragon788 <dragon788@users.noreply.github.com> 2020-09-02 13:57:38 -0500
committer: GitHub <noreply@github.com> 2020-09-02 13:57:38 -0500
commit: 94a753d4a16258952be9eef30328b3a6eed4bd64 (patch)
tree: 31fb9dffb81908068a4c7f872b31953f65c6c903
parent: Merge branch 'master' into update-python-refs (diff)
parent: Merge branch 'Amolith-master' (diff)
download: YubiKey-Guide-94a753d4a16258952be9eef30328b3a6eed4bd64.tar.gz
Merge branch 'master' into update-python-refs
Diffstat (limited to '')
-rw-r--r--  .github/FUNDING.yml   1
-rw-r--r--  README.md            51
2 files changed, 49 insertions, 3 deletions
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 0000000..92cbba9
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1 @@
+github: [drduh]
diff --git a/README.md b/README.md
index 3ed1f46..7374c54 100644
--- a/README.md
+++ b/README.md
@@ -321,6 +321,18 @@ $ cat /proc/sys/kernel/random/entropy_avail
Most operating systems use software-based pseudorandom number generators. On newer machines there are CPU based hardware random number generators (HRNG) or you can use a separate hardware device like the White Noise or [OneRNG](https://onerng.info/onerng/) will [increase the speed](https://lwn.net/Articles/648550/) of entropy generation and possibly the quality.
+From YubiKey firmware version 5.2.3 onwards - which introduces "Enhancements to OpenPGP 3.4 Support" - we can gather additional entropy from the YubiKey itself via the SmartCard interface.
+
+## YubiKey
+
+To feed the system's PRNG with entropy generated by the YubiKey itself, issue:
+```console
+$ echo "SCD RANDOM 512" | gpg-connect-agent | sudo tee /dev/random | hexdump -C
+```
+This will seed the Linux kernel's PRNG with additional 512 bytes retrieved from the YubiKey.
+
+## OneRNG
+
Install [rng-tools](https://wiki.archlinux.org/index.php/Rng-tools) software:
```console
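Review bot: the new command `$ echo "SCD RANDOM 512" | gpg-connect-agent | sudo tee /dev/random | hexdump -C` does not deliver 512 raw bytes to the kernel, and the sentence "This will seed the Linux kernel's PRNG with additional 512 bytes" overstates what it does. gpg-connect-agent prints the Assuan protocol exchange, i.e. `D ` lines carrying the random bytes with percent-escapes plus a trailing `OK`, so that text (not the raw bytes) is what `tee` writes and what `hexdump -C` displays; run gpg-connect-agent with `--decode` so the data lines are un-escaped before they reach `/dev/random`. Separately, writing to `/dev/random` only mixes the input into the pool without crediting the entropy estimate (crediting requires the RNDADDENTROPY ioctl, which is what rngd does), so the `entropy_avail` value shown in this hunk's context will not rise; suggest wording along the lines of "mixes 512 bytes from the YubiKey into the kernel pool (the entropy count is not credited)". The `## YubiKey` / `## OneRNG` headings are a good split, but a one-line pointer to how the reader checks that their firmware is 5.2.3 or later (e.g. `ykman info`) would make the version requirement actionable.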
@@ -2293,21 +2305,53 @@ To require a touch for each key operation, install [YubiKey Manager](https://dev
Authentication:
```console
-$ ykman openpgp set-touch aut fixed
+$ ykman openpgp set-touch aut on
```
Signing:
```console
-$ ykman openpgp set-touch sig fixed
+$ ykman openpgp set-touch sig on
```
Encryption:
```console
-$ ykman openpgp set-touch enc fixed
+$ ykman openpgp set-touch enc on
```
+Depending on how the YubiKey is going to be used, you may want to look at the policy options for each of these and adjust the above commands accordingly. They can be viewed with the following command:
+
+```
+$ ykman openpgp set-touch -h
+Usage: ykman openpgp set-touch [OPTIONS] KEY POLICY
+
+ Set touch policy for OpenPGP keys.
+
+ KEY Key slot to set (sig, enc, aut or att).
+ POLICY Touch policy to set (on, off, fixed, cached or cached-fixed).
+
+ The touch policy is used to require user interaction for all operations using the private key on the YubiKey. The touch policy is set indivdually for each key slot. To see the current touch policy, run
+
+ $ ykman openpgp info
+
+ Touch policies:
+
+ Off (default) No touch required
+ On Touch required
+ Fixed Touch required, can't be disabled without a full reset
+ Cached Touch required, cached for 15s after use
+ Cached-Fixed Touch required, cached for 15s after use, can't be disabled
+ without a full reset
+
+Options:
+ -a, --admin-pin TEXT Admin PIN for OpenPGP.
+ -f, --force Confirm the action without prompting.
+ -h, --help Show this message and exit.
+```
+
+If the YubiKey is going to be used within an email client that opens and verifies encrypted mail, `Cached` or `Cached-Fixed` may be desirable.
+
YubiKey will blink when it is waiting for a touch. On Linux you can also use [yubikey-touch-detector](https://github.com/maximbaz/yubikey-touch-detector) to have an indicator or notification that YubiKey is waiting for a touch.
# Email
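Review bot: changing `set-touch aut/sig/enc fixed` to `... on` weakens the guarantee the previous recommendation gave, and the new paragraph beginning "Depending on how the YubiKey is going to be used" should say so explicitly: per the pasted help text, `Fixed` "can't be disabled without a full reset", whereas `On` can be switched back off by anyone who holds the Admin PIN. A sentence such as "`on` can later be disabled with the Admin PIN; use `fixed` or `cached-fixed` if the touch requirement must survive exposure of the Admin PIN" lets readers make that trade-off deliberately rather than inheriting the weaker default. Style: the help-output block opens with a bare ``` fence while the three commands above and the rest of the README use ```console; use ```console here too. The typo "indivdually" is in ykman's own output, so leaving it verbatim is fine.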
@@ -2455,3 +2499,4 @@ Admin PIN: 12345678
* https://www.void.gr/kargig/blog/2013/12/02/creating-a-new-gpg-key-with-subkeys/
* https://mlohr.com/gpg-agent-forwarding/
* https://www.ingby.com/?p=293
+* https://support.yubico.com/support/solutions/articles/15000027139-yubikey-5-2-3-enhancements-to-openpgp-3-4-support