aboutsummaryrefslogtreecommitdiffstatshomepage
path: root/README.md
diff options
context:
space:
mode:
authordrduh <drduh@users.noreply.github.com>2016-05-25 02:25:07 +0000
committerdrduh <drduh@users.noreply.github.com>2016-05-25 02:25:07 +0000
commit3964cd9e5f8ffabcbceae619acc31c24e6964437 (patch)
tree66f5f08b2e5055d0615c057ce8a5c7782bcf4a31 /README.md
parentMerge pull request #1 from victorso/patch-1 (diff)
downloadYubiKey-Guide-3964cd9e5f8ffabcbceae619acc31c24e6964437.tar.gz
Followed my own guide to make new keys; refresh
Diffstat (limited to '')
-rw-r--r--README.md758
1 files changed, 507 insertions, 251 deletions
diff --git a/README.md b/README.md
index 578c898..89a2e87 100644
--- a/README.md
+++ b/README.md
@@ -1,12 +1,14 @@
-This is a guide to using YubiKey as a SmartCard for storing GPG keys.
+This is a practical guide to using [YubiKey](https://www.yubico.com/faq/yubikey/) as a [SmartCard](https://security.stackexchange.com/questions/38924/how-does-storing-gpg-ssh-private-keys-on-smart-cards-compare-to-plain-usb-drives) for storing GPG encryption and signing keys.
-An authentication key can also be created for SSH using gpg-agent.
+An authentication key can also be created for SSH and used with [gpg-agent](https://unix.stackexchange.com/questions/188668/how-does-gpg-agent-work/188813#188813).
Keys stored on a smartcard like YubiKey seem more difficult to steal than ones stored on disk, and are convenient for everyday use.
-Instructions written on Debian GNU/Linux 8 (jessie) using YubiKey 4 in OTP+CCID mode.
+Instructions written for Debian GNU/Linux 8 (jessie) using YubiKey 4 in OTP+CCID mode. Note, older YubiKeys are limited to 2048 bit RSA keys.
-Debian live install images are available from [here](https://www.debian.org/CD/live/) and are suitable for writing to USB keys.
+Debian live install images are available from [here](https://www.debian.org/CD/live/) and are suitable for writing to USB drives.
+
+Programming YubiKey for GPG keys still lets you use its two slots - [OTP](https://www.yubico.com/faq/what-is-a-one-time-password-otp/) and [static password](https://www.yubico.com/products/services-software/personalization-tools/static-password/) modes, for example.
If you have a comment or suggestion, please open an [issue](https://github.com/drduh/YubiKey-Guide/issues) on GitHub.
@@ -29,27 +31,30 @@ If you have a comment or suggestion, please open an [issue](https://github.com/d
- [Configure YubiKey](#configure-yubikey)
- [Configure smartcard](#configure-smartcard)
- [Change PINs](#change-pins)
- - [Set optional card information](#set-optional-card-information)
+ - [Set card information](#set-card-information)
- [Transfer keys](#transfer-keys)
- [Signature key](#signature-key)
- [Encryption key](#encryption-key-1)
- [Authentication key](#authentication-key-1)
- [Check your work](#check-your-work-1)
- [Export public key](#export-public-key)
+ - [Finish](#finish)
- [Using keys](#using-keys)
- - [Insert YubiKey](#insert-yubikey)
+ - [Create GPG configuration](#create-gpg-configuration)
- [Import public key](#import-public-key)
- - [Trust master key](#trust-master-key)
+ - [Insert YubiKey](#insert-yubikey)
- [GnuPG](#gnupg)
- - [Create configuration](#create-configuration-1)
- - [Encryption/decryption](#encryptiondecryption)
+ - [Trust master key](#trust-master-key)
+ - [Encryption](#encryption)
+ - [Decryption](#decryption)
- [Signing](#signing)
+ - [Verifying signature](#verifying-signature)
- [SSH](#ssh)
- [Update configuration](#update-configuration)
- [Replace ssh-agent with gpg-agent](#replace-ssh-agent-with-gpg-agent)
- [Copy public key to server](#copy-public-key-to-server)
- [Connect with public key authentication](#connect-with-public-key-authentication)
-- [Notes](#notes)
+- [Troubleshooting](#troubleshooting)
- [References](#references)
# Purchase YubiKey
@@ -60,13 +65,77 @@ https://www.yubico.com/store/
https://www.amazon.com/Yubico/b/ref=bl_dp_s_web_10358012011?ie=UTF8&node=10358012011
-Consider purchasing a pair and programming both in case of loss or damage to oneof them.
+Consider purchasing a pair and programming both in case of loss or damage to one of them.
# Install required software
- $ sudo apt-get install gnupg-agent pinentry-curses scdaemon pcscd yubikey-personalization
+You will need to install the following software:
+
+ $ sudo apt-get install -y gnupg2 gnupg-agent pinentry-curses scdaemon pcscd yubikey-personalization libusb-1.0-0-dev
+
+You may also need to download and install more recent versions of [yubikey-personalization](https://developers.yubico.com/yubikey-personalization/Releases/) and [yubico-c](https://developers.yubico.com/yubico-c/Releases/):
+
+ $ curl -sO https://developers.yubico.com/yubikey-personalization/Releases/ykpers-1.17.3.tar.gz
+
+ $ !!.sig
+ curl -sO https://developers.yubico.com/yubikey-personalization/Releases/ykpers-1.17.3.tar.gz.sig
+
+ $ gpg ykpers*sig
+ gpg: assuming signed data in `ykpers-1.17.3.tar.gz'
+ gpg: Signature made Mon 28 Dec 2015 11:56:41 AM UTC
+ gpg: using RSA key 0xBCA00FD4B2168C0A
+ gpg: Can't check signature: public key not found
+
+ $ gpg --recv 0xBCA00FD4B2168C0A
+ gpg: requesting key 0xBCA00FD4B2168C0A from hkps server hkps.pool.sks-keyservers.net
+ mp/2.3
+ [...]
+ gpg: key 0xBCA00FD4B2168C0A: public key "Klas Lindfors <klas@yubico.com>" imported
+ gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
+ gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
+ gpg: Total number processed: 1
+ gpg: imported: 1 (RSA: 1)
+
+ $ gpg ykpers*sig
+ gpg: assuming signed data in `ykpers-1.17.3.tar.gz'
+ gpg: Signature made Mon 28 Dec 2015 11:56:41 AM UTC
+ gpg: using RSA key 0xBCA00FD4B2168C0A
+ gpg: Good signature from "Klas Lindfors <klas@yubico.com>" [unknown]
+ gpg: WARNING: This key is not certified with a trusted signature!
+ gpg: There is no indication that the signature belongs to the owner.
+ Primary key fingerprint: 0A3B 0262 BCA1 7053 07D5 FF06 BCA0 0FD4 B216 8C0A
+
+ $ curl -sO https://developers.yubico.com/yubico-c/Releases/libyubikey-1.13.tar.gz
+
+ $ !!.sig
+ curl -sO https://developers.yubico.com/yubico-c/Releases/libyubikey-1.13.tar.gz.sig
+
+ $ gpg libyubi*sig
+ gpg: assuming signed data in `libyubikey-1.13.tar.gz'
+ gpg: Signature made Thu 05 Mar 2015 11:51:51 AM UTC
+ gpg: using RSA key 0xBCA00FD4B2168C0A
+ gpg: Good signature from "Klas Lindfors <klas@yubico.com>" [unknown]
+ gpg: WARNING: This key is not certified with a trusted signature!
+ gpg: There is no indication that the signature belongs to the owner.
+ Primary key fingerprint: 0A3B 0262 BCA1 7053 07D5 FF06 BCA0 0FD4 B216 8C0A
+
+ $ tar xf libyubikey-1.13.tar.gz
+
+ $ cd libyubikey-1.13
+
+ $ ./configure && make && sudo make install
+
+ $ cd ..
+
+ $ tar xf ykpers-1.17.3.tar.gz
-If on Tails, you also need to install libykpers-1-1 from the testing repository. This is a temporary fix suggested on [securedrop issues page](https://github.com/freedomofpress/securedrop/issues/1035).
+ $ cd ykpers-1.17.3
+
+ $ ./configure && make && sudo make install
+
+ $ sudo ldconfig
+
+If on [Tails](https://tails.boum.org/), you also need to install libykpers-1-1 from the testing repository. This is a temporary fix suggested on a [securedrop issue](https://github.com/freedomofpress/securedrop/issues/1035):
$ sudo apt-get install -t testing libykpers-1-1
@@ -74,12 +143,16 @@ If on Tails, you also need to install libykpers-1-1 from the testing repository.
## Create temporary working directory for GPG
+Create a directory in `/tmp` which won't survive a [reboot](https://serverfault.com/questions/377348/when-does-tmp-get-cleared):
+
$ export GNUPGHOME=$(mktemp -d) ; echo $GNUPGHOME
- /tmp/tmp.EBbMfyVDDt
+ /tmp/tmp.aaiTTovYgo
## Create configuration
- $ cat > $GNUPGHOME/gpg.conf
+Paste the following [text](https://stackoverflow.com/questions/2500436/how-does-cat-eof-work-in-bash) into a terminal window to create a [recommended](https://github.com/drduh/config/blob/master/gpg.conf) GPG configuration:
+
+ $ cat << EOF > $GNUPGHOME/gpg.conf
use-agent
personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
@@ -94,10 +167,12 @@ If on Tails, you also need to install libykpers-1-1 from the testing repository.
list-options show-uid-validity
verify-options show-uid-validity
with-fingerprint
- ^D (Press Control-D)
+ EOF
## Create master key
+Generate a new key with GPG, selecting RSA (sign only) and the appropriate keysize, optionally specifying an expiry:
+
$ gpg --gen-key
Please select what kind of key you want:
@@ -123,43 +198,43 @@ If on Tails, you also need to install libykpers-1-1 from the testing repository.
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
- Real name: Doctor Duh
- Email address: drduh@users.noreply.github.com
+ Real name: Dr Duh
+ Email address: doc@duh.to
Comment:
You selected this USER-ID:
- "Doctor Duh <drduh@users.noreply.github.com>"
+ "Dr Duh <doc@duh.to>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
- We need to generate a lot of random bytes. It is a good idea to perform
- some other action (type on the keyboard, move the mouse, utilize the
- disks) during the prime generation; this gives the random number
- generator a better chance to gain enough entropy.
-
- gpg: /tmp/tmp.eBbMfyVDDt/trustdb.gpg: trustdb created
- gpg: key 0x47FE984F98EE7407 marked as ultimately trusted
+ gpg: key 0xFF3E7D88647EBCDB marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
- pub 4096R/0x47FE984F98EE7407 2016-01-30
- Key fingerprint = 044C ABD0 9043 F1E0 3785 3979 47FE 984F 98EE 7407
- uid [ultimate] Doctor Duh <drduh@users.noreply.github.com>
+ pub 4096R/0xFF3E7D88647EBCDB 2016-05-24
+ Key fingerprint = 011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB
+ uid [ultimate] Dr Duh <doc@duh.to>
Note that this key cannot be used for encryption. You may want to use
the command "--edit-key" to generate a subkey for this purpose.
+Keep this passphrase handy as you'll need it throughout.
+
## Save Key ID
- $ KEYID=0x47FE984F98EE7407
+Export the key ID as a [variable](https://stackoverflow.com/questions/1158091/defining-a-variable-with-or-without-export/1158231#1158231) for use throughout:
+
+ $ KEYID=0xFF3E7D88647EBCDB
## Create revocation certificate
+Create a way to revoke your keys in case of loss or compromise, an explicit reason being optional:
+
$ gpg --gen-revoke $KEYID > $GNUPGHOME/revoke.txt
- sec 4096R/0x47FE984F98EE7407 2016-01-30 Doctor Duh <drduh@users.noreply.github.com>
+ sec 4096R/0xFF3E7D88647EBCDB 2016-05-24 Dr Duh <doc@duh.to>
Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
@@ -177,8 +252,8 @@ If on Tails, you also need to install libykpers-1-1 from the testing repository.
Is this okay? (y/N) y
You need a passphrase to unlock the secret key for
- user: "Doctor Duh <drduh@users.noreply.github.com>"
- 4096-bit RSA key, ID 0x47FE984F98EE7407, created 2016-01-30
+ user: "Dr Duh <doc@duh.to>"
+ 4096-bit RSA key, ID 0xFF3E7D88647EBCDB, created 2016-05-24
ASCII armored output forced.
Revocation certificate created.
@@ -191,27 +266,32 @@ If on Tails, you also need to install libykpers-1-1 from the testing repository.
## Back up master key
+Save a copy of the private key block:
+
$ gpg --armor --export-secret-keys $KEYID > $GNUPGHOME/master.key
## Create subkeys
+Edit the key to add subkeys:
+
$ gpg --expert --edit-key $KEYID
Secret key is available.
- pub 4096R/0x47FE984F98EE7407 created: 2016-01-30 expires: never usage: SC
-
+ pub 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never usage: SC
trust: ultimate validity: ultimate
- [ultimate] (1). Doctor Duh <drduh@users.noreply.github.com>
+ [ultimate] (1). Dr Duh <doc@duh.to>
### Signing key
+First, create a [signing key](https://stackoverflow.com/questions/5421107/can-rsa-be-both-used-as-encryption-and-signature/5432623#5432623), selecting RSA (sign only):
+
gpg> addkey
Key is protected.
You need a passphrase to unlock the secret key for
- user: "Doctor Duh <drduh@users.noreply.github.com>"
- 4096-bit RSA key, ID 0x47FE984F98EE7407, created 2016-01-30
+ user: "Dr Duh <doc@duh.to>"
+ 4096-bit RSA key, ID 0xFF3E7D88647EBCDB, created 2016-05-24
Please select what kind of key you want:
(3) DSA (sign only)
@@ -238,24 +318,25 @@ If on Tails, you also need to install libykpers-1-1 from the testing repository.
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
- .....+++++
- .+++++
- pub 4096R/0x47FE984F98EE7407 created: 2016-01-30 expires: never usage: SC
+ ...................+++++
+ ..+++++
+ pub 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never usage: SC
trust: ultimate validity: ultimate
- sub 4096R/0xE8E7855AA5AE79A7 created: 2016-01-30 expires: never usage: S
-
- [ultimate] (1). Doctor Duh <drduh@users.noreply.github.com>
+ sub 4096R/0xBECFA3C1AE191D15 created: 2016-05-24 expires: never usage: S
+ [ultimate] (1). Dr Duh <doc@duh.to>
### Encryption key
+Next, create an [encryption key](https://www.cs.cornell.edu/courses/cs5430/2015sp/notes/rsa_sign_vs_dec.php), selecting RSA (encrypt only):
+
gpg> addkey
Key is protected.
You need a passphrase to unlock the secret key for
- user: "Doctor Duh <drduh@users.noreply.github.com>"
- 4096-bit RSA key, ID 0x47FE984F98EE7407, created 2016-01-30
+ user: "Dr Duh <doc@duh.to>"
+ 4096-bit RSA key, ID 0xFF3E7D88647EBCDB, created 2016-05-24
Please select what kind of key you want:
(3) DSA (sign only)
@@ -286,24 +367,23 @@ If on Tails, you also need to install libykpers-1-1 from the testing repository.
.+++++
...........+++++
- pub 4096R/0x47FE984F98EE7407 created: 2016-01-30 expires: never usage: SC
-
+ pub 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never usage: SC
trust: ultimate validity: ultimate
- sub 4096R/0xE8E7855AA5AE79A7 created: 2016-01-30 expires: never usage: S
-
- sub 4096R/0x39988E0390CB4B0C created: 2016-01-30 expires: never usage: E
-
- [ultimate] (1). Doctor Duh <drduh@users.noreply.github.com>
+ sub 4096R/0xBECFA3C1AE191D15 created: 2016-05-24 expires: never usage: S
+ sub 4096R/0x5912A795E90DD2CF created: 2016-05-24 expires: never usage: E
+ [ultimate] (1). Dr Duh <doc@duh.to>
### Authentication key
+Finally, create an [authentication key](https://superuser.com/questions/390265/what-is-a-gpg-with-authenticate-capability-used-for), selecting RSA (set your own capabilities):
+
gpg> addkey
Key is protected.
-
+
You need a passphrase to unlock the secret key for
- user: "Doctor Duh <drduh@users.noreply.github.com>"
- 4096-bit RSA key, ID 0x47FE984F98EE7407, created 2016-01-30
-
+ user: "Dr Duh <doc@duh.to>"
+ 4096-bit RSA key, ID 0xFF3E7D88647EBCDB, created 2016-05-24
+
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
@@ -373,33 +453,33 @@ If on Tails, you also need to install libykpers-1-1 from the testing repository.
+++++
.....+++++
- pub 4096R/0x47FE984F98EE7407 created: 2016-01-30 expires: never usage: SC
-
+ pub 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never usage: SC
trust: ultimate validity: ultimate
- sub 4096R/0xE8E7855AA5AE79A7 created: 2016-01-30 expires: never usage: S
-
- sub 4096R/0x39988E0390CB4B0C created: 2016-01-30 expires: never usage: E
-
- sub 4096R/0x218BCF996C7A6E31 created: 2016-01-30 expires: never usage: A
-
- [ultimate] (1). Doctor Duh <drduh@users.noreply.github.com>
+ sub 4096R/0xBECFA3C1AE191D15 created: 2016-05-24 expires: never usage: S
+ sub 4096R/0x5912A795E90DD2CF created: 2016-05-24 expires: never usage: E
+ sub 4096R/0x3F29127E79649A3D created: 2016-05-24 expires: never usage: A
+ [ultimate] (1). Dr Duh <doc@duh.to>
gpg> save
## Check your work
+List your new secret keys:
+
$ gpg --list-secret-keys
- /tmp/tmp.eBbMfyVDDt/secring.gpg
+ /tmp/tmp.aaiTTovYgo/secring.gpg
-------------------------------
- sec 4096R/0x47FE984F98EE7407 2016-01-30
- Key fingerprint = 044C ABD0 9043 F1E0 3785 3979 47FE 984F 98EE 7407
- uid Doctor Duh <drduh@users.noreply.github.com>
- ssb 4096R/0xE8E7855AA5AE79A7 2016-01-30
- ssb 4096R/0x39988E0390CB4B0C 2016-01-30
- ssb 4096R/0x218BCF996C7A6E31 2016-01-30
+ sec 4096R/0xFF3E7D88647EBCDB 2016-05-24
+ Key fingerprint = 011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB
+ uid Dr Duh <doc@duh.to>
+ ssb 4096R/0xBECFA3C1AE191D15 2016-05-24
+ ssb 4096R/0x5912A795E90DD2CF 2016-05-24
+ ssb 4096R/0x3F29127E79649A3D 2016-05-24
## Export subkeys
+Save a copy of your subkeys:
+
$ gpg --armor --export-secret-keys $KEYID > $GNUPGHOME/mastersub.key
$ gpg --armor --export-secret-subkeys $KEYID > $GNUPGHOME/sub.key
@@ -408,7 +488,7 @@ If on Tails, you also need to install libykpers-1-1 from the testing repository.
Once keys are moved to hardware, they cannot be extracted again (otherwise, what would be the point?), so make sure you have made an *encrypted* backup before proceeding.
-To use a USB drive, attach it and check its label:
+To create an encrypted USB drive, first attach it and check its label:
$ dmesg | tail
[ 7667.607011] scsi8 : usb-storage 2-1:1.0
@@ -443,7 +523,7 @@ Erase and create a new partition table:
Calling ioctl() to re-read partition table.
Syncing disks.
-Remove and reinsert the USB drive, then create a new partition:
+Remove and reinsert the USB drive, then create a new partition, selecting defaults::
$ sudo fdisk /dev/sde
@@ -466,7 +546,7 @@ Remove and reinsert the USB drive, then create a new partition:
Calling ioctl() to re-read partition table.
Syncing disks.
-Use LUKS to encrypt the new partition:
+Use [LUKS](https://askubuntu.com/questions/97196/how-secure-is-an-encrypted-luks-filesystem) to encrypt the new partition:
$ sudo cryptsetup luksFormat /dev/sde1
@@ -478,11 +558,13 @@ Use LUKS to encrypt the new partition:
Enter passphrase:
Verify passphrase:
-Mount the partition and create a filesystem:
+Mount the partition:
$ sudo cryptsetup luksOpen /dev/sde1 encrypted-usb
Enter passphrase for /dev/sde1:
-
+
+Create a filesystem:
+
$ sudo mkfs.ext4 /dev/mapper/encrypted-usb -L encrypted-usb
mke2fs 1.42.12 (29-Aug-2014)
Creating filesystem with 7871744 4k blocks and 1970416 inodes
@@ -503,14 +585,27 @@ Mount the filesystem:
Finally, copy files to it:
$ sudo cp -avi $GNUPGHOME /mnt/usb
-
-Make sure the files were copied, then disconnected the USB drive:
+ ‘/tmp/tmp.aaiTTovYgo’ -> ‘/mnt/usb/tmp.aaiTTovYgo’
+ ‘/tmp/tmp.aaiTTovYgo/revoke.txt’ -> ‘/mnt/usb/tmp.aaiTTovYgo/revoke.txt’
+ ‘/tmp/tmp.aaiTTovYgo/gpg.conf’ -> ‘/mnt/usb/tmp.aaiTTovYgo/gpg.conf’
+ ‘/tmp/tmp.aaiTTovYgo/trustdb.gpg’ -> ‘/mnt/usb/tmp.aaiTTovYgo/trustdb.gpg’
+ ‘/tmp/tmp.aaiTTovYgo/random_seed’ -> ‘/mnt/usb/tmp.aaiTTovYgo/random_seed’
+ ‘/tmp/tmp.aaiTTovYgo/master.key’ -> ‘/mnt/usb/tmp.aaiTTovYgo/master.key’
+ ‘/tmp/tmp.aaiTTovYgo/secring.gpg’ -> ‘/mnt/usb/tmp.aaiTTovYgo/secring.gpg’
+ ‘/tmp/tmp.aaiTTovYgo/mastersub.key’ -> ‘/mnt/usb/tmp.aaiTTovYgo/mastersub.key’
+ ‘/tmp/tmp.aaiTTovYgo/sub.key’ -> ‘/mnt/usb/tmp.aaiTTovYgo/sub.key’
+ ‘/tmp/tmp.aaiTTovYgo/pubring.gpg~’ -> ‘/mnt/usb/tmp.aaiTTovYgo/pubring.gpg~’
+ ‘/tmp/tmp.aaiTTovYgo/pubring.gpg’ -> ‘/mnt/usb/tmp.aaiTTovYgo/pubring.gpg’
+
+Make sure the correct files were copied, then unmount and disconnected the encrypted USB drive:
$ sudo umount /mnt/usb
$ sudo cryptsetup luksClose encrypted-usb
## Configure YubiKey
+Plug in your YubiKey and configure it:
+
$ ykpersonalize -m82
Firmware version 4.2.7 Touch level 527 Program sequence 4
@@ -524,6 +619,8 @@ https://www.yubico.com/2012/12/yubikey-neo-openpgp/
## Configure smartcard
+Use GPG to configure YubiKey as a smartcard:
+
$ gpg --card-edit
Application ID ...: D2760001240102010006055532110000
@@ -549,7 +646,7 @@ https://www.yubico.com/2012/12/yubikey-neo-openpgp/
### Change PINs
-The default PIN codes are `12345678` and `123456`
+The default PIN codes are `12345678` and `123456`.
gpg/card> admin
Admin commands are allowed
@@ -589,7 +686,9 @@ The default PIN codes are `12345678` and `123456`
Your selection? q
-### Set optional card information
+### Set card information
+
+Some fields are optional:
gpg/card> name
Cardholder's surname: Duh
@@ -599,9 +698,9 @@ The default PIN codes are `12345678` and `123456`
Language preferences: en
gpg/card> login
- Login data (account name): drduh@users.noreply.github.com
+ Login data (account name): doc@duh.to
- gpg/card>
+ gpg/card> (Press Enter)
Application ID ...: D2760001240102010006055532110000
Version ..........: 2.1
@@ -611,7 +710,7 @@ The default PIN codes are `12345678` and `123456`
Language prefs ...: en
Sex ..............: unspecified
URL of public key : [not set]
- Login data .......: drduh@users.noreply.github.com
+ Login data .......: doc@duh.to
Private DO 4 .....: [not set]
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
@@ -627,41 +726,39 @@ The default PIN codes are `12345678` and `123456`
## Transfer keys
-Transfering keys to YubiKey is a one-way operation only: make sure you've made a backup before proceeding!
+Transfering keys to YubiKey hardware is a one-way operation only, so make sure you've made a backup before proceeding:
$ gpg --edit-key $KEYID
Secret key is available.
- pub 4096R/0x47FE984F98EE7407 created: 2016-01-30 expires: never usage: SC
-
+ pub 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never usage: SC
trust: ultimate validity: ultimate
- sub 4096R/0xE8E7855AA5AE79A7 created: 2016-01-30 expires: never usage: S
-
- sub 4096R/0x39988E0390CB4B0C created: 2016-01-30 expires: never usage: E
-
- sub 4096R/0x218BCF996C7A6E31 created: 2016-01-30 expires: never usage: A
-
- [ultimate] (1). Doctor Duh <drduh@users.noreply.github.com>
+ sub 4096R/0xBECFA3C1AE191D15 created: 2016-05-24 expires: never usage: S
+ sub 4096R/0x5912A795E90DD2CF created: 2016-05-24 expires: never usage: E
+ sub 4096R/0x3F29127E79649A3D created: 2016-05-24 expires: never usage: A
+ [ultimate] (1). Dr Duh <doc@duh.to>
gpg> toggle
- sec 4096R/0x47FE984F98EE7407 created: 2016-01-30 expires: never
- ssb 4096R/0xE8E7855AA5AE79A7 created: 2016-01-30 expires: never
- ssb 4096R/0x39988E0390CB4B0C created: 2016-01-30 expires: never
- ssb 4096R/0x218BCF996C7A6E31 created: 2016-01-30 expires: never
- (1) Doctor Duh <drduh@users.noreply.github.com>
+ sec 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never
+ ssb 4096R/0xBECFA3C1AE191D15 created: 2016-05-24 expires: never
+ ssb 4096R/0x5912A795E90DD2CF created: 2016-05-24 expires: never
+ ssb 4096R/0x3F29127E79649A3D created: 2016-05-24 expires: never
+ (1) Dr Duh <doc@duh.to>
gpg> key 1
- sec 4096R/0x47FE984F98EE7407 created: 2016-01-30 expires: never
- ssb* 4096R/0xE8E7855AA5AE79A7 created: 2016-01-30 expires: never
- ssb 4096R/0x39988E0390CB4B0C created: 2016-01-30 expires: never
- ssb 4096R/0x218BCF996C7A6E31 created: 2016-01-30 expires: never
- (1) Doctor Duh <drduh@users.noreply.github.com>
+ sec 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never
+ ssb* 4096R/0xBECFA3C1AE191D15 created: 2016-05-24 expires: never
+ ssb 4096R/0x5912A795E90DD2CF created: 2016-05-24 expires: never
+ ssb 4096R/0x3F29127E79649A3D created: 2016-05-24 expires: never
+ (1) Dr Duh <doc@duh.to>
### Signature key
+Move the signature key (you will be prompted for the key passphrase and admin PIN):
+
gpg> keytocard
Signature key ....: [none]
Encryption key....: [none]
@@ -673,41 +770,43 @@ Transfering keys to YubiKey is a one-way operation only: make sure you've made a
Your selection? 1
You need a passphrase to unlock the secret key for
- user: "Doctor Duh <drduh@users.noreply.github.com>"
- 4096-bit RSA key, ID 0xE8E7855AA5AE79A7, created 2016-01-30
+ user: "Dr Duh <doc@duh.to>"
+ 4096-bit RSA key, ID 0xBECFA3C1AE191D15, created 2016-05-24
- sec 4096R/0x47FE984F98EE7407 created: 2016-01-30 expires: never
- ssb* 4096R/0xE8E7855AA5AE79A7 created: 2016-01-30 expires: never
+ sec 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never
+ ssb* 4096R/0xBECFA3C1AE191D15 created: 2016-05-24 expires: never
card-no: 0006 05553211
- ssb 4096R/0x39988E0390CB4B0C created: 2016-01-30 expires: never
- ssb 4096R/0x218BCF996C7A6E31 created: 2016-01-30 expires: never
- (1) Doctor Duh <drduh@users.noreply.github.com>
+ ssb 4096R/0x5912A795E90DD2CF created: 2016-05-24 expires: never
+ ssb 4096R/0x3F29127E79649A3D created: 2016-05-24 expires: never
+ (1) Dr Duh <doc@duh.to>
### Encryption key
-Type `key 1` again to deselect and `key 2` to switch to the next key.
+Type `key 1` again to deselect and `key 2` to select the next key:
gpg> key 1
- sec 4096R/0x47FE984F98EE7407 created: 2016-01-30 expires: never
- ssb 4096R/0xE8E7855AA5AE79A7 created: 2016-01-30 expires: never
+ sec 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never
+ ssb 4096R/0xBECFA3C1AE191D15 created: 2016-05-24 expires: never
card-no: 0006 05553211
- ssb 4096R/0x39988E0390CB4B0C created: 2016-01-30 expires: never
- ssb 4096R/0x218BCF996C7A6E31 created: 2016-01-30 expires: never
- (1) Doctor Duh <drduh@users.noreply.github.com>
+ ssb 4096R/0x5912A795E90DD2CF created: 2016-05-24 expires: never
+ ssb 4096R/0x3F29127E79649A3D created: 2016-05-24 expires: never
+ (1) Dr Duh <doc@duh.to>
gpg> key 2
- sec 4096R/0x47FE984F98EE7407 created: 2016-01-30 expires: never
- ssb 4096R/0xE8E7855AA5AE79A7 created: 2016-01-30 expires: never
+ sec 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never
+ ssb 4096R/0xBECFA3C1AE191D15 created: 2016-05-24 expires: never
card-no: 0006 05553211
- ssb* 4096R/0x39988E0390CB4B0C created: 2016-01-30 expires: never
- ssb 4096R/0x218BCF996C7A6E31 created: 2016-01-30 expires: never
- (1) Doctor Duh <drduh@users.noreply.github.com>
+ ssb* 4096R/0x5912A795E90DD2CF created: 2016-05-24 expires: never
+ ssb 4096R/0x3F29127E79649A3D created: 2016-05-24 expires: never
+ (1) Dr Duh <doc@duh.to>
+
+Move the encryption key to card:
gpg> keytocard
- Signature key ....: 04CB BB4B 1D99 3398 A0B1 4C4B E8E7 855A A5AE 79A7
+ Signature key ....: 07AA 7735 E502 C5EB E09E B8B0 BECF A3C1 AE19 1D15
Encryption key....: [none]
Authentication key: [none]
@@ -716,43 +815,46 @@ Type `key 1` again to deselect and `key 2` to switch to the next key.
Your selection? 2
You need a passphrase to unlock the secret key for
- user: "Doctor Duh <drduh@users.noreply.github.com>"
- 4096-bit RSA key, ID 0x39988E0390CB4B0C, created 2016-01-30
+ user: "Dr Duh <doc@duh.to>"
+ 4096-bit RSA key, ID 0x5912A795E90DD2CF, created 2016-05-24
-
- sec 4096R/0x47FE984F98EE7407 created: 2016-01-30 expires: never
- ssb 4096R/0xE8E7855AA5AE79A7 created: 2016-01-30 expires: never
+ sec 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never
+ ssb 4096R/0xBECFA3C1AE191D15 created: 2016-05-24 expires: never
card-no: 0006 05553211
- ssb* 4096R/0x39988E0390CB4B0C created: 2016-01-30 expires: never
+ ssb* 4096R/0x5912A795E90DD2CF created: 2016-05-24 expires: never
card-no: 0006 05553211
- ssb 4096R/0x218BCF996C7A6E31 created: 2016-01-30 expires: never
- (1) Doctor Duh <drduh@users.noreply.github.com>
+ ssb 4096R/0x3F29127E79649A3D created: 2016-05-24 expires: never
+ (1) Dr Duh <doc@duh.to>
### Authentication key
+Type `key 2` again to deselect and `key 3` to select the next key:
+
gpg> key 2
- sec 4096R/0x47FE984F98EE7407 created: 2016-01-30 expires: never
- ssb 4096R/0xE8E7855AA5AE79A7 created: 2016-01-30 expires: never
+ sec 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never
+ ssb 4096R/0xBECFA3C1AE191D15 created: 2016-05-24 expires: never
card-no: 0006 05553211
- ssb 4096R/0x39988E0390CB4B0C created: 2016-01-30 expires: never
+ ssb 4096R/0x5912A795E90DD2CF created: 2016-05-24 expires: never
card-no: 0006 05553211
- ssb 4096R/0x218BCF996C7A6E31 created: 2016-01-30 expires: never
- (1) Doctor Duh <drduh@users.noreply.github.com>
+ ssb 4096R/0x3F29127E79649A3D created: 2016-05-24 expires: never
+ (1) Dr Duh <doc@duh.to>
gpg> key 3
- sec 4096R/0x47FE984F98EE7407 created: 2016-01-30 expires: never
- ssb 4096R/0xE8E7855AA5AE79A7 created: 2016-01-30 expires: never
+ sec 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never
+ ssb 4096R/0xBECFA3C1AE191D15 created: 2016-05-24 expires: never
card-no: 0006 05553211
- ssb 4096R/0x39988E0390CB4B0C created: 2016-01-30 expires: never
+ ssb 4096R/0x5912A795E90DD2CF created: 2016-05-24 expires: never
card-no: 0006 05553211
- ssb* 4096R/0x218BCF996C7A6E31 created: 2016-01-30 expires: never
- (1) Doctor Duh <drduh@users.noreply.github.com>
+ ssb* 4096R/0x3F29127E79649A3D created: 2016-05-24 expires: never
+ (1) Dr Duh <doc@duh.to>
+
+Move the authentication key to card:
gpg> keytocard
- Signature key ....: 04CB BB4B 1D99 3398 A0B1 4C4B E8E7 855A A5AE 79A7
- Encryption key....: 8AB0 607B A1C1 0F19 2627 6EA6 3998 8E03 90CB 4B0C
+ Signature key ....: 07AA 7735 E502 C5EB E09E B8B0 BECF A3C1 AE19 1D15
+ Encryption key....: 6F26 6F46 845B BEB8 BDF3 7E9B 5912 A795 E90D D2CF
Authentication key: [none]
Please select where to store the key:
@@ -760,107 +862,166 @@ Type `key 1` again to deselect and `key 2` to switch to the next key.
Your selection? 3
You need a passphrase to unlock the secret key for
- user: "Doctor Duh <drduh@users.noreply.github.com>"
- 4096-bit RSA key, ID 0x218BCF996C7A6E31, created 2016-01-30
+ user: "Dr Duh <doc@duh.to>"
+ 4096-bit RSA key, ID 0x3F29127E79649A3D, created 2016-05-24
-
- sec 4096R/0x47FE984F98EE7407 created: 2016-01-30 expires: never
- ssb 4096R/0xE8E7855AA5AE79A7 created: 2016-01-30 expires: never
+ sec 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never
+ ssb 4096R/0xBECFA3C1AE191D15 created: 2016-05-24 expires: never
card-no: 0006 05553211
- ssb 4096R/0x39988E0390CB4B0C created: 2016-01-30 expires: never
+ ssb 4096R/0x5912A795E90DD2CF created: 2016-05-24 expires: never
card-no: 0006 05553211
- ssb* 4096R/0x218BCF996C7A6E31 created: 2016-01-30 expires: never
+ ssb* 4096R/0x3F29127E79649A3D created: 2016-05-24 expires: never
card-no: 0006 05553211
- (1) Doctor Duh <drduh@users.noreply.github.com>
+ (1) Dr Duh <doc@duh.to>
+
+Save and quit:
gpg> save
## Check your work
+`ssb>` indicates a stub to the private key on smartcard:
+
$ gpg --list-secret-keys
- /tmp/tmp.eBbMfyVDDt/secring.gpg
+ /tmp/tmp.aaiTTovYgo/secring.gpg
-------------------------------
- sec 4096R/0x47FE984F98EE7407 2016-01-30
- Key fingerprint = 044C ABD0 9043 F1E0 3785 3979 47FE 984F 98EE 7407
- uid Doctor Duh <drduh@users.noreply.github.com>
- ssb> 4096R/0xE8E7855AA5AE79A7 2016-01-30
- ssb> 4096R/0x39988E0390CB4B0C 2016-01-30
- ssb> 4096R/0x218BCF996C7A6E31 2016-01-30
-
-`ssb>` indicates a stub to the private key on smartcard.
+ sec 4096R/0xFF3E7D88647EBCDB 2016-05-24
+ Key fingerprint = 011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB
+ uid Dr Duh <doc@duh.to>
+ ssb> 4096R/0xBECFA3C1AE191D15 2016-05-24
+ ssb> 4096R/0x5912A795E90DD2CF 2016-05-24
+ ssb> 4096R/0x3F29127E79649A3D 2016-05-24
## Export public key
- $ gpg --armor --export $KEYID > /mnt/public-usb-key/pubkey.asc
+This file should be publicly shared:
+
+ $ gpg --armor --export $KEYID > /mnt/public-usb-key/pubkey.txt
+
+Optionally, it may be uploaded to a [public keyserver](https://debian-administration.org/article/451/Submitting_your_GPG_key_to_a_keyserver):
+
+ $ gpg --send-key $KEYID
+ gpg: sending key 0xFF3E7D88647EBCDB to hkps server hkps.pool.sks-keyservers.net
+ [...]
+
+After a little while, it ought to propagate to [other](https://pgp.key-server.io/pks/lookup?search=doc%40duh.to&fingerprint=on&op=vindex) [servers](https://pgp.mit.edu/pks/lookup?search=doc%40duh.to&op=index).
+
+## Finish
+
+If all went well, you should now reboot or [securely delete](http://srm.sourceforge.net/) `$GNUPGHOME`.
# Using keys
+## Create GPG configuration
+
+Paste the following text into a terminal window to create a [recommended](https://github.com/drduh/config/blob/master/gpg.conf) GPG configuration:
+
+ $ cat << EOF > ~/.gnupg/gpg.conf
+ auto-key-locate keyserver
+ keyserver hkps://hkps.pool.sks-keyservers.net
+ keyserver-options no-honor-keyserver-url
+ keyserver-options ca-cert-file=/etc/sks-keyservers.netCA.pem
+ keyserver-options no-honor-keyserver-url
+ keyserver-options debug
+ keyserver-options verbose
+ personal-cipher-preferences AES256 AES192 AES CAST5
+ personal-digest-preferences SHA512 SHA384 SHA256 SHA224
+ default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
+ cert-digest-algo SHA512
+ s2k-digest-algo SHA512
+ charset utf-8
+ fixed-list-mode
+ no-comments
+ no-emit-version
+ keyid-format 0xlong
+ list-options show-uid-validity
+ verify-options show-uid-validity
+ with-fingerprint
+ use-agent
+ EOF
+
+To install the keyservers CA file:
+
+ $ sudo curl -s "https://sks-keyservers.net/sks-keyservers.netCA.pem" -o /etc/sks-keyservers.netCA.pem
+
+## Import public key
+
+Import it from a file:
+
+ $ gpg --import < /mnt/public-usb-key/pubkey.txt
+ gpg: key 0xFF3E7D88647EBCDB: public key "Dr Duh <doc@duh.to>" imported
+ gpg: Total number processed: 1
+ gpg: imported: 1 (RSA: 1)
+
+Or download from a keyserver:
+
+ $ gpg --recv 0xFF3E7D88647EBCDB
+ gpg: requesting key 0xFF3E7D88647EBCDB from hkps server hkps.pool.sks-keyservers.net
+ [...]
+ gpg: key 0xFF3E7D88647EBCDB: public key "Dr Duh <doc@duh.to>" imported
+ gpg: Total number processed: 1
+ gpg: imported: 1 (RSA: 1)
+
## Insert YubiKey
+Check the card's status:
+
$ gpg --card-status
Application ID ...: D2760001240102010006055532110000
Version ..........: 2.1
- Manufacturer .....: unknown
+ Manufacturer .....: Yubico
Serial number ....: 05553211
Name of cardholder: Dr Duh
Language prefs ...: en
Sex ..............: unspecified
URL of public key : [not set]
- Login data .......: drduh@users.noreply.github.com
+ Login data .......: doc@duh.to
Signature PIN ....: not forced
Key attributes ...: 4096R 4096R 4096R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
- Signature key ....: 04CB BB4B 1D99 3398 A0B1 4C4B E8E7 855A A5AE 79A7
- created ....: 2016-01-30 16:36:40
- Encryption key....: 8AB0 607B A1C1 0F19 2627 6EA6 3998 8E03 90CB 4B0C
- created ....: 2016-01-30 16:42:29
- Authentication key: 3B81 E129 B7C3 26F4 2EA1 2F19 218B CF99 6C7A 6E31
- created ....: 2016-01-30 16:44:48
- General key info..: pub 4096R/0xE8E7855AA5AE79A7 2016-01-30 Doctor Duh <drduh@users.noreply.github.com>
- sec# 4096R/0x47FE984F98EE7407 created: 2016-01-30 expires: never
- ssb> 4096R/0xE8E7855AA5AE79A7 created: 2016-01-30 expires: never
+ Signature key ....: 07AA 7735 E502 C5EB E09E B8B0 BECF A3C1 AE19 1D15
+ created ....: 2016-05-24 23:22:01
+ Encryption key....: 6F26 6F46 845B BEB8 BDF3 7E9B 5912 A795 E90D D2CF
+ created ....: 2016-05-24 23:29:03
+ Authentication key: 82BE 7837 6A3F 2E7B E556 5E35 3F29 127E 7964 9A3D
+ created ....: 2016-05-24 23:36:40
+ General key info..: pub 4096R/0xBECFA3C1AE191D15 2016-05-24 Dr Duh <doc@duh.to>
+ sec# 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never
+ ssb> 4096R/0xBECFA3C1AE191D15 created: 2016-05-24 expires: never
card-no: 0006 05553211
- ssb> 4096R/0x39988E0390CB4B0C created: 2016-01-30 expires: never
+ ssb> 4096R/0x5912A795E90DD2CF created: 2016-05-24 expires: never
card-no: 0006 05553211
- ssb> 4096R/0x218BCF996C7A6E31 created: 2016-01-30 expires: never
+ ssb> 4096R/0x3F29127E79649A3D created: 2016-05-24 expires: never
card-no: 0006 05553211
-`sec#` indicates master key is not available (as it should be stored encrypted and offline).
+`sec#` indicates master key is not available (as it should be stored encrypted offline).
-## Import public key
+## GnuPG
- $ gpg --import < /mnt/public-usb-key/pubkey.txt
+### Trust master key
-## Trust master key
+Edit the imported key to assign it ultimate trust:
- $ gpg --edit-key $KEYID
+ $ gpg --edit-key 0xFF3E7D88647EBCDB
Secret key is available.
- pub 4096R/0x47FE984F98EE7407 created: 2016-01-30 expires: never usage: SC
-
+ pub 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never usage: SC
trust: unknown validity: unknown
- sub 4096R/0xE8E7855AA5AE79A7 created: 2016-01-30 expires: never usage: S
-
- sub 4096R/0x39988E0390CB4B0C created: 2016-01-30 expires: never usage: E
-
- sub 4096R/0x218BCF996C7A6E31 created: 2016-01-30 expires: never usage: A
-
- [ unknown] (1). Doctor Duh <drduh@users.noreply.github.com>
+ sub 4096R/0xBECFA3C1AE191D15 created: 2016-05-24 expires: never usage: S
+ sub 4096R/0x5912A795E90DD2CF created: 2016-05-24 expires: never usage: E
+ sub 4096R/0x3F29127E79649A3D created: 2016-05-24 expires: never usage: A
+ [ unknown] (1). Dr Duh <doc@duh.to>
gpg> trust
- pub 4096R/0x47FE984F98EE7407 created: 2016-01-30 expires: never usage: SC
-
+ pub 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never usage: SC
trust: unknown validity: unknown
- sub 4096R/0xE8E7855AA5AE79A7 created: 2016-01-30 expires: never usage: S
-
- sub 4096R/0x39988E0390CB4B0C created: 2016-01-30 expires: never usage: E
-
- sub 4096R/0x218BCF996C7A6E31 created: 2016-01-30 expires: never usage: A
-
- [ unknown] (1). Doctor Duh <drduh@users.noreply.github.com>
+ sub 4096R/0xBECFA3C1AE191D15 created: 2016-05-24 expires: never usage: S
+ sub 4096R/0x5912A795E90DD2CF created: 2016-05-24 expires: never usage: E
+ sub 4096R/0x3F29127E79649A3D created: 2016-05-24 expires: never usage: A
+ [ unknown] (1). Dr Duh <doc@duh.to>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
@@ -875,87 +1036,169 @@ Type `key 1` again to deselect and `key 2` to switch to the next key.
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
- pub 4096R/0x47FE984F98EE7407 created: 2016-01-30 expires: never usage: SC
-
+ pub 4096R/0xFF3E7D88647EBCDB created: 2016-05-24 expires: never usage: SC
trust: ultimate validity: unknown
- sub 4096R/0xE8E7855AA5AE79A7 created: 2016-01-30 expires: never usage: S
-
- sub 4096R/0x39988E0390CB4B0C created: 2016-01-30 expires: never usage: E
-
- sub 4096R/0x218BCF996C7A6E31 created: 2016-01-30 expires: never usage: A
-
- [ unknown] (1). Doctor Duh <drduh@users.noreply.github.com>
+ sub 4096R/0xBECFA3C1AE191D15 created: 2016-05-24 expires: never usage: S
+ sub 4096R/0x5912A795E90DD2CF created: 2016-05-24 expires: never usage: E
+ sub 4096R/0x3F29127E79649A3D created: 2016-05-24 expires: never usage: A
+ [ unknown] (1). Dr Duh <doc@duh.to>
Please note that the shown key validity is not necessarily correct
unless you restart the program.
gpg> quit
-## GnuPG
-
-### Create configuration
-
- $ cat > ~/.gnupg/gpg.conf
- use-agent
- personal-cipher-preferences AES256 AES192 AES CAST5
- personal-digest-preferences SHA512 SHA384 SHA256 SHA224
- default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
- cert-digest-algo SHA512
- s2k-digest-algo SHA512
- charset utf-8
- fixed-list-mode
- no-comments
- no-emit-version
- keyid-format 0xlong
- list-options show-uid-validity
- verify-options show-uid-validity
- with-fingerprint
- ^D (Press Control-D)
+### Encryption
-### Encryption/decryption
+Encrypt some sample text:
- $ echo "$(uname -a)" | gpg --encrypt --armor -r $KEYID | gpg --decrypt --armor
+ $ echo "$(uname -a)" | gpg --encrypt --armor --recipient 0xFF3E7D88647EBCDB
+ -----BEGIN PGP MESSAGE-----
- Please enter the PIN
- gpg: encrypted with 4096-bit RSA key, ID 0x39988E0390CB4B0C, created 2016-01-30
- "Doctor Duh <drduh@users.noreply.github.com>"
- Linux workstation 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u3 (2016-01-17) x86_64 GNU/Linux
+ hQIMA1kSp5XpDdLPAQ/+JyYfLaUS/+llEzQaKDb5mWhG4HlUgD99dNJUXakm085h
+ PSSt3I8Ac0ctwyMnenZvBEbHMqdRnfZJsj5pHidKcAZrhgs+he+B1tdZ/KPa8inx
+ NIGqd8W1OraVSFmPEdC1kQ5he6R/WCDH1NNel9+fvLtQDCBQaFae/s3yXCSSQU6q
+ HKCJLyHK8K9hDvgFmXOY8j1qTknBvDbmYdcCKVE1ejgpUCi3WatusobpWozsp0+b
+ 6DN8bXyfxLPYm1PTLfW7v4kwddktB8eVioV8A45lndJZvliSqDwxhrwyE5VGsArS
+ NmqzBkCaOHQFr0ofL91xgwpCI5kM2ukIR5SxUO4hvzlHn58QVL9GfAyCHMFtJs3o
+ Q9eiR0joo9TjTwR8XomVhRJShrrcPeGgu3YmIak4u7OndyBFpu2E79RQ0ehpl2gY
+ tSECB6mNd/gt0Wy3y15ccaFI4CVP6jrMN6q3YhXqNC7GgI/OWkVZIAgUFYnbmIQe
+ tQ3z3wlbvFFngeFy5IlhsPduK8T9XgPnOtgQxHaepKz0h3m2lJegmp4YZ4CbS9h6
+ kcBTUjys5Vin1SLuqL4PhErzmlAZgVzG2PANsnHYPe2hwN4NlFtOND1wgBCtBFBs
+ 1pqz1I0O+jmyId+jVlAK076c2AwdkVbokKUcIT/OcTc0nwHjOUttJGmkUHlbt/nS
+ iAFNniSfzf6fwAFHgsvWiRJMa3keolPiqoUdh0tBIiI1zxOMaiTL7C9BFdpnvzYw
+ Krj0pDc7AlF4spWhm58WgAW20P8PGcVQcN6mSTG8jKbXVSP3bvgPXkpGAOLKMV/i
+ pLORcRPbauusBqovgaBWU/i3pMYrbhZ+LQbVEaJlvblWu6xe8HhS/jo=
+ =pzkv
+ -----END PGP MESSAGE-----
-### Signing
+### Decryption
- $ echo "$(uname -a)" | gpg --encrypt --armor --sign -r $KEYID
- gpg: signatures created so far: 0
+Decrypt the sample text by pasting it:
- Please enter the PIN
- [sigs done: 0]
+ $ gpg --decrypt --armor
-----BEGIN PGP MESSAGE-----
- hQIMAzmYjgOQy0sMAQ//bG8YyEinTOFzL/aL/BN54/PAFzBZj6B//dEFXYu5NlHJ
- [...]
- sjLN5ZhJkQKJeUWIVdGeuZN+pIeIRWQHeKD7xRUgij6/nC7qCfPPkHFYxQ==
- =jztu
+ hQIMA1kSp5XpDdLPAQ/+JyYfLaUS/+llEzQaKDb5mWhG4HlUgD99dNJUXakm085h
+ PSSt3I8Ac0ctwyMnenZvBEbHMqdRnfZJsj5pHidKcAZrhgs+he+B1tdZ/KPa8inx
+ NIGqd8W1OraVSFmPEdC1kQ5he6R/WCDH1NNel9+fvLtQDCBQaFae/s3yXCSSQU6q
+ HKCJLyHK8K9hDvgFmXOY8j1qTknBvDbmYdcCKVE1ejgpUCi3WatusobpWozsp0+b
+ 6DN8bXyfxLPYm1PTLfW7v4kwddktB8eVioV8A45lndJZvliSqDwxhrwyE5VGsArS
+ NmqzBkCaOHQFr0ofL91xgwpCI5kM2ukIR5SxUO4hvzlHn58QVL9GfAyCHMFtJs3o
+ Q9eiR0joo9TjTwR8XomVhRJShrrcPeGgu3YmIak4u7OndyBFpu2E79RQ0ehpl2gY
+ tSECB6mNd/gt0Wy3y15ccaFI4CVP6jrMN6q3YhXqNC7GgI/OWkVZIAgUFYnbmIQe
+ tQ3z3wlbvFFngeFy5IlhsPduK8T9XgPnOtgQxHaepKz0h3m2lJegmp4YZ4CbS9h6
+ kcBTUjys5Vin1SLuqL4PhErzmlAZgVzG2PANsnHYPe2hwN4NlFtOND1wgBCtBFBs
+ 1pqz1I0O+jmyId+jVlAK076c2AwdkVbokKUcIT/OcTc0nwHjOUttJGmkUHlbt/nS
+ iAFNniSfzf6fwAFHgsvWiRJMa3keolPiqoUdh0tBIiI1zxOMaiTL7C9BFdpnvzYw
+ Krj0pDc7AlF4spWhm58WgAW20P8PGcVQcN6mSTG8jKbXVSP3bvgPXkpGAOLKMV/i
+ pLORcRPbauusBqovgaBWU/i3pMYrbhZ+LQbVEaJlvblWu6xe8HhS/jo=
+ =pzkv
-----END PGP MESSAGE-----
+ gpg: encrypted with 4096-bit RSA key, ID 0x5912A795E90DD2CF, created
+ 2016-05-24
+ "Dr Duh <doc@duh.to>"
+
+ (Press Control-D)
+
+ Linux workstation 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-2 (2016-04-08) x86_64 GNU/Linux
+
+### Signing
+
+Sign some sample text:
+
+ $ echo "$(uname -a)" | gpg --armor --clearsign --default-key 0xFF3E7D88647EBCDB
+ -----BEGIN PGP SIGNED MESSAGE-----
+ Hash: SHA512
+
+ Linux workstation 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-2 (2016-04-08) x86_64 GNU/Linux
+ -----BEGIN PGP SIGNATURE-----
+
+ iQIcBAEBCgAGBQJXRPo8AAoJEL7Po8GuGR0Vh8wP/jYXTR8SAZIZSMVCOyAjH37f
+ k6JxB0rF928WDYPihjo/d0Jd+XpoV1g+oipDRjP78xqR9H/CJZlE10IPQbNaomFs
+ +3RGxA3Zr085cVFoixI8rxYOSu0Vs2cAzAbJHNcOcD7vXxTHcX4T8kfKoF9A4U1u
+ XTJ42eEjpO0fX76tFX2/Uzxl43ES0dO7Y82ho7xcnaYwakVUEcWfUpfDAroLKZOs
+ wCZGr8Z64QDQzxQ9L45Zc61wMx9JEIWD4BnagllfeOYrEwTJfYG8uhDDNYx0jjJp
+ j1PBHn5d556aX6DHUH05kq3wszvQ4W40RctLgAA3l1VnEKebhBKjLZA/EePAvQV4
+ QM7MFUV1X/pi2zlyoZSnHkVl8b5Q7RU5ZtRpq9fdkDDepeiUo5PNBUMJER1gn4bm
+ ri8DtavkwTNWBRLnVR2gHBmVQNN7ZDOkHcfyqR4I9chx6TMpfcxk0zATAHh8Donp
+ FVPKySifuXpunn+0MwdZl5XkhHGdpdYQz4/LAZUGhrA9JTnFtc4cl4JrTzufF8Sr
+ c3JJumMsyGvw9OQKQHF8gHme4PBu/4P31LpfX9wzPOTpJaI31Sg5kdJLTo9M9Ppo
+ uvkmJS7ETjLQZOsRyAEn7gcEKZQGPQcNAgfEgQPoepS/KvvI68u+JMJm4n24k2kQ
+ fEkp501u8kAZkWauhiL+
+ =+ylJ
+ -----END PGP SIGNATURE-----
+
+### Verifying signature
+
+Verify the previous signature:
+
+ $ gpg
+ gpg: Go ahead and type your message ...
+ -----BEGIN PGP SIGNED MESSAGE-----
+ Hash: SHA512
+
+ Linux workstation 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-2 (2016-04-08) x86_64 GNU/Linux
+ -----BEGIN PGP SIGNATURE-----
+
+ iQIcBAEBCgAGBQJXRPo8AAoJEL7Po8GuGR0Vh8wP/jYXTR8SAZIZSMVCOyAjH37f
+ +3RGxA3Zr085cVFoixI8rxYOSu0Vs2cAzAbJHNcOcD7vXxTHcX4T8kfKoF9A4U1u
+ XTJ42eEjpO0fX76tFX2/Uzxl43ES0dO7Y82ho7xcnaYwakVUEcWfUpfDAroLKZOs
+ wCZGr8Z64QDQzxQ9L45Zc61wMx9JEIWD4BnagllfeOYrEwTJfYG8uhDDNYx0jjJp
+ j1PBHn5d556aX6DHUH05kq3wszvQ4W40RctLgAA3l1VnEKebhBKjLZA/EePAvQV4
+ QM7MFUV1X/pi2zlyoZSnHkVl8b5Q7RU5ZtRpq9fdkDDepeiUo5PNBUMJER1gn4bm
+ ri8DtavkwTNWBRLnVR2gHBmVQNN7ZDOkHcfyqR4I9chx6TMpfcxk0zATAHh8Donp
+ FVPKySifuXpunn+0MwdZl5XkhHGdpdYQz4/LAZUGhrA9JTnFtc4cl4JrTzufF8Sr
+ c3JJumMsyGvw9OQKQHF8gHme4PBu/4P31LpfX9wzPOTpJaI31Sg5kdJLTo9M9Ppo
+ uvkmJS7ETjLQZOsRyAEn7gcEKZQGPQcNAgfEgQPoepS/KvvI68u+JMJm4n24k2kQ
+ fEkp501u8kAZkWauhiL+
+ =+ylJ
+ -----END PGP SIGNATURE-----
+
+ (Press Control-D)
+
+ gpg: Signature made Wed 25 May 2016 00:00:00 AM UTC
+ gpg: using RSA key 0xBECFA3C1AE191D15
+ gpg: Good signature from "Dr Duh <doc@duh.to>" [ultimate]
+ Primary key fingerprint: 011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB
+ Subkey fingerprint: 07AA 7735 E502 C5EB E09E B8B0 BECF A3C1 AE19 1D15
+
+Putting it all together:
+
+ $ echo "$(uname -a)" | gpg --encrypt --sign --armor --default-key 0xFF3E7D88647EBCDB --recipient 0xBECFA3C1AE191D15 | gpg --decrypt --armor
+ gpg: encrypted with 4096-bit RSA key, ID 0x5912A795E90DD2CF, created 2016-05-24
+ "Dr Duh <doc@duh.to>"
+ Linux workstation 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-2 (2016-04-08) x86_64 GNU/Linux
+ gpg: Signature made Wed 25 May 2016 01:00:00 AM UTC
+ gpg: using RSA key 0xBECFA3C1AE191D15
+ gpg: Good signature from "Dr Duh <doc@duh.to>" [ultimate]
+ Primary key fingerprint: 011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB
+ Subkey fingerprint: 07AA 7735 E502 C5EB E09E B8B0 BECF A3C1 AE19 1D15
## SSH
### Update configuration
- $ cat > ~/.gnupg/gpg-agent.conf
+Paste the following text into a terminal window to create a [recommended](https://github.com/drduh/config/blob/master/gpg-agent.conf) GPG agent configuration:
+
+ $ cat << EOF > ~/.gnupg/gpg-agent.conf
enable-ssh-support
pinentry-program /usr/bin/pinentry-curses
default-cache-ttl 60
max-cache-ttl 120
write-env-file
use-standard-socket
- ^D (Press Control-D)
+ EOF
### Replace ssh-agent with gpg-agent
- $ pkill ssh-agent ; \
+ $ pkill ssh-agent ; pkill gpg-agent ; \
eval $(gpg-agent --daemon --enable-ssh-support --use-standard-socket \
--log-file ~/.gnupg/gpg-agent.log --write-env-file)
### Copy public key to server
+Copy and paste the following output to the server authorized keys file:
+
$ ssh-add -L
ssh-rsa AAAAB4NzaC1yc2EAAAADAQABAAACAz[...]zreOKM+HwpkHzcy9DQcVG2Nw== cardno:000605553211
@@ -980,13 +1223,21 @@ Type `key 1` again to deselect and `key 2` to switch to the next key.
debug1: Authentication succeeded (publickey).
[...]
-# Notes
+# Troubleshooting
+
+- If you don't understand some option, read `man gpg`.
+
+- If you encounter problems connecting to YubiKey with GPG, simply try unplugging and re-inserting your YubiKey, and restarting the `gpg-agent` process.
+
+- If you receive the error, `gpg: decryption failed: secret key not available` - you likely need to install GnuPG version 2.x.
+
+- If you receive the error, `Yubikey core error: no yubikey present` - you likely need to install newer versions of yubikey-personalize as outlined in [Install required software](#install-required-software).
-- Don't write to drduh@users.noreply.github.com, open an issue on GitHub instead.
-- Programming YubiKey for GPG keys still lets you use its two slots - OTP and static password modes, for example.
-- If you encounter problems, simply try unplugging and re-inserting your YubiKey, and restarting the `gpg-agent` process.
-- ECC may be preferred to RSA 4096, but the 1.4.x branch of GnuPG does not support it.
-- Try installing and using the newer, more feature-rich [GnuPG 2.x](https://superuser.com/questions/655246/are-gnupg-1-and-gnupg-2-compatible-with-each-other) with `sudo apt-get install gnupg2`
+- If you receive the error, `Yubikey core error: write error` - YubiKey is likely locked. Install and run yubikey-personalization-gui to unlock it.
+
+- If you receive the error, `Key does not match the card's capability` - you likely need to use 2048 bit RSA key sizes.
+
+- If you totally screw up, you can [reset the card](https://developers.yubico.com/ykneo-openpgp/ResetApplet.html).
# References
@@ -1011,3 +1262,8 @@ Type `key 1` again to deselect and `key 2` to switch to the next key.
<http://www.bootc.net/archives/2013/06/09/my-perfect-gnupg-ssh-agent-setup/>
<https://help.riseup.net/en/security/message-security/openpgp/best-practices>
+
+<https://alexcabal.com/creating-the-perfect-gpg-keypair/>
+
+<https://www.void.gr/kargig/blog/2013/12/02/creating-a-new-gpg-key-with-subkeys/>
+
generated by cgit, for Dennis Eriksen