aboutsummaryrefslogtreecommitdiffstatshomepage
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--README.md31
-rw-r--r--switch-to-backup-yubikey23
2 files changed, 51 insertions, 3 deletions
diff --git a/README.md b/README.md
index bca7263..221e213 100644
--- a/README.md
+++ b/README.md
@@ -86,7 +86,7 @@ If you have a comment or suggestion, please open an [Issue](https://github.com/d
# Purchase
-All YubiKeys except the blue "security key" model are compatible with this guide. NEO models are limited to 2048-bit RSA keys. Compare YubiKeys [here](https://www.yubico.com/products/yubikey-hardware/compare-products-series/).
+All YubiKeys except the blue "security key" model are compatible with this guide. NEO models are limited to 2048-bit RSA keys. Compare YubiKeys [here](https://www.yubico.com/products/yubikey-hardware/compare-products-series/). Yubico have also just released a press release and blog post about supporting resident ssh keys on their Yubikeys including blue "security key 5 NFC" with OpenSSH 8.2 or later, see [here](https://www.yubico.com/blog/github-now-supports-ssh-security-keys/) for details.
To verify a YubiKey is genuine, open a [browser with U2F support](https://support.yubico.com/support/solutions/articles/15000009591-how-to-confirm-your-yubico-device-is-genuine-with-u2f) to [https://www.yubico.com/genuine/](https://www.yubico.com/genuine/). Insert a Yubico device, and select *Verify Device* to begin the process. Touch the YubiKey when prompted, and if asked, allow it to see the make and model of the device. If you see *Verification complete*, the device is authentic.
@@ -263,7 +263,7 @@ Generate a NixOS LiveCD image with the given config:
let
config = { pkgs, ... }:
with pkgs; {
- imports = [ <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix> ];
+ imports = [ <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix> ];
boot.kernelPackages = linuxPackages_latest;
@@ -1523,6 +1523,31 @@ $ cp -avi /mnt/encrypted-storage/tmp.XXX $GNUPGHOME
$ cd $GNUPGHOME
```
+## Switching between two or more Yubikeys.
+
+When you add a GPG key to a Yubikey using the *keytocard* command, GPG deletes the key form your keyring and adds a *stub* pointing to that exact Yubikey (the stub identifies the GPG KeyID and the Yubikey's serial number).
+
+However, when you do this same operation for a second Yubikey, the stub in your keyring is overwritten by the *keytocard* operation and now the stub points to your second Yubikey. Adding more repeats this overwriting operation.
+
+In other words, the stub will point ONLY to the LAST Yubikey written to.
+
+When using GPG key operations with the GPG key you placed onto the Yubikeys, GPG will request a specific Yubikey asking that you insert a Yubikey with a given serial number (referenced by the stub). GPG will not recognise another Yubikey with a different serial number without manual intervention.
+
+You can force GPG to scan the card and re-create the stubs to point to another Yubikey.
+
+Having created two (or more Yubikeys) with the same GPG key (as described above) where the stubs are pointing to the second Yubikey:
+
+Insert the first Yubikey (which has a different serial numnber) and run the following command:
+
+```console
+$ gpg-connect-agent "scd serialno" "learn --force" /bye
+```
+GPG will then scan your first Yubikey for GPG keys and recreate the stubs to point to the GPG keyID and Yubikey Serial number of this first Yubikey.
+
+To return to using the second Yubikey just repeat (insert other Yubikey and re-run command).
+
+Obviously this command is not easy to remember so it is recommended to either create a script or a shell alias to make this more user friendly.
+
# Cleanup
Ensure you have:
@@ -1960,7 +1985,7 @@ It is now possible to continue following the Keyoxide guide and upload the key t
# SSH
-_Note that if you want to use a **YubiKey ONLY for SSH** (and don't really care about PGP/GPG), then [since OpenSSH v8.2](https://www.openssh.com/txt/release-8.2) you alternatively can simply `ssh-keygen -t ed25519-sk` (without requiring anything else from this guide!), as explained [e.g. in this guide](https://github.com/vorburger/vorburger.ch-Notes/blob/develop/security/ed25519-sk.md)._
+_Note that if you want to use a **YubiKey ONLY for SSH** (and don't really care about PGP/GPG), then [since OpenSSH v8.2](https://www.openssh.com/txt/release-8.2) you alternatively can simply `ssh-keygen -t ed25519-sk` (without requiring anything else from this guide!), as explained [e.g. in this guide](https://github.com/vorburger/vorburger.ch-Notes/blob/develop/security/ed25519-sk.md). Yubico also recently announced support for resident ssh keys under OpenSSH 8.2+ on their blue "security key 5 nfc" as mentioned in their [blog post](https://www.yubico.com/blog/github-now-supports-ssh-security-keys/)._
[gpg-agent](https://wiki.archlinux.org/index.php/GnuPG#SSH_agent) supports the OpenSSH ssh-agent protocol (`enable-ssh-support`), as well as Putty's Pageant on Windows (`enable-putty-support`). This means it can be used instead of the traditional ssh-agent / pageant. There are some differences from ssh-agent, notably that gpg-agent does not _cache_ keys rather it converts, encrypts and stores them - persistently - as GPG keys and then makes them available to ssh clients. Any existing ssh private keys that you'd like to keep in `gpg-agent` should be deleted after they've been imported to the GPG agent.
diff --git a/switch-to-backup-yubikey b/switch-to-backup-yubikey
new file mode 100644
index 0000000..e4d877a
--- /dev/null
+++ b/switch-to-backup-yubikey
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# To make a duplicate Yubikey for GPG keys
+# 1. Insert Yubikey1
+# 2. Create keys/subkeys
+# 3. Run keytocard to transfer keys to Yubikey1
+# 4. QUIT WITHOUT SAVING!!!!!
+#
+# This will leave the keys on the Yubikey but NOT change the
+# GPG keyring to point to the Yubikey1 with a stub
+#
+# 5. Insert Yubikey2
+# 6. Run keytocard to transfer keys to Yubikey2
+# 7. QUIT and SAVE to make GPG point it's stubs to Yubikey2
+#
+# Running any decrypt, auth or sign will now ask you to insert Yubikey2
+# To switch to Yubikey1 at any time run this script to force GPG
+# to repoint the key stubs to the inserted Yubikey
+
+read -p "Insert the Yubikey you want to use .... " ignore
+echo "Switching GPG to backup Yubikey ..."
+
+gpg-connect-agent "scd serialno" "learn --force" /bye