-rw-r--r--  README.md                 | 31
-rw-r--r--  switch-to-backup-yubikey  | 23
2 files changed, 51 insertions, 3 deletions
@@ -86,7 +86,7 @@ If you have a comment or suggestion, please open an [Issue](https://github.com/d # Purchase -All YubiKeys except the blue "security key" model are compatible with this guide. NEO models are limited to 2048-bit RSA keys. Compare YubiKeys [here](https://www.yubico.com/products/yubikey-hardware/compare-products-series/). +All YubiKeys except the blue "security key" model are compatible with this guide. NEO models are limited to 2048-bit RSA keys. Compare YubiKeys [here](https://www.yubico.com/products/yubikey-hardware/compare-products-series/). Yubico have also just released a press release and blog post about supporting resident ssh keys on their Yubikeys including blue "security key 5 NFC" with OpenSSH 8.2 or later, see [here](https://www.yubico.com/blog/github-now-supports-ssh-security-keys/) for details. To verify a YubiKey is genuine, open a [browser with U2F support](https://support.yubico.com/support/solutions/articles/15000009591-how-to-confirm-your-yubico-device-is-genuine-with-u2f) to [https://www.yubico.com/genuine/](https://www.yubico.com/genuine/). Insert a Yubico device, and select *Verify Device* to begin the process. Touch the YubiKey when prompted, and if asked, allow it to see the make and model of the device. If you see *Verification complete*, the device is authentic. @@ -263,7 +263,7 @@ Generate a NixOS LiveCD image with the given config: let config = { pkgs, ... }: with pkgs; { - imports = [ <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix> ]; + imports = [ <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix> ]; boot.kernelPackages = linuxPackages_latest; 
@@ -1523,6 +1523,31 @@ $ cp -avi /mnt/encrypted-storage/tmp.XXX $GNUPGHOME $ cd $GNUPGHOME ``` +## Switching between two or more Yubikeys. + +When you add a GPG key to a Yubikey using the *keytocard* command, GPG deletes the key form your keyring and adds a *stub* pointing to that exact Yubikey (the stub identifies the GPG KeyID and the Yubikey's serial number). + +However, when you do this same operation for a second Yubikey, the stub in your keyring is overwritten by the *keytocard* operation and now the stub points to your second Yubikey. Adding more repeats this overwriting operation. + +In other words, the stub will point ONLY to the LAST Yubikey written to. + +When using GPG key operations with the GPG key you placed onto the Yubikeys, GPG will request a specific Yubikey asking that you insert a Yubikey with a given serial number (referenced by the stub). GPG will not recognise another Yubikey with a different serial number without manual intervention. + +You can force GPG to scan the card and re-create the stubs to point to another Yubikey. + +Having created two (or more Yubikeys) with the same GPG key (as described above) where the stubs are pointing to the second Yubikey: + +Insert the first Yubikey (which has a different serial numnber) and run the following command: + +```console +$ gpg-connect-agent "scd serialno" "learn --force" /bye +``` +GPG will then scan your first Yubikey for GPG keys and recreate the stubs to point to the GPG keyID and Yubikey Serial number of this first Yubikey. + +To return to using the second Yubikey just repeat (insert other Yubikey and re-run command). + +Obviously this command is not easy to remember so it is recommended to either create a script or a shell alias to make this more user friendly. + # Cleanup Ensure you have: 
@@ -1960,7 +1985,7 @@ It is now possible to continue following the Keyoxide guide and upload the key t # SSH -_Note that if you want to use a **YubiKey ONLY for SSH** (and don't really care about PGP/GPG), then [since OpenSSH v8.2](https://www.openssh.com/txt/release-8.2) you alternatively can simply `ssh-keygen -t ed25519-sk` (without requiring anything else from this guide!), as explained [e.g. in this guide](https://github.com/vorburger/vorburger.ch-Notes/blob/develop/security/ed25519-sk.md)._ +_Note that if you want to use a **YubiKey ONLY for SSH** (and don't really care about PGP/GPG), then [since OpenSSH v8.2](https://www.openssh.com/txt/release-8.2) you alternatively can simply `ssh-keygen -t ed25519-sk` (without requiring anything else from this guide!), as explained [e.g. in this guide](https://github.com/vorburger/vorburger.ch-Notes/blob/develop/security/ed25519-sk.md). Yubico also recently announced support for resident ssh keys under OpenSSH 8.2+ on their blue "security key 5 nfc" as mentioned in their [blog post](https://www.yubico.com/blog/github-now-supports-ssh-security-keys/)._ [gpg-agent](https://wiki.archlinux.org/index.php/GnuPG#SSH_agent) supports the OpenSSH ssh-agent protocol (`enable-ssh-support`), as well as Putty's Pageant on Windows (`enable-putty-support`). This means it can be used instead of the traditional ssh-agent / pageant. There are some differences from ssh-agent, notably that gpg-agent does not _cache_ keys rather it converts, encrypts and stores them - persistently - as GPG keys and then makes them available to ssh clients. Any existing ssh private keys that you'd like to keep in `gpg-agent` should be deleted after they've been imported to the GPG agent. diff --git a/switch-to-backup-yubikey b/switch-to-backup-yubikey new file mode 100644 index 0000000..e4d877a --- /dev/null +++ b/switch-to-backup-yubikey 
@@ -0,0 +1,23 @@ +#!/bin/sh +# +# To make a duplicate Yubikey for GPG keys +# 1. Insert Yubikey1 +# 2. Create keys/subkeys +# 3. Run keytocard to transfer keys to Yubikey1 +# 4. QUIT WITHOUT SAVING!!!!! +# +# This will leave the keys on the Yubikey but NOT change the +# GPG keyring to point to the Yubikey1 with a stub +# +# 5. Insert Yubikey2 +# 6. Run keytocard to transfer keys to Yubikey2 +# 7. QUIT and SAVE to make GPG point it's stubs to Yubikey2 +# +# Running any decrypt, auth or sign will now ask you to insert Yubikey2 +# To switch to Yubikey1 at any time run this script to force GPG +# to repoint the key stubs to the inserted Yubikey + +read -p "Insert the Yubikey you want to use .... " ignore +echo "Switching GPG to backup Yubikey ..." + +gpg-connect-agent "scd serialno" "learn --force" /bye |
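Review bot: in the README hunk at @@ -86 (Purchase), the new sentence duplicates the note that the @@ -1985 hunk adds to the SSH section, and its wording ("Yubico have also just released a press release and blog post", "Yubikeys") will date quickly and does not match the guide's "YubiKey" spelling. It also directly follows "All YubiKeys except the blue "security key" model are compatible with this guide", so a reader can take it to mean the blue key now works with this guide, which it does not; the OpenSSH 8.2 path is separate from the OpenPGP setup described here. Suggest dropping this copy and keeping only the SSH-section one, or reducing it to a pointer such as: "The blue Security Key is not compatible with this guide, but can be used for SSH with OpenSSH 8.2 or later; see the SSH section."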
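Review bot: the rename in the README hunk at @@ -263 (installation-cd-graphical-kde.nix to installation-cd-graphical-plasma5.nix) is unrelated to this commit's purpose of switching between YubiKeys and belongs in its own commit. It also changes which nixpkgs revisions the LiveCD snippet builds against, so a short note saying which channel the plasma5 path requires, and that older pinned `<nixpkgs>` checkouts still use the kde.nix name, would save readers a failed build.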
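Review bot: the new "Switching between two or more Yubikeys." section in the README hunk at @@ -1523 says "Having created two (or more Yubikeys) with the same GPG key (as described above)", but nothing above describes loading the same key onto a second YubiKey; that procedure (keytocard, quit without saving, insert the second card, keytocard again, save) exists only as comments in the new switch-to-backup-yubikey script. Suggest moving those numbered steps into this section so the README is self-contained, and having the closing paragraph ("it is recommended to either create a script or a shell alias") link to the script this same commit adds. Smaller fixes: "form your keyring" should be "from your keyring", "serial numnber" should be "serial number", "two (or more Yubikeys)" should be "two (or more) Yubikeys", and the heading's trailing period is inconsistent with "# Cleanup" and "# SSH". It would also help to state explicitly that `learn --force` only rewrites the keyring stubs and does not touch either card, so the key material remains on every YubiKey it was written to and each card still needs to be tracked and protected as a copy of the key.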
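Review bot: the sentence appended to the italic note in the README hunk at @@ -1985 (SSH) repeats the Purchase-section addition, writes the model as "security key 5 nfc" where the other hunk has "security key 5 NFC", and "recently announced" will go stale. The existing sentence describes `ssh-keygen -t ed25519-sk`, while the new one speaks of "resident ssh keys", a different feature; if this copy is kept, either explain what resident means here or align the wording with the preceding sentence so the two do not appear to describe different things. Since the two hunks say the same thing, keep this copy (the SSH section is where a reader looks for it) and drop the Purchase one.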
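Review bot: in the new switch-to-backup-yubikey file, `read -p "Insert the Yubikey you want to use .... " ignore` is a bash/ksh extension, but the shebang is `#!/bin/sh`; on systems where sh is dash the script fails with an illegal-option error before reaching gpg-connect-agent. Either change the shebang to `#!/bin/bash` or use POSIX `printf 'Insert the Yubikey you want to use .... '` followed by `read -r ignore`. The file is added with mode 100644, so it is not executable as committed; add it with 100755 or tell the reader to chmod +x. The message "Switching GPG to backup Yubikey ..." is misleading because the script repoints the stubs to whichever YubiKey is inserted, in either direction; "Switching GPG stubs to the inserted YubiKey ..." matches what the README section says it does. Minor: "make GPG point it's stubs" should be "its stubs".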