aboutsummaryrefslogtreecommitdiffstatshomepage
path: root/README.md
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--README.md194
1 files changed, 167 insertions, 27 deletions
diff --git a/README.md b/README.md
index 4bad649..ee25016 100644
--- a/README.md
+++ b/README.md
@@ -91,7 +91,7 @@ If you have a comment or suggestion, please open an [Issue](https://github.com/d
# Purchase
-All YubiKeys except the blue "security key" model are compatible with this guide. NEO models are limited to 2048-bit RSA keys. Compare YubiKeys [here](https://www.yubico.com/products/yubikey-hardware/compare-products-series/). In May 2021, Yubico also released a press release and blog post about supporting resident ssh keys on their Yubikeys including blue "security key 5 NFC" with OpenSSH 8.2 or later, see [here](https://www.yubico.com/blog/github-now-supports-ssh-security-keys/) for details.
+All YubiKeys except the blue "security key" model and the "Bio Series - FIDO Edition" are compatible with this guide. NEO models are limited to 2048-bit RSA keys. Compare YubiKeys [here](https://www.yubico.com/products/yubikey-hardware/compare-products-series/). A list of the YubiKeys compatible with OpenPGP is available [here](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP). In May 2021, Yubico also released a press release and blog post about supporting resident ssh keys on their Yubikeys including blue "security key 5 NFC" with OpenSSH 8.2 or later, see [here](https://www.yubico.com/blog/github-now-supports-ssh-security-keys/) for details.
To verify a YubiKey is genuine, open a [browser with U2F support](https://support.yubico.com/support/solutions/articles/15000009591-how-to-confirm-your-yubico-device-is-genuine-with-u2f) to [https://www.yubico.com/genuine/](https://www.yubico.com/genuine/). Insert a Yubico device, and select *Verify Device* to begin the process. Touch the YubiKey when prompted, and if asked, allow it to see the make and model of the device. If you see *Verification complete*, the device is authentic.
@@ -268,53 +268,192 @@ $ sudo yum install -y gnupg2 pinentry-curses pcsc-lite pcsc-lite-libs gnupg2-smi
## NixOS
-Generate a NixOS LiveCD image with the given config:
+Generate an air-gapped NixOS LiveCD image with the given config:
```nix
# yubikey-installer.nix
-{ nixpkgs ? <nixpkgs>, system ? "x86_64-linux" } :
-
let
- config = { pkgs, ... }:
- with pkgs; {
- imports = [ <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix> ];
-
- boot.kernelPackages = linuxPackages_latest;
-
- services.pcscd.enable = true;
- services.udev.packages = [ yubikey-personalization ];
+ configuration = { config, lib, pkgs, ... }:
+ with pkgs;
+ let
+ src = fetchGit "https://github.com/drduh/YubiKey-Guide";
+
+ guide = "${src}/README.md";
+
+ contrib = "${src}/contrib";
+
+ drduhConfig = fetchGit "https://github.com/drduh/config";
+
+ gpg-conf = "${drduhConfig}/gpg.conf";
+
+ xserverCfg = config.services.xserver;
+
+ pinentryFlavour = if xserverCfg.desktopManager.lxqt.enable || xserverCfg.desktopManager.plasma5.enable then
+ "qt"
+ else if xserverCfg.desktopManager.xfce.enable then
+ "gtk2"
+ else if xserverCfg.enable || config.programs.sway.enable then
+ "gnome3"
+ else
+ "curses";
+
+ # Instead of hard-coding the pinentry program, chose the appropriate one
+ # based on the environment of the image the user has chosen to build.
+ gpg-agent-conf = runCommand "gpg-agent.conf" {} ''
+ sed '/pinentry-program/d' ${drduhConfig}/gpg-agent.conf > $out
+ echo "pinentry-program ${pinentry.${pinentryFlavour}}/bin/pinentry" >> $out
+ '';
+
+ view-yubikey-guide = writeShellScriptBin "view-yubikey-guide" ''
+ viewer="$(type -P xdg-open || true)"
+ if [ -z "$viewer" ]; then
+ viewer="${glow}/bin/glow -p"
+ fi
+ exec $viewer "${guide}"
+ '';
+
+ shortcut = makeDesktopItem {
+ name = "yubikey-guide";
+ icon = "${yubikey-manager-qt}/share/ykman-gui/icons/ykman.png";
+ desktopName = "drduh's YubiKey Guide";
+ genericName = "Guide to using YubiKey for GPG and SSH";
+ comment = "Open the guide in a reader program";
+ categories = [ "Documentation" ];
+ exec = "${view-yubikey-guide}/bin/view-yubikey-guide";
+ };
- environment.systemPackages = [ gnupg pinentry-curses pinentry-qt paperkey wget ];
+ yubikey-guide = symlinkJoin {
+ name = "yubikey-guide";
+ paths = [ view-yubikey-guide shortcut ];
+ };
- programs = {
- ssh.startAgent = false;
- gnupg.agent = {
- enable = true;
- enableSSHSupport = true;
+ in {
+ nixpkgs.config = { allowBroken = true; };
+
+ isoImage.isoBaseName = lib.mkForce "nixos-yubikey";
+ # Uncomment this to disable compression and speed up image creation time
+ #isoImage.squashfsCompression = "gzip -Xcompression-level 1";
+
+ boot.kernelPackages = linuxPackages_latest;
+ # Always copytoram so that, if the image is booted from, e.g., a
+ # USB stick, nothing is mistakenly written to persistent storage.
+ boot.kernelParams = [ "copytoram" ];
+ # Secure defaults
+ boot.cleanTmpDir = true;
+ boot.kernel.sysctl = { "kernel.unprivileged_bpf_disabled" = 1; };
+
+ services.pcscd.enable = true;
+ services.udev.packages = [ yubikey-personalization ];
+
+ programs = {
+ ssh.startAgent = false;
+ gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
};
+
+ environment.systemPackages = [
+ # Tools for backing up keys
+ paperkey
+ pgpdump
+ parted
+ cryptsetup
+
+ # Yubico's official tools
+ yubikey-manager
+ yubikey-manager-qt
+ yubikey-personalization
+ yubikey-personalization-gui
+ yubico-piv-tool
+ yubioath-desktop
+
+ # Testing
+ ent
+ (haskell.lib.justStaticExecutables haskellPackages.hopenpgp-tools)
+
+ # Password generation tools
+ diceware
+ pwgen
+
+ # Miscellaneous tools that might be useful beyond the scope of the guide
+ cfssl
+ pcsctools
+
+ # This guide itself (run `view-yubikey-guide` on the terminal to open it
+ # in a non-graphical environment).
+ yubikey-guide
+ ];
+
+ # Disable networking so the system is air-gapped
+ # Comment all of these lines out if you'll need internet access
+ boot.initrd.network.enable = false;
+ networking.dhcpcd.enable = false;
+ networking.dhcpcd.allowInterfaces = [];
+ networking.interfaces = {};
+ networking.firewall.enable = true;
+ networking.useDHCP = false;
+ networking.useNetworkd = false;
+ networking.wireless.enable = false;
+ networking.networkmanager.enable = lib.mkForce false;
+
+ # Unset history so it's never stored
+ # Set GNUPGHOME to an ephemeral location and configure GPG with the
+ # guide's recommended settings.
+ environment.interactiveShellInit = ''
+ unset HISTFILE
+ export GNUPGHOME="/run/user/$(id -u)/gnupg"
+ if [ ! -d "$GNUPGHOME" ]; then
+ echo "Creating \$GNUPGHOME…"
+ install --verbose -m=0700 --directory="$GNUPGHOME"
+ fi
+ [ ! -f "$GNUPGHOME/gpg.conf" ] && cp --verbose ${gpg-conf} "$GNUPGHOME/gpg.conf"
+ [ ! -f "$GNUPGHOME/gpg-agent.conf" ] && cp --verbose ${gpg-agent-conf} "$GNUPGHOME/gpg-agent.conf"
+ echo "\$GNUPGHOME is \"$GNUPGHOME\""
+ '';
+
+ # Copy the contents of contrib to the home directory, add a shortcut to
+ # the guide on the desktop, and link to the whole repo in the documents
+ # folder.
+ system.activationScripts.yubikeyGuide = let
+ homeDir = "/home/nixos/";
+ desktopDir = homeDir + "Desktop/";
+ documentsDir = homeDir + "Documents/";
+ in ''
+ mkdir -p ${desktopDir} ${documentsDir}
+ chown nixos ${homeDir} ${desktopDir} ${documentsDir}
+
+ cp -R ${contrib}/* ${homeDir}
+ ln -sf ${yubikey-guide}/share/applications/yubikey-guide.desktop ${desktopDir}
+ ln -sfT ${src} ${documentsDir}/YubiKey-Guide
+ '';
};
- };
- evalNixos = configuration: import <nixpkgs/nixos> {
- inherit system configuration;
+ nixos = import <nixpkgs/nixos/release.nix> {
+ inherit configuration;
+ supportedSystems = [ "x86_64-linux" ];
};
+ # Choose the one you like:
+ #nixos-yubikey = nixos.iso_minimal; # No graphical environment
+ #nixos-yubikey = nixos.iso_gnome;
+ nixos-yubikey = nixos.iso_plasma5;
+
in {
- iso = (evalNixos config).config.system.build.isoImage;
+ inherit nixos-yubikey;
}
```
Build the installer and copy it to a USB drive.
```console
-$ nix build -f yubikey-installer.nix --out-link installer
+$ nix build -f yubikey-installer.nix -o installer nixos-yubikey
$ sudo cp -v installer/iso/*.iso /dev/sdb; sync
-'installer/iso/nixos-20.03.git.c438ce1-x86_64-linux.iso' -> '/dev/sdb'
+'installer/iso/nixos-yubikey-22.05beta-248980.gfedcba-x86_64-linux.iso' -> '/dev/sdb'
```
-On NixOS, ensure that you have `pinentry-program /run/current-system/sw/bin/pinentry-curses` in your `$GNUPGHOME/gpg-agent.conf` before running any `gpg` commands.
-
+With this image, you won't need to manually create a [temporary working directory](#temporary-working-directory) or [harden the configuration](#harden-configuration), as it was done when creating the image.
## OpenBSD
@@ -1442,7 +1581,7 @@ Your selection? q
The number of retry attempts can be changed with the following command, documented [here](https://docs.yubico.com/software/yubikey/tools/ykman/OpenPGP_Commands.html#ykman-openpgp-access-set-retries-options-pin-retries-reset-code-retries-admin-pin-retries):
```bash
-ykman openpgp set-pin-retries 5 5 5
+ykman openpgp access set-retries 5 5 5 -f -a YOUR_ADMIN_PIN
```
## Set information
@@ -2864,3 +3003,4 @@ Before you unmount your backup, ask yourself if you should make another one just
* https://mlohr.com/gpg-agent-forwarding/
* https://www.ingby.com/?p=293
* https://support.yubico.com/support/solutions/articles/15000027139-yubikey-5-2-3-enhancements-to-openpgp-3-4-support
+* https://github.com/dhess/nixos-yubikey