Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 36 |
1 files changed, 23 insertions, 13 deletions
@@ -52,10 +52,10 @@ If you have a comment or suggestion, please open an [Issue](https://github.com/d * [Create configuration](#create-configuration) * [Replace agents](#replace-agents) * [Copy public key](#copy-public-key) - * [(Optional) Save public key for identity file configuration](#-optional--save-public-key-for-identity-file-configuration) + * [(Optional) Save public key for identity file configuration](#optional-save-public-key-for-identity-file-configuration) * [Connect with public key authentication](#connect-with-public-key-authentication) * [Import SSH keys](#import-ssh-keys) - * [Remote Machines (Agent Forwarding)](#remote-machines--agent-forwarding-) + * [Remote Machines (Agent Forwarding)](#remote-machines-agent-forwarding) + [Steps for older distributions](#steps-for-older-distributions) * [GitHub](#github) * [OpenBSD](#openbsd-1) @@ -101,11 +101,11 @@ This guide recommends using a bootable "live" Debian Linux image to provide such To use Debian Live, download the latest image: ```console -$ curl -LfO https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-10.4.0-amd64-xfce.iso - $ curl -LfO https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/SHA512SUMS $ curl -LfO https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/SHA512SUMS.sign + +$ curl -LfO https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/$(awk '/xfce.iso/ {print $2}' SHA512SUMS) ``` Verify the signature of the hashes file with GPG: 
@@ -139,8 +139,8 @@ $ gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv DF9B9C49EAA9298432589D7 Ensure the SHA512 hash of the live image matches the one in the signed file. ```console -$ grep $(sha512sum debian-live-10.4.0-amd64-xfce.iso) SHA512SUMS -SHA512SUMS:2920f398c5e9036fcec8f71b2f28b0f2a85e3ab805e66088192dc56f679e5f59f26634e8bbde70badc3cf7ce353f54a2757b2017cbc3d3df9fb2b2065b3c1041 debian-live-10.4.0-amd64-xfce.iso +$ grep $(sha512sum debian-live-*-amd64-xfce.iso) SHA512SUMS +SHA512SUMS:799ec1fdb098caa7b60b71ed1fdb1f6390a1c6717b4314265e7042fa271c84f67fff0d0380297f60c4bcd0c1001e08623ab3d2a2ad64079d83d1795c40eb7a0a debian-live-10.5.0-amd64-xfce.iso ``` See [Verifying authenticity of Debian CDs](https://www.debian.org/CD/verify) for more information. @@ -212,11 +212,12 @@ $ wget https://raw.githubusercontent.com/drduh/YubiKey-Guide/master/README.md To install and use the `ykman` utility: ```console -$ sudo apt -y install python-pip python-pyscard +$ sudo apt -y install python3-pip python3-pyscard -$ pip install PyOpenSSL +$ pip3 install PyOpenSSL + +$ pip3 install yubikey-manager -$ pip install yubikey-manager $ sudo service pcscd start 
@@ -318,7 +319,7 @@ $ cat /proc/sys/kernel/random/entropy_avail 849 ``` -Most operating systems use software-based pseudorandom number generators. A hardware random number generator like [OneRNG](https://onerng.info/onerng/) will [increase the speed](https://lwn.net/Articles/648550/) of entropy generation and possibly the quality. +Most operating systems use software-based pseudorandom number generators. On newer machines there are CPU based hardware random number generators (HRNG) or you can use a separate hardware device like the White Noise or [OneRNG](https://onerng.info/onerng/) will [increase the speed](https://lwn.net/Articles/648550/) of entropy generation and possibly the quality. From YubiKey firmware version 5.2.3 onwards - which introduces "Enhancements to OpenPGP 3.4 Support" - we can gather additional entropy from the YubiKey itself via the SmartCard interface. @@ -332,11 +333,18 @@ This will seed the Linux kernel's PRNG with additional 512 bytes retrieved from ## OneRNG -Install and configure OneRNG software: +Install [rng-tools](https://wiki.archlinux.org/index.php/Rng-tools) software: ```console -$ sudo apt -y install at rng-tools python-gnupg openssl +$ sudo apt -y install at rng-tools python3-gnupg openssl +``` +If you have a hardware device other than the CPU based one, install the accompany software and point rng-tools to its `/dev/` device. + +OneRNG specific example: + +``` +$ sudo apt -y install python-gnupg $ wget https://github.com/OneRNG/onerng.github.io/raw/master/sw/onerng_3.6-1_all.deb $ sha256sum onerng_3.6-1_all.deb @@ -1500,6 +1508,8 @@ Reboot or [securely delete](http://srm.sourceforge.net/) `$GNUPGHOME` and remove $ sudo srm -r $GNUPGHOME || sudo rm -rf $GNUPGHOME $ gpg --delete-secret-key $KEYID + +$ unset GNUPGHOME ``` **Important** Make sure you have securely erased all generated keys and revocation certificates if an ephemeral enviroment was not used! 
@@ -2395,7 +2405,7 @@ Finally, install the [Mailvelope extension](https://chrome.google.com/webstore/d If PIN attempts are exceeded, the card is locked and must be [reset](https://developers.yubico.com/ykneo-openpgp/ResetApplet.html) and set up again using the encrypted backup. -Copy the following script to a file and run `gpg-connect-agent -R $file` to lock and terminate the card. Then re-insert YubiKey to reset. +Copy the following script to a file and run `gpg-connect-agent --run $file` to lock and terminate the card. Then re-insert YubiKey to reset. ```console /hex |
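Review bot: In the `@@ -52,10 +52,10 @@` hunk, the corrected anchors (`#optional-save-public-key-for-identity-file-configuration`, `#remote-machines-agent-forwarding`) follow GitHub's heading-slug rules (punctuation dropped, spaces collapsed to single hyphens), which is why the old double-hyphen forms did not resolve. Other Markdown renderers derive slugs differently, so if the README is also read outside GitHub (for example on the cgit mirror this page comes from), these links and `#openbsd-1` remain renderer-specific; a one-line comment in the TOC noting that would save the next contributor from "fixing" them back.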
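Review bot: In the `@@ -101,11 +101,11 @@` hunk, the new download line `$(awk '/xfce.iso/ {print $2}' SHA512SUMS)` uses an unanchored pattern with an unescaped dot, so if `SHA512SUMS` ever lists more than one entry matching `xfce.iso` the substitution expands to several words and the URL passed to `curl` is malformed. Anchoring and escaping it, e.g. `awk '/amd64-xfce\.iso$/ {print $2}' SHA512SUMS`, and double-quoting the `$(...)` would make the step fail loudly instead. Worth a sentence in the text as well: the filename is taken from `SHA512SUMS` before that file's signature is verified (the "Verify the signature of the hashes file" step follows), which is acceptable only because the ISO's hash is later checked against the signed list; readers should not be tempted to skip that later check.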
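Review bot: In the `@@ -139,8 +139,8 @@` hunk, `grep $(sha512sum debian-live-*-amd64-xfce.iso) SHA512SUMS` relies on unquoted expansion: `sha512sum` prints the hash and the filename, so `grep` receives the hash as its pattern and both the ISO and `SHA512SUMS` as files to search, which is why the sample output carries the `SHA512SUMS:` prefix. It also scans the whole ISO for the string, and the new `debian-live-*` glob breaks if two image versions sit in the directory. The idiomatic check is `sha512sum -c --ignore-missing SHA512SUMS`, which verifies only the files present and prints `debian-live-10.5.0-amd64-xfce.iso: OK`; that would replace both the command and the hash line in the example.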
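Review bot: In the `@@ -212,11 +212,12 @@` hunk, the move to `python3-pip`/`python3-pyscard` and `pip3` is correct for current Debian, but `pip3 install PyOpenSSL` and `pip3 install yubikey-manager` still fetch unpinned, unverified packages from PyPI, which sits oddly next to the GPG-verified ISO download above. Suggest either preferring the distribution package where one exists (`sudo apt -y install yubikey-manager`) or pinning versions in the guide, and a note on whether the commands are meant to run as the user (`--user`) or with `sudo`, since the line above them is a `sudo apt` command and the one below is `sudo service pcscd start`.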
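Review bot: In the `@@ -318,7 +319,7 @@` hunk, the replacement sentence is ungrammatical: "On newer machines there are CPU based hardware random number generators (HRNG) or you can use a separate hardware device like the White Noise or [OneRNG](...) will [increase the speed] of entropy generation" runs two clauses together, and "the White Noise" has no link while OneRNG does. Suggest splitting it: "Newer CPUs include a hardware random number generator (HRNG); a separate device such as [OneRNG](https://onerng.info/onerng/) can also be used. Either will [increase the speed](https://lwn.net/Articles/648550/) of entropy generation and possibly its quality." If "White Noise" refers to a specific product, give it a link or drop it.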
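Review bot: In the `@@ -332,11 +333,18 @@` hunk, the section is generalised to rng-tools but the heading in context is still `## OneRNG`, so the TOC and the heading no longer describe the content; rename it (for example `## rng-tools`) and keep `OneRNG` as the sub-example. Three smaller points in the same hunk: the new "OneRNG specific example" fence is bare ``` while every other block in the file is ```console; "install the accompany software" should read "accompanying"; and the first command now installs `python3-gnupg` while the OneRNG example installs `python-gnupg`, so either the Python 2 package is genuinely required by the `onerng_3.6-1_all.deb` scripts (say so) or it should be dropped. "point rng-tools to its `/dev/` device" would be clearer with the concrete setting on Debian, `HRNGDEVICE=` in `/etc/default/rng-tools`.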
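Review bot: In the `@@ -1500,6 +1508,8 @@` hunk, adding `$ unset GNUPGHOME` is a good fix, since a stale `GNUPGHOME` pointing at a deleted directory makes every later `gpg` call in the guide fail confusingly. While touching this block, the existing `sudo srm -r $GNUPGHOME || sudo rm -rf $GNUPGHOME` silently degrades to a plain `rm -rf` when `srm` is not installed, which undercuts the "Make sure you have securely erased all generated keys" warning that follows; consider making the fallback explicit in the text. The context line also has a typo, "enviroment".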
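Review bot: In the `@@ -2395,7 +2405,7 @@` hunk, changing `gpg-connect-agent -R $file` to `--run $file` is correct; `-R` is not an option of `gpg-connect-agent`, and the short form of `--run` is lowercase `-r`, which the text could mention for readers who copied the old flag. The fenced block that follows starts with `/hex` and is a gpg-connect-agent script rather than a shell session, so tagging it ```console is misleading; a plain ``` or ```text fence would be more accurate.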