Using Yubikey with GPG encryption
Let me try to show my experience in using Yubikey as a Smartcard for storing signing and GPG encryption keys. There are a lot of information in the internet about that, but that my first try in configuring yubikey for such purposes.
Firstly we need to install necessary packages on our mac by doing the following command, I’m using brew:
$ brew install gnupg yubikey-personalization
This will allow us to program our Yubikey.
The next step is we need to create a new keys for further usage.
Generate a key
Let’s do a temporary directory:
export GNUPGHOME=$(mktemp -d)
And create a GPG configuration:
$ cat << EOF > $GNUPGHOME/gpg.conf use-agent personal-cipher-preferences AES256 AES192 AES CAST5 personal-digest-preferences SHA512 SHA384 SHA256 SHA224 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed cert-digest-algo SHA512 s2k-digest-algo SHA512 s2k-cipher-algo AES256 charset utf-8 fixed-list-mode no-comments no-emit-version keyid-format 0xlong list-options show-uid-validity verify-options show-uid-validity with-fingerprint EOF
Generate a master key
During creation a new master key, we will need to choose RSA (sign only) key and I would go with 4096 bits. And you’ll be asked to enter a passphrase, try to enter something unique and strong 🙂
VKAFEDZH-M-2R3C:~ val$ gpg --full-generate-key
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: keybox '/var/folders/yy/bp5hkvxs1px1_f1q_10kzgk40000gn/T/tmp.SRHTb4gb/pubring.kbx' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Valerii
Email address: [email protected]
Comment:
You selected this USER-ID:
"Valerii <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
public and secret key created and signed.
Note that this key cannot be used for encryption. You may want to use
the command "--edit-key" to generate a subkey for this purpose.
pub rsa4096/0xA2B71234247579BE 2018-01-28 [SC]
Key fingerprint = 1A28 A73B A841 4311 FA0A BA28 A4A7 1383 1171 7A99
uid Valerii <[email protected]>
Export a new key
export KEYID=0xA2B71234247579BE
Create subkeys
VKAFEDZH-M-2R3C:~ val$ gpg --expert --edit-key $KEYID
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
sec rsa4096/0xA2B71234247579BE
created: 2018-01-28 expires: never usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). Valerii <[email protected]>
During a creating a new subkeys enter the passphrase you entered during making a master key. In the following example I selected to generate a key with expiration in 1 year.
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Mon Jan 28 14:13:38 2019 EST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
sec rsa4096/0xA1289348BA3879AE
created: 2018-01-28 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/0xA1CDBEFBA21203A4
created: 2018-01-28 expires: 2019-01-28 usage: S
[ultimate] (1). Valerii <[email protected]>
Next, let’s create n encryption key by selecting RSA (encrypt only) – number 6
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Mon Jan 28 14:16:29 2019 EST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
sec rsa4096/0xA1289348BA3879AE
created: 2018-01-28 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/0xA1CDBEFBA21203A4
created: 2018-01-28 expires: 2019-01-28 usage: S
ssb rsa4096/0x181FFBA2120AA342
created: 2018-01-28 expires: 2019-01-28 usage: E
[ultimate] (1). Valerii <[email protected]>
I selected to create 4096 bit RSA encrypt only key which is going to be valid for 365 days only.
And let’s create an authentification key now.
read more…
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
Your selection? 8
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? S
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? E
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions:
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? A
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? Q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Mon Jan 28 14:20:11 2019 EST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Don’t forget to save it
gpg> save
Export and backup our keys
$ gpg --armor --export-secret-keys $KEYID > $GNUPGHOME/master.key $ gpg --armor --export-secret-subkeys $KEYID > $GNUPGHOME/sub.key
That will require to enter your passphrase for master key again.
Configure Yubikey
VKAFEDZH-M-2R3C:~ val$ gpg --card-edit Reader ...........: Yubico Yubikey 4 OTP U2F CCID Application ID ...: F1760095270102331226071222510019 Version ..........: 2.1 Manufacturer .....: Yubico Serial number ....: 12720751 Name of cardholder: [not set] Language prefs ...: [not set] Sex ..............: unspecified URL of public key : [not set] Login data .......: [not set] Signature PIN ....: not forced Key attributes ...: rsa2048 rsa2048 rsa2048 Max. PIN lengths .: 127 127 127 PIN retry counter : 3 0 3 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none] gpg/card> admin Admin commands are allowed gpg/card> passwd 1 - change PIN 2 - unblock PIN 3 - change Admin PIN 4 - set the Reset Code Q - quit Your selection? 3 PIN changed. 1 - change PIN 2 - unblock PIN 3 - change Admin PIN 4 - set the Reset Code Q - quit Your selection? 1 PIN changed. 1 - change PIN 2 - unblock PIN 3 - change Admin PIN 4 - set the Reset Code Q - quit Your selection? q gpg/card> quit
Let’s transfer keys from our mac to yubikey
Move keys to yubikey
VKAFEDZH-M-2R3C:~ val$ gpg --edit-key $KEYID
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa4096/0xA1289348BA3879AE
created: 2018-01-28 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/0xA1CDBEFBA21203A4
created: 2018-01-28 expires: 2019-01-28 usage: S
ssb rsa4096/0x181FFBA2120AA342
created: 2018-01-28 expires: 2019-01-28 usage: E
ssb rsa4096/0x181FFBA2120AA342
created: 2018-01-28 expires: 2019-01-28 usage: A
[ultimate] (1). Valerii <[email protected]>
gpg> key 1
sec rsa4096/0xA1289348BA3879AE
created: 2018-01-28 expires: never usage: SC
trust: ultimate validity: ultimate
ssb* rsa4096/0xA1CDBEFBA21203A4
created: 2018-01-28 expires: 2019-01-28 usage: S
ssb rsa4096/0x181FAAA2120AA342
created: 2018-01-28 expires: 2019-01-28 usage: E
ssb rsa4096/0x181FFBA2120AA342
created: 2018-01-28 expires: 2019-01-28 usage: A
[ultimate] (1). Valerii <[email protected]>
gpg> keytocard
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1
sec rsa4096/0xA1289348BA3879AE
created: 2018-01-28 expires: never usage: SC
trust: ultimate validity: ultimate
ssb* rsa4096/0xA1CDBEFBA21203A4
created: 2018-01-28 expires: 2019-01-28 usage: S
ssb rsa4096/0x181FAAA2120AA342
created: 2018-01-28 expires: 2019-01-28 usage: E
ssb rsa4096/0x181FFBA2120AA342
created: 2018-01-28 expires: 2019-01-28 usage: A
[ultimate] (1). Valerii <[email protected]>
Now for each key do *keytocard* command, before proceeding with a new key, you will need to deselect previous key by entering the same command, eg. key 1 again will deselect the key 1, then entry key 2 to select it.
Verify
VKAFEDZH-M-2R3C:~ val$ gpg --list-secret-keys
/var/folders/yy/0gn/T/tmp.Tb4gb/pubring.kbx
-------------------------------------------------------------------------
sec rsa4096/0xA1289348BA3879AE 2018-01-28 [SC]
Key fingerprint =1A28 A73B A841 4311 FA0A BA28 A4A7 1383 1171 7A99
uid [ultimate] Valerii <[email protected]>
ssb> rsa4096/0xA1289348BA3879AE 2018-01-28 [S] [expires: 2019-01-28]
ssb> rsa4096/0xA1CDBEFBA21203A4 2018-01-28 [E] [expires: 2019-01-28]
ssb> rsa4096/0x181FFBA2120AA342 2018-01-28 [A] [expires: 2019-01-28]
Export public key
$ gpg --armor --export $KEYID > ~/pubkey.txt
You may want to upload your public key to public keyserver:
$ gpg --send-key $KEYID gpg: sending key0xA2B71234247579BE to hkps://hkps.pool.sks-keyservers.net
In next posts I’ll try to use those keys for encryption/decryption and signing.