> Could you share how you gpg'd up your yubikey?
>
> - [tj]

Aye. Other people may want context:
I have moved my Debian signing GPG key to a yubikey for portability and convenience. Because I have an 'Authentication key' in place, I can use my yubikey as a travelling SSH authenticator too - I can use the device to ssh to my build server, build Debian packages and sign them on my local machine using the signing key stored on the yubikey.

Useful reading is:

https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/
https://github.com/drduh/YubiKey-Guide
https://www.yubico.com/support/knowledge-base/categories/articles/use-yubikey-openpgp/
https://wiki.debian.org/Smartcards/YubiKey4#OpenPGP

I leaned on the DrDuh, ESEV, and Debian links most.

Important things I did/lessons learned:

Backed up my entire .gnupg directory before I started. I have that buried away somewhere secure in case this all turns out to be a catastrophically shit idea.

I have recorded my admin pin and user pin in my password store using a different GPG key for encryption.

If you want to use the SSH Authentication feature, ensure you have the correct subkeys. As far as I can tell, the Yubikey has 3 slots for keys. 1x Master, 2x Subkeys to fulfill the following roles:

* Signature
* Encryption
* Authentication

If you haven't already, generate keys following*: https://github.com/drduh/YubiKey-Guide#create-subkeys

There is ongoing anxiety regarding the security of cryptographic generation of numbers on yubikeys, so probably do this on your PC. Also, keys generated on yubikeys are hard (impossible?) to get off. You want to keep your life portable.

Act with caution following the guide here - I have not (yet) published the Authentication key on keyservers as I'm not sure how the gnupg-agent generates the ssh key. I want to read up on that /before/ I potentially give folks easy access to my private bits.
Configure the yubikey, then smartcard settings: https://github.com/drduh/YubiKey-Guide#configure-yubikey

In the 'configure smartcard' section of the Drduh guide, https://github.com/drduh/YubiKey-Guide#configure-smartcard, I didn't notice it was the admin pin I was setting first, and had to fanny about with unblocking and resetting pins. Don't do this. Read and consider what you are doing to minimise time wasted. Use a unique pin for each, and it must be at least 8 numbers long. The admin pin allows for control over the device configuration. The user pin provides 2FA (the button on the device must be pressed /and/ the pin must be entered).

I transferred the keys using key2card as mentioned in the drduh guide: https://github.com/drduh/YubiKey-Guide#transfer-keys

For SSH authentication, by default the yubikey will not wait for you to touch it to authenticate. I dislike this as it means any rogue program/user can use it to authenticate with $server in my terminal history. To require touch input for each approval, I used this script: https://github.com/a-dma/yubitouch

But if you have the yubikey manager installed, follow https://github.com/drduh/YubiKey-Guide#requiring-touch-to-authenticate

It takes a little while to recognise the flashes the yubikey is doing - sometimes I don't realise till after the operation has failed that it actually wanted my input. Keep an eye on it and learn to understand the "I'm busy being edited" blink and the "I want you to touch me" blink.

--
Hibby
d...@vehibberd.com
MM3ZRZ

_______________________________________________
57north-discuss mailing list
57north-discuss@lists.57north.co
http://lists.57north.co/listinfo/57north-discuss
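An added example (not from Hibby's post or any of the linked guides) covering the two things the post is unsure about: wiring gpg-agent up as the SSH agent, and checking from `gpg --card-status` output whether the card's Authentication slot is filled and whether touch is required for it. It assumes GnuPG 2.1+ and the `gpg --card-status` line format reproduced in the constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes GnuPG 2.1+ (gpg-agent
# can speak the ssh-agent protocol) and the `gpg --card-status` line format:
# "[none]" marks an empty slot; "UIF setting" reports the touch policy on
# cards that support it.

# Line for ~/.gnupg/gpg-agent.conf: without it gpg-agent does not serve
# the card's Authentication subkey to ssh at all.
gpg_agent_conf() {
    printf 'enable-ssh-support\n'
}

# Line for the shell profile: point ssh at gpg-agent's socket rather than
# OpenSSH's own agent. `ssh-add -L` should then list the card's key.
ssh_env_line() {
    printf 'export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"\n'
}

# Read `gpg --card-status` on stdin; print the slots that hold a key
# (Signature, Encryption, Authentication), one per line.
filled_slots() {
    awk -F': *' '/^(Signature|Encryption|Authentication) key/ && $2 != "[none]" {
        sub(/ key.*/, "", $1); print $1
    }'
}

# Read `gpg --card-status` on stdin; print the Authentication touch policy
# ("on"/"off"), or "unknown" if the card reports none. "off" is the default
# the post objects to: anything holding the agent socket can log in unprompted.
auth_touch_policy() {
    awk '/^UIF setting/ { for (i = 1; i <= NF; i++) if (sub(/^Auth=/, "", $i)) { print $i; found = 1 } }
         END { if (!found) print "unknown" }'
}

# Constructed sample status (fake fingerprints): Authentication slot still
# empty, touch not yet required. Pipe real output in with:
#   gpg --card-status | filled_slots
SAMPLE_STATUS='Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Version ..........: 3.4
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: 0000 1111 2222 3333 4444  5555 6666 7777 8888 9999
Encryption key....: AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333
Authentication key: [none]'

printf '%s\n' "$SAMPLE_STATUS" | filled_slots
printf '%s\n' "$SAMPLE_STATUS" | auth_touch_policy
```

On the sample this lists Signature and Encryption only and reports the Auth touch policy as off, which is exactly the state where ssh would work silently once the slot is filled.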