diff --git a/Yubikey.md b/Yubikey.md index f70f883..85b055e 100644 --- a/Yubikey.md +++ b/Yubikey.md 
@@ -32,18 +32,179 @@ notes) [helpful-youtube-video](https://www.youtube.com/watch?v=xGsixSh6sC4) The `GPG-Suite` application needs to be installed on macOS in order to interact with the yubikey. + +```bash +brew install gpg-suite-no-mail +``` + This then gives you access to use the `gpg --card-edit` command that allows you to add gpg-keys to the yubikey itself. +The yubikey only stores the private parts of the sub-keys, so the public portions need to still be +on the machine or downloaded from a key server. + +[URL of public key](https://keys.openpgp.org/vks/v1/by-fingerprint/B86F487BF0A715D016DB140A37F1B52C60D8C24B) + ### Default PIN's for yubikey (need changed below). 1. User: 123456 1. Admin: 12345678 -### Sequence (from memory, may be off / need checked). +### Sequence -1. `gpg --card-edit` -1. `admin` +#### Export and store the secret keys before starting. + +> Note: This is around 8m in the video linked above. + +Create a directory to store the exported keys. + +```bash +mkdir /tmp/gpg +``` + +List the keys. + +```bash +gpg --fingerprint --fingerprint +``` + +Export the secret keys, individually (this is for convenience, if you export the master key then the +sub-keys are included). + +```bash +gpg --export-secret-subkeys --armor > +/tmp/gpg/michael-.private--subkey.txt + +``` + +#### Import keys to yubikey. + +```bash +gpg --edit-key B86F487BF0A715D016DB140A37F1B52C60D8C24B +``` + +Then you need to select the sub-keys one at a time and move them to the appropriate slog on the +yubikey. The sub-keys should all have an expiration date associated with them, where as the master +keys are generally set to never expire, **you only want to move the sub-keys**. + +Look for the key that the line begins with `sub` (sub-key) and usage is `S` (signing). And select it +by typing `key `, a star should appear next to the selected key. + +```bash +gpg> key 4 +``` + +Transfer the key to the card. 
+ +```bash +gpg> keytocard +``` + +Then select the number option for the type of key that you've selected, here you will be asked for +the password for the GPG key first, then the Admin GPG PIN for the yubikey in order to move the +private key onto the yubikey. + +When the key has been moved you will have to type the key and the number to deselect the key before +choosing the next one (i.e. `key 4` then `key 5` to choose the next key). + +Repeat this process for key types `S` (sign), `A` (authenticate), and `E` (encrypt), choosing the +appropriate slot for each. + +Once the keys are moved you type `quit`, it will prompt to save changes and you choose `n` (no), +then it will prompt to quit without saving and you select `y`. Otherwise you secret keys will be +deleted upon saving, which you will want to make a backup first. + +#### Save secret keys + +Next we will save the secret keys we exported in the beginning, these should typically be stored in +a safe location disconnected from the internet (such as a usb thumb drive). + +I like to wrap them up in a disk image that is password protected. + +```bash +hdutil create -encryption AES-256 -srcfolder /tmp/gpg /tmp/gpg.dmg +``` + +#### Delete the secret keys + +You do not want secret keys to be on your machine, they should only be stored in a safe location and +on the yubikey. + +```bash +gpg --delete-secret-keys +``` + +This will prompt / warn you several times just click yes or OK for all of it. + +You can check that they were deleted by using this command, which shouldn't output anything. + +```bash +gpg --list-secret-keys +``` + +#### Edit the card details + +Here we will edit the card details. + +```bash +gpg --card-edit +``` + +Enter admin mode. + +```bash +gpg/card> admin +``` + +Show the actions you can take + +```bash +gpg/card> help +``` + +Change the admin password + +```bash +gpg/card> passwd +``` + +Select option 3 to change the admin password. 
It will prompt for the current password `12345678`, +then ask for a new password. + +Then we need to change the user password, which is option 1. It will prompt for the current password +`123456`, then ask for a new password. This password will be needed whenever you need to do an +operation using the private keys stored in the yubikey. + +When done type `Q`, then you can change other items about the card if you'd like, such as name, url, +etc. + +## Set long-press of yubikey to be the GPG user password + +When the private GPG keys on the card are protected by a password you are prompted every time you +sign a code commit, so I setup the long press of the yubikey to output the gpg user's password +rather than have to get it from a password manager. + +## Test it. + +Create a test file that you can sign. + +```bash +echo "Test test..." >> /tmp/test.txt +``` + +Sign the test file. + +```bash +gpg --clearsign /tmp/test.txt +``` + +Check that it worked. + +```bash +cat /tmp/test.txt.asc +``` + +Remove the yubikey and try again, it shouldn't be possible without the yubikey being inserted. ## Setting up macOS to use gpg-agent for ssh
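Review bot: the disk-image command in the "Save secret keys" step is misspelled: `hdutil` should be `hdiutil`, so the line should read `hdiutil create -encryption AES-256 -srcfolder /tmp/gpg /tmp/gpg.dmg`; as written, a reader copying it gets "command not found" and the keys never get wrapped in the encrypted image before the later "Delete the secret keys" step removes them from the keyring. Two related commands in the same hunk are incomplete in ways the surrounding text contradicts: the export block is split across two lines (`gpg --export-secret-subkeys --armor >` / `/tmp/gpg/michael-.private--subkey.txt`) and takes no key ID even though the prose says to export "individually", and `gpg --delete-secret-keys` likewise has no key ID argument; both should name the key (e.g. the B86F487B... fingerprint used in the `--edit-key` line) and the export should be one line. Also worth a sentence in the "Set long-press of yubikey to be the GPG user password" section: storing the user PIN in the key's static-password slot means possession of the device alone is enough to use the private keys, so the PIN no longer adds a second factor; the doc should state that trade-off rather than present it only as a convenience. Minor wording in the hunk: "slog" should be "slot", "where as" should be "whereas", "you secret keys" should be "your secret keys", and "Default PIN's" should be "Default PINs".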