feat: Updates gpg notes for yubikey with better step-by-step instructions.

2025-03-28 10:09:06 -04:00
parent 7c22f75ea4
commit eb901d528a


@@ -32,18 +32,179 @@ notes)
[helpful-youtube-video](https://www.youtube.com/watch?v=xGsixSh6sC4)
The `GPG-Suite` application needs to be installed on macOS in order to interact with the yubikey.
```bash
brew install gpg-suite-no-mail
```
This then gives you access to use the `gpg --card-edit` command that allows you to add gpg-keys to
the yubikey itself.
The yubikey only stores the private parts of the sub-keys, so the public portions need to still be
on the machine or downloaded from a key server.
[URL of public key](https://keys.openpgp.org/vks/v1/by-fingerprint/B86F487BF0A715D016DB140A37F1B52C60D8C24B)
### Default PIN's for yubikey (need changed below).
1. User: 123456
1. Admin: 12345678
### Sequence (from memory, may be off / need checked).
### Sequence
1. `gpg --card-edit`
1. `admin`
#### Export and store the secret keys before starting.
> Note: This is around 8m in the video linked above.
Create a directory to store the exported keys.
```bash
mkdir /tmp/gpg
```
List the keys.
```bash
gpg --fingerprint --fingerprint
```
Export the secret keys, individually (this is for convenience, if you export the master key then the
sub-keys are included).
```bash
gpg --export-secret-subkeys --armor <LAST-8-DIGITS-OF-FINGERPRINT> >
/tmp/gpg/michael-<LAST-8-DIGITS-OF-FINGERPRINT>.private-<Key Type>-subkey.txt
```
#### Import keys to yubikey.
```bash
gpg --edit-key B86F487BF0A715D016DB140A37F1B52C60D8C24B
```
Then you need to select the sub-keys one at a time and move them to the appropriate slog on the
yubikey. The sub-keys should all have an expiration date associated with them, where as the master
keys are generally set to never expire, **you only want to move the sub-keys**.
Look for the key that the line begins with `sub` (sub-key) and usage is `S` (signing). And select it
by typing `key <num>`, a star should appear next to the selected key.
```bash
gpg> key 4
```
Transfer the key to the card.
```bash
gpg> keytocard
```
Then select the number option for the type of key that you've selected, here you will be asked for
the password for the GPG key first, then the Admin GPG PIN for the yubikey in order to move the
private key onto the yubikey.
When the key has been moved you will have to type the key and the number to deselect the key before
choosing the next one (i.e. `key 4` then `key 5` to choose the next key).
Repeat this process for key types `S` (sign), `A` (authenticate), and `E` (encrypt), choosing the
appropriate slot for each.
Once the keys are moved you type `quit`, it will prompt to save changes and you choose `n` (no),
then it will prompt to quit without saving and you select `y`. Otherwise you secret keys will be
deleted upon saving, which you will want to make a backup first.
#### Save secret keys
Next we will save the secret keys we exported in the beginning, these should typically be stored in
a safe location disconnected from the internet (such as a usb thumb drive).
I like to wrap them up in a disk image that is password protected.
```bash
hdutil create -encryption AES-256 -srcfolder /tmp/gpg /tmp/gpg.dmg
```
#### Delete the secret keys
You do not want secret keys to be on your machine, they should only be stored in a safe location and
on the yubikey.
```bash
gpg --delete-secret-keys <KEY ID>
```
This will prompt / warn you several times just click yes or OK for all of it.
You can check that they were deleted by using this command, which shouldn't output anything.
```bash
gpg --list-secret-keys
```
#### Edit the card details
Here we will edit the card details.
```bash
gpg --card-edit
```
Enter admin mode.
```bash
gpg/card> admin
```
Show the actions you can take
```bash
gpg/card> help
```
Change the admin password
```bash
gpg/card> passwd
```
Select option 3 to change the admin password. It will prompt for the current password `12345678`,
then ask for a new password.
Then we need to change the user password, which is option 1. It will prompt for the current password
`123456`, then ask for a new password. This password will be needed whenever you need to do an
operation using the private keys stored in the yubikey.
When done type `Q`, then you can change other items about the card if you'd like, such as name, url,
etc.
## Set long-press of yubikey to be the GPG user password
When the private GPG keys on the card are protected by a password you are prompted every time you
sign a code commit, so I setup the long press of the yubikey to output the gpg user's password
rather than have to get it from a password manager.
## Test it.
Create a test file that you can sign.
```bash
echo "Test test..." >> /tmp/test.txt
```
Sign the test file.
```bash
gpg --clearsign /tmp/test.txt
```
Check that it worked.
```bash
cat /tmp/test.txt.asc
```
Remove the yubikey and try again, it shouldn't be possible without the yubikey being inserted.
## Setting up macOS to use gpg-agent for ssh
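Review bot: In the "Delete the secret keys" section, the sequence quits `--edit-key` without saving (so no card stubs are written) and then runs `gpg --delete-secret-keys <KEY ID>`, which leaves the keyring with no reference to the card at all; the later `gpg --clearsign /tmp/test.txt` step will then fail with "no secret key". Add a `gpg --card-status` step (YubiKey inserted) after the delete so gpg recreates the secret-key stubs that point at the card, and only then run the test. In "Save secret keys", `hdutil create -encryption AES-256 -srcfolder /tmp/gpg /tmp/gpg.dmg` is a typo for `hdiutil`; as written the command does not exist and no encrypted image is produced before the keys are deleted. In the export step, `gpg --export-secret-subkeys --armor <LAST-8-DIGITS-OF-FINGERPRINT>` given a subkey ID still exports every subkey of that key; append `!` to the ID to export only the one subkey the text says it is exporting. Minor: "slog" should be "slot" in "Import keys to yubikey", the `### Sequence` heading appears twice, and the "Set long-press" section stores the card's user PIN on the same device that holds the private keys, which reduces the PIN to a single factor for anyone holding the YubiKey; that trade-off is worth stating next to the instruction.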