
@DeviaVir
Created May 2, 2016 16:37

Install the YubiKey personalization tool via Homebrew

brew install ykpers

Install GPG Suite on your machine (it provides gpg2, gpg-agent and the pinentry-mac program referenced in the agent config further down)

Plug in your key and activate the CCID (smart-card) interface, which is what GnuPG talks to; mode 0x86 enables the OTP, U2F and CCID interfaces together. Unplug and re-insert the key after committing, because the new mode only takes effect after a power cycle.

$ ykpersonalize -m86
Firmware version 3.4.2 Touch level 1541 Program sequence 1
 
The USB mode will be set to: 0x86
 
Commit? (y/n) [n]: y

Configure a PIN and an Admin PIN (your name comes in the next step). Save both PINs in your password manager and do not reuse existing PINs. The factory defaults are 123456 for the PIN and 12345678 for the Admin PIN. Each PIN allows three wrong attempts (the "PIN retry counter : 3 3 3" line below lists the PIN, Reset Code and Admin PIN counters): a blocked PIN can be unblocked with the Admin PIN, but three wrong Admin PINs lock the card, and only a factory reset of the OpenPGP applet, which destroys the keys on it, brings it back.

$ gpg2 --card-edit
Application ID ...: X
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: X
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
 
gpg/card> admin
Admin commands are allowed
 
gpg/card> passwd
gpg: OpenPGP card no. X detected
 
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
 
Your selection? 1
(You will have to type the old PIN, 123456 by default, and then enter the new PIN twice.)
PIN changed.
 
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
 
Your selection? 3
(You will have to type the old Admin PIN, 12345678 by default, and then enter the new Admin PIN twice.)
PIN changed.
 
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
 
Your selection? q

Tell your Yubikey about you

$ gpg2 --card-edit
Application ID ...: X
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: X
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
 
gpg/card> admin
Admin commands are allowed
 
gpg/card> name
Cardholder's surname: surname
Cardholder's given name: name
 
gpg/card> sex
Sex ((M)ale, (F)emale or space): M
 
gpg/card> login
Login data (account name): name
 
gpg/card> lang
Language preferences: en
 
gpg/card> quit

Generate the keys. This has the card generate the signature, encryption and authentication keys itself (RSA 2048 each, as the "Key attributes" line shows) and store them on the card, so the private keys never leave the YubiKey. The one exception is the off-card backup prompt below: answering Y makes GnuPG generate the encryption key on the host, load it onto the card and keep an encrypted copy on disk, so you can still decrypt old messages if the key is lost or broken. The signature and authentication keys cannot be backed up; if the YubiKey is lost they have to be revoked.

$ gpg2 --card-edit
Application ID ...: X
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: X
Name of cardholder: name surname
Language prefs ...: en
Sex ..............: male
URL of public key : [not set]
Login data .......: name
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
 
gpg/card> admin
Admin commands are allowed
 
gpg/card> generate
Make off-card backup of encryption key? (Y/n) Y
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 5y
Key expires at Tue Feb  9 15:55:04 2021 PST
Is this correct? (y/N) y
 
GnuPG needs to construct a user ID to identify your key.
 
Real name: Name Surname
Email address: [email protected]
Comment: Anything
You selected this USER-ID:
    "Name Surname (Anything) <[email protected]>"
 
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
(Note: this step takes a little while, about a minute, because the card generates the keys itself.)
gpg: key X marked as ultimately trusted
public and secret key created and signed.
 
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   4  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: next trustdb check due at 2018-08-19
pub   2048R/X 2016-02-11 [expires: 2021-02-09]
      Key fingerprint = X X X X X X X
uid       [ultimate] Name Surname (Anything) <[email protected]>
sub   2048R/X 2016-02-11 [expires: 2021-02-09]
sub   2048R/X 2016-02-11 [expires: 2021-02-09]
 
gpg/card> quit

GnuPG prints where it wrote the backup of the encryption key (a file named sk_<keyid>.gpg under ~/.gnupg). Move that file off your PC, onto an external USB stick or into an encrypted (for example triplesec) off-site backup, and securely delete the local copy. That file is what you would load onto a replacement YubiKey with keytocard.
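
As an added check after the card steps above (this script is not part of the gist), the following audits the card's state from gpg2 --card-status output: it flags empty key slots, a signature PIN that is not forced, weak key attributes, and retry counters that show a mistyped or blocked PIN. The sample status texts are constructed in the same layout as the transcripts above; the YK_AUDIT_RUN variable name is this example's own.

```shell
#!/usr/bin/env bash
# Audit an OpenPGP card after provisioning (added example, not from the gist).
# Assumes the GnuPG 2.0-era "gpg2 --card-status" layout shown in the transcripts.
set -eu

# Extract one field from card-status text: card_field "$text" "PIN retry counter".
# Labels are padded with dots or spaces before the colon, so both are skipped.
card_field() {
  printf '%s\n' "$1" | sed -n "s/^$2[ .]*: *//p" | head -n 1
}

# Check that the card is fully provisioned and that no PIN has been mistyped.
# Prints findings and returns 0 when everything is in order, 1 otherwise.
audit_card() {
  local status=$1 rc=0 retries slot val attrs
  retries=$(card_field "$status" "PIN retry counter")
  if [ -z "$retries" ]; then
    echo "FAIL: no card-status output (is the key plugged in and in CCID mode?)"
    return 1
  fi
  # Counter order is user PIN (PW1), Reset Code, Admin PIN (PW3); 3 attempts each.
  set -- $retries
  if [ "$1" -lt 3 ]; then
    echo "WARN: user PIN retry counter is $1; 0 means blocked, unblock it with the Admin PIN"
    rc=1
  fi
  if [ "$3" -eq 0 ]; then
    echo "FAIL: Admin PIN is blocked; only a factory reset of the OpenPGP applet recovers the card (keys are lost)"
    rc=1
  fi
  for slot in "Signature key" "Encryption key" "Authentication key"; do
    val=$(card_field "$status" "$slot")
    case "$val" in
      ""|"[none]") echo "FAIL: $slot slot is empty"; rc=1 ;;
      *) echo "ok:   $slot = $val" ;;
    esac
  done
  if [ "$(card_field "$status" "Signature PIN")" != "forced" ]; then
    echo "WARN: signature PIN is not forced; one PIN entry allows unlimited signatures until the key is unplugged"
    rc=1
  fi
  attrs=$(card_field "$status" "Key attributes")
  case "$attrs" in
    *1024*) echo "WARN: 1024-bit RSA key slot(s): $attrs"; rc=1 ;;
    *) echo "ok:   key attributes = $attrs" ;;
  esac
  return $rc
}

# Constructed samples in the same layout as the transcripts above (X = placeholder).
CARD_FRESH='Application ID ...: X
Version ..........: 2.0
Manufacturer .....: Yubico
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
PIN retry counter : 3 3 3
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]'

CARD_DONE='Application ID ...: X
Version ..........: 2.0
Manufacturer .....: Yubico
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
PIN retry counter : 3 3 3
Signature key ....: X
Encryption key....: X
Authentication key: X'

# Same card after a mistyped user PIN and a blocked Admin PIN (constructed).
CARD_LOCKED=$(printf '%s\n' "$CARD_DONE" | sed 's/^PIN retry counter : 3 3 3/PIN retry counter : 0 3 0/')

# Audit the real card only when asked to (YK_AUDIT_RUN=1 ./audit.sh).
if [ "${YK_AUDIT_RUN:-0}" = 1 ]; then
  audit_card "$(gpg2 --card-status)"
fi
```

Run it with YK_AUDIT_RUN=1 right after the generate step and again whenever a PIN prompt was cancelled or mistyped; a counter that has dropped is the earliest sign that someone (or some script) is guessing PINs against the card.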

Edit your ~/.gnupg/gpg-agent.conf

pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
default-cache-ttl 600
max-cache-ttl 7200
enable-ssh-support
write-env-file

Edit your ~/.bash_profile (or ~/.profile or ~/.zshrc) and add the following lines so that gpg-agent (and thus the YubiKey) acts as your SSH agent. This relies on the write-env-file mechanism of GnuPG 2.0; GnuPG 2.1 and later drop write-env-file and GPG_AGENT_INFO, and there you point SSH_AUTH_SOCK at the socket reported by "gpgconf --list-dirs agent-ssh-socket" instead:

# GPG Agent config
GPG_TTY=$(tty)
export GPG_TTY
if [ -f "${HOME}/.gpg-agent-info" ]; then
    . "${HOME}/.gpg-agent-info"
    export GPG_AGENT_INFO
    export SSH_AUTH_SOCK
fi

Log out and back in (or run: killall gpg-agent ; gpg-agent --daemon ; source ~/.bash_profile). Then verify the wiring: gpg2 --card-status must show the card, and ssh-add -L must list the card's authentication key with a cardno:<serial> comment; that line is the public key to add to authorized_keys on the servers you log in to.
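
As an added example (not the gist's own code), the following script performs the agent steps above idempotently and then checks that SSH really offers the YubiKey's key. It assumes the GnuPG 2.0 gpg-agent.conf shown above, the ~/.gpg-agent-info file that write-env-file produces, and the "cardno:" comment that scdaemon attaches to card keys in ssh-add -L output. The sample agent-info and ssh-add texts are constructed, and the YK_SSH_RUN variable name is this example's own.

```shell
#!/usr/bin/env bash
# Wire SSH to gpg-agent and verify the YubiKey key is offered (added example).
set -eu

# Append each required gpg-agent.conf line only if it is missing, so reruns are safe.
ensure_agent_conf() {
  local conf=$1 line
  mkdir -p "$(dirname "$conf")"
  touch "$conf"
  while IFS= read -r line; do
    grep -qxF -- "$line" "$conf" || printf '%s\n' "$line" >>"$conf"
  done <<'EOF'
pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
default-cache-ttl 600
max-cache-ttl 7200
enable-ssh-support
write-env-file
EOF
}

# Print the SSH socket named in .gpg-agent-info text (KEY=VALUE lines); empty if absent.
agent_ssh_socket() {
  printf '%s\n' "$1" | sed -n 's/^SSH_AUTH_SOCK=//p' | head -n 1
}

# Count keys in "ssh-add -L" output that live on the card (scdaemon comments them cardno:...).
card_ssh_keys() {
  printf '%s\n' "$1" | grep -c ' cardno:' || true
}

# Restart the agent the way the gist does, load its environment and check the card key.
setup_and_verify() {
  local n
  ensure_agent_conf "$HOME/.gnupg/gpg-agent.conf"
  killall gpg-agent 2>/dev/null || true
  gpg-agent --daemon >/dev/null          # write-env-file in the conf writes ~/.gpg-agent-info
  SSH_AUTH_SOCK=$(agent_ssh_socket "$(cat "$HOME/.gpg-agent-info")")
  export SSH_AUTH_SOCK
  n=$(card_ssh_keys "$(ssh-add -L 2>/dev/null || true)")
  if [ "$n" -gt 0 ]; then
    echo "ok: $n key(s) from the YubiKey offered on $SSH_AUTH_SOCK"
  else
    echo "FAIL: no cardno: key in ssh-add -L; check gpg2 --card-status and SSH_AUTH_SOCK"
    return 1
  fi
}

# Constructed samples of the two files/outputs the script reads.
AGENT_INFO_SAMPLE='GPG_AGENT_INFO=/tmp/gpg-abc123/S.gpg-agent:4242:1
SSH_AUTH_SOCK=/tmp/gpg-abc123/S.gpg-agent.ssh
SSH_AGENT_PID=4242'

SSH_ADD_SAMPLE='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC... cardno:000012345678
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD... /Users/name/.ssh/id_rsa'

# Touch the real agent only when asked to (YK_SSH_RUN=1 ./ssh-agent-setup.sh).
if [ "${YK_SSH_RUN:-0}" = 1 ]; then
  setup_and_verify
fi
```

If the check fails while gpg2 --card-status works, the usual cause is a stale SSH_AUTH_SOCK from a previously started ssh-agent; the socket must be the gpg-agent one (its path ends in S.gpg-agent.ssh), otherwise ssh never asks the YubiKey at all.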
