We use infrastructure secrets to encrypt sensitive data, deploy cloud instances, remotely log in and administer systems.
In order to add simplicity and security to infrastructure secret management we are testing the yubikey 4 nano.
NOTE: with the yubikey 4 nano I have noted that ykpersonalize -m1 (CCID mode only) does not seem to have an effect.. Look into this!!! it is annoying mis-firing OTP.
Our goal is to prevent storing our secrets on our ops workstations or laptops. To that end we would move our ssh keys and gpg keys to the Openpgp card on the nano.
This should allow us to have:
- standard ssh access to systems with an rsa key through gpg and gpg-agent
- standard ssh forwarding
- passcode protected loading of ec2 deploy keys (required for bastion deployments into private vpcs)
- protected gpg encryption secret keys store off system
Install these tools for the yubikey
$ brew update
$ brew cask update
$ brew cask install yubikey-neo-manager yubikey-personalization-gui
$ brew install yubikey-personalization
Since my key ring exists and does not have an rsa subeky for authentication (ssh'ing into boxes) I need to add one.
https://developers.yubico.com/PGP/Importing_keys.html
~ $ gpg -K
/Users/loehmafr/.gnupg/secring.gpg
----------------------------------
sec 2048R/5F87E7A8 2011-07-31
uid Fran Loehmann <[email protected]>
uid Fran Loehmann <[email protected]>
ssb 2048R/5157AA14 2011-07-31
\# generage revoke cert
gpg --output 5F87E7A8-revoke.asc --gen-revoke 5F87E7A8
\# try and add a key for ssh auth
~ $ gpg --expert --edit-key 5F87E7A8
gpg (GnuPG/MacGPG2) 2.0.28; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 2048R/5F87E7A8 created: 2011-07-31 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048R/5157AA14 created: 2011-07-31 expires: never usage: E
[ultimate] (1). Fran Loehmann <[email protected]>
[ultimate] (2) Fran Loehmann <[email protected]>
gpg> addkey
Key is protected.
You need a passphrase to unlock the secret key for
user: "Fran Loehmann <[email protected]>"
2048-bit RSA key, ID 5F87E7A8, created 2011-07-31
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
Your selection?
#Select 8 and successively choose S E A Q
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? S
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? E
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions:
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? A
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? Q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
pub 2048R/5F87E7A8 created: 2011-07-31 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048R/5157AA14 created: 2011-07-31 expires: never usage: E
sub 2048R/D848C147 created: 2016-01-17 expires: never usage: A
[ultimate] (1). Fran Loehmann <[email protected]>
[ultimate] (2) Fran Loehmann <[email protected]>
gpg> save
~ $ gpg -K
/Users/loehmafr/.gnupg/secring.gpg
----------------------------------
sec 2048R/5F87E7A8 2011-07-31
uid Fran Loehmann <[email protected]>
uid Fran Loehmann <[email protected]>
ssb 2048R/5157AA14 2011-07-31
ssb 2048R/D848C147 2016-01-17
~ $ gpg --export-secret-key 5F87E7A8 > /Volumes/NO\ NAME/5F87E7A8-secret.gpg
Since we will be using gpg-agent with ssh support we will need to disable ssh-agent on the laptop.
launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
NOTE: Since I broke stuff, I needed to touch /var/log/gpg-agent.log and chown to my user, should not need the logging unless in debug mode.
~ $ cp .gnupg/gpg-agent.conf .gnupg/gpg-agent.conf.orig
~ $ diff .gnupg/gpg-agent.conf.orig .gnupg/gpg-agent.conf
1a2,8
> enable-ssh-support
> write-env-file
> use-standard-socket
> default-cache-ttl 600
> max-cache-ttl 7200
> #debug-level advanced
> #log-file /var/log/gpg-agent.log
Add gpg-agent to user env ~/.bash_profile:
# Launch agent in shell
export GPG_TTY=$(tty)
if [ -f "${HOME}/.gpg-agent-info" ]; then
. "${HOME}/.gpg-agent-info"
export GPG_AGENT_INFO
export SSH_AUTH_SOCK
fi
gpg --export-secret-key --armor 5F87E7A8 > fran-gpg-5F87E7A8-backup-20160118.asc
Insert Key
https://www.yubico.com/start/mac-os/
Go through Keyboard ID.. touch yubikey when it says touch key and then choose ANSI.
####### check version
~ $ ykinfo -v
version: 4.2.7
Check agent works and show version..
~ $ gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
D[0000] 04 02 07 90 00 .....
OK
####### set yubikey for CCID (pgp mode only)
NOTE: This did not seem to work!!
https://www.yubico.com/2012/12/yubikey-neo-composite-device/
This is a one way change and will only allow us to use the card for PGP which is the only thing I am looking to do..
ykpersonalize -m1
~ $ ykpersonalize -m1
Firmware version 4.2.7 Touch level 517 Program sequence 1
The USB mode will be set to: 0x1
Commit? (y/n) [n]: y
WARNING: This tool will not be able to switch back from the selected mode, really commit? (y/n) [n]: y
Default:
- Admin: 12345678
- User: 123456
~ $ gpg --card-edit
Application ID ...: D2760001240102010006041646820000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 04164682
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
gpg/card> admin
Admin commands are allowed
gpg/card> passwd
gpg: OpenPGP card no. D2760001240102010006041646820000 detected
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 3
PIN changed.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 1
PIN changed.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? q
Sine we don't want our keys to be stored on the local machine we will send them to the card.
https://developers.yubico.com/PGP/Importing_keys.html
~ $ gpg -K
/Users/loehmafr/.gnupg/secring.gpg
----------------------------------
sec 2048R/5F87E7A8 2011-07-31
uid Fran Loehmann <[email protected]>
uid Fran Loehmann <[email protected]>
ssb 2048R/5157AA14 2011-07-31
ssb 2048R/D848C147 2016-01-17
loehmafr@0101M307158LM:
~ $ gpg --edit-key 5F87E7A8
gpg (GnuPG/MacGPG2) 2.0.28; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 2048R/5F87E7A8 created: 2011-07-31 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048R/5157AA14 created: 2011-07-31 expires: never usage: E
sub 2048R/D848C147 created: 2016-01-17 expires: never usage: A
[ultimate] (1). Fran Loehmann <[email protected]>
[ultimate] (2) Fran Loehmann <[email protected]>
gpg> toggle
sec 2048R/5F87E7A8 created: 2011-07-31 expires: never
ssb 2048R/5157AA14 created: 2011-07-31 expires: never
ssb 2048R/D848C147 created: 2016-01-17 expires: never
(1) Fran Loehmann <[email protected]>
(2) Fran Loehmann <[email protected]>
gpg> keytocard
Really move the primary key? (y/N) Y
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1
You need a passphrase to unlock the secret key for
user: "Fran Loehmann <[email protected]>"
2048-bit RSA key, ID 5F87E7A8, created 2011-07-31
sec 2048R/5F87E7A8 created: 2011-07-31 expires: never
card-no: 0006 04164682
ssb 2048R/5157AA14 created: 2011-07-31 expires: never
ssb 2048R/D848C147 created: 2016-01-17 expires: never
(1) Fran Loehmann <[email protected]>
(2) Fran Loehmann <[email protected]>
## now enc key
gpg> key 1
sec 2048R/5F87E7A8 created: 2011-07-31 expires: never
card-no: 0006 04164682
ssb* 2048R/5157AA14 created: 2011-07-31 expires: never
ssb 2048R/D848C147 created: 2016-01-17 expires: never
(1) Fran Loehmann <[email protected]>
(2) Fran Loehmann <[email protected]>
gpg> keytocard
Signature key ....: E15B ABF3 1D2D 10C7 DA5D 0B29 39FC 9F33 5F87 E7A8
Encryption key....: [none]
Authentication key: [none]
Please select where to store the key:
(2) Encryption key
Your selection? 2
You need a passphrase to unlock the secret key for
user: "Fran Loehmann <[email protected]>"
2048-bit RSA key, ID 5157AA14, created 2011-07-31
sec 2048R/5F87E7A8 created: 2011-07-31 expires: never
card-no: 0006 04164682
ssb* 2048R/5157AA14 created: 2011-07-31 expires: never
card-no: 0006 04164682
ssb 2048R/D848C147 created: 2016-01-17 expires: never
(1) Fran Loehmann <[email protected]>
(2) Fran Loehmann <[email protected]>
# unset key 1
gpg> key 1
sec 2048R/5F87E7A8 created: 2011-07-31 expires: never
card-no: 0006 04164682
ssb 2048R/5157AA14 created: 2011-07-31 expires: never
card-no: 0006 04164682
ssb 2048R/D848C147 created: 2016-01-17 expires: never
(1) Fran Loehmann <[email protected]>
(2) Fran Loehmann <[email protected]>
# now auth key
gpg> key 2
sec 2048R/5F87E7A8 created: 2011-07-31 expires: never
card-no: 0006 04164682
ssb 2048R/5157AA14 created: 2011-07-31 expires: never
card-no: 0006 04164682
ssb* 2048R/D848C147 created: 2016-01-17 expires: never
(1) Fran Loehmann <[email protected]>
(2) Fran Loehmann <[email protected]>
gpg> keytocard
Signature key ....: E15B ABF3 1D2D 10C7 DA5D 0B29 39FC 9F33 5F87 E7A8
Encryption key....: E2B6 3214 FABE 8514 E2F1 1269 8F9C E289 5157 AA14
Authentication key: [none]
Please select where to store the key:
(3) Authentication key
Your selection? 3
You need a passphrase to unlock the secret key for
user: "Fran Loehmann <[email protected]>"
2048-bit RSA key, ID D848C147, created 2016-01-17
sec 2048R/5F87E7A8 created: 2011-07-31 expires: never
card-no: 0006 04164682
ssb 2048R/5157AA14 created: 2011-07-31 expires: never
card-no: 0006 04164682
ssb* 2048R/D848C147 created: 2016-01-17 expires: never
card-no: 0006 04164682
(1) Fran Loehmann <[email protected]>
(2) Fran Loehmann <[email protected]>
# save changes
gpg> quit
Save changes? (y/N) y
You should now have your ssh key loaded into the gpg-agent.
The key below is the public key to be added to remote hosts for ssh authorized_keys or for Github.
~ $ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMPA1TYhCARWgYIPiz+nLBJQJDjAEeoeMkzUy+Tane8rIpplVorZpYylcuuaNASZCPV7SMmN2gJga3tXmng6HrWuLLwESFMOdo3oC9D5MB7OKof1TBLO9pHdPcTbM+qG8UtQsfMbeY2PRHZliB271wxkt22uuvkX9MaFu0a11+eJTI/TPqUa0MYjxICWyD1A3QNLUx6CavIgv6aBcf+M3pWgfOPezXi4hEQ5Wykd6p6BMMS/nFsp4oByZg3bnJC50D6Xq8SqvBLAKDYZ/4/mDBg0TD3D25s2Q2AJjNnxLldptweDFiaHxQj9NykeY2DJLkjdOMBE2Jt/Ys+83qV6ur cardno:000604164682