@jwiegley
Created November 18, 2025 20:46

Setting up a new Yubikey

Ensure Yubikey works

Run gpg --card-status to make sure the Yubikey is seen.

Setup Yubikey device details

Run gpg --card-edit to configure basic details

  • Enable admin commands with admin
  • name: Wiegley, John
  • lang: en
  • salutation: M (Mr.)
  • url: http://ftp.newartisans.com/pub/pubkey.asc
  • login: johnw
  • kdf-setup
  • passwd
  • (change PIN and admin PIN)
    • Default admin password is 12345678
    • Default password is 123456
  • quit

Disable Yubikey code generation on touch

ykman config usb --disable OTP

Use it as a hardware token for signing on to your Mac

ykman piv access change-management-key
ykman piv access change-pin
ykman piv access change-puk
  1. Generate certificates on your YubiKey to be paired with macOS.
    • Generate key pairs for slots 9a and 9d, saving the public part to files.
      ykman piv keys generate 9a --algorithm ECCP256 /tmp/9a.pub
      ykman piv keys generate 9d --algorithm ECCP256 /tmp/9d.pub
    • Generate self-signed certificates; anything can be used as the subject. You may also set the expiration, the default is one year:
      ykman piv certificates generate 9a --subject "YubiKey 5" /tmp/9a.pub
      ykman piv certificates generate 9d --subject "YubiKey 5" /tmp/9d.pub
  2. Pair the YubiKey with macOS
    • The public key hash should now be listed as an unpaired identity.
      sc_auth identities
    • Use the listed hash to pair the YubiKey with your user.
      sc_auth pair -h HASH -u USERNAME
    • Verify that your user is paired:
      sc_auth list

      You may now use your YubiKey for login, but your password still works as well.

  3. Install a configuration profile
    • To enforce the use of a smart card, a configuration profile needs to be installed. A sample profile can be found here. Save the sample profile as sample.mobileconfig
    • Install the profile by double-clicking on the profile and following the OS prompts.

Configure for GnuPG

Create sub-keys to use with Yubikey

gpg --quick-add-key 4710CF98AF9B327BB80F60E146C4BD1A7AC14BA2 cv25519 encr 2y
gpg --quick-add-key 4710CF98AF9B327BB80F60E146C4BD1A7AC14BA2 ed25519 auth 2y
gpg --quick-add-key 4710CF98AF9B327BB80F60E146C4BD1A7AC14BA2 ed25519 sign 2y

Changing secret key used by password-store

pass init [-p path] <gpg-id>

Transfer keys to Yubikeys

gpg --edit-key $(gpg -K [email protected] | grep '^sec' | head -1 | sed -e 's/.*\///' -e 's/ .*//')
key 2
keytocard
(choose correct key type)
key 3
keytocard
(choose correct key type)
key 4
keytocard
(choose correct key type)
save
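An added check for this step, not part of the gist: after keytocard and save, `gpg -K` prints a subkey whose secret lives on the card as `ssb>` (the on-disk file is now only a stub referring to the card), while a plain `ssb` line means the private part is still on disk. The functions below classify each subkey from that listing and fail if any secret remains on disk; the sample listing is constructed (placeholder key material and address), and the script reads real `gpg -K` output on stdin.

```shell
#!/bin/sh
# Added check, not part of the gist: confirm that each subkey's secret now lives on
# the card. After `keytocard` followed by `save`, `gpg -K` prints such subkeys as
# "ssb>" (the on-disk file is only a stub pointing at the card); a plain "ssb" line
# means the private part is still on disk. Feed `gpg -K` output on stdin.

# Print one line per subkey: "<capability> <algorithm> on-card|on-disk".
classify_subkeys() {
    awk '
        /^ssb/ {
            state = ($1 == "ssb>") ? "on-card" : "on-disk"
            cap = "[?]"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^\[[ESAC]+\]$/) { cap = $i; break }
            print cap, $2, state
        }'
}

# Succeeds (exit 0) only if no subkey secret remains on disk.
all_subkeys_on_card() {
    ! classify_subkeys | grep -q 'on-disk$'
}

# Constructed sample of `gpg -K` output (placeholder key, not real material):
# the encryption and authentication subkeys were moved, the signing subkey was not.
SAMPLE_LISTING='sec   ed25519 2020-01-01 [SC]
      4710CF98AF9B327BB80F60E146C4BD1A7AC14BA2
uid           [ultimate] John Wiegley <user@example.invalid>
ssb>  cv25519 2025-11-18 [E] [expires: 2027-11-18]
ssb>  ed25519 2025-11-18 [A] [expires: 2027-11-18]
ssb   ed25519 2025-11-18 [S] [expires: 2027-11-18]'

# Real use after `save`:
#   gpg -K | all_subkeys_on_card || gpg -K | classify_subkeys
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | classify_subkeys
fi
```

Run the check before deleting any local backup: once `save` has replaced a subkey with a stub, the card holds the only copy of that secret. A subkey still reported as on-disk is usually one that was skipped in the key / keytocard sequence above, for example when more than one subkey was selected at once and gpg refused the transfer.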

Enabling use of GnuPG authentication key with SSH

echo $KEYGRIP_OF_AUTH_KEY >> ~/.gnupg/sshcontrol

Export new public key and upload to keyservers

gpg --export -a 0x46C4BD1A7AC14BA2 > pubkey.asc

gpg --keyserver pgp.mit.edu --send-keys 0x46C4BD1A7AC14BA2
gpg --keyserver keys.gnupg.net  --send-keys 0x46C4BD1A7AC14BA2
gpg --keyserver keyserver.ubuntu.com  --send-keys 0x46C4BD1A7AC14BA2
gpg --keyserver hkps://hkps.pool.sks-keyservers.net  --send-keys 0x46C4BD1A7AC14BA2

If necessary, upload new GnuPG public key and ssh key to GitHub

gpg --export -a 0x46C4BD1A7AC14BA2 | pbcopy
ssh-add -L

Copy the reference files to the appropriate backup file

cd ~/.gnupg/private-keys-v1.d
# KEYID is the suffix for this card's copies; set it before running (e.g. to the card serial)
: "${KEYID:?set KEYID to an identifier for this Yubikey}"
# keygrips of the subkeys: drop the primary key's (first) keygrip and take the next three
KEYS=$(gpg --with-keygrip -K [email protected] | grep Keygrip | head -4 | tail -n '+2' | awk '{print $3}')
for key in $KEYS; do
    cp "${key}.key" "${key}.key.${KEYID}"
done
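The sshcontrol step above needs the keygrip of the authentication subkey, and the backup step needs the keygrips of the subkeys that were moved to the card. The following added helper (mine, not the gist's) selects keygrips from `gpg --with-keygrip -K` output by subkey capability instead of by line position, so it does not assume exactly three subkeys in a fixed order. The listing embedded in it is constructed with placeholder keygrips; the `CARD_SERIAL` variable in the usage comment is an assumed name for whatever label you choose for the card.

```shell
#!/bin/sh
# Added helper, not from the gist: select keygrips from `gpg --with-keygrip -K`
# output by subkey capability rather than by position, so it does not depend on
# the key having exactly three subkeys in a fixed order. Listing is read on stdin.

# Print "<capability> <keygrip>" for every subkey, e.g. "[A] 3333...".
subkey_keygrips() {
    awk '
        /^ssb/ {
            cap = "[?]"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^\[[ESAC]+\]$/) { cap = $i; break }
            want = 1; next
        }
        /^(sec|uid)/ { want = 0 }
        /Keygrip = / && want { print cap, $3; want = 0 }'
}

# Keygrip of the authentication subkey: the value to append to ~/.gnupg/sshcontrol.
auth_keygrip() {
    subkey_keygrips | awk '$1 == "[A]" { print $2 }'
}

# Copy every subkey file in directory $1 to <keygrip>.key.<label>, where $2 is a
# label for this card (assumed here to be its serial number). Run after keytocard
# and save, when these files are stubs referring to the card.
backup_stubs() {
    dir=$1; label=$2
    subkey_keygrips | while read -r cap grip; do
        cp "$dir/$grip.key" "$dir/$grip.key.$label"
    done
}

# Constructed sample of `gpg --with-keygrip -K` output (placeholder keygrips).
GRIP_LISTING='sec   ed25519 2020-01-01 [SC]
      4710CF98AF9B327BB80F60E146C4BD1A7AC14BA2
      Keygrip = 1111111111111111111111111111111111111111
uid           [ultimate] John Wiegley <user@example.invalid>
ssb>  cv25519 2025-11-18 [E] [expires: 2027-11-18]
      Keygrip = 2222222222222222222222222222222222222222
ssb>  ed25519 2025-11-18 [A] [expires: 2027-11-18]
      Keygrip = 3333333333333333333333333333333333333333
ssb>  ed25519 2025-11-18 [S] [expires: 2027-11-18]
      Keygrip = 4444444444444444444444444444444444444444'

# Real use (CARD_SERIAL is an assumed variable holding the card's serial from `ykman info`):
#   gpg --with-keygrip -K | auth_keygrip >> ~/.gnupg/sshcontrol
#   gpg --with-keygrip -K | backup_stubs ~/.gnupg/private-keys-v1.d "$CARD_SERIAL"
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$GRIP_LISTING" | subkey_keygrips
fi
```

Appending the keygrip to sshcontrol only takes effect when gpg-agent runs with enable-ssh-support in gpg-agent.conf and SSH_AUTH_SOCK points at the agent's SSH socket; `ssh-add -L` should then list the card-backed key, which is also how you confirm the entry before uploading it to GitHub.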

Wiping a Yubikey

for service in openpgp piv oath fido otp; do \
    /Applications/YubiKey\ Manager.app/Contents/MacOS/ykman $service reset; \
done