Skip to content

Instantly share code, notes, and snippets.

@twobiers
Forked from andreibosco/yubikey-windows10.md
Created September 2, 2020 19:36
Show Gist options
  • Save twobiers/132f49b966c6c0b2676239d53af2d3ea to your computer and use it in GitHub Desktop.
Save twobiers/132f49b966c6c0b2676239d53af2d3ea to your computer and use it in GitHub Desktop.
Setting up Yubikey with SSH and Git on Windows 10 + Powershell

Setting up Yubikey with SSH and Git on Windows 10 + Powershell

Based on the following guides:

Install dependencies

Set up new PINs for yubikey

  • Open Powershell
  • Set up new PINs:
    • Tip: the PINs doesn't have to be numeric-only
    gpg --expert --edit-card
    > admin
    > factory-reset # optional step
    > passwd
    # choose 1 to change PIN
    # default PIN is 123456
    # choose 3 to change Admin PIN
    # default PIN is 12345678
    > q
    > forcesig
    > quit
    
  • Add identification data
    gpg --expert --edit-card
    > admin
    > name
    # type your last names
    # and then your first names
    > lang
    # type your preference language (e.g., en)
    
  • Check keys: gpg --expert --card-status

Create a GPG key using Kleopatra

  • Go to Tools > Manage smartcard
  • Click on Generate new keys (I recommend creating a RSA 4096 key)

Configure Kleopatra to allow SSH support

  • In Kleopatra, click on Settings > Configure Kleopara
  • Select GnuPG System
  • Go to the tab Private Keys
  • Check Enable ssh support and Enable putty support
  • Click on Apply settings

Configure Git to use yubikey

  • Run this command to add Github to the list of known hosts and avoid a freezing issue using git: plink -agent -v [email protected]
    • If this command fails with an FATAL ERROR: No supported authentication methods available (server sent: publickey) error, try restarting the GPG Agent
  • Verify that the key is set up correctly: gpg --list-secret-keys --keyid-format LONG
    • Look for something like sec > rsa4096/683AB68D867FEB5C.
    • The key is the string after rsa4060/
  • Point Git to globally use GnuPG:
    git config --global gpg.program "c:\Program Files\GnuPG\bin\gpg.exe"
    git config --global commit.gpgsign true
    git config --global user.signingkey KEY_FROM_THE_PREVIOUS_STEP
    git config --global core.sshcommand "plink -agent"
    
  • If you haven't set up your Git user data, do it now:
    git config --global user.email [email protected]
    git config --global user.name "Your Full Name Here"
    
  • Generate a public SSH key: gpg --export-ssh-key [email protected] > id_rsa.pub
  • Add the public key into your Github account

Add your GPG Public Key to Github

  • Open Kleopatra, double-click on your click, click Export...
    • Make sure you are exporting the public key. It should start with "-----BEGING PBP PUBLIC KEY BLOCK-----"
  • Copy the key
  • Go into Github
  • Click on your profile image
  • Click on Settings
  • On the sidebar, click on SSH and GPG Keys
  • Click on New GPG Key
  • Paste the key

Accessing servers via SSH

  • Instead of using the ssh command on Powershell, you have to use the plink command: plink username@server

Exporting your certificates

  • On Kleopatra main screen, select your certificates
  • Go to File > Export...
  • Select a place to store your OpenPGP certificates

Importing your certificates

  • On Kleopatra main screen, go to File > Import...
  • Select your OpenPGP certificates files

To set a certificate trust level

  • On Powershell, list the existing keys: gpg --list-secret-keys --keyid-format LONG
  • To edit a key: gpg --edit-key KEYID
  • To set trust level to ultimate:
trust
5 # to trust completely (ultimate)
y # to confirm your decision
save

Restarting GPG agent

  • If you have issues connecting to your smartkey, try restarting the GPG Agent:
gpg-connect-agent killagent /bye
gpg-connect-agent /bye

That's it

Now you're all set. When using git or ssh, it should get the private key from your Yubikey and ask for its PIN number.

Enjoy :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment