This project was developed to securely provision PGP/YubiKeys at “enterprise” scale.
The yubikey-prov.sh script automates as much of the guide "How to generate and air gap PGP private keys using GnuPG, Tails and YubiKey" as possible without compromising on security.
Although the script works on macOS Catalina and Big Sur (for development purposes), it is highly recommended to run it on Tails.
Shout-out to TrustToken for supporting project. 🙌
- Uses Tails to generate PGP keys (using GnuPG) on an air-gapped, amnesic and hardened operating system
- Uses VeraCrypt to backup PGP master keys and subkeys
- Uses YubiKeys to secure subkeys
- Tails USB flash drive or SD card with VeraCrypt and YubiKey Manager installed
- VeraCrypt encrypted volume stored on USB flash drive or SD card at path `/media/amnesia/Data/tails` on Tails or `/Volumes/Data/tails` on macOS
- YubiKey with OpenPGP support (firmware version 5.2.3 or higher)
```shell
cd ~/Persistent
git clone https://github.com/sunknudsen/yubikey-prov.git
cd yubikey-prov
```
```
$ ./yubikey-prov.sh --help
Usage: yubikey-prov.sh [options]

Options:
  --first-name <name>     first name
  --last-name <name>      last name
  --email <email>         email
  --recovery-mode         restore master key and subkeys (optional)
  --rotate-credentials    rotate credentials (recovery mode, optional)
  --expiry <expiry>       subkey expiry (defaults to 1)
  --signing-key <path>    path to signing key (optional)
  --reset-applets         reset applets to factory defaults
  --nfc <nfc>             enabled NFC applets (defaults to "FIDO2")
  --usb <usb>             enabled USB applets (defaults to "FIDO2 OPENPGP")
  --lock-code <code>      configuration lock-code (optional)
  --yes                   disable most confirmation prompts
  -v, --version           display yubikey-prov version
  -h, --help              display yubikey-prov help
```
With the options shown below, the script:

- disables all YubiKey NFC and USB applets except FIDO2 (NFC and USB) and OpenPGP (USB only)
- creates a PGP master key and signing, encryption and authentication subkeys
- certifies the public key with the signing key (when --signing-key is given)
- backs up the master key, subkeys and public key to the VeraCrypt encrypted volume, and the public key to the public folder
- moves the subkeys to the YubiKey, configures the identity on the card, enables user interaction (touch) and sets the user and admin PINs
```shell
$ ./yubikey-prov.sh --first-name "John" --last-name "Doe" --email "john@example.net" --signing-key "/media/veracrypt1/securityteam/PGP/securityteam_master.asc"
```
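The steps the description above lists, as an added example that is not yubikey-prov's own code: the same provisioning sequence spelled out as explicit GnuPG and ykman commands, so the ordering that matters (certify, then back up, then `keytocard`) is visible and checkable before a real key is touched. Everything specific in it is an assumption rather than something this page states: that `--expiry` is in years (rendered as `Ny` for gpg), the key algorithms (Ed25519 certify-only master, Ed25519 sign/auth and Curve25519 encryption subkeys), ykman 4.x command syntax and applet names, that the signing key has already been imported and is referred to by fingerprint, and the directory and file names.

```python
import subprocess
from typing import List, Optional, Sequence

# Applet names as ykman 4.x spells them (assumption); newer firmware may
# list more, so check `ykman config usb --list` on the target key first.
ALL_APPLETS = ["OTP", "U2F", "FIDO2", "OATH", "PIV", "OPENPGP"]

def batch_params(first_name: str, last_name: str, email: str) -> str:
    """Parameter file for `gpg --batch --gen-key`: a certify-only master
    key (Key-Usage: cert) that never expires; day-to-day operations go
    through the subkeys, so the master can stay offline. %ask-passphrase
    prompts through pinentry instead of embedding a passphrase here."""
    return "\n".join([
        "%ask-passphrase",
        "Key-Type: eddsa",
        "Key-Curve: ed25519",
        "Key-Usage: cert",
        f"Name-Real: {first_name} {last_name}",
        f"Name-Email: {email}",
        "Expire-Date: 0",
        "%commit",
    ]) + "\n"

def applet_commands(usb: Sequence[str], nfc: Sequence[str]) -> List[List[str]]:
    """Enable exactly the requested applets per transport and disable
    the rest (mirrors --usb/--nfc): no OTP keystroke injection, no PIV
    or OATH interface on the key that will hold the subkeys."""
    cmds = []
    for transport, keep in (("usb", usb), ("nfc", nfc)):
        cmd = ["ykman", "config", transport, "--force"]
        for applet in ALL_APPLETS:
            cmd += ["--enable" if applet in keep else "--disable", applet]
        cmds.append(cmd)
    return cmds

def subkey_commands(fpr: str, expiry_years: int) -> List[List[str]]:
    """One subkey per capability, all with the same expiry (assumed years)."""
    exp = f"{expiry_years}y"
    return [["gpg", "--batch", "--quick-add-key", fpr, algo, usage, exp]
            for algo, usage in (("ed25519", "sign"), ("cv25519", "encr"),
                                ("ed25519", "auth"))]

def backup_commands(fpr: str, name: str, backup_dir: str,
                    public_dir: str) -> List[List[str]]:
    """Armored exports: secrets to the encrypted volume, public key to
    the public folder. Must run before keytocard (see below)."""
    return [
        ["gpg", "--armor", "--output", f"{backup_dir}/{name}_master.asc",
         "--export-secret-keys", fpr],
        ["gpg", "--armor", "--output", f"{backup_dir}/{name}_sub.asc",
         "--export-secret-subkeys", fpr],
        ["gpg", "--armor", "--output", f"{public_dir}/{name}.asc",
         "--export", fpr],
    ]

def keytocard_script() -> str:
    """stdin for `gpg --command-fd 0 --status-fd 1 --edit-key FPR`.
    keytocard MOVES a subkey: after `save` the keyring keeps only a stub
    pointing at the card, hence the backup first. Card slots 1/2/3 are
    signature/encryption/authentication, matching the subkey order."""
    lines: List[str] = []
    for n in (1, 2, 3):
        # the second `key n` deselects the subkey before moving on
        lines += [f"key {n}", "keytocard", str(n), f"key {n}"]
    return "\n".join(lines + ["save"]) + "\n"

def plan(fpr: str, name: str, expiry_years: int, backup_dir: str,
         public_dir: str, signing_fpr: Optional[str] = None,
         usb: Sequence[str] = ("FIDO2", "OPENPGP"),
         nfc: Sequence[str] = ("FIDO2",)) -> List[List[str]]:
    """Full sequence in the page's order, for a master key already
    generated from batch_params() and identified by fingerprint."""
    cmds = applet_commands(usb, nfc)
    cmds += subkey_commands(fpr, expiry_years)
    if signing_fpr:  # certify before export so the backup carries it
        cmds.append(["gpg", "--batch", "--yes", "--local-user", signing_fpr,
                     "--sign-key", fpr])
    cmds += backup_commands(fpr, name, backup_dir, public_dir)
    cmds.append(["gpg", "--command-fd", "0", "--status-fd", "1",
                 "--edit-key", fpr])
    for slot in ("sig", "enc", "aut"):  # user interaction = touch policy
        cmds.append(["ykman", "openpgp", "keys", "set-touch", slot, "on",
                     "--force"])
    cmds.append(["gpg", "--change-pin"])  # interactive: user + admin PIN
    return cmds

def execute(cmds: List[List[str]], dry_run: bool = True) -> int:
    """Run (or, by default, just print) the plan; returns the step count.
    Only the --edit-key step gets scripted stdin; PINs use pinentry."""
    for cmd in cmds:
        stdin = keytocard_script() if "--edit-key" in cmd else None
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, input=stdin, text=True, check=True)
    return len(cmds)

if __name__ == "__main__":  # constructed fingerprints and paths, dry run only
    execute(plan("0123456789ABCDEF0123456789ABCDEF01234567", "john_doe", 1,
                 "/media/amnesia/Data/tails", "/media/amnesia/Data/public",
                 signing_fpr="FEDCBA9876543210FEDCBA9876543210FEDCBA98"))
```

Run as-is it only prints the plan. `execute(..., dry_run=False)` runs it against the current GNUPGHOME, which is only sensible on Tails after the master key has been generated with `gpg --batch --gen-key` from the output of `batch_params()` and its fingerprint read back with `gpg --list-secret-keys --with-colons`. The one invariant worth keeping whatever else changes is that `backup_commands()` precedes the `--edit-key` step: once `keytocard` has run and been saved, the only copy of each subkey is on the YubiKey.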
Licensed under the MIT License.