sunknudsen / yubikey-prov

Provision PGP/YubiKeys securely (beta)


This project was developed to securely provision PGP/YubiKeys at “enterprise” scale.

The yubikey-prov.sh script automates as much of the guide How to generate and air gap PGP private keys using GnuPG, Tails and YubiKey as possible without compromising on security.

Although the script works on macOS Catalina and Big Sur (for development purposes), it is highly recommended to run it on Tails.

Shout-out to TrustToken for supporting the project. 🙌

Security features

  • Uses Tails to generate PGP keys (using GnuPG) on an air-gapped, amnesic and hardened operating system
  • Uses VeraCrypt to back up PGP master keys and subkeys
  • Uses YubiKeys to secure subkeys

Requirements

Installation (on Tails)

cd ~/Persistent
git clone https://github.com/sunknudsen/yubikey-prov.git
cd yubikey-prov

Usage

$ ./yubikey-prov.sh --help
Usage: yubikey-prov.sh [options]

Options:
  --first-name <name>  first name
  --last-name <name>   last name
  --email <email>      email
  --recovery-mode      restore master key and subkeys (optional)
  --rotate-credentials rotate credentials (recovery mode, optional)
  --expiry <expiry>    subkey expiry (defaults to 1)
  --signing-key <path> path to signing key (optional)
  --reset-applets      reset applets to factory defaults
  --nfc <nfc>          enabled NFC applets (defaults to "FIDO2")
  --usb <usb>          enabled USB applets (defaults to "FIDO2 OPENPGP")
  --lock-code <code>   configuration lock-code (optional)
  --yes                disable most confirmation prompts
  -v, --version        display yubikey-prov version
  -h, --help           display yubikey-prov help

Example

Disable all YubiKey NFC/USB applets except FIDO2 and OpenPGP (USB-only), create a PGP master key plus signing, encryption and authentication subkeys, sign the public key using the signing key, back up the master key, subkeys and public key to a VeraCrypt encrypted volume (and the public key to a public folder), move the subkeys to the YubiKey, configure the card identity, enable user interaction and set the user and admin PINs.

$ ./yubikey-prov.sh --first-name "John" --last-name "Doe" --email "john@example.net" --signing-key "/media/veracrypt1/securityteam/PGP/securityteam_master.asc"
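A post-provisioning check for the run above, added here as an example (it is not part of yubikey-prov): it parses the machine-readable listing from gpg -K --with-colons and confirms that the master key's secret part is absent from the keyring (it should only exist in the VeraCrypt backup) and that the signing, encryption and authentication subkeys live on a token with the default one-year expiry. The field layout follows GnuPG's doc/DETAILS; the sample listing and card serial number are constructed.

```python
import subprocess

# Colon-record fields per GnuPG doc/DETAILS (1-based there, 0-based here).
F_TYPE, F_CREATED, F_EXPIRES, F_CAPS, F_TOKEN = 0, 5, 6, 11, 14

CARD_SERIAL = "D2760001240102010006012345670000"  # constructed serial

# Constructed sample of `gpg -K --with-colons` after a successful run:
# `#` in field 15 = secret master key not in keyring, serial = on YubiKey.
SAMPLE_LISTING = f"""\
sec:u:4096:1:0123456789ABCDEF:1609459200::::::cESA:::#:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567::
uid:u::::1609459200::0000000000000000000000000000000000000000::John Doe <john@example.net>::::::::::0:
ssb:u:4096:1:1111111111111111:1609459200:1640995200:::::s:::{CARD_SERIAL}:::23:
ssb:u:4096:1:2222222222222222:1609459200:1640995200:::::e:::{CARD_SERIAL}:::23:
ssb:u:4096:1:3333333333333333:1609459200:1640995200:::::a:::{CARD_SERIAL}:::23:
"""


def audit_secret_listing(listing: str, expiry_years: int = 1) -> dict:
    """Report which provisioning expectations hold for a colon listing."""
    found = {"master_offline": False, "s": None, "e": None, "a": None}
    for line in listing.splitlines():
        f = line.split(":")
        if f[F_TYPE] == "sec":
            # '#' means the secret key is missing from this keyring (offline).
            found["master_offline"] = f[F_TOKEN] == "#"
        elif f[F_TYPE] == "ssb" and f[F_CAPS] in ("s", "e", "a"):
            on_token = f[F_TOKEN] not in ("", "#")
            created, expires = int(f[F_CREATED]), int(f[F_EXPIRES] or 0)
            # --expiry defaults to 1 (year); allow a leap-day of slack.
            days = (expires - created) / 86400
            expiry_ok = 1 <= days <= 366 * expiry_years
            found[f[F_CAPS]] = on_token and expiry_ok
    return found


def is_provisioned(found: dict) -> bool:
    """True only if the master key is offline and all three subkeys are on a token."""
    return found["master_offline"] and all(found[c] for c in ("s", "e", "a"))


def audit_live(expiry_years: int = 1) -> dict:
    """Audit the current keyring (needs gpg on PATH; not run at import)."""
    out = subprocess.run(["gpg", "-K", "--with-colons"], check=True,
                         capture_output=True, text=True).stdout
    return audit_secret_listing(out, expiry_years)


if __name__ == "__main__":
    print(audit_secret_listing(SAMPLE_LISTING))
```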

Contributors

Sun Knudsen

Licence

MIT
