Giters

sveitser / gpg-yubikey-setup

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

GPG / yubikey setup

Please see drduh’s full guide for details.

Setup

Create bootable flash drive

nix build -f yubikey-installer.nix --out-link installer
sudo cp -v installer/iso/*.iso /dev/sdb
sync

Boot from flash drive, download the guide then maybe turn off networking.

Configure GnuPG

export GNUPGHOME=~/gnupg-workspace
mkdir -p $GNUPGHOME
wget -O $GNUPGHOME/gpg.conf https://raw.githubusercontent.com/drduh/config/master/gpg.conf

Create keys

Generate the master key, use strong passphrase.

gpg --expert --full-generate-key

Optional, sign the new key with the old keys (not 100% sure about this part.)

gpg --export-secret-keys --armor --output /tmp/new.sec
# move to working system
gpg  --default-key $OLDKEY --sign-key $KEYID

Create subkeys for the card

FPR=$(gpg --list-options show-only-fpr-mbox --list-secret-keys | awk '{print $1}')
gpg --batch --quick-add-key $FPR rsa4096 sign 5y
gpg --batch --quick-add-key $FPR rsa4096 encrypt 5y
gpg --batch --quick-add-key $FPR rsa4096 auth 5y

Backup keys

Export keys and revocation certificate

gpg --armor --export-secret-keys $KEYID > $GNUPGHOME/mastersub.key
gpg --armor --export-secret-subkeys $KEYID > $GNUPGHOME/sub.key
gpg --output $GNUPGHOME/revoke.asc --gen-revoke $KEYID

To import public key elsewhere

gpg --import .../sub.key

Backups

Perform these steps once per backup.

sudo dd if=/dev/urandom of=/dev/sdb bs=4M status=progress
sudo fdisk /dev/sdb
# o w
sudo fdisk /dev/sdb
# n p RET RET +25M
# n p RET RET +25M w

Pick strong passphrase for encrypted partition and save the private keys.

sudo cryptsetup luksFormat /dev/sdb1
sudo cryptsetup luksOpen /dev/sdb1 secret
sudo mkfs.ext2 /dev/mapper/secret -L gpg-$(date +%F)
sudo mkdir -p /mnt/encrypted-storage
sudo mount /dev/mapper/secret /mnt/encrypted-storage
sudo cp -avi $GNUPGHOME /mnt/encrypted-storage/
sudo umount /mnt/encrypted-storage/
sudo cryptsetup luksClose secret

Save the public keys to the unencrypted partition.

sudo mkfs.ext2 /dev/sdb2
sudo mkdir -p /mnt/public
sudo mount /dev/sdb2 /mnt/public/
gpg --armor --export $KEYID | sudo tee /mnt/public/gpg-$KEYID-$(date +%F).txt
sudo umount /dev/sdb2

Configure smart cards

Configuration

Change PIN (123456) and Admin PIN (12345678) and set personal details

gpg --card-edit
gpg/card> admin
> passwd
> 1
> ...
> 3
> ...
> q
gpg/card> name
> ...
gpg/card> lang
> en
gpg/card> login
> [email]

Transfer keys

  • The command keytocard is destructive, only proceed after backup is done.
  • Make sure the key types (auth, sign, enc) match in the commands below
gpg --edit-key $KEYID
> key 1
> keytocard
> 1
...
> key 1 # to unselect key 1
> key 2
> keytocard
...
> key 2
> key 3
> keytocard
...
> save

To repeat for multiple smart cards, restore the key from backup and repeat the keytocard commands.

mv -vi $GNUPGHOME $GNUPGHOME.1
cp -avi /mnt/encrypted-storage/gnupg-workspace $GNUPGHOME

Troubleshooting

If prompted to insert card with specific serial number, scan the new card.

gpg-connect-agent "scd serialno" "learn --force" /bye

About

Languages

Language:Nix 100.0%