GPG and YubiKey
Introduction
YubiKey is a great security device that can be used for a multitude of applications. One of its uses is signing, authentication and encryption with GPG: signing emails and decrypting files, as well as authenticating to various applications. SSH authentication with a YubiKey is explained in another post on this blog. Although you can set this up on Windows as well, we cover the setup on Ubuntu here.
Step 1: Installing the Required Packages
GPG is installed on Ubuntu by default. However, you need to install the Yubico packages so that your system can recognize and work with the YubiKey.
sudo add-apt-repository ppa:yubico/stable && sudo apt-get update
sudo apt-get install yubikey-manager-qt scdaemon gnupg2 curl
Step 2: Generating PGP Keys
To generate new keys, run
gpg --expert --full-gen-key
- Enter 1 (for "RSA and RSA (default)").
- For a YubiKey NEO enter 2048; for other YubiKey models enter 4096, twice, for the key size. Provide the required information for the remaining questions and then type O for Okay.
After the keys are generated, make a note of the key ID, which is displayed in the output as "gpg: key 1234ABC marked as ultimately trusted".
Next, run
gpg --expert --edit-key KEY_ID
Then, enter the following commands in the exact order:
- addkey
- Enter 8.
- Enter A.
- Enter Q.
- Specify key size (2048) and expiration date (10 years should be good!) and save.
- addkey
- Enter 8.
- Enter S.
- Enter Q.
- Specify key size (2048) and expiration date (same date as previous one) and save.
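The same layout can be produced without the interactive wizard. The script below is an added example, not from the original post: it uses GnuPG's --quick-generate-key and --quick-add-key (GnuPG 2.1.17 or newer) and generalizes the walk-through to one capability per key, signing on the primary key plus one encryption and one authentication subkey, which is what the card's three slots hold. The user ID, algorithms and the 10-year expiry are assumptions; layout_ok checks the result from gpg -K --with-colons output before anything is moved to the card.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the Step 2 key layout built
# non-interactively with GnuPG's --quick-* commands (GnuPG 2.1.17 or newer).
# One capability per key: S on the primary, E and A as subkeys.
# USER_ID, algorithms and expiry are assumptions; change them to suit.
set -eu

USER_ID="Example User <user@example.com>"   # placeholder user ID
PRIMARY_ALGO="rsa4096"                      # use rsa2048 for a YubiKey NEO
SUB_ALGO="rsa2048"                          # the post uses 2048 for subkeys
EXPIRE="10y"

# Primary key that certifies and signs; pinentry asks for the passphrase.
# Prints the new key's fingerprint (fpr record, field 10 in colon output).
gen_primary() {
    gpg --batch --quick-generate-key "$USER_ID" "$PRIMARY_ALGO" cert,sign "$EXPIRE"
    gpg --list-secret-keys --with-colons "$USER_ID" \
        | awk -F: '$1=="fpr" { print $10; exit }'
}

# Encryption and authentication subkeys, one capability each.
add_subkeys() {
    gpg --batch --quick-add-key "$1" "$SUB_ALGO" encr "$EXPIRE"
    gpg --batch --quick-add-key "$1" "$SUB_ALGO" auth "$EXPIRE"
}

# Check the layout from a "gpg -K --with-colons" listing on stdin: field 12 of
# sec/ssb records holds per-key capability letters (lowercase s, e, a, c;
# uppercase letters are the whole-key summary and are ignored here).
# Returns 0 only if sign, encrypt and authenticate are each present.
layout_ok() {
    caps=$(awk -F: '$1=="sec" || $1=="ssb" { printf "%s", $12 }')
    for need in s e a; do
        case "$caps" in
            *"$need"*) ;;
            *) echo "missing capability: $need" >&2; return 1 ;;
        esac
    done
}

# Run the whole procedure only when invoked as: ./script.sh run
if [ "${1:-}" = "run" ]; then
    fpr=$(gen_primary)
    add_subkeys "$fpr"
    gpg -K --with-colons "$fpr" | layout_ok && echo "layout ok: $fpr"
fi
```

Keep sizes at 2048 on a YubiKey NEO, which cannot hold larger RSA keys; the capability check is independent of size.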
Step 3: Creating Backup
This step is extremely important. So far the keys exist only on your computer, and we need to move them onto your YubiKey. This process is one-way and removes the original keys from your system! If for any reason you lose your YubiKey, you lose your keys as well. Also, programming a backup YubiKey wouldn't be possible unless you keep backups!
gpg --export-secret-key --armor KEY_ID > filename.pgp
Keep the created file in a safe place!
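A backup only counts once it has been restored somewhere. The script below is an added example, not from the original post: it exports the key as above (with --export-secret-keys, which includes the subkeys), checks the armor markers, and then imports the file into a throwaway GNUPGHOME to prove the secret material comes back intact. KEY_ID and the backup file name are placeholders taken from the environment.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: make the Step 3 backup, then prove
# it restores by importing it into a throwaway GNUPGHOME.
# KEY_ID and BACKUP are placeholders; set them in the environment.
set -eu

KEY_ID="${KEY_ID:-KEY_ID}"                  # placeholder: your key ID from Step 2
BACKUP="${BACKUP:-$KEY_ID-secret.pgp}"      # placeholder file name

# --export-secret-keys writes the primary and all its subkeys, ASCII-armored;
# the subshell umask makes the file unreadable by other users.
export_backup() {
    ( umask 077; gpg --export-secret-keys --armor "$KEY_ID" > "$BACKUP" )
}

# Cheap check on the file itself: non-empty, starts and ends with the armor
# markers. Catches an empty file from a wrong KEY_ID or a truncated copy.
armor_ok() {
    [ -s "$1" ] || return 1
    [ "$(head -n 1 "$1")" = "-----BEGIN PGP PRIVATE KEY BLOCK-----" ] || return 1
    [ "$(tail -n 1 "$1")" = "-----END PGP PRIVATE KEY BLOCK-----" ] || return 1
}

# Reads a "gpg -K --with-colons" listing on stdin. Field 15 of a sec/ssb record
# is "#" when only a stub without secret material exists; returns 0 only if a
# sec record exists and no sec/ssb record is such a stub.
secrets_present() {
    awk -F: '
        $1=="sec" { n++ }
        ($1=="sec" || $1=="ssb") && $15=="#" { stub=1 }
        END { exit ((n > 0 && !stub) ? 0 : 1) }'
}

# Real check: import the backup into a scratch home directory (pinentry asks
# for the key passphrase) and confirm primary and subkeys came back.
restore_test() {
    tmp=$(mktemp -d)
    trap 'gpgconf --homedir "$tmp" --kill gpg-agent 2>/dev/null || true; rm -rf "$tmp"' EXIT
    gpg --homedir "$tmp" --batch --import "$1"
    gpg --homedir "$tmp" --batch -K --with-colons | secrets_present
}

# Run the whole procedure only when invoked as: KEY_ID=... ./script.sh run
if [ "${1:-}" = "run" ]; then
    export_backup
    armor_ok "$BACKUP"
    restore_test "$BACKUP" && echo "backup $BACKUP restores cleanly"
fi
```

The scratch directory is deleted when the script exits, so the test-restore leaves no second copy of the key on disk; only the backup file itself remains, and it belongs on offline media.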
Step 4: Setting Up PIN and Admin PIN
An important security feature of the YubiKey is its PIN and Admin PIN. The default value for the PIN is 123456 and the default value for the Admin PIN is 12345678. These PINs apply only to the PGP application; the YubiKey has separate PINs for its other applications. To change the default PIN and Admin PIN, run:
gpg --card-edit
Then, type
admin
passwd
Follow the prompts to change both your PIN and Admin PIN. They are needed when programming your YubiKey and when using the keys.
Step 5: Importing the Keys to YubiKey
Run:
sudo gpg --edit-key KEY_ID
and enter the following commands:
- toggle
- keytocard
- Select 1
- key 1
- keytocard
- Select 2
- key 1
- key 2
- keytocard
- Select 3
- quit
This must be done exactly as written. If you make a mistake, you need to start over from the beginning, re-importing your keys from the backup.
That should do it! You can import the key stubs on a new system simply by running gpg --card-status there (assuming the required software is installed)!
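To confirm that Step 5 actually worked before relying on the card, and again after gpg --card-status on a new system, the script below is an added example, not from the original post. It compares the fingerprints in the card's three slots (from gpg --card-status --with-colons) against the keyring (gpg -K --with-colons) and requires that each matching keyring entry is a stub carrying the card's serial number rather than a secret key still on disk. The fingerprints and serial number in its comments and tests are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: verify that the card's three slots
# hold keys from this keyring and that the keyring keeps only on-card stubs
# for them. Fingerprints and serial numbers used for testing are placeholders.
set -eu

# Fingerprints in the card's signature, encryption and authentication slots,
# from "gpg --card-status --with-colons" (the fpr record, fields 2 to 4).
# Prints "<slot> <fingerprint>" per slot, "-" for an empty slot.
card_slots() {
    awk -F: '$1=="fpr" {
        print "sign", ($2=="" ? "-" : $2)
        print "encr", ($3=="" ? "-" : $3)
        print "auth", ($4=="" ? "-" : $4)
    }'
}

# From "gpg -K --with-colons": one line per sec/ssb record as
# "<fingerprint> <caps> <location>", where location is the card serial (field
# 15), "#" for a stub with no card, or "local" when the secret key is on disk.
# The fpr record follows its key record, so the key's fields are held until then.
keyring_keys() {
    awk -F: '
        $1=="sec" || $1=="ssb" { caps=$12; where=($15=="" ? "local" : $15); pending=1; next }
        $1=="fpr" && pending   { print $10, caps, where; pending=0; next }
                               { pending=0 }'
}

# verify_card_keys CARD_LISTING_FILE KEYRING_LISTING_FILE
# Returns 0 only if every populated slot's key is in the keyring as a stub that
# points at a card. A key still on disk, or a fingerprint the keyring does not
# know, means Step 5 did not complete as intended.
verify_card_keys() {
    card="$1"; keyring="$2"
    slots=$(card_slots < "$card")
    [ -n "$slots" ] || { echo "no fpr record in the card listing"; return 1; }
    while read -r slot fpr; do
        if [ "$fpr" = "-" ]; then
            echo "slot $slot: empty"
            continue
        fi
        entry=$(keyring_keys < "$keyring" | awk -v f="$fpr" '$1==f { print $2, $3; exit }')
        if [ -z "$entry" ]; then
            echo "slot $slot: $fpr is not in this keyring"
            return 1
        fi
        caps=${entry% *}; where=${entry#* }
        case "$where" in
            local) echo "slot $slot: secret key is still on disk (keytocard not done)"; return 1 ;;
            "#")   echo "slot $slot: stub carries no card serial"; return 1 ;;
            *)     echo "slot $slot: ok, caps=$caps, on card $where" ;;
        esac
    done <<EOF
$slots
EOF
}

# Capture both listings and compare them when invoked as: ./script.sh run
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
    gpg --card-status --with-colons > "$work/card"
    gpg -K --with-colons > "$work/keys"
    verify_card_keys "$work/card" "$work/keys"
fi
```

A "secret key is still on disk" result after Step 5 means the keytocard sequence did not move that key; in that case the corresponding key material is still recoverable from the keyring and the move has to be redone.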