Personal Privacy


GPG and YubiKey

Introduction

YubiKey is a great security device that can be used for a multitude of applications. One of its uses is signing, authenticating and encrypting with GPG. This can be used to sign emails and decrypt files, as well as for authentication in various applications. SSH authentication using YubiKey is explained in another post on this blog. Although you can set this up on Windows as well, we cover the setup on Ubuntu here.

Step 1: Installing the Required Packages

GPG should be installed on Ubuntu by default. However, you need to install the Yubico packages in order for your system to recognize and work with the YubiKey.

sudo add-apt-repository ppa:yubico/stable && sudo apt-get update
sudo apt-get install yubikey-manager-qt scdaemon gnupg2 curl

Step 2: Generating PGP Keys

To generate new keys, run

gpg --expert --full-gen-key

After the keys are generated, make a note of the key ID, which appears in the output as "gpg: key 1234ABC marked as ultimately trusted".

Next, run

gpg --expert --edit-key KEY_ID

Then, enter the following commands in the exact order:

Step 3: Creating Backup

This step is extremely important. So far the keys exist only on your computer, and we need to move them into your YubiKey. But this process is one-way and removes the original keys from your system! It means that if for any reason you lose your YubiKey, you lose your keys as well. Also, if you want to program a backup YubiKey, it wouldn't be possible unless you keep backups!

gpg --export-secret-key --armor KEY_ID > filename.pgp

Keep the created file in a safe place!
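As an added check that is not part of the original post: a small POSIX shell function that sanity-checks the backup file written by the export above before you go on to Step 5 and the on-disk copy is gone. filename.pgp is the post's placeholder name; the checks themselves are this example's own, not something GnuPG provides.

```shell
#!/bin/sh
# Added example (not from the original post): verify the secret-key backup
# produced by "gpg --export-secret-key --armor KEY_ID > filename.pgp"
# before keytocard removes the keys from the local keyring.

check_backup() {
    f="$1"

    # A failed export (wrong KEY_ID, no secret key present) leaves an empty file.
    if [ ! -s "$f" ]; then
        echo "FAIL: backup missing or empty: $f" >&2; return 1
    fi

    # It must be a *private* key block; a public-key export is useless as a backup.
    if ! head -n 1 "$f" | grep -q '^-----BEGIN PGP PRIVATE KEY BLOCK-----$'; then
        echo "FAIL: not an ASCII-armored private key block: $f" >&2; return 1
    fi

    # A missing END line means the export was cut off (disk full, interrupted).
    if ! tail -n 1 "$f" | grep -q '^-----END PGP PRIVATE KEY BLOCK-----$'; then
        echo "FAIL: truncated armor, END line missing: $f" >&2; return 1
    fi

    # The armored secret key must not be readable by group or others
    # (columns 5-10 of "ls -l" output are the group/other permission bits).
    if ls -ld "$f" | cut -c5-10 | grep -q '[rwxst]'; then
        echo "FAIL: $f is readable by group/others; run: chmod 600 $f" >&2; return 1
    fi

    echo "OK: $f looks like a complete, private, owner-only key backup"
    return 0
}

# Usage: sh check_backup.sh filename.pgp
if [ "$#" -gt 0 ]; then
    check_backup "$1"
fi
```

The checks only confirm the file's shape and permissions; the real test of a backup is importing it into a scratch GNUPGHOME and confirming gpg -K lists the secret key there.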

Step 4: Setting Up PIN and Admin PIN

An important security feature of the YubiKey is the PIN and Admin PIN of the key. The default value for the PIN is 123456 and the default value for the Admin PIN is 12345678. These PINs apply only to the OpenPGP application; the YubiKey has separate PINs for its other applications. To change the default PIN and Admin PIN, run:

gpg --card-edit

Then, type

admin
passwd

Follow the prompts to change both your PIN and Admin PIN. The PIN is needed when using the key and the Admin PIN when programming your YubiKey.

Step 5: Importing the Keys to YubiKey

Run:

sudo gpg --edit-key KEY_ID

and enter the following commands:

toggle
keytocard
Select 1
key 1
keytocard
Select 2
key 1
key 2
keytocard
Select 3
quit

This must be done exactly as written. If you make a mistake, you need to start over from the beginning, by first importing your keys again from the backup file.

This should do it! You can import the key stubs on a new system simply by running gpg --card-status on that system (assuming you have the required software installed)!
