Yubikey - Trammell Hudson's Projects

<!doctype html> <html lang="en" class="no-js"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width,initial-scale=1"> <meta name="description" content="Collection of my projects and hacks."> <link rel="canonical" href="https://trmm.net/Yubikey/"> <link rel="icon" href="../assets/images/favicon.png"> <meta name="generator" content="mkdocs-1.4.2, mkdocs-material-9.0.6"> <meta property="og:title" content="Yubikey"> <meta property="og:site_name" content="Trammell Hudson's Projects"> <meta property="og:url" content="https://trmm.net/Yubikey/"> <meta property="og:description" content="Collection of my projects and hacks."> <meta property="og:image" content="https://trmm.net/images/logo.png"> <title>Yubikey - Trammell Hudson's Projects</title> <link rel="stylesheet" href="../assets/stylesheets/main.558e4712.min.css"> <link rel="stylesheet" href="../assets/stylesheets/palette.2505c338.min.css">  <link href="https://fonts.gstatic.com" rel="preconnect" crossorigin /> <link rel="stylesheet" type="text/css" href="https://fonts.googleapis.com/css?family=IBM+Plex+Serif:300,400,400i,700%7CIBM+Plex+Sans:500,600,700%7CIBM+Plex+Mono&display=fallback" /> <style> body, input { font-family: "IBM Plex Serif", "Helvetica Neue", Helvetica, Arial, sans-serif; } pre, code, kbd { font-family: "IBM Plex Mono", "Courier New", Courier, monospace; } h1, h2, h3, h4, h5, h6 { font-family: "IBM Plex Sans", sans-serif; font-weight: 700 !important; } </style> <link rel="stylesheet" href="../extra.css"> <script>__md_scope=new URL("..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script> </head> <body dir="ltr" data-md-color-scheme="default" data-md-color-primary="black" data-md-color-accent="purple"> <input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off"> <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off"> <label class="md-overlay" for="__drawer"></label> <div data-md-component="skip"> <a href="#software" class="md-skip"> Skip to content </a> </div> <div data-md-component="announce"> </div> <header class="md-header" data-md-component="header"> <nav class="md-header__inner md-grid" aria-label="Header"> <a href=".." title="Trammell Hudson's Projects" class="md-header__button md-logo" aria-label="Trammell Hudson's Projects" data-md-component="logo"> <img src="../images/logo.png" alt="logo"> </a> <label class="md-header__button md-icon" for="__drawer"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg> </label> <div class="md-header__title" data-md-component="header-title"> <div class="md-header__ellipsis"> <div class="md-header__topic"> <span class="md-ellipsis"> Trammell Hudson's Projects </span> </div> <div class="md-header__topic" data-md-component="header-topic"> <span class="md-ellipsis"> Yubikey </span> </div> </div> </div> <label class="md-header__button md-icon" for="__search"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg> </label> <div class="md-search" data-md-component="search" role="dialog"> <label class="md-search__overlay" for="__search"></label> <div class="md-search__inner" role="search"> <form class="md-search__form" name="search"> <input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required> <label class="md-search__icon md-icon" for="__search"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg> </label> <nav class="md-search__options" aria-label="Search"> <button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg> </button> </nav> </form> <div class="md-search__output"> <div class="md-search__scrollwrap" data-md-scrollfix> <div class="md-search-result" data-md-component="search-result"> <div class="md-search-result__meta"> Initializing search </div> <ol class="md-search-result__list" role="presentation"></ol> </div> </div> </div> </div> </div> <div class="md-header__source"> <a href="https://github.com/osresearch/" title="Go to repository" class="md-source" data-md-component="source"> <div class="md-source__icon md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg> </div> <div class="md-source__repository"> GitHub </div> </a> </div> </nav> </header> <div class="md-container" data-md-component="container"> <main class="md-main" data-md-component="main"> <div class="md-main__inner md-grid"> <div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" > <div class="md-sidebar__scrollwrap"> <div class="md-sidebar__inner"> <nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0"> <label class="md-nav__title" for="__drawer"> <a href=".." title="Trammell Hudson's Projects" class="md-nav__button md-logo" aria-label="Trammell Hudson's Projects" data-md-component="logo"> <img src="../images/logo.png" alt="logo"> </a> Trammell Hudson's Projects </label> <div class="md-nav__source"> <a href="https://github.com/osresearch/" title="Go to repository" class="md-source" data-md-component="source"> <div class="md-source__icon md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg> </div> <div class="md-source__repository"> GitHub </div> </a> </div> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle " data-md-toggle="__nav_1" type="checkbox" id="__nav_1" > <label class="md-nav__link" for="__nav_1" tabindex="0" aria-expanded="false"> Categories <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Categories" data-md-level="1"> <label class="md-nav__title" for="__nav_1"> <span class="md-nav__icon md-icon"></span> Categories </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../Category%3ARetrocomputing/" class="md-nav__link"> Retrocomputing </a> </li> <li class="md-nav__item"> <a href="../Category%3AVector_display/" class="md-nav__link"> Vector display </a> </li> <li class="md-nav__item"> <a href="../Category%3ARobots/" class="md-nav__link"> Robots </a> </li> <li class="md-nav__item"> <a href="../Category%3AClocks/" class="md-nav__link"> Clocks </a> </li> <li class="md-nav__item"> <a href="../Category%3A3D_Printing/" class="md-nav__link"> 3D Printing </a> </li> <li class="md-nav__item"> <a href="../Category%3ALaser_cutter/" class="md-nav__link"> Laser cutter </a> </li> <li class="md-nav__item"> <a href="../Category%3ATeensy/" class="md-nav__link"> Teensy </a> </li> <li class="md-nav__item"> <a href="../Category%3AMac/" class="md-nav__link"> Mac </a> </li> <li class="md-nav__item"> <a href="../Category%3APhotography/" class="md-nav__link"> Photography </a> </li> <li class="md-nav__item"> <a href="../Category%3AHobbies/" class="md-nav__link"> Hobbies </a> </li> <li class="md-nav__item"> <a href="../Category%3ALED/" class="md-nav__link"> LED </a> </li> <li class="md-nav__item"> <a href="../Category%3ALEDscape/" class="md-nav__link"> LEDscape </a> </li> <li class="md-nav__item"> <a href="../Category%3AReverse_engineering/" class="md-nav__link"> Reverse engineering </a> </li> <li class="md-nav__item"> <a href="../Category%3ATalks/" class="md-nav__link"> Talks </a> </li> <li class="md-nav__item"> <a href="../Category%3AHacks/" class="md-nav__link"> Hacks </a> </li> <li class="md-nav__item"> <a href="../Category%3ASecurity/" class="md-nav__link"> Security </a> </li> <li class="md-nav__item"> <a href="../Category%3AAircraft/" class="md-nav__link"> Aircraft </a> </li> <li class="md-nav__item"> <a href="../Category%3AArt/" class="md-nav__link"> Art </a> </li> <li class="md-nav__item"> <a href="../Category%3ABiking/" class="md-nav__link"> Biking </a> </li> <li class="md-nav__item"> <a href="../Category%3ALED/" class="md-nav__link"> Blinky </a> </li> <li class="md-nav__item"> <a href="../Category%3ABurning_Man/" class="md-nav__link"> Burning Man </a> </li> <li class="md-nav__item"> <a href="../Category%3AClasses/" class="md-nav__link"> Classes </a> </li> <li class="md-nav__item"> <a href="../Category%3ACoffee/" class="md-nav__link"> Coffee </a> </li> <li class="md-nav__item"> <a href="../Category%3AESP/" class="md-nav__link"> ESP </a> </li> <li class="md-nav__item"> <a href="../Category%3AFont/" class="md-nav__link"> Font </a> </li> <li class="md-nav__item"> <a href="../Category%3AGames/" class="md-nav__link"> Games </a> </li> <li class="md-nav__item"> <a href="../Category%3AInteractive_Show/" class="md-nav__link"> Interactive Show </a> </li> <li class="md-nav__item"> <a href="../Category%3ABeagleBone/" class="md-nav__link"> BeagleBone </a> </li> <li class="md-nav__item"> <a href="../Category%3APRU/" class="md-nav__link"> PRU </a> </li> <li class="md-nav__item"> <a href="../Category%3AMakerfaire/" class="md-nav__link"> Makerfaire </a> </li> <li class="md-nav__item"> <a href="../Category%3ANYCR/" class="md-nav__link"> NYCR </a> </li> <li class="md-nav__item"> <a href="../Category%3AOctober_First/" class="md-nav__link"> October First </a> </li> <li class="md-nav__item"> <a href="../Category%3AOscilloscope/" class="md-nav__link"> Oscilloscope </a> </li> <li class="md-nav__item"> <a href="../Category%3AROM/" class="md-nav__link"> ROM </a> </li> <li class="md-nav__item"> <a href="../Category%3ARadio/" class="md-nav__link"> Radio </a> </li> <li class="md-nav__item"> <a href="../Category%3ARaspberry_Pi/" class="md-nav__link"> Raspberry Pi </a> </li> <li class="md-nav__item"> <a href="../Category%3AShopbot/" class="md-nav__link"> Shopbot </a> </li> <li class="md-nav__item"> <a href="../Category%3ASoftware/" class="md-nav__link"> Software </a> </li> <li class="md-nav__item"> <a href="../Category%3ASparkCore/" class="md-nav__link"> SparkCore </a> </li> <li class="md-nav__item"> <a href="../Category%3AThingiverse/" class="md-nav__link"> Thingiverse </a> </li> <li class="md-nav__item"> <a href="../Category%3AUSB_Devices/" class="md-nav__link"> USB Devices </a> </li> <li class="md-nav__item"> <a href="../Category%3AVideo/" class="md-nav__link"> Video </a> </li> <li class="md-nav__item"> <a href="../Category%3AWearables/" class="md-nav__link"> Wearables </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle " data-md-toggle="__nav_2" type="checkbox" id="__nav_2" > <label class="md-nav__link" for="__nav_2" tabindex="0" aria-expanded="false"> Chronological <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Chronological" data-md-level="1"> <label class="md-nav__title" for="__nav_2"> <span class="md-nav__icon md-icon"></span> Chronological </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../Category%3A2010/" class="md-nav__link"> 2010 </a> </li> <li class="md-nav__item"> <a href="../Category%3A2011/" class="md-nav__link"> 2011 </a> </li> <li class="md-nav__item"> <a href="../Category%3A2012/" class="md-nav__link"> 2012 </a> </li> <li class="md-nav__item"> <a href="../Category%3A2013/" class="md-nav__link"> 2013 </a> </li> <li class="md-nav__item"> <a href="../Category%3A2014/" class="md-nav__link"> 2014 </a> </li> <li class="md-nav__item"> <a href="../Category%3A2015/" class="md-nav__link"> 2015 </a> </li> <li class="md-nav__item"> <a href="../Category%3A2016/" class="md-nav__link"> 2016 </a> </li> <li class="md-nav__item"> <a href="../Category%3A2017/" class="md-nav__link"> 2017 </a> </li> <li class="md-nav__item"> <a href="../Category%3A2018/" class="md-nav__link"> 2018 </a> </li> <li class="md-nav__item"> <a href="../Category%3A2019/" class="md-nav__link"> 2019 </a> </li> <li class="md-nav__item"> <a href="../Category%3A2020/" class="md-nav__link"> 2020 </a> </li> <li class="md-nav__item"> <a href="../Category%3A2021/" class="md-nav__link"> 2021 </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle " data-md-toggle="__nav_3" type="checkbox" id="__nav_3" > <label class="md-nav__link" for="__nav_3" tabindex="0" aria-expanded="false"> About <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="About" data-md-level="1"> <label class="md-nav__title" for="__nav_3"> <span class="md-nav__icon md-icon"></span> About </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../About/" class="md-nav__link"> About Me </a> </li> <li class="md-nav__item"> <a href="../PGP/" class="md-nav__link"> Contact </a> </li> </ul> </nav> </li> </ul> </nav> </div> </div> </div> <div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" > <div class="md-sidebar__scrollwrap"> <div class="md-sidebar__inner"> <nav class="md-nav md-nav--secondary" aria-label="Table of contents"> <label class="md-nav__title" for="__toc"> <span class="md-nav__icon md-icon"></span> Table of contents </label> <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix> <li class="md-nav__item"> <a href="#software" class="md-nav__link"> Software </a> </li> <li class="md-nav__item"> <a href="#create-your-key" class="md-nav__link"> Create your key </a> </li> <li class="md-nav__item"> <a href="#transfer-keys-to-hardware" class="md-nav__link"> Transfer keys to hardware </a> </li> <li class="md-nav__item"> <a href="#set-hardware-pins" class="md-nav__link"> Set hardware PINs </a> </li> <li class="md-nav__item"> <a href="#test-apple-mail" class="md-nav__link"> Test Apple Mail </a> </li> <li class="md-nav__item"> <a href="#gpg-agent-and-ssh" class="md-nav__link"> gpg-agent and ssh </a> </li> <li class="md-nav__item"> <a href="#now-what" class="md-nav__link"> Now What? </a> </li> </ul> </nav> </div> </div> </div> <div class="md-content" data-md-component="content"> <article class="md-content__inner md-typeset"> <h1>Yubikey</h1> <p><a href="https://www.flickr.com/photos/osr/15176226904/lightbox"><img src="https://live.staticflickr.com/7511/15176226904_c095ca5e1e_b.jpg" srcset="https://live.staticflickr.com/7511/15176226904_c095ca5e1e_b.jpg 1024w, https://live.staticflickr.com/7511/15176226904_c095ca5e1e.jpg 400w" /></a></p> <p><a href="/Edward_Snowden">Edward Snowden</a> says to trust in encryption, but you still need to worry about the security of the computer systems that run it:</p> <blockquote> <p><a href="http://techcrunch.com/2013/06/17/encrypting-your-email-works-says-nsa-whistleblower-edward-snowden/">Encryption works</a>. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.</p> </blockquote> <p>If you're worried that you're not paranoid enough about your communications security and want to improve your OpSec, it is actually fairly easy to go "full-Snowden" with hardware storage of your PGP secret keys. The Yubico <a href="https://www.yubico.com/products/yubikey-hardware/yubikey-neo/">Yubikey-Neo and Neo-N</a> USB tokens are a neat (and <a href="http://www.amazon.com/Yubico-Y-110-YubiKey-NEO-n/dp/B00O8ST7MM">cheap</a>) way to keep your keys locked in a hardware device rather than stored as a file on your harddrive. The hardware tokens are compatible with the <a href="https://en.wikipedia.org/wiki/OpenPGP card">OpenPGP card</a> protocol, which recent versions of <a href="https://en.wikipedia.org/wiki/GNU Privacy Guard">gnupg</a> support out-of-the-box. All of the public-key cryptography happens inside the tamper-proof device, so your secret key is never decrypted in the memory nor stored on disk of your machine.</p> <h2 id="software">Software</h2> <p><img alt="600px" src="/images/GPG_Tools_suite.png" /></p> <p><a href="https://gpgtools.org/gpgsuite.html">GPGTools</a> provides a very nice key management GUI as well as a plug-in for Apple Mail.app. It also bundles the commandline version of gnupg 2.0.22, which you will need for doing some specialized functions.</p> <p>Note that there is a bug in OS X Yosemite related to <a href="http://support.gpgtools.org/discussions/beta-feedback/79-usb-stick-with-gpg-card-token-no-longer-working">GPG card tokens not working</a>.</p> <h2 id="create-your-key">Create your key</h2> <p><img alt="" src="/images/GPG_new_key.png" /></p> <p>Run the <strong>GPG Keychain Access</strong> tool that the suite installed in /Applications and click the <strong>New Key</strong> button. Fill in your name and email and select the key type. The older Yubikey devices support up to RSA2048, so the defaults of "<strong>RSA and RSA</strong>" with length 2048 are correct. Yubikey Nano 4 added support for 4096 bit keys in late 2015 and you can select that if you want longer keys. Both devices also support secure key generation in hardware, but this requires some further steps in the terminal and is beyond the scope of this tutorial.</p> <p>Expiration dates aren't required, but they are good idea since nothing lasts forever. You can still decrypt old emails and documents, as well as verify signatures, with an expired key, but no one will send you new ones.</p> <p>You will need to pick a pass-phrase for the key -- make it a good one since it is the only thing that protects your key file while it is on disk. This <a href="https://www.unix-ag.uni-kl.de/~conrad/krypto/passphrase-faq.html">Passphrase FAQ</a> has some suggestions for picking a memorable one. You'll only need to type it in during these key operations and when you sign other users' keys.</p> <p><img alt="" src="/images/GPG_signing_subkey.png" /></p> <p>By default GPG Keychain tool create the primary key that has all access and one encryption subkey. For the cards you need to create a second subkey for signing. Double click on your key to bring up the <strong>Key Inspector</strong> window, select <strong>Subkeys</strong> and click <strong>+</strong> to create a new one of type <strong>RSA (sign only)</strong> and of length 2048.</p> <p><img alt="" src="/images/GPG_key_export.png" /></p> <p>At this point you should export your key and save it somewhere safely offline. Right click on your key in the main window and select "Export" and check <em>Allow secret key export</em>. As part of moving the keys into the hardware token they will be deleted from your keyring. If you were to lose the Yubikey, you would not be able to recover the keys.</p> <p><img alt="" src="/images/GPG_Key_revocation.png" /></p> <p>It is also worth creating a key revocation certificate. If you were to lose your keys or your passphrase, a pre-generated revocation certificate allows you to announce to the world that the key is no longer valid and should no longer be trusted. Right click on your key and save the revocation cert offline safely as well.</p> <p>Lastly, you can also now select to <strong>Send public key to Keyserver</strong>, which will make your public key available to others. This is how they will be able to encrypt messages that only you will be able to read and how they will be able to verify signatures that you make.</p> <h2 id="transfer-keys-to-hardware">Transfer keys to hardware</h2> <p>At this point we need to switch from the user-friendly GPG Keychain Access window to the gpg program in the terminal. Don't panic! Make note of your key's <em>Short ID</em> -- this is how it will be referenced with the command line utility. In this case mine is <code>17db29be</code></p> <p>Plug in your Yubikey and open Terminal.app (in /Applications/Utilities) and get ready for classic 1990s user interfaces. In these examples, the text you type is in bold, <code>%</code> is the shell prompt and everything else is printed by the <code>gpg</code> program.</p> <p>First you need to enable the OpenPGP Card / CCID mode. The <code>ykpersonalize</code> program can be downloaded from <a href="http://yubico.github.io/yubikey-personalization/releases.html">yubico on github</a>. You only need to do this once and can delete the program once you've run it.</p> <pre><code> % <b>~/Downloads/ykpers-1.16.0-mac/bin/ykpersonalize -m82</b> Firmware version 3.3.0 Touch level 1285 Program sequence 1 The USB mode will be set to: 0x82 Commit? (y/n) [n](n): <b>y</b> </code></pre> <p>Now let's edit your public key:</p> <pre><code> % <b>/usr/local/bin/gpg --edit-key 17db29be</b> gpg (GnuPG/MacGPG2) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Secret key is available. pub 2048R/17DB29BE created: 2014-11-16 expires: 2018-11-16 usage: SC trust: ultimate validity: ultimate sub 2048R/FAFFECA6 created: 2014-11-16 expires: 2018-11-16 usage: E sub 2048R/A9057450 created: 2014-11-16 expires: 2018-11-16 usage: S [ultimate](ultimate) (1). Trammell Hudson &lt;hudson@trmm.net> gpg> </code></pre> <p>GnuPG is now waiting for another command from you. We need to switch to editing the secret key portion of this key with the <code><b>toggle</b></code> command and then select the first non-primary key with the <code><b>key</b></code> command.</p> <pre><code> gpg> <b>toggle</b> sec 2048R/17DB29BE created: 2014-11-16 expires: 2018-11-16 ssb 2048R/FAFFECA6 created: 2014-11-16 expires: never ssb 2048R/A9057450 created: 2014-11-16 expires: never (1) Trammell Hudson &lt;hudson@trmm.net> gpg> <b>key 1</b> sec 2048R/17DB29BE created: 2014-11-16 expires: 2018-11-16 ssb* 2048R/FAFFECA6 created: 2014-11-16 expires: never ssb 2048R/A9057450 created: 2014-11-16 expires: never (1) Trammell Hudson &lt;hudson@trmm.net> </code></pre> <p>Now we'll run the <code><b>keytocard</b></code> command to copy this key to the card.</p> <pre><code> gpg> <b>keytocard</b> Signature key ....: none Encryption key....: none Authentication key: none Please select where to store the key: &nbsp; (2) Encryption key Your selection? <b>2</b> You need a passphrase to unlock the secret key for user: "Trammell Hudson &lt;hudson@trmm.net>" 2048-bit RSA key, ID FAFFECA6, created 2014-11-16 </code></pre> <p><img alt="" src="/images/GPG_passphrase.png" /></p> <p>It will pop up a dialog prompting for the passphrase to unlock the key at this point. You'll need to enter your passphrase. Once your secret key is unlocked, it will need the Admin PIN for the hardware token. The default is <code>12345678</code>; we will change it later. Once you've passed both of these dialogs, gnupg will print out the secret keys and show that key 1 has been copied to the card and no longer resides in the keyring:</p> <pre><code> sec 2048R/17DB29BE created: 2014-11-16 expires: 2018-11-16 ssb* 2048R/FAFFECA6 created: 2014-11-16 expires: never card-no: 0006 03036660 ssb 2048R/A9057450 created: 2014-11-16 expires: never (1) Trammell Hudson <hudson@trmm.net> </code></pre> <p>Now we need to deselect key 1, select key 2 and upload the signing key:</p> <pre><code> gpg> <b>key 1</b> sec 2048R/17DB29BE created: 2014-11-16 expires: 2018-11-16 ssb 2048R/FAFFECA6 created: 2014-11-16 expires: never card-no: 0006 03036660 ssb 2048R/A9057450 created: 2014-11-16 expires: never (1) Trammell Hudson &lt;hudson@trmm.net> gpg> <b>key 2</b> sec 2048R/17DB29BE created: 2014-11-16 expires: 2018-11-16 ssb 2048R/FAFFECA6 created: 2014-11-16 expires: never card-no: 0006 03036660 ssb* 2048R/A9057450 created: 2014-11-16 expires: never (1) Trammell Hudson &lt;hudson@trmm.net> gpg> <b>keytocard</b> Signature key ....: none Encryption key....: D04F 94C6 EF86 C150 9486 3F5C 2695 8563 FAFF ECA6 Authentication key: none Please select where to store the key: (1) Signature key (3) Authentication key Your selection? <b>1</b> You need a passphrase to unlock the secret key for user: "Trammell Hudson &lt;hudson@trmm.net>" 2048-bit RSA key, ID A9057450, created 2014-11-16 </code></pre> <p>Unlock the key as before. You won't need the admin PIN a second time since the token is unlocked.</p> <pre><code> sec 2048R/17DB29BE created: 2014-11-16 expires: 2018-11-16 ssb 2048R/FAFFECA6 created: 2014-11-16 expires: never card-no: 0006 03036660 ssb* 2048R/A9057450 created: 2014-11-16 expires: never card-no: 0006 03036660 (1) Trammell Hudson &lt;hudson@trmm.net> </code></pre> <p>Now both keys are transferred to the card. Save the changes to the secret key on disk and exit gnupg:</p> <pre><code> gpg> <b>save</b> </code></pre> <h2 id="set-hardware-pins">Set hardware PINs</h2> <p>Still in the terminal, we'll use GnuPG to edit the card values. Your values might differ slightly.</p> <pre><code> % <b>/usr/local/bin/gpg --card-edit</b> Application ID ...: D2760001240102000006030366600000 Version ..........: 2.0 Manufacturer .....: unknown Serial number ....: 03036660 Name of cardholder: Trammell Hudson Language prefs ...: [set](not) Sex ..............: unspecified URL of public key : https://pgp.mit.edu/pks/lookup?op=get&search=0xB65BFE540DEF86C0 Login data .......: hudson@trmm.net Signature PIN ....: forced Key attributes ...: 2048R 2048R 2048R Max. PIN lengths .: 127 127 127 PIN retry counter : 3 3 3 Signature counter : 12 Signature key ....: 7EBB 6AFB 7B36 B4EE 39AD 2EE1 AC49 5576 A905 7450 created ....: 2014-11-16 04:11:18 Encryption key....: D04F 94C6 EF86 C150 9486 3F5C 2695 8563 FAFF ECA6 created ....: 2014-11-16 04:09:21 Authentication key: 8175 10FD F418 2B9B 50BF DB03 DD20 72FC C749 00F0 created ....: 2014-11-16 03:55:59 General key info..: pub 2048R/A9057450 2014-11-16 Trammell Hudson &lt;hudson@trmm.net> sec 2048R/17DB29BE created: 2014-11-16 expires: 2018-11-16 ssb> 2048R/FAFFECA6 created: 2014-11-16 expires: 2018-11-16 card-no: 0006 03036660 ssb> 2048R/A9057450 created: 2014-11-16 expires: 2018-11-16 card-no: 0006 03036660 gpg/card> </code></pre> <p>Switch to <strong>Admin</strong> mode and change the PIN:</p> <pre><code> gpg/card> <b>admin</b> Admin commands are allowed gpg/card> <b>passwd</b> gpg: OpenPGP card no. D2760001240102000006030366600000 detected 1 - change PIN 2 - unblock PIN 3 - change Admin PIN 4 - set the Reset Code Q - quit Your selection? <b>1</b> </code></pre> <p>A dialog box should pop up asking for the current pin; the default is <code>123456</code>. The new pin must be at least 6 digits long or it will give you an error:</p> <pre><code> Error changing the PIN: Conditions of use not satisfied </code></pre> <p>If you have satisfied the condition, you'll get a success message:</p> <pre><code> PIN changed. </code></pre> <p>Repeat for the Admin PIN; this one must be 8 digits or longer.</p> <h2 id="test-apple-mail">Test Apple Mail</h2> <p><img alt="" src="/images/GPG_Apple_Mail_prefs.png" /></p> <p>Quit and restart Apple Mail. There should be a new preferences pane for <strong>GPGMail</strong>. Encrypting by default is a good idea.</p> <p><img alt="640px" src="/images/GPG_Apple_Mail.png" /></p> <p>When you create a new message, there should be an <strong>OpenPGP</strong> flag on the upper corner of the compose window and two new buttons that indicate <em>Encrypted</em> and <em>Signed</em>. If you have the public key for the recipient and have selected to default to encryption, the button should automatically be selected.</p> <h2 id="gpg-agent-and-ssh">gpg-agent and ssh</h2> <p>You can also use the GPG <strong>Authentiation key</strong> stored in the Yubikey for ssh authentication. <code>gpg-agent</code> can be used in place of <code>ssh-agent</code>; when you login to a remote host it will prompt you for your PIN (either via a popup or on the terminal). My <code>~/.gnupg/gpg-agent.conf</code> contains:</p> <div class="highlight"><pre><span></span><code>pinentry-program /usr/local/MacGPG2/libexec/pinentrymac.app/Contents/MacOS/pinentry-mac enable-ssh-support write-env-file use-standard-socket </code></pre></div> <p>And I have added these lines to my <code>~/.profile</code> to configure ssh to talk to gpg-agent:</p> <div class="highlight"><pre><span></span><code>if [ -r "~/.gpg-agent-info" ]; then . "~.gpg-agent-info" fi </code></pre></div> <p>To extract the public key for adding to <code>~/.ssh/authorized_keys</code> on the remote side, run <code>ssh-add&nbsp;-L</code>. it should print something like: <div class="highlight"><pre><span></span><code>ssh-rsa AAAAB3Nza[...](...) cardno:000603036660 </code></pre></div></p> <h2 id="now-what">Now What?</h2> <ul> <li>Encourage your friends to switch to encrypted email</li> <li>Go to a <a href="http://www.cryptoparty.in/">CryptoParty</a> and sign each others keys.</li> <li>Signing other people's keys</li> <li>Publishing to keyserver.</li> </ul>  <p><a href="/Category:2014"><span style='color:white; background-color:red'>2014</a> <a href="/Category:Security"><span style='color:white; background-color:red'>Security</a> <a href="/Category:Cryptography"><span style='color:white; background-color:red'>Cryptography</a> <a href="/Category:USB_Devices"><span style='color:white; background-color:red'>USB Devices</a></p> <hr> <div class="md-source-file"> <small> Last update: <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">November 8, 2020</span> </small> </div> </article> </div> </div> </main> <footer class="md-footer"> <div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> <div class="md-copyright"> Made with <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener"> Material for MkDocs </a> </div> <div class="md-social"> <a href="https://twitter.com/qrs" target="_blank" rel="noopener" title="twitter.com" class="md-social__link"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M459.37 151.716c.325 4.548.325 9.097.325 13.645 0 138.72-105.583 298.558-298.558 298.558-59.452 0-114.68-17.219-161.137-47.106 8.447.974 16.568 1.299 25.34 1.299 49.055 0 94.213-16.568 130.274-44.832-46.132-.975-84.792-31.188-98.112-72.772 6.498.974 12.995 1.624 19.818 1.624 9.421 0 18.843-1.3 27.614-3.573-48.081-9.747-84.143-51.98-84.143-102.985v-1.299c13.969 7.797 30.214 12.67 47.431 13.319-28.264-18.843-46.781-51.005-46.781-87.391 0-19.492 5.197-37.36 14.294-52.954 51.655 63.675 129.3 105.258 216.365 109.807-1.624-7.797-2.599-15.918-2.599-24.04 0-57.828 46.782-104.934 104.934-104.934 30.213 0 57.502 12.67 76.67 33.137 23.715-4.548 46.456-13.32 66.599-25.34-7.798 24.366-24.366 44.833-46.132 57.827 21.117-2.273 41.584-8.122 60.426-16.243-14.292 20.791-32.161 39.308-52.628 54.253z"/></svg> </a> <a href="https://flickr.com/osr" target="_blank" rel="noopener" title="flickr.com" class="md-social__link"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M400 32H48C21.5 32 0 53.5 0 80v352c0 26.5 21.5 48 48 48h352c26.5 0 48-21.5 48-48V80c0-26.5-21.5-48-48-48zM144.5 319c-35.1 0-63.5-28.4-63.5-63.5s28.4-63.5 63.5-63.5 63.5 28.4 63.5 63.5-28.4 63.5-63.5 63.5zm159 0c-35.1 0-63.5-28.4-63.5-63.5s28.4-63.5 63.5-63.5 63.5 28.4 63.5 63.5-28.4 63.5-63.5 63.5z"/></svg> </a> <a href="https://github.com/osresearch" target="_blank" rel="noopener" title="github.com" class="md-social__link"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6zm-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3zm44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9zM244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8zM97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1zm-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7zm32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1zm-11.4-14.7c-1.6 1-1.6 3.6 0 5.9 1.6 2.3 4.3 3.3 5.6 2.3 1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2z"/></svg> </a> <a href="https://social.v.st/@th" target="_blank" rel="noopener" title="social.v.st" class="md-social__link"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M433 179.11c0-97.2-63.71-125.7-63.71-125.7-62.52-28.7-228.56-28.4-290.48 0 0 0-63.72 28.5-63.72 125.7 0 115.7-6.6 259.4 105.63 289.1 40.51 10.7 75.32 13 103.33 11.4 50.81-2.8 79.32-18.1 79.32-18.1l-1.7-36.9s-36.31 11.4-77.12 10.1c-40.41-1.4-83-4.4-89.63-54a102.54 102.54 0 0 1-.9-13.9c85.63 20.9 158.65 9.1 178.75 6.7 56.12-6.7 105-41.3 111.23-72.9 9.8-49.8 9-121.5 9-121.5zm-75.12 125.2h-46.63v-114.2c0-49.7-64-51.6-64 6.9v62.5h-46.33V197c0-58.5-64-56.6-64-6.9v114.2H90.19c0-122.1-5.2-147.9 18.41-175 25.9-28.9 79.82-30.8 103.83 6.1l11.6 19.5 11.6-19.5c24.11-37.1 78.12-34.8 103.83-6.1 23.71 27.3 18.4 53 18.4 175z"/></svg> </a> </div> </div> </div> </footer> </div> <div class="md-dialog" data-md-component="dialog"> <div class="md-dialog__inner md-typeset"></div> </div> <script id="__config" type="application/json">{"base": "..", "features": [], "search": "../assets/javascripts/workers/search.e5c33ebb.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}}</script> <script src="../assets/javascripts/bundle.51d95adb.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.0/MathJax.js?config=TeX-MML-AM_CHTML"></script> </body> </html>

CINXE.COM

Yubikey - Trammell Hudson's Projects