-
Notifications
You must be signed in to change notification settings - Fork 2
8 PGP SSH Config
The goal is to explain the generation and usage of PGP and SSH keys with Yubikeys.
DrDuh Yubikey Guide : the procedure below is adapted from DrDuh guide, albeit simplified (and less secure).
paru –S openssh gnupg pcsclite ccid hopenpgp-tools yubikey-personalization
Important
|
hopenpgp-tools installs 100+ Haskell dependencies which are updated super frequently. Uninstall it after this procedure with paru -Rns hopenpgp-tools if you don’t want to be bothered by this.
|
We will use the "batch" procedure. For full step by step, check DrDuh Yubikey Guide.
Tip
|
Generate a strong passphrase for the private key, and get ready to copy/paste it as it will be required many times. |
gpgconf --kill gpg-agent
cd $GNUPGHOME
curl -L "https://raw.githubusercontent.com/Jubijub/arch-config/master/home/jubi/.gnupg/gen-params-rsa4096" -O
gpg --batch --generate-key gen-params-rsa4096
Verify the key
gpg --list-key
gpg --quick-add-key $KEYFP rsa4096 sign 1y
gpg --quick-add-key $KEYFP rsa4096 encr 1y
gpg --quick-add-key $KEYFP rsa4096 auth 1y
gpg --expert --edit-key $KEYID
gpg> adduid
Real name: Dr Duh
Email address: DrDuh@other.org
Comment:
You selected this USER-ID:
"Dr Duh <DrDuh@other.org>"
sec rsa4096/0xFF3E7D88647EBCDB
created: 2017-10-09 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa4096/0xBECFA3C1AE191D15
created: 2017-10-09 expires: never usage: S
ssb rsa4096/0x5912A795E90DD2CF
created: 2017-10-09 expires: never usage: E
ssb rsa4096/0x3F29127E79649A3D
created: 2017-10-09 expires: never usage: A
[ultimate] (1). Dr Duh <doc@duh.to>
[ unknown] (2). Dr Duh <DrDuh@other.org>
gpg> trust
sec rsa4096/0xFF3E7D88647EBCDB
created: 2017-10-09 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa4096/0xBECFA3C1AE191D15
created: 2017-10-09 expires: never usage: S
ssb rsa4096/0x5912A795E90DD2CF
created: 2017-10-09 expires: never usage: E
ssb rsa4096/0x3F29127E79649A3D
created: 2017-10-09 expires: never usage: A
[ultimate] (1). Dr Duh <doc@duh.to>
[ unknown] (2). Dr Duh <DrDuh@other.org>
Please decide how far you trust this user to correctly verify other users\' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
sec rsa4096/0xFF3E7D88647EBCDB
created: 2017-10-09 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa4096/0xBECFA3C1AE191D15
created: 2017-10-09 expires: never usage: S
ssb rsa4096/0x5912A795E90DD2CF
created: 2017-10-09 expires: never usage: E
ssb rsa4096/0x3F29127E79649A3D
created: 2017-10-09 expires: never usage: A
[ultimate] (1). Dr Duh <doc@duh.to>
[ unknown] (2). Dr Duh <DrDuh@other.org>
gpg> uid 1
sec rsa4096/0xFF3E7D88647EBCDB
created: 2017-10-09 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa4096/0xBECFA3C1AE191D15
created: 2017-10-09 expires: never usage: S
ssb rsa4096/0x5912A795E90DD2CF
created: 2017-10-09 expires: never usage: E
ssb rsa4096/0x3F29127E79649A3D
created: 2017-10-09 expires: never usage: A
[ultimate] (1)* Dr Duh <doc@duh.to>
[ unknown] (2). Dr Duh <DrDuh@other.org>
gpg> primary
sec rsa4096/0xFF3E7D88647EBCDB
created: 2017-10-09 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa4096/0xBECFA3C1AE191D15
created: 2017-10-09 expires: never usage: S
ssb rsa4096/0x5912A795E90DD2CF
created: 2017-10-09 expires: never usage: E
ssb rsa4096/0x3F29127E79649A3D
created: 2017-10-09 expires: never usage: A
[ultimate] (1)* Dr Duh <doc@duh.to>
[ unknown] (2) Dr Duh <DrDuh@other.org>
gpg> save
gpg -K
It should displey something like this :
gpg -K
/tmp.FLZC0xcM/pubring.kbx
............................................................................
sec rsa4096/0xFF3E7D88647EBCDB 2017-10-09 [C]
Key fingerprint = 011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB
uid Dr Duh <doc@duh.to>
ssb rsa4096/0xBECFA3C1AE191D15 2017-10-09 [S] [expires: 2018-10-09]
ssb rsa4096/0x5912A795E90DD2CF 2017-10-09 [E] [expires: 2018-10-09]
ssb rsa4096/0x3F29127E79649A3D 2017-10-09 [A] [expires: 2018-10-09]
-
Verify the key against GPG best practices
gpg --export $KEYID | hokey lint
$ gpg --armor --export-secret-keys $KEYID > $GNUPGHOME/mastersub.key
$ gpg --armor --export-secret-subkeys $KEYID > $GNUPGHOME/sub.key
$ gpg --output $GNUPGHOME/revoke.asc --gen-revoke $KEYID
-
No specific reason
-
Write a rationale like
General purpose revocation certificate
and finish with a blank line.
I choose an insecure approach as I do this for convenience over security, follow DrDuh Yubikey Guide for more secure options.
$ sudo cp -avi $GNUPGHOME ~/Downloads
$ gpg --armor --export $KEYID | sudo tee ~/Downloads/<the name of your temp env>/gpg-$KEYID-$(date +%F).asc
$ gpg --keyserver keys.gnupg.net --send-key $KEYID
$ gpg --keyserver hkps://keyserver.ubuntu.com:443 --send-key $KEYID
$ gpg --keyserver pgp.mit.edu --send-key $KEYID
Warning
|
This will reset previously installed GPG keys, as well as the pin codes for the key. |
Important
|
You need to do this for all keys you want to use. |
ykman openpgp reset
gpg --card-edit
gpg/card> admin
Admin commands are allowed
gpg/card> passwd
gpg: OpenPGP card no. D2760001240102010006055532110000 detected
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 3
PIN changed.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 1
PIN changed.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? q
gpg/card> name
Cardholder's surname: Duh
Cardholder's given name: Dr
gpg/card> lang
Language preferences: en
gpg/card> login
Login data (account name): doc@duh.to
gpg/card> list
gpg/card> quit
This process is to be repeated on all keys. Doing so destroy the key, so you will need to restore the environment between keys.
$ gpg --edit-key $KEYID
key 1
keytocard
Select the Sign key (1)
key1
key 2
keytocard
Select the Encryption key (2)
key2
key 3
keytocard
Select the Authentication key (3)
key3
save
Verify the sub-keys have been moved to YubiKey as indicated by ssb>
:
$ gpg -K
/tmp.FLZC0xcM/pubring.kbx
..................................................................................
sec rsa4096/0xFF3E7D88647EBCDB 2017-10-09 [C]
Key fingerprint = 011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB
uid Dr Duh <doc@duh.to>
ssb> rsa4096/0xBECFA3C1AE191D15 2017-10-09 [S] [expires: 2018-10-09]
ssb> rsa4096/0x5912A795E90DD2CF 2017-10-09 [E] [expires: 2018-10-09]
ssb> rsa4096/0x3F29127E79649A3D 2017-10-09 [A] [expires: 2018-10-09]
keytocard
is a destructive process, so you will need to restore your backup into $GNUPGHOME
mv -vi $GNUPGHOME $GNUPGHOME.1 (1)
cp -avi ~/Downloads/<the name of your temp env>/ $GNUPGHOME
cd $GNUPGHOME
-
If you provision more than 2 keys, iterate .1, .2, etc…
$ paru -S srm
$ sudo srm -r $GNUPGHOME || sudo rm -rf $GNUPGHOME
$ gpg --delete-secret-key $KEYID
$ unset GNUPGHOME
Make sure GNUPGHOME is unset, otherwise the commands below won’t work, as it points to a temp directory instead of pointing to ~/.gnupg
At this point your keys are ready to function
Note
|
If you are reinstalling your computer with existing keys you’d like to reuse, you can directly start at this stage. |
cd ~/.gnupg
curl -L "https://raw.githubusercontent.com/drduh/config/master/gpg.conf" -O
chmod 600 ~/.gnupg/*
chmod 700 ~/.gnupg
gpg --homedir ~/.gnupg/ --import ~/Downloads/<the name of your temp env>/gpg-public-0x<the key id>-YYYY-MM-DD.asc
export KEYID=<the ID>
$ cd ~/.gnupg
$ curl -L "https://raw.githubusercontent.com/Jubijub/arch-config/master/home/jubi/.gnupg/gpg-agent.conf" -O
$ grep -ve "^#" gpg-agent.conf
enable-ssh-support
default-cache-ttl 60
max-cache-ttl 120
pinentry-program /usr/bin/pinentry-curses
-
Add to .zshrc
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent
-
Add to .zshenv
# Set SSH to use gpg-agent
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi
git config --global user.signingkey $KEYID
git config --global commit.gpgsign true (1)
-
prevents from having to specify the -S option on git commit to sign the commit. All commits will be autosigned.
-
SSH key
ssh-add -L
-
PGP key
gpg --list-secret-keys --keyid-format LONG <email> (1)
gpg --armor --export $KEYID
-
this line is optional, but you can retrieve the $KEYID if needed
-
Go in the interface
-
Add the keys using the exported versions above.
Use this procedure to restore a working environment
Import the latest public key (if the keys are expired, follow the procedure below)
mkdir ~/.gnupg
cd ~/.gnupg
gpg --import /<your backup>/gpg-0x<kEYID>-<date>.asc
export KEYID=<from the output of the previous command>
Import the config files
curl -L "https://raw.githubusercontent.com/drduh/config/master/gpg.conf" -O
curl -L "https://raw.githubusercontent.com/Jubijub/arch-config/master/home/jubi/.gnupg/gpg-agent.conf" -O
chmod 600 ~/.gnupg/*
chmod 700 ~/.gnupg
gpg-connect-agent "scd serialno" "learn --force" /bye
gpg-connect-agent updatestartuptty /bye
You may need to close Kitty and reopen it.
git config --global user.signingkey $KEYID
git config --global commit.gpgsign true (1)
-
prevents from having to specify the -S option on git commit to sign the commit. All commits will be autosigned.
export GNUPGHOME=$(mktemp -d -t gnupg_$(date +%Y%m%d%H%M)_XXX)
gpg --import /<your backup>/mastersub.key
cp -v /<your backup>/gpg.conf $GNUPGHOME
Edit the main key:
export KEYID=0xFF3E7D88647EBCDB
gpg --expert --edit-key $KEYID
gpg --edit-key $KEYID
Secret key is available.
sec rsa4096/0xFF3E7D88647EBCDB
created: 2017-10-09 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa4096/0xBECFA3C1AE191D15
created: 2017-10-09 expires: 2018-10-09 usage: S
ssb rsa4096/0x5912A795E90DD2CF
created: 2017-10-09 expires: 2018-10-09 usage: E
ssb rsa4096/0x3F29127E79649A3D
created: 2017-10-09 expires: 2018-10-09 usage: A
gpg> key 1
gpg> key 2
gpg> key 3
gpg> expire
Set a value of 1y
If you get a message like sign_and_send_pubkey: signing failed for RSA "cardno:9 031 456" from agent: agent refused operation
:
Close your terminal and restart it. Then launch :
gpg-connect-agent updatestartuptty /bye