Objective: Create a secure OpenPGP keypair, e.g. an offline master key with subkeys (aka "laptop keys") stored on a YubiKey NEO hardware device for everyday signing, encryption and authentication.
Below is a collection of notes and info that helped me navigate through a jungle of new concepts, jargon, bad UI decisions, broken software, bugs and other obstacles to reach the above goal. – Jonathan
This is an elegant device with many functions, including the ability to store OpenPGP keys and use them to sign, encrypt and/or authenticate. Once loaded, the private keys cannot be extracted from the device. The OpenPGP applet that performs these operations on the NEO (ykneo-openpgp, a JavaCard applet) is open source. NOTE: Yubico has released the "upgraded" YubiKey 4, whose firmware is not open source, and is phasing out the NEO-n. The maximum RSA key size on the YubiKey NEO is 2048 bits, which is fine for subkeys; the master key, which never leaves the offline machine, can be 4096 bits. The YubiKey 4 and later support 4096-bit RSA keys. The YubiKey 5 (firmware 5.2.3 and later) additionally supports Curve25519 (Ed25519 for signing and authentication, X25519 for encryption), which is recommended for both security and speed.
Please note that YubiKey NEO devices shipped before 2015-04-14 contain an insecure OpenPGP applet; check Yubico's security advisory of that date before trusting such a device with your keys.
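The key layout described above (4096-bit master that stays offline, 2048-bit subkeys that fit the NEO, and a "laptop" keyring holding only the secret subkeys) can be rehearsed without hardware. The script below is an added example written for these notes, not code from the original page or from the linked guides; it uses only standard GnuPG 2.1+ commands in throwaway homedirs. The user ID, the two-year expiry and the empty passphrase are assumptions for the demo.

```sh
#!/bin/sh
# Added example, not part of the original notes or of the guides they link:
# build the key layout described above with GnuPG 2.1+ in a throwaway
# GNUPGHOME, then produce the "laptop keys" (secret subkeys only) and verify
# that the primary's secret part is absent from them. Sizes follow the page:
# 4096-bit certify-only primary (stays offline), 2048-bit subkeys (NEO limit).
# The user ID, expiry and empty passphrase are assumptions for the demo only.
set -eu

# g HOMEDIR ARGS...: run gpg non-interactively against HOMEDIR. The empty
# passphrase keeps the demo unattended; a real offline master gets a strong one.
g() {
  _home=$1; shift
  GNUPGHOME=$_home gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# make_keypair DIR: certify-only primary plus sign/encrypt/auth subkeys.
# Prints the primary fingerprint.
make_keypair() {
  mkdir -p "$1" && chmod 700 "$1"
  g "$1" --quick-generate-key 'Example User <example@example.invalid>' rsa4096 cert never
  _fpr=$(g "$1" --list-secret-keys --with-colons | awk -F: '$1=="fpr" {print $10; exit}')
  g "$1" --quick-add-key "$_fpr" rsa2048 sign 2y   # S subkey
  g "$1" --quick-add-key "$_fpr" rsa2048 encr 2y   # E subkey
  g "$1" --quick-add-key "$_fpr" rsa2048 auth 2y   # A subkey (usable for SSH)
  printf '%s\n' "$_fpr"
}

# check_sizes DIR: succeed only if the primary is 4096-bit and all three
# subkeys are 2048-bit (the largest RSA size a NEO accepts) with S, E and A
# capabilities (field 12 of the --with-colons ssb record).
check_sizes() {
  g "$1" --list-secret-keys --with-colons | awk -F: '
    $1=="sec" && $3!=4096 { bad=1 }
    $1=="ssb" { n++; if ($3!=2048) bad=1; caps=caps $12 }
    END { exit !(!bad && n==3 && caps ~ /s/ && caps ~ /e/ && caps ~ /a/) }'
}

# laptop_keys SRC DST FPR: export only the secret subkeys from the offline
# keyring and import them into a second keyring, as you would onto the
# everyday machine (from which keytocard later moves them onto the YubiKey).
laptop_keys() {
  mkdir -p "$2" && chmod 700 "$2"
  g "$1" --export-secret-subkeys "$3" | g "$2" --import
}

# primary_offline DIR: succeed if the keyring holds only a stub for the
# primary, shown by "gpg -K" as "sec#" (field 15 is "#" in --with-colons).
primary_offline() {
  g "$1" --list-secret-keys --with-colons | awk -F: '$1=="sec" && $15=="#" { ok=1 } END { exit !ok }'
}

# cleanup DIR...: stop the per-homedir agents before deleting the scratch dirs.
cleanup() {
  for d in "$@"; do GNUPGHOME=$d gpgconf --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$@"
}

if [ "${1:-}" = demo ]; then
  work=$(mktemp -d)
  fpr=$(make_keypair "$work/master")
  check_sizes "$work/master" && echo "sizes OK: $fpr"
  laptop_keys "$work/master" "$work/laptop" "$fpr"
  primary_offline "$work/laptop" && echo "laptop keyring holds no primary secret key"
  GNUPGHOME=$work/laptop gpg -K          # primary is listed as "sec#"
  cleanup "$work/master" "$work/laptop"
  rmdir "$work"
fi
```

Run it with `sh keys.sh demo`. In the real procedure the "master" homedir lives on the offline machine and is backed up before anything else; the subkeys are then moved onto the card from the laptop keyring with `gpg --edit-key FPR`, `key N`, `keytocard` (covered in the linked guides). Note that `keytocard` moves rather than copies the key, so the offline backup is the only place the subkey's secret part survives afterwards.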
- PGP and SSH keys on a YubiKey NEO (Eric Severance) - Primary guide used for this setup.
- Offline GnuPG Master Key and Subkeys on YubiKey NEO Smartcard (Simon Josefsson)
- How to import an existing PGP key to a YubiKey
- Why Subkeys do not have a Public key
- Yubico developer signing keys.
- Using an OpenPGP SmartCard (some good troubleshooting info related to Linux, gpg smartcards like the YubiKey, etc)
- Creating the perfect gpg keypair
- OpenPGP Best Practices (riseup) - Good tips from those who need to do security right.
- Problems with apps sharing the same token on the Mac (error: `pcsc_connect failed: sharing violation (0x8010000b)`)
See gnupg.md for general info about GnuPG: tricks, configuration and usability options, plus info about the OpenPGP Web of Trust and signing keys.
WTFPL - See LICENSE for more info.