wtjerry/yubikey_setup_howto
yubikey setup howto

The following describes my current yubikey secret setup.

components

The following components are part of it:

  • yubikey: hardware key for gpg / ssh
  • pass: password manager (see also OpenKeychain and PasswordStore android)
  • gpg: commit signing, pass, encryption, .. (see also dotfiles repo)
  • ssh: git, remoting, rsync, .. (see also dotfiles and tasker repo)

one time setup of new smartcard

  1. using gpg --card-edit, enter admin first (without it, passwd only changes the user pin), then passwd:
    1. set pin (factory default 123456)
    2. set admin pin (factory default 12345678)
  2. potentially set touch policy, i.e. require a touch of the key for every use of a slot
    • ykman openpgp keys set-touch sig on, then the same for enc and aut (ykman before 4.0: ykman openpgp set-touch)
    • policies: on / off, cached (one touch is good for 15 s), fixed and cached-fixed (cannot be turned off again without a reset of the openpgp applet); check the result with ykman openpgp info

key rotation

  1. backup / preparation
    1. backup old private key (master, subkeys and the revocation certificate)
    2. ensure all devices have all pass changes upstreamed
  2. new key
    1. create new key and move the subkeys to the yubikey
      1. tutorial pages:
      2. general steps
        1. symlink .gnupg to the usb key (or point GNUPGHOME at it) to ensure the master key is never on the computer
        2. gen master key, certify (C) only; it is only used to sign the subkeys and other people's keys, so it stays on the usb key
        3. gen subkeys x3 (enc, sign, auth)
        4. --armor --export pubkey to somewhere
        5. --armor --export-secret-keys master to somewhere
        6. --armor --export-secret-subkeys to somewhere
        7. backup rev cert to somewhere (gpg >= 2.1 writes one into openpgp-revocs.d when the key is generated)
        8. --expert --edit-key, then key 1/2/3 to select one subkey at a time (toggle is only needed with gpg < 2.1)
        9. keytocard the selected subkey into its slot (sign = 1, enc = 2, auth = 3), deselect, repeat for the next one; keytocard replaces the local secret key with a stub, so verify the exports from steps 4-7 first
        10. rm symlink (or unset GNUPGHOME) so the computer keeps no copy of the master key
    2. change key on all devices
      1. push pub key to keyserver (eg https://sks.pgpkeys.eu/)
      2. store the pub key url on the smartcard (url command in gpg --card-edit) so fetch can pull it on any device
      3. import pub key to device (gpg --import, or fetch in gpg --card-edit), then gpg --card-status so the device creates secret key stubs pointing at the card
    3. ssh
      1. gpg -k --with-keygrip
      2. take keygrip of the Authenticate subkey and put into .gnupg/sshcontrol; gpg-agent.conf needs enable-ssh-support and SSH_AUTH_SOCK must point at gpg-agent's ssh socket
  3. update pass
    1. re-encrypt pass with the new key
      • (yes, I am aware that an attacker who has access to the previous version and later on gets access to a previous version of my keys would be able to access those passwords. That is just not part of my personal threat scenario)
    2. push pass
    3. get pass on all devices
  4. trust public key
    1. ssh-add -L to get ssh pubkey (works once gpg-agent acts as the ssh agent)
    2. update trusted pub key on (remove the old one once the new one works; for commit signing also upload the new gpg pub key):
      • github
      • gitlab
      • NAS
      • ADO work
  5. next steps
    1. create next todo/cal entry for key rotation
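
The rotation steps above written out as a script. This is an added example, not code from wtjerry's repo; it assumes (hypothetically) a usb key mounted at /media/usb, the identity "Jane Doe <jane@example.org>", one-year subkey expiry, gpg >= 2.1 and a pass store that is a git repo. It covers step 2 (key generation on the usb key, keytocard, the keygrip for sshcontrol, the card-status check) and step 3 (re-encrypting pass). keytocard stays interactive because pinentry asks for the passphrase and the admin pin. The two listings at the bottom are constructed samples in the shape of gpg --with-colons output (fake ids and serial) so the parsing helpers can be tried without a card.

```shell
#!/usr/bin/env bash
# Added example for the key rotation howto above, not part of wtjerry's repo.
# Hypothetical assumptions: usb key at /media/usb, identity below, gpg >= 2.1.
set -eu

USB_GNUPGHOME="${USB_GNUPGHOME:-/media/usb/gnupg}"
EXPORT_DIR="${EXPORT_DIR:-/media/usb/export}"
KEY_UID="${KEY_UID:-Jane Doe <jane@example.org>}"

# Steps 2.1.2.1-2.1.2.7: generate in a GNUPGHOME on the usb key so the
# certify-only master key never lands on the computer's disk, then export
# pub, master, subkeys and the revocation certificate BEFORE keytocard.
gen_keys() {
  export GNUPGHOME="$USB_GNUPGHOME"
  mkdir -p "$GNUPGHOME" "$EXPORT_DIR"
  chmod 700 "$GNUPGHOME"
  gpg --quick-generate-key "$KEY_UID" ed25519 cert never
  local fpr
  fpr=$(gpg -K --with-colons "$KEY_UID" | awk -F: '$1 == "fpr" { print $10; exit }')
  gpg --quick-add-key "$fpr" cv25519 encr 1y   # becomes key 1, card slot 2
  gpg --quick-add-key "$fpr" ed25519 sign 1y   # key 2, card slot 1
  gpg --quick-add-key "$fpr" ed25519 auth 1y   # key 3, card slot 3
  gpg --armor --export "$fpr"                >"$EXPORT_DIR/pub.asc"
  gpg --armor --export-secret-keys "$fpr"    >"$EXPORT_DIR/master.asc"
  gpg --armor --export-secret-subkeys "$fpr" >"$EXPORT_DIR/subkeys.asc"
  cp "$GNUPGHOME/openpgp-revocs.d/$fpr.rev"   "$EXPORT_DIR/revoke.asc"
  echo "$fpr"
}

# Steps 2.1.2.8-2.1.2.9: print the interactive sequence, then open the editor.
keys_to_card() {
  cat <<'EOF'
One subkey at a time (key N toggles the selection, the number answers the slot menu):
  key 1 / keytocard / 2 / key 1     encryption subkey -> slot 2
  key 2 / keytocard / 1 / key 2     signing subkey    -> slot 1
  key 3 / keytocard / 3 / key 3     auth subkey       -> slot 3
  save
EOF
  GNUPGHOME="$USB_GNUPGHOME" gpg --expert --edit-key "$1"
}

# Step 2.3: read `gpg -k --with-colons --with-keygrip` on stdin and print the
# keygrip of the auth subkey: field 12 of a sub/ssb record lists capabilities,
# and the grp record that follows it carries the keygrip in field 10.
auth_keygrip() {
  awk -F: '
    $1 == "pub" || $1 == "sec" { cap = "" }   # skip the master key grp line
    $1 == "sub" || $1 == "ssb" { cap = $12 }
    $1 == "grp" && cap ~ /a/   { print $10; exit }
  '
}

# Add the keygrip to sshcontrol once (line format: KEYGRIP TTL [flags]) and
# print how many lines now reference it; anything but 1 means a duplicate.
write_sshcontrol() {
  local grip="$1" file="${2:-$HOME/.gnupg/sshcontrol}"
  grep -qs "^${grip}" "$file" || printf '%s 0\n' "$grip" >>"$file"
  grep -c "^${grip}" "$file"
}

# Step 2.2.3 check: after `gpg --card-status` on a device, every ssb record of
# `gpg -K --with-colons` must carry the card serial in field 15 ("+" = secret
# key still on disk, "#" = stub without a card). Exit 0 only if all are on card.
subkeys_on_card() {
  awk -F: '
    $1 == "ssb" { n++; if ($15 == "" || $15 == "+" || $15 == "#") off++ }
    END { exit (n > 0 && off == 0) ? 0 : 1 }
  '
}

# Step 3: pass init with the new key id re-encrypts every entry; then push.
reencrypt_pass() {
  pass init "$1"
  pass git push
}

# Constructed sample (fake ids) of `gpg -K --with-colons --with-keygrip` right
# after gen_keys: "+" in field 15 means the secret keys are still on disk.
SAMPLE_ON_DISK='sec:u:256:22:0123456789ABCDEF:1700000000::::::cESCA:::+:::ed25519:::0:
fpr:::::::::AAAA000000000000000000000000000000000000:
grp:::::::::AAAA111111111111111111111111111111111111:
uid:u::::1700000000::0000::Jane Doe <jane@example.org>::::::::::0:
ssb:u:256:18:1111111111111111:1700000000:1731536000:::::e:::+:::cv25519::
grp:::::::::BBBB111111111111111111111111111111111111:
ssb:u:256:22:2222222222222222:1700000000:1731536000:::::s:::+:::ed25519::
grp:::::::::CCCC111111111111111111111111111111111111:
ssb:u:256:22:3333333333333333:1700000000:1731536000:::::a:::+:::ed25519::
grp:::::::::DDDD111111111111111111111111111111111111:'
# Same keys as seen on a device after keytocard + card-status: serial in field 15.
SAMPLE_ON_CARD=$(printf '%s\n' "$SAMPLE_ON_DISK" | sed 's/:+:::/:D2760001240103040006012345670000:::/')

if [ "${1:-}" = "rotate" ]; then
  FPR=$(gen_keys)
  keys_to_card "$FPR"
  GRIP=$(GNUPGHOME="$USB_GNUPGHOME" gpg -K --with-colons --with-keygrip "$FPR" | auth_keygrip)
  write_sshcontrol "$GRIP"
  reencrypt_pass "$FPR"
fi
```

Run it as `./rotate.sh rotate` with the usb key mounted; without the argument it only defines the helpers, so `gpg -K --with-colons | subkeys_on_card` can be used on each device after step 2.2.3 to confirm that no secret subkey material stayed on that machine.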

devices:

  • laptop
  • work laptop
  • phone
  • desktop pc
