Setting up GPG with private keys on Yubikey NEO

Why?

I have always felt a little nervous by having my private keys on different pc’s. If one machine gets compromised, it’s quite easy to steal. The solution is to have them on a write only HSM device like yubikey. It’s a reasonably priced USB smart card / OTP / HOPT / U2F device. It has an OpenGPG applet that can store 3 private keys.

By using the Yubikey I can safely move between different pc’s and bring my private keys safely with me on the Yubikey 🙂

How?

Download, check signature and burn a DVD with Tails OS (found at https://tails.boum.org). Boot it up without network. This is to ensure that we can safely handle our keys.

First we need to generate a keypair for our identity. This key has the ability to sign and certify. I put these two abilities in the key because the yubikey only has 3 key slots total.

$ gpg2 --expert --gen-key
   (8) RSA (set your own capabilities)
   Current allowed actions: Sign Certify 
   What keysize do you want? (2048) 
   Key is valid for? (0) 2y
   Is this correct? (y/N) y
   Real name: Alex Skov Jensen
   Email address: my@mail.org
   Comment: 

   pub 2048R/0xF8DF3D09276FD782 2017-01-05 [expires: 2019-01-05]
   Key fingerprint = 8906 92D0 ACA7 945E 6F82 DD3C F8DF 3D09 276F D782
   uid [ultimate] Alex Skov Jensen <my@mail.org>

Then we edit the key in order to add 2 other subkeys.

$ gpg2 --expert --edit-key 0xF8DF3D09276FD782
   pub 2048R/0xF8DF3D09276FD782 created: 2017-01-05 expires: 2019-01-05 usage: SC 
   trust: ultimate validity: ultimate
   [ultimate] (1). Alex Skov Jensen <my@mail.org>

addkey
   (8) RSA (set your own capabilities)
   Current allowed actions: Encrypt 
   What keysize do you want? (2048) 
   Key is valid for? (0) 2y
   Is this correct? (y/N) y
   Really create? (y/N) y

   pub 2048R/0xF8DF3D09276FD782 created: 2017-01-05 expires: 2019-01-05 usage: SC 
   trust: ultimate validity: ultimate
   sub 2048R/0xF48CE25582789068 created: 2017-01-05 expires: 2019-01-05 usage: E 
   [ultimate] (1). Alex Skov Jensen <my@mail.org>

addkey
   (8) RSA (set your own capabilities)
   Current allowed actions: Authenticate 
   What keysize do you want? (2048) 
   Key is valid for? (0) 2y
   Is this correct? (y/N) y
   Really create? (y/N) y

   pub 2048R/0xF8DF3D09276FD782 created: 2017-01-05 expires: 2019-01-05 usage: SC 
   trust: ultimate validity: ultimate
   sub 2048R/0xF48CE25582789068 created: 2017-01-05 expires: 2019-01-05 usage: E 
   sub 2048R/0x83D99E748D7CF4F8 created: 2017-01-05 expires: 2019-01-05 usage: A 
   [ultimate] (1). Alex Skov Jensen <my@mail.org>

save

Now we generate a revocation certificate, that we use if we ever loose control of our keys.

$ gpg2 --gen-revoke 0xF8DF3D09276FD782 > revoke-certificte-0xF8DF3D09276FD782.txt
   3 = Key is no longer used
   Enter an optional description; end it with an empty line:
   Is this okay? (y/N) y

Now we backup all the keys before we start moving them to the yubikey.

$ gpg2 -a --export-secret-keys 0xF8DF3D09276FD782 > secret-keys-in-keyring-0xF8DF3D09276FD782.txt

Then we move the private keys to the yubikey slots

$ gpg2 --edit-key 0xF8DF3D09276FD782
   pub 2048R/0xF8DF3D09276FD782 created: 2017-01-05 expires: 2019-01-05 usage: SC 
   trust: ultimate validity: ultimate
   sub 2048R/0xF48CE25582789068 created: 2017-01-05 expires: 2019-01-05 usage: E 
   sub 2048R/0x83D99E748D7CF4F8 created: 2017-01-05 expires: 2019-01-05 usage: A 
   [ultimate] (1). Alex Skov Jensen <my@mail.org>

toggle
   sec 2048R/0xF8DF3D09276FD782 created: 2017-01-05 expires: 2019-01-05
   ssb 2048R/0xF48CE25582789068 created: 2017-01-05 expires: never 
   ssb 2048R/0x83D99E748D7CF4F8 created: 2017-01-05 expires: never 
   (1) Alex Skov Jensen <my@mail.org>

keytocard
   Really move the primary key? (y/N) y
   (1) Signature key
   Replace existing key? (y/N) y

key 1
   sec 2048R/0xF8DF3D09276FD782 created: 2017-01-05 expires: 2019-01-05
   card-no: 0006 04874404
   ssb* 2048R/0xF48CE25582789068 created: 2017-01-05 expires: never 
   ssb 2048R/0x83D99E748D7CF4F8 created: 2017-01-05 expires: never 
   (1) Alex Skov Jensen <my@mail.org>

keytocard
 (2) Encryption key
 Replace existing key? (y/N) y

key 1
key 2
   sec 2048R/0xF8DF3D09276FD782 created: 2017-01-05 expires: 2019-01-05
   card-no: 0006 04874404
   ssb 2048R/0xF48CE25582789068 created: 2017-01-05 expires: never 
   card-no: 0006 04874404
   ssb* 2048R/0x83D99E748D7CF4F8 created: 2017-01-05 expires: never 
   (1) Alex Skov Jensen <my@mail.org>

keytocard
   (3) Authentication key
   Replace existing key? (y/N) y
save

Now we export the keys again. This time the keys will have references to the yubikey.

$ gpg2 -a --export-secret-keys 0xF8DF3D09276FD782 > secret-keys-on-yubikey-0xF8DF3D09276FD782.txt

Now all the public keys are in the keyring and the private keys are stored safely on the yubikey. Because I want to use the yubikey for SSH authorization I need a string I can add to ~/.ssh/authorized_keys on my linux-boxes…

$ gpg2 --export 0x83D99E748D7CF4F8 | openpgp2ssh 48D7CF4F8 > ssh-public-key-0x83D99E748D7CF4F8.txt

The following files I copy to a USB-stick and store them safe in a physical vault:

revoke-certificte-0xF8DF3D09276FD782.txt
secret-keys-in-keyring-0xF8DF3D09276FD782.txt
secret-keys-on-yubikey-0xF8DF3D09276FD782.txt

I then find another USB stick at copy “secret-keys-on-yubikey-0xF8DF3D09276FD782.txt” to it. I do this so that I can import it om my workstations, where I need my keys.

On the same stick I put the file “ssh-public-key-0x83D99E748D7CF4F8.txt” for copying to my linuxboxes (to ~/.ssh/authorized_keys)

To secure your yubikey, you should change the PIN, Admin PIN and Resetcode:

$ gpg2 --card-edit
admin
passwd
   1 - change PIN
   2 - unblock PIN
   3 - change Admin PIN
   4 - set the Reset Code


Leave a Reply

Your email address will not be published. Required fields are marked *