Why?
I have always felt a little nervous by having my private keys on different pc’s. If one machine gets compromised, it’s quite easy to steal. The solution is to have them on a write only HSM device like yubikey. It’s a reasonably priced USB smart card / OTP / HOPT / U2F device. It has an OpenGPG applet that can store 3 private keys.
By using the Yubikey I can safely move between different pc’s and bring my private keys safely with me on the Yubikey 🙂
How?
Download, check signature and burn a DVD with Tails OS (found at https://tails.boum.org). Boot it up without network. This is to ensure that we can safely handle our keys.
First we need to generate a keypair for our identity. This key has the ability to sign and certify. I put these two abilities in the key because the yubikey only has 3 key slots total.
$ gpg2 --expert --gen-key (8) RSA (set your own capabilities) Current allowed actions: Sign Certify What keysize do you want? (2048) Key is valid for? (0) 2y Is this correct? (y/N) y Real name: Alex Skov Jensen Email address: my@mail.org Comment: pub 2048R/0xF8DF3D09276FD782 2017-01-05 [expires: 2019-01-05] Key fingerprint = 8906 92D0 ACA7 945E 6F82 DD3C F8DF 3D09 276F D782 uid [ultimate] Alex Skov Jensen <my@mail.org>
Then we edit the key in order to add 2 other subkeys.
$ gpg2 --expert --edit-key 0xF8DF3D09276FD782 pub 2048R/0xF8DF3D09276FD782 created: 2017-01-05 expires: 2019-01-05 usage: SC trust: ultimate validity: ultimate [ultimate] (1). Alex Skov Jensen <my@mail.org> addkey (8) RSA (set your own capabilities) Current allowed actions: Encrypt What keysize do you want? (2048) Key is valid for? (0) 2y Is this correct? (y/N) y Really create? (y/N) y pub 2048R/0xF8DF3D09276FD782 created: 2017-01-05 expires: 2019-01-05 usage: SC trust: ultimate validity: ultimate sub 2048R/0xF48CE25582789068 created: 2017-01-05 expires: 2019-01-05 usage: E [ultimate] (1). Alex Skov Jensen <my@mail.org> addkey (8) RSA (set your own capabilities) Current allowed actions: Authenticate What keysize do you want? (2048) Key is valid for? (0) 2y Is this correct? (y/N) y Really create? (y/N) y pub 2048R/0xF8DF3D09276FD782 created: 2017-01-05 expires: 2019-01-05 usage: SC trust: ultimate validity: ultimate sub 2048R/0xF48CE25582789068 created: 2017-01-05 expires: 2019-01-05 usage: E sub 2048R/0x83D99E748D7CF4F8 created: 2017-01-05 expires: 2019-01-05 usage: A [ultimate] (1). Alex Skov Jensen <my@mail.org> save
Now we generate a revocation certificate, that we use if we ever loose control of our keys.
$ gpg2 --gen-revoke 0xF8DF3D09276FD782 > revoke-certificte-0xF8DF3D09276FD782.txt 3 = Key is no longer used Enter an optional description; end it with an empty line: Is this okay? (y/N) y
Now we backup all the keys before we start moving them to the yubikey.
$ gpg2 -a --export-secret-keys 0xF8DF3D09276FD782 > secret-keys-in-keyring-0xF8DF3D09276FD782.txt
Then we move the private keys to the yubikey slots
$ gpg2 --edit-key 0xF8DF3D09276FD782 pub 2048R/0xF8DF3D09276FD782 created: 2017-01-05 expires: 2019-01-05 usage: SC trust: ultimate validity: ultimate sub 2048R/0xF48CE25582789068 created: 2017-01-05 expires: 2019-01-05 usage: E sub 2048R/0x83D99E748D7CF4F8 created: 2017-01-05 expires: 2019-01-05 usage: A [ultimate] (1). Alex Skov Jensen <my@mail.org> toggle sec 2048R/0xF8DF3D09276FD782 created: 2017-01-05 expires: 2019-01-05 ssb 2048R/0xF48CE25582789068 created: 2017-01-05 expires: never ssb 2048R/0x83D99E748D7CF4F8 created: 2017-01-05 expires: never (1) Alex Skov Jensen <my@mail.org> keytocard Really move the primary key? (y/N) y (1) Signature key Replace existing key? (y/N) y key 1 sec 2048R/0xF8DF3D09276FD782 created: 2017-01-05 expires: 2019-01-05 card-no: 0006 04874404 ssb* 2048R/0xF48CE25582789068 created: 2017-01-05 expires: never ssb 2048R/0x83D99E748D7CF4F8 created: 2017-01-05 expires: never (1) Alex Skov Jensen <my@mail.org> keytocard (2) Encryption key Replace existing key? (y/N) y key 1 key 2 sec 2048R/0xF8DF3D09276FD782 created: 2017-01-05 expires: 2019-01-05 card-no: 0006 04874404 ssb 2048R/0xF48CE25582789068 created: 2017-01-05 expires: never card-no: 0006 04874404 ssb* 2048R/0x83D99E748D7CF4F8 created: 2017-01-05 expires: never (1) Alex Skov Jensen <my@mail.org> keytocard (3) Authentication key Replace existing key? (y/N) y save
Now we export the keys again. This time the keys will have references to the yubikey.
$ gpg2 -a --export-secret-keys 0xF8DF3D09276FD782 > secret-keys-on-yubikey-0xF8DF3D09276FD782.txt
Now all the public keys are in the keyring and the private keys are stored safely on the yubikey. Because I want to use the yubikey for SSH authorization I need a string I can add to ~/.ssh/authorized_keys on my linux-boxes…
$ gpg2 --export 0x83D99E748D7CF4F8 | openpgp2ssh 48D7CF4F8 > ssh-public-key-0x83D99E748D7CF4F8.txt
The following files I copy to a USB-stick and store them safe in a physical vault:
revoke-certificte-0xF8DF3D09276FD782.txt secret-keys-in-keyring-0xF8DF3D09276FD782.txt secret-keys-on-yubikey-0xF8DF3D09276FD782.txt
I then find another USB stick at copy “secret-keys-on-yubikey-0xF8DF3D09276FD782.txt” to it. I do this so that I can import it om my workstations, where I need my keys.
On the same stick I put the file “ssh-public-key-0x83D99E748D7CF4F8.txt” for copying to my linuxboxes (to ~/.ssh/authorized_keys)
To secure your yubikey, you should change the PIN, Admin PIN and Resetcode:
$ gpg2 --card-edit admin passwd 1 - change PIN 2 - unblock PIN 3 - change Admin PIN 4 - set the Reset Code