# YubiKey 4 Setup

This guide assumes you already have a GPG key generated and saved as an `.asc` file. The YubiKey 4 can generate the GPG private key on the device itself, but a key generated on the card can never be exported or backed up, so for our needs we generate the GPG keys ahead of YubiKey setup using Tails and keep the secret key material on encrypted disks as much as possible.

# Reset The YubiKey

## Reset Main Slot Configuration

Download the [Personalization Tools](https://www.yubico.com/products/services-software/download/yubikey-personalization-tools/) (or install the packaged GUI below) and delete the configuration for ALL of the YubiKey's OTP slots.

``` bash
sudo apt install yubikey-personalization-gui
```

## Reset GPG Configuration

This wipes every key on the card's OpenPGP applet and returns the PINs to their factory defaults (user PIN `123456`, admin PIN `12345678`); there is no undo. The `VERIFY` APDUs (`00 20 00 81 ...` for the user PIN, `00 20 00 83 ...` for the admin PIN) deliberately submit a wrong PIN until each retry counter is exhausted, after which `TERMINATE DF` (`00 e6 00 00`) and `ACTIVATE FILE` (`00 44 00 00`) re-create the applet. The card must be plugged in and visible to `scdaemon`; type the lines into the interactive `gpg-connect-agent` session.

``` bash
gpg-connect-agent
/hex
scd serialno
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 e6 00 00
scd apdu 00 44 00 00
/echo Card has been successfully reset.
/bye
# Unplug / plug back in to ensure the card is fully reset
gpg --card-status # Should show a blank card: every key slot reads [none]
```

# Basic Slot Setup

Download the [Personalization Tools](https://www.yubico.com/products/services-software/download/yubikey-personalization-tools/) (or install the packaged GUI below) and set up YubiKey OTP 2FA in Slot 1. Leave Slot 2 unconfigured. You may need or want to set it up later, but that is outside the scope of this document.

``` bash
sudo apt install yubikey-personalization-gui
```

# GPG Setup

Make sure you have `gpg2` and `scdaemon` installed before doing anything further.
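Before provisioning the card, it helps to know what the `Reset GPG Configuration` step above actually asks the card to do. The following is an added example, not part of the original guide and not Yubico's or GnuPG's code: it decodes each APDU from that step (`CLA INS P1 P2 Lc data`, with instruction names taken from the OpenPGP card specification) and regenerates the `gpg-connect-agent` script for a given retry counter, since the number of wrong `VERIFY` attempts has to exceed the counter (factory default 3) before a PIN blocks. The function names `apdu_explain`, `openpgp_reset_script` and `count_verify` are this example's own; nothing in it touches a card.

```bash
#!/bin/sh
# Added example (not from the original guide): decode the APDUs used in the
# "Reset GPG Configuration" step and regenerate that gpg-connect-agent script.
# Each APDU is CLA INS P1 P2 [Lc data]. Instruction names follow the OpenPGP
# card specification: VERIFY = 0x20, TERMINATE DF = 0xE6, ACTIVATE FILE = 0x44.
# Nothing below talks to a card; it only builds and explains the byte strings.
set -e

# apdu_explain "00 20 00 81 08 40 40 40 40 40 40 40 40" -> one-line description
apdu_explain() {
    set -- $1                       # split the hex string into positional bytes
    ins=$2; p2=$4
    case "$ins" in
        20)
            # P2 selects the password: 81/82 = PW1 (user PIN), 83 = PW3 (admin PIN)
            case "$p2" in
                81|82) pw="PW1 (user PIN)" ;;
                83)    pw="PW3 (admin PIN)" ;;
                *)     pw="unknown PIN slot $p2" ;;
            esac
            # $5 is Lc, the length of the PIN that follows; '@' bytes are never a real PIN
            printf 'VERIFY %s, Lc=%s (deliberately wrong PIN)\n' "$pw" "$5" ;;
        e6|E6) printf 'TERMINATE DF (wipe the OpenPGP applet data)\n' ;;
        44)    printf 'ACTIVATE FILE (re-create the applet with factory defaults)\n' ;;
        *)     printf 'unknown instruction %s\n' "$ins" ;;
    esac
}

# openpgp_reset_script RETRIES -> the gpg-connect-agent script that blocks PW1
# and PW3 by sending RETRIES+1 wrong attempts each, then wipes and re-activates
# the applet. The guide sends 4 attempts against the default counter of 3.
openpgp_reset_script() {
    retries=${1:-3}
    attempts=$((retries + 1))
    wrong_pin="40 40 40 40 40 40 40 40"   # eight '@' bytes, as in the guide
    echo "/hex"
    echo "scd serialno"
    for pw in 81 83; do
        i=0
        while [ "$i" -lt "$attempts" ]; do
            echo "scd apdu 00 20 00 $pw 08 $wrong_pin"
            i=$((i + 1))
        done
    done
    echo "scd apdu 00 e6 00 00"
    echo "scd apdu 00 44 00 00"
    echo "/echo Card has been successfully reset."
    echo "/bye"
}

# count_verify SCRIPT P2 -> how many VERIFY APDUs in SCRIPT target PIN slot P2
count_verify() {
    printf '%s\n' "$1" | grep -c "scd apdu 00 20 00 $2 " || true
}
```

`openpgp_reset_script 3 | gpg-connect-agent` reproduces the interactive session from the reset step and is just as destructive, so run it only against the card you mean to wipe. If a card reports a different retry counter in `gpg --card-status` (`PIN retry counter : ...`), pass that value so every attempt actually lands.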
## Setup YubiKey For GPG

- [https://developers.yubico.com/PGP/Card_edit.html](https://developers.yubico.com/PGP/Card_edit.html)

The factory default PINs are `123456` (user PIN) and `12345678` (admin PIN); change both. The user PIN must be at least 6 characters and the admin PIN at least 8. In the `passwd` menu option `1` changes the user PIN and option `3` the admin PIN; each prompts for the current PIN first, then for the new one twice.

``` bash
gpg --card-status # Shouldn't show anything useful
gpg --card-edit
admin
passwd
1              # change PIN
123456         # current (factory default) user PIN, then enter the new PIN twice
3              # change Admin PIN
12345678       # current (factory default) admin PIN, then enter the new admin PIN twice
q
name
lang en
url https://lollipopcloud.solutions/gpg/lc_keys/kemonine.pub
login kemonine
quit
gpg --card-status
```

## Import GPG Keys

Remember: we pre-generate GPG keys for people. They need to be imported before setting up the YubiKey.

- [https://developers.yubico.com/PGP/Importing_keys.html](https://developers.yubico.com/PGP/Importing_keys.html)

`trust` level `5` marks the key as ultimately trusted, which is only appropriate for a key you own. `keytocard` copies the selected key to the card; once the edit session is saved, the secret key on disk is replaced by a stub that points at the card's serial number, so the `.asc` file on the encrypted disk is then the only full copy. Which slot a key can go to depends on its capabilities: a signing-capable key can go to slot 1 (Signature) or 3 (Authentication), an encryption subkey (`[E]`) to slot 2, an authentication subkey (`[A]`) to slot 3.

``` bash
gpg --import kemonine.asc
gpg --list-keys --keyid-format LONG
gpg --edit-key 2DCE25A15B872D5BF592BA009D79FBF661EC6779
trust
5
y
save
gpg --card-status
gpg --expert --edit-key 2DCE25A15B872D5BF592BA009D79FBF661EC6779
toggle         # harmless no-op on GnuPG 2.1 and later
keytocard      # no subkey selected: this moves the primary key
y              # "Really move the primary key?"
1              # Signature key slot
keytocard
y
3              # Authentication key slot
key 1          # select the first subkey
keytocard
2              # Encryption key slot
key 1          # deselect the first subkey
key 2          # select the second subkey
keytocard      # answer the slot prompt according to the subkey's capability
quit
y              # save: the local secret keys become stubs pointing at the card
gpg --card-status
gpg --list-secret-keys   # sec> / ssb> means the secret key lives on the card
# Unplug YubiKey
gpg --list-secret-keys   # the stubs are still listed; nothing usable is left on disk
```

# Setup Git GPG Signing

- [https://kemonine.info/post/2017/12/signed-git-commits/](https://kemonine.info/post/2017/12/signed-git-commits/)

Because the secret key is now only a stub, the YubiKey has to be plugged in whenever Git signs a commit, and `pinentry` will ask for the user PIN (subject to the cache TTLs configured for `gpg-agent`).

``` bash
gpg --list-secret-keys --keyid-format LONG
# Look for something like: rsa4096/9D79FBF661EC6779
# The part after the / is the long key ID to use with git; it is the last 16 hex digits of the fingerprint
# cd to the git project
git config commit.gpgsign true
git config user.signingkey [Your Key ID]
# Add the key to Gitea / GitLab: the contents of kemonine.pub (the exported public key) are what you paste into the Gitea instance
```

# SSH Auth with GPG Key

- [https://developers.yubico.com/PGP/SSH_authentication/](https://developers.yubico.com/PGP/SSH_authentication/)
- [https://kemonine.info/post/2017/12/gpg---ssh-auth/](https://kemonine.info/post/2017/12/gpg---ssh-auth/)
- [https://github.com/dainnilsson/scripts/blob/master/base-install/gpg.sh](https://github.com/dainnilsson/scripts/blob/master/base-install/gpg.sh)
- [https://mlohr.com/gpg-agent-ssh-gnome/](https://mlohr.com/gpg-agent-ssh-gnome/)

Install a terminal pinentry, point `gpg-agent` at it and enable the agent's ssh-agent emulation. The cache TTLs are in seconds: the PIN is asked again after 60 seconds without use and unconditionally after 120 seconds.

``` bash
apt install pinentry-curses
```

``` bash
ubuntu@ubuntu ~ $ cat ~/.gnupg/gpg-agent.conf
enable-ssh-support
pinentry-program /usr/bin/pinentry-curses
default-cache-ttl 60
max-cache-ttl 120
```

``` bash
ubuntu@ubuntu ~ $ cat ~/.gnupg/gpg.conf
personal-digest-preferences SHA256
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
```

``` bash
ubuntu@ubuntu ~ $ cat .bashrc
# append this to the bottom
export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
gpg-connect-agent updatestartuptty /bye
```

The socket path above is where systemd-based distributions place it; `gpgconf --list-dirs agent-ssh-socket` prints the actual location if yours differs. If the desktop session already starts `ssh-agent` or GNOME Keyring's SSH component, it will overwrite `SSH_AUTH_SOCK` after `.bashrc` has run, which is what the mlohr.com link above addresses. Once `scdaemon` has opened the card (running `gpg --card-status` is enough), `ssh-add -L` lists the authentication key with a `cardno:` comment; that line is the public key to place in `authorized_keys`.
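The guide's check points (a blank `gpg --card-status` after the reset, all three slots populated and only stubs left in `gpg --list-secret-keys` after `keytocard`, the long key ID for `git config user.signingkey`, and a card key appearing in `ssh-add -L` once `SSH_AUTH_SOCK` points at gpg-agent) can all be verified from captured command output. The following is an added example, not part of the original guide: the sample outputs are constructed to mirror real GnuPG and `ssh-add` output (the signature key fingerprint is the one used in this guide; the Encryption/Authentication fingerprints, the serial number and the SSH key blobs are placeholders), and the function names are this example's own.

```bash
#!/bin/sh
# Added example (not from the original guide): offline checks for the state the
# guide expects after each step, run against captured command output.
#   card_slot / pin_retries_ok      -> `gpg --card-status` (blank after reset, full after import)
#   signing_keyid / keyid_from_fpr  -> `gpg --list-secret-keys --keyid-format LONG` (git key id)
#   all_secret_keys_on_card         -> same listing; every sec/ssb must carry the card marker '>'
#   card_ssh_keys                   -> `ssh-add -L` (gpg-agent exposing the card key)
# The samples are constructed: the Encryption/Authentication fingerprints, the
# serial number and the SSH key blobs are placeholders, not real material.
set -e

SAMPLE_CARD_STATUS='Reader ...........: Yubico Yubikey 4 OTP U2F CCID 00 00
Application ID ...: D2760001240102010006000000010000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 00000001
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: 2DCE 25A1 5B87 2D5B F592  BA00 9D79 FBF6 61EC 6779
      created ....: 2017-12-01 00:00:00
Encryption key....: 1111 2222 3333 4444 5555  6666 7777 8888 9999 0000
      created ....: 2017-12-01 00:00:00
Authentication key: AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333
      created ....: 2017-12-01 00:00:00'

# What a freshly reset card looks like (only the lines the checks read).
BLANK_CARD_STATUS='PIN retry counter : 3 0 3
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]'

# A '>' after sec/ssb means the secret key is a stub pointing at the card.
SAMPLE_SECRET_LISTING='sec>  rsa4096/9D79FBF661EC6779 2017-12-01 [SC]
      2DCE25A15B872D5BF592BA009D79FBF661EC6779
      Card serial no. = 0006 00000001
uid           [ultimate] Example User <user@example.invalid>
ssb>  rsa4096/0123456789ABCDEF 2017-12-01 [E]
ssb>  rsa4096/FEDCBA9876543210 2017-12-01 [A]'

# gpg-agent labels card-backed keys with the card serial as the comment field.
SAMPLE_SSH_ADD='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderPlaceholderPlaceholderPlacehold user@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQPlaceholderPlaceholderPlaceholderPlaceholder cardno:000600000001'

# card_slot LABEL STATUS -> fingerprint without spaces, or [none]
card_slot() {
    printf '%s\n' "$2" | awk -v label="$1" \
        'index($0, label) == 1 { sub(/^[^:]*: */, ""); gsub(/ /, ""); print; exit }'
}

# pin_retries_ok STATUS -> true when neither the user PIN (1st counter) nor the
# admin PIN (3rd) is blocked. The middle counter is the reset code; 0 is normal.
pin_retries_ok() {
    set -- $(printf '%s\n' "$1" | awk -F': *' '/^PIN retry counter/ { print $2; exit }')
    [ "${1:-0}" -gt 0 ] && [ "${3:-0}" -gt 0 ]
}

# signing_keyid LISTING -> long key id of the primary key (the part after the '/')
signing_keyid() {
    printf '%s\n' "$1" | awk '$1 ~ /^sec/ { split($2, id, "/"); print id[2]; exit }'
}

# keyid_from_fpr FPR -> the long key id is the last 16 hex digits of the fingerprint
keyid_from_fpr() {
    printf '%s' "$1" | awk '{ print substr($0, length($0) - 15) }'
}

# all_secret_keys_on_card LISTING -> true when every sec/ssb line has the card marker
all_secret_keys_on_card() {
    total=$(printf '%s\n' "$1" | grep -Ec '^(sec|ssb)' || true)
    oncard=$(printf '%s\n' "$1" | grep -Ec '^(sec|ssb)>' || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$oncard" ]
}

# card_ssh_keys SSH_ADD_OUTPUT -> serial numbers of the card-backed keys, one per line
card_ssh_keys() {
    printf '%s\n' "$1" | awk '$3 ~ /^cardno:/ { sub(/^cardno:/, "", $3); print $3 }'
}

# verify_provisioned STATUS LISTING SSH_ADD_OUTPUT -> 0 when card, keyring and agent agree
verify_provisioned() {
    for slot in 'Signature key' 'Encryption key' 'Authentication key'; do
        fpr=$(card_slot "$slot" "$1")
        if [ -z "$fpr" ] || [ "$fpr" = '[none]' ]; then
            echo "card slot empty: $slot" >&2; return 1
        fi
    done
    pin_retries_ok "$1" || { echo "a card PIN is blocked" >&2; return 1; }
    all_secret_keys_on_card "$2" || { echo "a full secret key is still on disk" >&2; return 1; }
    [ "$(signing_keyid "$2")" = "$(keyid_from_fpr "$(card_slot 'Signature key' "$1")")" ] \
        || { echo "git signing key id does not match the card's signature key" >&2; return 1; }
    [ -n "$(card_ssh_keys "$3")" ] \
        || { echo "gpg-agent is not offering a card key over SSH_AUTH_SOCK" >&2; return 1; }
    echo "card, keyring and ssh-agent agree"
}
```

Against a live machine, feed it the real output: `verify_provisioned "$(gpg --card-status)" "$(gpg --list-secret-keys --keyid-format LONG)" "$(ssh-add -L)"`. A `>` after `sec`/`ssb` is what you should see with the card unplugged as well; a plain `sec` means a full secret key is still on disk, which is exactly what the unplug-and-list step at the end of the import section is checking for.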