This repository has been archived on 2022-08-05. You can view files and clone it, but cannot push or open issues or pull requests.
lollipopcloud/advanced/yubikey_notes.md


# Yubikey 4 Setup

This guide assumes you already have a GPG key generated and saved as an `.asc` file. The Yubikey 4 can generate the GPG private key on the device itself, but for our needs we generate the GPG keys ahead of Yubikey setup using Tails and keep the secret key material on encrypted disks as much as possible.

## Reset The Yubikey

### Reset Main Slot Configuration

Install the Personalization Tools (package below) and delete the configuration for ALL of the Yubikey's slots.


```bash
sudo apt install yubikey-personalization-gui
```

### Reset GPG Configuration


```bash
gpg-connect-agent
/hex
scd serialno
# Exhaust the retry counter of the user PIN (PW1, 0x81) with a wrong PIN
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
# Exhaust the retry counter of the admin PIN (PW3, 0x83) the same way
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
# TERMINATE DF followed by ACTIVATE FILE wipes the OpenPGP applet
scd apdu 00 e6 00 00
scd apdu 00 44 00 00
/echo Card has been successfully reset.
/bye

# Unplug / plug back in to ensure fully reset
gpg --card-status # Should show blank card
```

## Basic Slot Setup

Install the Personalization Tools (package below) and set up the Yubikey OTP 2FA in Slot 1. Leave Slot 2 unconfigured. You may need or want to set it up later, but that is outside the scope of this document.


```bash
sudo apt install yubikey-personalization-gui
```

## GPG Setup

Make sure you have `gpg2` and `scdaemon` installed before doing anything further.

### Setup Yubikey For GPG


```bash
gpg --card-status # Shouldn't show anything useful yet
gpg --card-edit
admin             # enable admin commands
passwd            # change both PINs away from the factory defaults
    1             # change the user PIN; 123456 is the factory default, entered as the current PIN
        123456
    3             # change the admin PIN; 12345678 is the factory default, entered as the current PIN
        12345678
    q
name
lang
    en
url               # where the public key can be fetched with `fetch` later
    https://lollipopcloud.solutions/gpg/lc_keys/kemonine.pub
login
    kemonine
quit
gpg --card-status # name, language, URL and login should now be set
```

### Import GPG Keys

Remember: we pre-generate GPG keys for people. They need to be imported before setting up the Yubikey.


```bash
gpg --import kemonine.asc
gpg --list-keys --keyid-format LONG
gpg --edit-key 2DCE25A15B872D5BF592BA009D79FBF661EC6779
trust
    5             # ultimate trust: this is your own key
    y
    save
gpg --card-status
gpg --expert --edit-key 2DCE25A15B872D5BF592BA009D79FBF661EC6779
toggle            # show the secret key side
keytocard         # primary key: confirm, then 1 = signature slot
    y
    1
keytocard         # primary key again: 3 = authentication slot
    y
    3
key 1             # select the first subkey
keytocard         # 2 = encryption slot
    2
key 1             # deselect the first subkey
key 2             # select the second subkey
keytocard         # second (authentication) subkey
quit
    y             # save changes: the secret keys on disk become card stubs
gpg --card-status
gpg --list-secret-keys   # keys should now be listed as stubs (sec> / ssb>) pointing at the card
# Unplug Yubikey
gpg --list-secret-keys   # with the card removed only the stubs remain; no usable secret key
```
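A scripted version of the last check above, added here and not part of the original notes: it parses `gpg --list-secret-keys --with-colons` output and fails if any secret key is not a card stub (i.e. if private key material is still in `~/.gnupg`) or if the stubs point at more than one card. The listings embedded below are constructed samples with placeholder key IDs and serial numbers.

```bash
#!/usr/bin/env bash
# Added post-migration check, not part of the original notes: after keytocard,
# every secret key gpg knows about should be a *card stub* that points at the
# Yubikey's serial number, with no private key material left in ~/.gnupg.
# In `gpg --list-secret-keys --with-colons` output, sec/ssb records carry the
# token serial in field 15, '#' for a stub with no card, or nothing when the
# real private key is still on disk.

# Reads a colon-format listing on stdin. Returns 0 when every sec/ssb record
# is a card stub and all stubs name the same card; otherwise prints the
# offending records and returns 1.
secret_keys_on_card() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            serial = $15
            if (serial == "" || serial == "#" || serial == "+") {
                printf "NOT ON CARD: %s %s (field 15 = \"%s\")\n", $1, $5, serial
                bad++
            } else {
                seen[serial]++
            }
        }
        END {
            n = 0
            for (s in seen) n++
            if (n == 0) { print "no card stubs found"; bad++ }
            if (n > 1) { print "stubs reference more than one card"; bad++ }
            if (bad > 0) exit 1
        }'
}

# Constructed sample listings (not captured from a real machine); key IDs,
# creation times and the serial number are made-up placeholders.
GOOD_LISTING='sec:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC:::D2760001240102010006000000010000::
ssb:u:4096:1:FEDCBA9876543210:1500000000::::::e:::D2760001240102010006000000010000::
ssb:u:4096:1:1122334455667788:1500000000::::::a:::D2760001240102010006000000010000::'

# Same keys, but the encryption subkey was never moved: field 15 is empty.
BAD_LISTING='sec:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC:::D2760001240102010006000000010000::
ssb:u:4096:1:FEDCBA9876543210:1500000000::::::e::::::
ssb:u:4096:1:1122334455667788:1500000000::::::a:::D2760001240102010006000000010000::'

# Real use: gpg --list-secret-keys --with-colons | secret_keys_on_card
if [ "${1:-}" = "--self-test" ]; then
    printf '%s\n' "$GOOD_LISTING" | secret_keys_on_card && echo "good listing: everything on card"
    printf '%s\n' "$BAD_LISTING" | secret_keys_on_card || echo "bad listing: private key material still on disk"
fi
```

Run it with `--self-test` to see both samples evaluated, or pipe the real listing into `secret_keys_on_card` after the keytocard step and before wiping the Tails/encrypted-disk copy.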

### Setup Git GPG Signing


```bash
gpg --list-secret-keys --keyid-format LONG
# Look for something like: rsa4096/9D79FBF661EC6779 -- the part after the / is the key id to use with git
# cd to git project
git config commit.gpgsign true
git config user.signingkey [Your Key ID]
# Add key to gitea / gitlab -- the contents of kemonine.pub are what you put into the gitea instance
```

### SSH Auth with GPG Key


```bash
sudo apt install pinentry-curses
```


```
ubuntu@ubuntu ~ $ cat ~/.gnupg/gpg-agent.conf
enable-ssh-support
pinentry-program /usr/bin/pinentry-curses
default-cache-ttl 60
max-cache-ttl 120
```


```
ubuntu@ubuntu ~ $ cat ~/.gnupg/gpg.conf
personal-digest-preferences SHA256
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
```


```
ubuntu@ubuntu ~ $ cat .bashrc # append this to the bottom
export GPG_TTY="$(tty)"
# agent socket path on systemd systems (the path `gpgconf --list-dirs agent-ssh-socket` reports)
export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
gpg-connect-agent updatestartuptty /bye
```