mirror of
https://github.com/drduh/YubiKey-Guide.git
synced 2024-12-22 16:38:56 +00:00
Merge pull request #360 from drduh/wip-winter22
Fix issues #300, #331, #304, #322, #325
This commit is contained in:
commit
100767b0f8
14
README.md
@ -1183,6 +1183,8 @@ Once keys are moved to YubiKey, they cannot be moved again! Create an **encrypte
|
|||||||
|
|
||||||
As an additional backup measure, consider using a [paper copy](https://www.jabberwocky.com/software/paperkey/) of the keys. The [Linux Kernel Maintainer PGP Guide](https://www.kernel.org/doc/html/latest/process/maintainer-pgp-guide.html#back-up-your-master-key-for-disaster-recovery) points out that such printouts *are still password-protected*. It recommends to *write the password on the paper*, since it will be unlikely that you remember the original key password that was used when the paper backup was created. Obviously, you need a really good place to keep such a printout.
|
As an additional backup measure, consider using a [paper copy](https://www.jabberwocky.com/software/paperkey/) of the keys. The [Linux Kernel Maintainer PGP Guide](https://www.kernel.org/doc/html/latest/process/maintainer-pgp-guide.html#back-up-your-master-key-for-disaster-recovery) points out that such printouts *are still password-protected*. It recommends to *write the password on the paper*, since it will be unlikely that you remember the original key password that was used when the paper backup was created. Obviously, you need a really good place to keep such a printout.
|
||||||
|
|
||||||
|
It is strongly recommended to keep even encrypted OpenPGP private key material offline to deter [key overwriting attacks](https://www.kopenpgp.com/), for example.
|
||||||
|
|
||||||
**Linux**
|
**Linux**
|
||||||
|
|
||||||
Attach another external storage device and check its label:
|
Attach another external storage device and check its label:
|
||||||
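Review bot: the added sentence ends with a dangling "for example" that leaves unclear what it qualifies; suggest "to deter, for example, [key overwriting attacks](https://www.kopenpgp.com/)" or drop it. It would also help to say what "offline" means here, given the hunk header's instruction to create an encrypted backup: the encrypted volume holding the exported private keys should stay on removable media that is only mounted on the air-gapped machine, never on a networked host, because the attack described at the linked site assumes an adversary who can modify the encrypted key file.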
@ -2259,7 +2261,7 @@ max-cache-ttl 120
|
|||||||
pinentry-program /usr/bin/pinentry-curses
|
pinentry-program /usr/bin/pinentry-curses
|
||||||
```
|
```
|
||||||
|
|
||||||
**Important** The `cache-ttl` options do **NOT** apply when using a YubiKey as a smartcard as the PIN is [cached by the smartcard itself](https://dev.gnupg.org/T3362). Therefore, in order to clear the PIN from cache (smartcard equivalent to `default-cache-ttl` and `max-cache-ttl`), you need to unplug the YubiKey.
|
**Important** The `cache-ttl` options do **NOT** apply when using a YubiKey as a smartcard as the PIN is [cached by the smartcard itself](https://dev.gnupg.org/T3362). Therefore, in order to clear the PIN from cache (smartcard equivalent to `default-cache-ttl` and `max-cache-ttl`), you need to unplug the YubiKey, or set the `forcesig` flag when editing the card to be prompted for the PIN each time.
|
||||||
|
|
||||||
**Tip** Set `pinentry-program /usr/bin/pinentry-gnome3` for a GUI-based prompt. If the _pinentry_ graphical dialog doesn't show and you get this error: `sign_and_send_pubkey: signing failed: agent refused operation`, you may need to install the `dbus-user-session` package and restart the computer for the `dbus` user session to be fully inherited; this is because behind the scenes, `pinentry` complains about `No $DBUS_SESSION_BUS_ADDRESS found`, falls back to `curses` but doesn't find the expected `tty`.
|
**Tip** Set `pinentry-program /usr/bin/pinentry-gnome3` for a GUI-based prompt. If the _pinentry_ graphical dialog doesn't show and you get this error: `sign_and_send_pubkey: signing failed: agent refused operation`, you may need to install the `dbus-user-session` package and restart the computer for the `dbus` user session to be fully inherited; this is because behind the scenes, `pinentry` complains about `No $DBUS_SESSION_BUS_ADDRESS found`, falls back to `curses` but doesn't find the expected `tty`.
|
||||||
|
|
||||||
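Review bot: the new clause presents `forcesig` as an equivalent of clearing the cached PIN, but it only affects signing: the flag it toggles is the card's "Signature PIN forced" setting, so decryption and authentication keep using the PIN already verified on the card until the YubiKey is unplugged or reset. Suggest narrowing it to "...unplug the YubiKey, or toggle `forcesig` in `gpg --card-edit` (admin mode) so the signing PIN is requested for every signature". Since `forcesig` is a toggle rather than something you "set", the reader should confirm with `gpg --card-status` that `Signature PIN` now reads `forced`.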
@ -2543,7 +2545,7 @@ Now you can use PuTTY for public key SSH authentication. When the server asks fo
|
|||||||
The goal here is to make the SSH client inside WSL work together with the Windows agent you are using (gpg-agent.exe in our case). Here is what we are going to achieve:
|
The goal here is to make the SSH client inside WSL work together with the Windows agent you are using (gpg-agent.exe in our case). Here is what we are going to achieve:
|
||||||
![WSL agent architecture](media/schema_gpg.png)
|
![WSL agent architecture](media/schema_gpg.png)
|
||||||
|
|
||||||
**Note** this works only for SSH agent forwarding. Real GPG forwarding (encryption/decryption) is actually not supported. See the [weasel-pageant](https://github.com/vuori/weasel-pageant) readme for further information.
|
**Note** this works only for SSH agent forwarding. Real GPG forwarding (encryption/decryption) is actually not supported. See [weasel-pageant](https://github.com/vuori/weasel-pageant) for further information or consider using [wsl2-ssh-pageant](https://github.com/BlackReloaded/wsl2-ssh-pageant) which supports both SSH and GPG agent forwarding.
|
||||||
|
|
||||||
#### Use ssh-agent or use S.weasel-pegant
|
#### Use ssh-agent or use S.weasel-pegant
|
||||||
|
|
||||||
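Review bot: the rewritten note now contradicts itself: "Real GPG forwarding (encryption/decryption) is actually not supported" is immediately followed by a tool that "supports both SSH and GPG agent forwarding". Suggest scoping the first sentence to weasel-pageant, e.g. "With weasel-pageant this works only for SSH agent forwarding; real GPG forwarding is not supported. [wsl2-ssh-pageant](https://github.com/BlackReloaded/wsl2-ssh-pageant) supports both SSH and GPG agent forwarding." The heading in the trailing context still reads "S.weasel-pegant" (pageant misspelled), which this hunk could fix while it is touching the section.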
@ -2965,9 +2967,8 @@ Before you unmount your backup, ask yourself if you should make another one just
|
|||||||
- If you receive the error, `Please insert the card with serial number: *` see [using of multiple keys](#using-multiple-keys).
|
- If you receive the error, `Please insert the card with serial number: *` see [using of multiple keys](#using-multiple-keys).
|
||||||
|
|
||||||
- If you receive the error, `There is no assurance this key belongs to the named user` or `encryption failed: Unusable public key` use `gpg --edit-key` to set `trust` to `5 = I trust ultimately`.
|
- If you receive the error, `There is no assurance this key belongs to the named user` or `encryption failed: Unusable public key` use `gpg --edit-key` to set `trust` to `5 = I trust ultimately`.
|
||||||
- If, when you try the above `--edit-key` command, you get the error
|
|
||||||
`Need the secret key to do this.`, you can manually specify trust for the key in
|
- If, when you try the above `--edit-key` command, you get the error `Need the secret key to do this` - manually specify trust for the key in `~/.gnupg/gpg.conf` by using the `trust-key [key ID]` directive.
|
||||||
`~/.gnupg/gpg.conf` by using the `trust-key [your key ID]` directive.
|
|
||||||
|
|
||||||
- If, when using a previously provisioned YubiKey on a new computer with `pass`, you see the
|
- If, when using a previously provisioned YubiKey on a new computer with `pass`, you see the
|
||||||
following error on `pass insert`:
|
following error on `pass insert`:
|
||||||
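Review bot: the merged bullet keeps `trust-key [key ID]`, but gpg(1) spells the option `trusted-key`; a `trust-key` line in `gpg.conf` is reported as an invalid option, so please verify and correct the directive name in the same line. That option also expects a long key ID or fingerprint, so `[key ID]` would be clearer as `[long key ID or fingerprint]`. Minor: the " - " after the quoted error message is a stray dash where the neighbouring bullets use a comma.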
@ -2979,11 +2980,14 @@ Before you unmount your backup, ask yourself if you should make another one just
|
|||||||
|
|
||||||
- If you receive the error, `gpg: 0x0000000000000000: skipped: Unusable public key`, `signing failed: Unusable secret key`, or `encryption failed: Unusable public key` the sub-key may be expired and can no longer be used to encrypt nor sign messages. It can still be used to decrypt and authenticate, however.
|
- If you receive the error, `gpg: 0x0000000000000000: skipped: Unusable public key`, `signing failed: Unusable secret key`, or `encryption failed: Unusable public key` the sub-key may be expired and can no longer be used to encrypt nor sign messages. It can still be used to decrypt and authenticate, however.
|
||||||
|
|
||||||
|
- If you lost your GPG public key, follow [this guide](https://www.nicksherlock.com/2021/08/recovering-lost-gpg-public-keys-from-your-yubikey/) to recover it from YubiKey.
|
||||||
|
|
||||||
- Refer to Yubico article [Troubleshooting Issues with GPG](https://support.yubico.com/hc/en-us/articles/360013714479-Troubleshooting-Issues-with-GPG) for additional guidance.
|
- Refer to Yubico article [Troubleshooting Issues with GPG](https://support.yubico.com/hc/en-us/articles/360013714479-Troubleshooting-Issues-with-GPG) for additional guidance.
|
||||||
|
|
||||||
# Alternatives
|
# Alternatives
|
||||||
|
|
||||||
* [`piv-agent`](https://github.com/smlx/piv-agent) is an SSH and GPG agent which you can use with your PIV hardware security device (e.g. a Yubikey).
|
* [`piv-agent`](https://github.com/smlx/piv-agent) is an SSH and GPG agent which you can use with your PIV hardware security device (e.g. a Yubikey).
|
||||||
|
* [`keytotpm`](https://www.gnupg.org/documentation/manuals/gnupg/OpenPGP-Key-Management.html) is an option to use GnuPG with TPM systems.
|
||||||
|
|
||||||
# Links
|
# Links
|
||||||
|
|
||||||
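Review bot: the new `keytotpm` bullet describes it as "an option to use GnuPG with TPM systems", but the linked page is the `--edit-key` command reference: `keytotpm` is a subcommand of `gpg --edit-key` that moves the selected key into the TPM and requires GnuPG 2.3 or later with `tpm2d` running. Under "# Alternatives" it should be presented that way, and with the same one-way warning the guide gives for moving keys to a YubiKey: once moved, the key is bound to that TPM, so export a backup first. For the new recovery bullet above it, say what the linked procedure can recover: only keys present on the YubiKey (the subkeys moved there), not the public key of a certify key that was kept offline, so readers should still keep a copy of the exported public key.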