mirror of
https://github.com/drduh/YubiKey-Guide.git
synced 2024-12-23 00:48:57 +00:00
few more style nits
This commit is contained in:
parent
29563423c1
commit
6e19ae4cc4
24
README.md
24
README.md
@ -1413,9 +1413,9 @@ cd $GNUPGHOME
|
|||||||
|
|
||||||
## Switching between YubiKeys
|
## Switching between YubiKeys
|
||||||
|
|
||||||
When GnuPG key is added to YubiKey using the *keytocard* command, the key is deleted from the keyring and a *stub* is added, pointing to the YubiKey. The stub identifies the GnuPG key ID and YubiKey serial number.
|
When a GnuPG key is added to YubiKey using `keytocard`, the key is deleted from the keyring and a **stub** is added, pointing to the YubiKey. The stub identifies the GnuPG key ID and YubiKey serial number.
|
||||||
|
|
||||||
However, when the operation is repeated for an additional YubiKey, the stub is overwritten by the *keytocard* operation and now will point to the latest YubiKey.
|
When the operation is repeated for an additional YubiKey, the stub is overwritten `keytocard` and now will point to the latest YubiKey.
|
||||||
|
|
||||||
GnuPG will request a specific YubiKey by serial number, as referenced by the stub, and will not recognize another YubiKey with a different serial number without manual intervention.
|
GnuPG will request a specific YubiKey by serial number, as referenced by the stub, and will not recognize another YubiKey with a different serial number without manual intervention.
|
||||||
|
|
||||||
@ -1443,7 +1443,7 @@ Before completing setup, verify the following:
|
|||||||
|
|
||||||
Reboot to finish.
|
Reboot to finish.
|
||||||
|
|
||||||
If an ephemeral environment was not used for setup, delete secret keys from the keyring and [securely delete](https://srm.sourceforge.net/) `$GNUPGHOME`.
|
If an ephemeral environment was not used for setup, delete secret keys from the keyring and [securely delete](https://srm.sourceforge.net/) `$GNUPGHOME`
|
||||||
|
|
||||||
```console
|
```console
|
||||||
gpg --delete-secret-key $KEYID
|
gpg --delete-secret-key $KEYID
|
||||||
@ -1533,7 +1533,7 @@ export KEYID=0xF0F2CFEB04341FB5
|
|||||||
gpg --edit-key $KEYID
|
gpg --edit-key $KEYID
|
||||||
```
|
```
|
||||||
|
|
||||||
Assign ultimate trust by tying `trust` and selecting option `5`:
|
Assign ultimate trust by typing `trust` and selecting option `5`:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
gpg> trust
|
gpg> trust
|
||||||
@ -1688,8 +1688,6 @@ sudo mount /dev/mapper/secret /mnt/encrypted-storage
|
|||||||
|
|
||||||
Import the Certify key and configuration to a temporary working directory.
|
Import the Certify key and configuration to a temporary working directory.
|
||||||
|
|
||||||
Note that Windows users should import certify.gpg:
|
|
||||||
|
|
||||||
```console
|
```console
|
||||||
export GNUPGHOME=$(mktemp -d -t gnupg_$(date +%Y%m%d%H%M)_XXX)
|
export GNUPGHOME=$(mktemp -d -t gnupg_$(date +%Y%m%d%H%M)_XXX)
|
||||||
|
|
||||||
@ -1756,13 +1754,13 @@ Set the expiration date, then `save`
|
|||||||
Next, [Export public keys](#export-public-keys):
|
Next, [Export public keys](#export-public-keys):
|
||||||
|
|
||||||
```console
|
```console
|
||||||
gpg --armor --export $KEYID > gpg-$KEYID-$(date +%F).asc
|
gpg --armor --export $KEYID > $KEYID-$(date +%F).asc
|
||||||
```
|
```
|
||||||
|
|
||||||
Transfer the public key to the destination host, and then import it:
|
Transfer the public key to the destination host, and then import it:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
gpg --import gpg-0x*.asc
|
gpg --import 0x*.asc
|
||||||
```
|
```
|
||||||
|
|
||||||
Alternatively, publish to a public key server to update the expiration:
|
Alternatively, publish to a public key server to update the expiration:
|
||||||
@ -1781,7 +1779,7 @@ The validity of the GnuPG identity will be extended, allowing it to be used agai
|
|||||||
|
|
||||||
## Rotating keys
|
## Rotating keys
|
||||||
|
|
||||||
Follow the original steps to generate and add each Subkey.
|
Follow the original procedure to generate and add [Subkeys](#subkeys).
|
||||||
|
|
||||||
Previous Subkeys may be kept or deleted from the identity.
|
Previous Subkeys may be kept or deleted from the identity.
|
||||||
|
|
||||||
@ -1851,7 +1849,7 @@ Use `showpref` to verify notions were correctly added.
|
|||||||
|
|
||||||
# SSH
|
# SSH
|
||||||
|
|
||||||
**Tip** YubiKey can be used directly for SSH only, without GnuPG features, starting in [OpenSSH v8.2](https://www.openssh.com/txt/release-8.2). For more information, see [ed25519-sk.md](https://github.com/vorburger/vorburger.ch-Notes/blob/develop/security/ed25519-sk.md) and [Yubico - GitHub now supports SSH security keys](https://www.yubico.com/blog/github-now-supports-ssh-security-keys/).
|
**Tip** YubiKey can be used directly for SSH only, without GnuPG features, starting in [OpenSSH v8.2](https://www.openssh.com/txt/release-8.2). For more information, see [vorburger/ed25519-sk.md](https://github.com/vorburger/vorburger.ch-Notes/blob/develop/security/ed25519-sk.md) and [Yubico - GitHub now supports SSH security keys](https://www.yubico.com/blog/github-now-supports-ssh-security-keys/).
|
||||||
|
|
||||||
[gpg-agent](https://wiki.archlinux.org/title/GnuPG#SSH_agent) supports the OpenSSH ssh-agent protocol (`enable-ssh-support`) as well as PuTTy's Pageant on Windows (`enable-putty-support`). This means it can be used instead of the traditional ssh-agent / pageant. There are some differences from ssh-agent, notably that gpg-agent does not _cache_ keys rather it converts, encrypts and stores them persistently as keys, then makes them available to ssh clients. Any existing ssh private keys should be deleted after importing to GnuPG agent.
|
[gpg-agent](https://wiki.archlinux.org/title/GnuPG#SSH_agent) supports the OpenSSH ssh-agent protocol (`enable-ssh-support`) as well as PuTTy's Pageant on Windows (`enable-putty-support`). This means it can be used instead of the traditional ssh-agent / pageant. There are some differences from ssh-agent, notably that gpg-agent does not _cache_ keys rather it converts, encrypts and stores them persistently as keys, then makes them available to ssh clients. Any existing ssh private keys should be deleted after importing to GnuPG agent.
|
||||||
|
|
||||||
@ -2175,11 +2173,7 @@ The goal is to configure SSH client inside WSL work together with the Windows ag
|
|||||||
|
|
||||||
**Note** this works only for SSH agent forwarding. GnuPG forwarding for cryptographic operations is not supported. See [vuori/weasel-pageant](https://github.com/vuori/weasel-pageant) for more information.
|
**Note** this works only for SSH agent forwarding. GnuPG forwarding for cryptographic operations is not supported. See [vuori/weasel-pageant](https://github.com/vuori/weasel-pageant) for more information.
|
||||||
|
|
||||||
One way to forward is just `ssh -A` (still need to eval weasel to setup local ssh-agent), and only relies on OpenSSH. In this track, `ForwardAgent` and `AllowAgentForwarding` in ssh/sshd config may be involved. However, when using ssh socket forwarding, do not enable `ForwardAgent` in ssh config. See [SSH Agent Forwarding](#remote-machines-ssh-agent-forwarding) for more information. This requires:
|
One way to forward is just `ssh -A` (still need to eval weasel to setup local ssh-agent), and only relies on OpenSSH. In this track, `ForwardAgent` and `AllowAgentForwarding` in ssh/sshd config may be involved. However, when using ssh socket forwarding, do not enable `ForwardAgent` in ssh config. See [SSH Agent Forwarding](#remote-machines-ssh-agent-forwarding) for more information. This requires Ubuntu 16.04 or newer for WSL and Kleopatra.
|
||||||
|
|
||||||
* Ubuntu 16.04 or newer for WSL
|
|
||||||
* Kleopatra
|
|
||||||
* [Windows configuration](#windows)
|
|
||||||
|
|
||||||
Download [vuori/weasel-pageant](https://github.com/vuori/weasel-pageant).
|
Download [vuori/weasel-pageant](https://github.com/vuori/weasel-pageant).
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user