knowledge/YubiKey-Guide
1
0
Fork 0
mirror of https://github.com/drduh/YubiKey-Guide.git synced 2024-11-09 22:30:56 +00:00
Code Issues Releases Activity

Merge pull request #447 from drduh/wip-30jun24

Browse Source 
Export variables throughout (fix #434)
This commit is contained in:
drduh 2024-07-04 22:01:59 +00:00 committed by GitHub
commit d30f93ac32
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 27 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
README.md
View File

@ -291,6 +291,7 @@ verify-options show-uid-validity
with-fingerprint with-fingerprint
require-cross-certification require-cross-certification
no-symkey-cache no-symkey-cache
armor
use-agent use-agent
throw-keyids throw-keyids
``` ```
@ -304,13 +305,13 @@ When creating an identity with GnuPG, the default options ask for a "Real name",
Depending on how you plan to use GnuPG, set these values respectively: Depending on how you plan to use GnuPG, set these values respectively:
```console ```console
IDENTITY="YubiKey User <yubikey@example>" export IDENTITY="YubiKey User <yubikey@example>"
``` ```
Or use any attribute which will uniquely identity the key (this may be incompatible with certain use cases): Or use any attribute which will uniquely identity the key (this may be incompatible with certain use cases):
```console ```console
IDENTITY="My Cool YubiKey - 2024" export IDENTITY="My Cool YubiKey - 2024"
``` ```
## Key ## Key
@ -320,7 +321,7 @@ Select the desired algorithm and key size. This guide recommends 4096-bit RSA.
Set the value: Set the value:
```console ```console
KEY_TYPE=rsa4096 export KEY_TYPE=rsa4096
``` ```
## Expiration ## Expiration
@ -338,13 +339,13 @@ Subkeys must be renewed or rotated using the Certify key - see [Updating Subkeys
Set the expiration date to two years: Set the expiration date to two years:
```console ```console
EXPIRATION=2y export EXPIRATION=2y
``` ```
Or set the expiration date to a specific date to schedule maintenace: Or set the expiration date to a specific date to schedule maintenace:
```console ```console
EXPIRATION=2026-05-01 export EXPIRATION=2026-05-01
``` ```
## Passphrase ## Passphrase
@ -354,9 +355,9 @@ Generate a passphrase for the Certify key. It will be used infrequently to manag
The following commands will generate a strong passphrase and avoid ambiguous characters: The following commands will generate a strong passphrase and avoid ambiguous characters:
```console ```console
CERTIFY_PASS=$(LC_ALL=C tr -dc 'A-Z1-9' < /dev/urandom | \ export CERTIFY_PASS=$(LC_ALL=C tr -dc 'A-Z1-9' < /dev/urandom | \
tr -d "1IOS5U" | fold -w 30 | sed "-es/./ /"{1..26..5} | \ tr -d "1IOS5U" | fold -w 30 | sed "-es/./ /"{1..26..5} | \
cut -c2- | tr " " "-" | head -1) ; echo "$CERTIFY_PASS" cut -c2- | tr " " "-" | head -1) ; echo "\n$CERTIFY_PASS\n"
``` ```
Write the passphrase in a secure location, ideally separate from the portable storage device used for key material, or memorize it. Write the passphrase in a secure location, ideally separate from the portable storage device used for key material, or memorize it.
@ -385,9 +386,9 @@ gpg --batch --passphrase "$CERTIFY_PASS" \
Set and view the Certify key identifier and fingerprint for use later: Set and view the Certify key identifier and fingerprint for use later:
```console ```console
KEYID=$(gpg -k --with-colons "$IDENTITY" | awk -F: '/^pub:/ { print $5; exit }') export KEYID=$(gpg -k --with-colons "$IDENTITY" | awk -F: '/^pub:/ { print $5; exit }')
KEYFP=$(gpg -k --with-colons "$IDENTITY" | awk -F: '/^fpr:/ { print $10; exit }') export KEYFP=$(gpg -k --with-colons "$IDENTITY" | awk -F: '/^fpr:/ { print $10; exit }')
printf "\nKey ID: %40s\nKey FP: %40s\n\n" "$KEYID" "$KEYFP" printf "\nKey ID: %40s\nKey FP: %40s\n\n" "$KEYID" "$KEYFP"
``` ```
@ -494,9 +495,9 @@ Use [LUKS](https://dys2p.com/en/2023-05-luks-security.html) to encrypt the new p
Generate another unique [Passphrase](#passphrase) (ideally different from the one used for the Certify key) to protect the encrypted volume: Generate another unique [Passphrase](#passphrase) (ideally different from the one used for the Certify key) to protect the encrypted volume:
```console ```console
LUKS_PASS=$(LC_ALL=C tr -dc 'A-Z1-9' < /dev/urandom | \ export LUKS_PASS=$(LC_ALL=C tr -dc 'A-Z1-9' < /dev/urandom | \
tr -d "1IOS5U" | fold -w 30 | sed "-es/./ /"{1..26..5} | \ tr -d "1IOS5U" | fold -w 30 | sed "-es/./ /"{1..26..5} | \
cut -c2- | tr " " "-" | head -1) ; echo $LUKS_PASS cut -c2- | tr " " "-" | head -1) ; echo "\n$LUKS_PASS\n"
``` ```
This passphrase will also be used infrequently to access the Certify key and should be very strong. This passphrase will also be used infrequently to access the Certify key and should be very strong.
@ -703,7 +704,7 @@ Connect YubiKey and confirm its status:
gpg --card-status gpg --card-status
``` ```
If the card is locked, [Reset](#reset) it. If the card is locked, [Reset](#reset-yubikey) it.
## Change PIN ## Change PIN
@ -722,9 +723,9 @@ The *User PIN* must be at least 6 characters and the *Admin PIN* must be at leas
Set PINs manually or generate them, for example a 6 digit User PIN and 8 digit Admin PIN: Set PINs manually or generate them, for example a 6 digit User PIN and 8 digit Admin PIN:
```console ```console
ADMIN_PIN=$(LC_ALL=C tr -dc '0-9' < /dev/urandom | fold -w8 | head -1) export ADMIN_PIN=$(LC_ALL=C tr -dc '0-9' < /dev/urandom | fold -w8 | head -1)
USER_PIN=$(LC_ALL=C tr -dc '0-9' < /dev/urandom | fold -w6 | head -1) export USER_PIN=$(LC_ALL=C tr -dc '0-9' < /dev/urandom | fold -w6 | head -1)
printf "\nAdmin PIN: %12s\nUser PIN: %13s\n\n" "$ADMIN_PIN" "$USER_PIN" printf "\nAdmin PIN: %12s\nUser PIN: %13s\n\n" "$ADMIN_PIN" "$USER_PIN"
``` ```
@ -779,7 +780,7 @@ quit
EOF EOF
``` ```
Run `gpg --card-status` to verify results. Run `gpg --card-status` to verify results (*Login data* field).
# Transfer Subkeys # Transfer Subkeys
@ -851,7 +852,7 @@ The `>` after a tag indicates the key is stored on a smart card.
Verify you have done the following: Verify you have done the following:
- [ ] Memorized or wrote down the Certify key passphrase to a secure and durable location - [ ] Memorized or wrote down the Certify key (identity) passphrase to a secure and durable location
* `echo $CERTIFY_PASS` to see it again; [`passphrase.html`](https://raw.githubusercontent.com/drduh/YubiKey-Guide/master/passphrase.html) or [`passphrase.csv`](https://raw.githubusercontent.com/drduh/YubiKey-Guide/master/passphrase.csv) to transcribe it * `echo $CERTIFY_PASS` to see it again; [`passphrase.html`](https://raw.githubusercontent.com/drduh/YubiKey-Guide/master/passphrase.html) or [`passphrase.csv`](https://raw.githubusercontent.com/drduh/YubiKey-Guide/master/passphrase.csv) to transcribe it
- [ ] Memorized or wrote down passphrase to encrypted volume on portable storage - [ ] Memorized or wrote down passphrase to encrypted volume on portable storage
* `echo $LUKS_PASS` to see it again; [`passphrase.html`](https://raw.githubusercontent.com/drduh/YubiKey-Guide/master/passphrase.html) or [`passphrase.csv`](https://raw.githubusercontent.com/drduh/YubiKey-Guide/master/passphrase.csv) to transcribe it * `echo $LUKS_PASS` to see it again; [`passphrase.html`](https://raw.githubusercontent.com/drduh/YubiKey-Guide/master/passphrase.html) or [`passphrase.csv`](https://raw.githubusercontent.com/drduh/YubiKey-Guide/master/passphrase.csv) to transcribe it
@ -1026,7 +1027,7 @@ Decrypt the message - a prompt for the User PIN will appear:
gpg --decrypt --armor encrypted.txt gpg --decrypt --armor encrypted.txt
``` ```
To encrypt to multiple recipients/keys (set the preferred key ID last): To encrypt to multiple recipients/keys, set the preferred key ID last:
```console ```console
echo "test message string" | \ echo "test message string" | \
@ -1039,7 +1040,7 @@ Use a [shell function](https://github.com/drduh/config/blob/master/zshrc) to mak
```console ```console
secret () { secret () {
output=~/"${1}".$(date +%s).enc output="${1}".$(date +%s).enc
gpg --encrypt --armor --output ${output} \ gpg --encrypt --armor --output ${output} \
-r $KEYID "${1}" && echo "${1} -> ${output}" -r $KEYID "${1}" && echo "${1} -> ${output}"
} }
@ -1774,7 +1775,7 @@ sudo mount /dev/sdc2 /mnt/public
Copy the original private key materials to a temporary working directory: Copy the original private key materials to a temporary working directory:
```console ```console
GNUPGHOME=$(mktemp -d -t gnupg-$(date +%Y-%m-%d)-XXXXXXXXXX) export GNUPGHOME=$(mktemp -d -t gnupg-$(date +%Y-%m-%d)-XXXXXXXXXX)
cd $GNUPGHOME cd $GNUPGHOME
@ -1786,9 +1787,9 @@ Confirm the identity is available, set the key id and fingerprint:
```console ```console
gpg -K gpg -K
KEYID=$(gpg -k --with-colons "$IDENTITY" | awk -F: '/^pub:/ { print $5; exit }') export KEYID=$(gpg -k --with-colons "$IDENTITY" | awk -F: '/^pub:/ { print $5; exit }')
KEYFP=$(gpg -k --with-colons "$IDENTITY" | awk -F: '/^fpr:/ { print $10; exit }') export KEYFP=$(gpg -k --with-colons "$IDENTITY" | awk -F: '/^fpr:/ { print $10; exit }')
echo $KEYID $KEYFP echo $KEYID $KEYFP
``` ```
@ -1796,7 +1797,7 @@ echo $KEYID $KEYFP
Recall the Certify key passphrase and set it, for example: Recall the Certify key passphrase and set it, for example:
```console ```console
CERTIFY_PASS=ABCD-0123-IJKL-4567-QRST-UVWX export CERTIFY_PASS=ABCD-0123-IJKL-4567-QRST-UVWX
``` ```
## Renew Subkeys ## Renew Subkeys
@ -1804,16 +1805,17 @@ CERTIFY_PASS=ABCD-0123-IJKL-4567-QRST-UVWX
Determine the updated expiration, for example: Determine the updated expiration, for example:
```console ```console
EXPIRATION=2026-09-01 export EXPIRATION=2026-09-01
EXPIRATION=2y export EXPIRATION=2y
``` ```
Renew the Subkeys: Renew the Subkeys:
```console ```console
gpg --batch --pinentry-mode=loopback \ gpg --batch --pinentry-mode=loopback \
--passphrase "$CERTIFY_PASS" --quick-set-expire "$KEYFP" "$EXPIRATION" "*" --passphrase "$CERTIFY_PASS" --quick-set-expire "$KEYFP" "$EXPIRATION" \
$(gpg -K --with-colons | awk -F: '/^fpr:/ { print $10 }' | tail -n "+2" | tr "\n" " ")
``` ```
Export the updated public key: Export the updated public key: