Editing GPG Guide

From Bibliotheca Anonoma

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 2: Line 2:


WIP (Ctrl-S's job)
WIP (Ctrl-S's job)


Guide for securely creating a PGP keyset.
Guide for securely creating a PGP keyset.
Line 7: Line 8:
Some smartcards support longer keys.
Some smartcards support longer keys.
This guide will use 2048 bit RSA keys for as much security as is currently practical.
This guide will use 2048 bit RSA keys for as much security as is currently practical.




Line 18: Line 20:
* Decide how long you want the keys to remain valid.
* Decide how long you want the keys to remain valid.
* It is supposed to be possible to increase this time at a later time, bot I don't know how this shit works yet.
* It is supposed to be possible to increase this time at a later time, bot I don't know how this shit works yet.
* Command notation quickref:
<syntaxhighlight lang="bash">
## Double hash symbol(##) This is a comment, just for you to read.
$ nano somefile.txt ## <- Dollar sign ($) That was a command in BASH running as a normal user.
$ sudo nano somefile.txt ## <- That was a regular user using sudo to run a command as root.
# nano somefile.txt ## <- Single hash (#) sign -That was running a command a root.
## (The root account is a superuser with complete authority over the system.)
gpg> help ## <- That was a command inside the gpg program's subshell.
</syntaxhighlight>




Line 88: Line 80:
# Let machine boot into persistant liveusb
# Let machine boot into persistant liveusb
# Ubuntu desktop environment should be displayed on your computer.
# Ubuntu desktop environment should be displayed on your computer.


=== Update liveUSB software ===
=== Update liveUSB software ===
Line 118: Line 111:
</syntaxhighlight>
</syntaxhighlight>


This is an example of expected output with a yubikey 5 with values removed for confidentiality:
<syntaxhighlight lang="bash">
$ gpg --card-edit list


Reader ...........: [REMOVED]
Application ID ...: [REMOVED]
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: [REMOVED]
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: on
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]


gpg/card>
</syntaxhighlight>


== Remove machine from network ==
== Remove machine from network ==
* Remove all network cables from the machine.
Remove all network cables from the machine.
* Turn off all wifi devices on the machine.
Turn off all wifi devices on the machine.
* Test by running:
Test by running:
<syntaxhighlight lang="bash">
$ ping 8.8.8.8
$ ping 8.8.8.8
</syntaxhighlight>
You should fail to connect.
* You should fail to connect.
 


== Generate keys ==
== Generate keys ==
* !!! BE OFFLINE !!!
* !!! BE OFFLINE !!!
=== GPG Secret keys ===
* Create master key:
* Create master as demonstrated in the following example:
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
$ gpg --full-gen-key
$ gpg --full-gen-key
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
 
Please select what kind of key you want:
  (1) RSA and RSA (default)
  (2) DSA and Elgamal
  (3) DSA (sign only)
  (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
        0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
 
GnuPG needs to construct a user ID to identify your key.
 
Real name: fakename
Email address: [email protected]
Comment: fake person comment
You selected this USER-ID:
    "fakename (fake person comment) <[email protected]>"
 
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key BEBEAAF16847B703 marked as ultimately trusted
gpg: directory '/home/pi/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/pi/.gnupg/openpgp-revocs.d/196CBE3A87E329179CC27B5CBEBEAAF16847B703.rev'
public and secret key created and signed.
 
pub  rsa4096 2020-02-12 [SC]
      196CBE3A87E329179CC27B5CBEBEAAF16847B703
uid                      fakename (fake person comment) <[email protected]>
sub  rsa4096 2020-02-12 [E]
</syntaxhighlight>
</syntaxhighlight>
* This master key should be 4096 bits in size.
# This master key should be 4096 bits in size


* When asked: "Please select what kind of key you want:"
# When asked: "Please select what kind of key you want:"
** Choose: "(1) RSA and RSA (default)"
Choose: "(1) RSA and RSA (default)"


* When asked: What keysize do you want?
# When asked: What keysize do you want?
** Choose: 4096
# Choose: 4096


* When asked: "Please specify how long the key should be valid."
# When asked: "Please specify how long the key should be valid."
** Choose: 0 = key does not expire
Choose: 0 = key does not expire


*A hexadecimal 'name' for the key you just generated should be displayed in the console.
A hexadecimal 'name' for the key you just generated should be displayed in the console.
Select it, and copy the text to the clipboard by right-clicking the highlighted text and choosing "copy".
Select it, and copy the text to the clipboard by right-clicking the highlighted text and choosing "copy".
** In the example this keyname was <code>196CBE3A87E329179CC27B5CBEBEAAF16847B703</code>


=== Create subkeys for actual use ===
* One subkey for each of: Encrypt, Authenticate, Sign
* These subkeys should each be 2048 bits in size so they can fit onto all common smartcards.
* (To create subkeys as shown you must use the <code>--expert</code> command-line argument)
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
$ gpg --expert --edit-key KEYNAME
$ gpg --edit-key KEYNAME
</syntaxhighlight>
</syntaxhighlight>


* Example of creating subkeys:
=== Create subkeys for actual use ===
<syntaxhighlight lang="bash">
One subkey for each of: Encrypt, Authenticate, Sign
$ gpg --expert --edit-key 196CBE3A87E329179CC27B5CBEBEAAF16847B703
These subkeys should each be 2048 bits in size so they can fit onto all common smartcards.
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
 
Secret key is available.
 
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:  1  signed:  0  trust: 0-, 0q, 0n, 0m, 0f, 1u
sec  rsa4096/BEBEAAF16847B703
    created: 2020-02-12  expires: never      usage: SC
    trust: ultimate      validity: ultimate
ssb  rsa4096/2975948F8F5E65F7
    created: 2020-02-12  expires: never      usage: E
[ultimate] (1). fakename (fake person comment) <[email protected]>
 
gpg> key 1 ## Selecting the automatically-generated subkey to delete it.
 
sec  rsa4096/BEBEAAF16847B703
    created: 2020-02-12  expires: never      usage: SC
    trust: ultimate      validity: ultimate
ssb* rsa4096/2975948F8F5E65F7
    created: 2020-02-12  expires: never      usage: E
[ultimate] (1). fakename (fake person comment) <[email protected]>
 
gpg> delkey ## Deleting the automatically-generated subkey.
Do you really want to delete this key? (y/N) y
 
sec  rsa4096/BEBEAAF16847B703
    created: 2020-02-12  expires: never      usage: SC
    trust: ultimate      validity: ultimate
[ultimate] (1). fakename (fake person comment) <[email protected]>
 
gpg> addkey ## Adding a subkey to "Sign" (1/3)...
Please select what kind of key you want:
  (3) DSA (sign only)
  (4) RSA (sign only)
  (5) Elgamal (encrypt only)
  (6) RSA (encrypt only)
  (7) DSA (set your own capabilities)
  (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
Your selection? 8
 
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt
 
  (S) Toggle the sign capability
  (E) Toggle the encrypt capability
  (A) Toggle the authenticate capability
  (Q) Finished
 
Your selection? e
 
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign
 
  (S) Toggle the sign capability
  (E) Toggle the encrypt capability
  (A) Toggle the authenticate capability
  (Q) Finished
 
Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
        0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
 
sec  rsa4096/BEBEAAF16847B703
    created: 2020-02-12  expires: never      usage: SC
    trust: ultimate      validity: ultimate
ssb  rsa4096/203E068632D2C436
    created: 2020-02-12  expires: never      usage: S
[ultimate] (1). fakename (fake person comment) <[email protected]>
 
gpg> addkey ## Adding a subkey to "Encrypt" (2/3)...
Please select what kind of key you want:
  (3) DSA (sign only)
  (4) RSA (sign only)
  (5) Elgamal (encrypt only)
  (6) RSA (encrypt only)
  (7) DSA (set your own capabilities)
  (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
Your selection? 8
 
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt
 
  (S) Toggle the sign capability
  (E) Toggle the encrypt capability
  (A) Toggle the authenticate capability
  (Q) Finished
 
Your selection? s
 
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt
 
  (S) Toggle the sign capability
  (E) Toggle the encrypt capability
  (A) Toggle the authenticate capability
  (Q) Finished
 
Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
        0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
 
sec  rsa4096/BEBEAAF16847B703
    created: 2020-02-12  expires: never      usage: SC
    trust: ultimate      validity: ultimate
ssb  rsa4096/203E068632D2C436
    created: 2020-02-12  expires: never      usage: S
ssb  rsa4096/96F8E1C255A68B9D
    created: 2020-02-12  expires: never      usage: E
[ultimate] (1). fakename (fake person comment) <[email protected]>
 
gpg> addkey ## Adding a subkey to "Authenticate" (3/3)...
Please select what kind of key you want:
  (3) DSA (sign only)
  (4) RSA (sign only)
  (5) Elgamal (encrypt only)
  (6) RSA (encrypt only)
  (7) DSA (set your own capabilities)
  (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
Your selection? 8
 
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt
 
  (S) Toggle the sign capability
  (E) Toggle the encrypt capability
  (A) Toggle the authenticate capability
  (Q) Finished


Your selection? s


Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt


  (S) Toggle the sign capability
== Store keys to backup drives ==
  (E) Toggle the encrypt capability
  (A) Toggle the authenticate capability
  (Q) Finished
 
Your selection? e
 
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions:
 
  (S) Toggle the sign capability
  (E) Toggle the encrypt capability
  (A) Toggle the authenticate capability
  (Q) Finished
 
Your selection? a
 
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate
 
  (S) Toggle the sign capability
  (E) Toggle the encrypt capability
  (A) Toggle the authenticate capability
  (Q) Finished
 
Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
        0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
 
sec  rsa4096/FEEDB00BCODEBEEF
    created: 2020-02-12  expires: never      usage: SC
    trust: ultimate      validity: ultimate
ssb  rsa4096/203E068632D2C436
    created: 2020-02-12  expires: never      usage: S
ssb  rsa4096/96F8E1C255A68B9D
    created: 2020-02-12  expires: never      usage: E
ssb  rsa4096/43685156C4472A6B
    created: 2020-02-12  expires: never      usage: A
[ultimate] (1). fakename (fake person comment) <[email protected]>
 
gpg>save ## You MUST enter the save command for the keys to be kept!
$ ## Finished creating the subkeys.
</syntaxhighlight>
 
=== Store keys to backup drives ===
* !!! BE OFFLINE !!!
* !!! BE OFFLINE !!!
* Create a folder to store our secret keys:
* Create a folder to store our secret keys:
Line 486: Line 163:
$ cd '/medua/ubuntu/keystore01/gpg.ctrl-s.2020-02-01'
$ cd '/medua/ubuntu/keystore01/gpg.ctrl-s.2020-02-01'
</syntaxhighlight>
</syntaxhighlight>


* Secret keys:
* Secret keys:
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
$ gpg --output KEYNAME-DATE.masterkeys.txt --export-secret-keys --armor KEYNAME
$ gpg --output KEYNAME-20191129.masterkeys.txt --export-secret-keys --armor KEYNAME
$ gpg --output KEYNAME-DATE.subkeys.txt --export-secret-subkeys --armor KEYNAME
$ gpg --output KEYNAME-20191129.subkeys.txt --export-secret-subkeys --armor KEYNAME
</syntaxhighlight>
</syntaxhighlight>


* Public keys:
* Public keys:
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
$ gpg --export --armor KEYNAME > KEYNAME-DATE.public.key
## TODO
</syntaxhighlight>
</syntaxhighlight>


* Revocation certificate:
* Revocation certs:
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
$ gpg --output KEYNAME-DATE.revocation-certificate.asc --gen-revoke KEYNAME
## TODO
</syntaxhighlight>
</syntaxhighlight>


* SSH public key
<syntaxhighlight lang="bash">
$ date; gpg --output "FEEDB00BCODEBEEF-1970JAN01.ssh-remote.key" --armour --export-ssh-key FEEDB00BCODEBEEF
</syntaxhighlight>




== Exporting SSH key ==
=== Move the key to smartcard ===
How to generate the ssh public key to put onto a remote server.
* !!! BE OFFLINE !!!
<syntaxhighlight lang="bash">
$ date; gpg --output "FEEDB00BCODEBEEF-1970JAN01.ssh-remote.key" --armour --export-ssh-key FEEDB00BCODEBEEF
</syntaxhighlight>
 
 
== Smartcards ==
 
== Reset smartcard to factory settings and erase stored  GPG keys ==
* ! ONLY TESTED ON Yubikey 5 !
* ! USE AT OWN RISK !
* I don't know if doing a factory reset will affect other functions of your smartcard, such as FIDO, FIDO2, PIV, OTP, etc.
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
$ date; gpg --card-edit # Begin editing the smartcard.
## TODO
gpg/card> help # Show commands list.
 
## Inspect card to be sure it's the one you intend to reset:
gpg/card> list # "list all available data"
 
gpg/card> admin # Enable card admin commands.
gpg/card> help # Show commands list.
 
## Perform factory reset on smartcard to bring it to a known-good state
gpg/card> factory-reset # "factory-reset  destroy all keys and data"
## Confirm that you want to reset the card
>y
>yes
## Confirm card has been reset by inspection:
gpg/card> list # "list all available data"
gpg/card>quit
</syntaxhighlight>
</syntaxhighlight>


=== Set the smartcard PIN, adminPIN, & reset code ===
*The PIN, AdminPIN, and ResetCode can be alphanumerical passphrases.
  (a-z, A-Z, 0-9, space, etc.)
* "PIN" - Day-to-day use.
* "Admin PIN" - Load new key onto card.
* "Reset Code" - Reset PIN attempts counter.
* The Default yubikey "PIN" is "123456"
* The Default Yubikey "Admin PIN" apin is "12345678"
* Begin editing the smartcard.
<syntaxhighlight lang="bash">
$ date; gpg --card-edit # Begin editing the smartcard.
gpg/card> admin
</syntaxhighlight>


* Set PIN
<syntaxhighlight lang="bash">
gpg/card> passwd # "menu to change or unblock the PIN"
>"1 - change PIN"
</syntaxhighlight>


* Set admin PIN (used for installing secret key to card)
<syntaxhighlight lang="bash">
gpg/card> passwd # "menu to change or unblock the PIN"
>3 - change Admin PIN
</syntaxhighlight>
* Set the Recovery Code (Used for resetting retry counter for PIN)
<syntaxhighlight lang="bash">
gpg/card> passwd # "menu to change or unblock the PIN"
>4 - set the Reset Code
</syntaxhighlight>
=== Smartcard PIN codes ===
* You need to set two PIN codes for your smartcard.
<br>A user PIN and an admin PIN


* Generate a random number to use as a PIN for your smartcard
=== Erase keys from liveusb ===
(apg is a linux tool to generate random passwords https://linux.die.net/man/1/apg )
<syntaxhighlight lang="bash">
## apg (Password generator program)
## -a 1 (Use supplied parameters)
## -M N (Use numerals only)
## -m 10 (Minimum 8 characters long)
## -x 10 (Maximum 8 characters long)
$ apg -a 1 -M N -m 8 -x 8
86187171
65856553
45100116
18826756
02283057
10274420
</syntaxhighlight>
* Write down the user PIN code on your paper.
<code>User PIN: USER-PIN-HERE</code>
<br>The user PIN is required to use the stored keys.
 
* Write down the admin PIN code on your paper.
<code>admin PIN: ADMIN-PIN-HERE</code>
<br>The admin pin is used to edit the card.
 
* Store copies of these codes in safe places where you will not lose them and nobody can read them.
* You will not be able to use the smartcard without the correct code.
 
* Change the smartcard's user PIN.
<syntaxhighlight lang="bash">
$ gpg --card-edit
gpg/card> admin ## Card admin menu.
gpg/card> passwd ## Change card password(s).
gpg/card> 1 ## 1 - change PIN.
gpg/card> q ## Exit PIN edit submenu.
gpg/card> list ## Display card information.
gpg/card> quit ## Exit GPG.
</syntaxhighlight>
 
* Change the smartcard's admin PIN
<syntaxhighlight lang="bash">
$ gpg --card-edit
gpg/card> admin ## Card admin menu.
gpg/card> passwd ## Change card password(s).
gpg/card> 3 ## 3 - change Admin PIN.
gpg/card> q ## Exit PIN edit submenu.
gpg/card> list ## Display card information.
gpg/card> quit ## Exit GPG.
</syntaxhighlight>
 
=== Reload the secret key and subkeys from the backup file ===
This is required if you want to prepare more than one smartcard.
 
==== Delete GPG keystore ====
* Do not do this unless you are sure you have successfully backed up your keys.
* To install the same key to additional smartcards, it must be reloaded from the file again.
* It MAY be needed to delete the key from GPG's keystore for reimport?
<syntaxhighlight lang="bash">
$ date; gpg --delete-secret-keys FEEDB00BCODEBEEF # Forget/erase secret key from GPG keystore.
$ date; gpg --delete-keys FEEDB00BCODEBEEF # Forget/erase public key from GPG keystore.
$ date; rm -rf ~/.gnupg/ # Erase GPG keystore alltogether.
</syntaxhighlight>
 
==== Import secret key from file ====
<syntaxhighlight lang="bash">
$ cd "/path/to/my/key/backup/dir/" # Go to the directory where we have the key files.
$ date; gpg --import FEEDB00BCODEBEEF.1970JAN01.public.key # Import your publickey from file.
$ date; gpg --allow-secret-key-import --import FEEDB00BCODEBEEF-20200530.masterkeys.txt # Import your secretkey from file into local keystore (You should be asked for the secretkey password at this point).
$ date; gpg --allow-secret-key-import --import FEEDB00BCODEBEEF-20200530.subkeys.txt
</syntaxhighlight>
 
==== Set imported secretkey to maximum trust level ====
* It is required to set the trust level to ultimate to put it on a smartcard.
<syntaxhighlight lang="bash">
$ date; gpg --edit-key FEEDB00BCODEBEEF
gpg>trust # Edit trust level for the key.
gpg>trust>5 # "5 = I trust ultimately"
gpg>trust>y # Confirm absolute trust
gpg>save # Save changes and exit GPG.
</syntaxhighlight>
 
=== Move the key to smartcard ===
* !!! BE OFFLINE !!!
* !!! BE OFFLINE !!!
* Insert your smartcard device.
* Transfer each of the three subkeys to the smartcard (Sign, Encrypt, Authenticate)
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
$ gpg --card-edit
$ rm -rf /.gnupg*
gpg>key 1 ## Toggle select for the key at position 1 in the list.
gpg> keytocard # Send the key to the smartcard.
gpg>key 1 ## Toggle select for the key at position 1 in the list.
</syntaxhighlight>
</syntaxhighlight>
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
$ gpg --card-edit
## TODO
gpg>key 2 ## Toggle select for the key at position 2 in the list.
gpg> keytocard # Send the key to the smartcard.
gpg>key 2 ## Toggle select for the key at position 2 in the list.
</syntaxhighlight>
</syntaxhighlight>


<syntaxhighlight lang="bash">
$ gpg --card-edit
gpg>key 3 ## Toggle select for the key at position 3 in the list.
gpg> keytocard # Send the key to the smartcard.
gpg>key 3 ## Toggle select for the key at position 3 in the list.
</syntaxhighlight>


* To add the key to another smartcard, you must import it from the backup.
<syntaxhighlight lang="bash">
$ gpg --import KEYNAME-DATE.masterkeys.txt
$ gpg --import KEYNAME-DATE.subkeys.txt
$ gpg --edit-key KEYNAME
gpg> trust ## Edit the trust level for this key.
gpg> 5 ## Assign ultimate trust to our own key.
gpg> y ## Confirm the trust setting.
</syntaxhighlight>


== Erase keys from liveusb ==
* !!! BE OFFLINE !!!
* Remove the GPG keystore as an added precaution.
<syntaxhighlight lang="bash">
$ rm -rf ~/.gnupg*
</syntaxhighlight>


=== Setup public key side ===
=== Setup public key side ===
Copy and paste the text in the ssh-remote.key file from the earlier steps into the `~/.ssh/authorized_keys` file on the machine you intend to connect to.
=== Set up key on machine we want to SSH to ===
Open the authorized_keys for your user account and paste in the SSH key
(Created earlier in this guide as "FEEDB00BCODEBEEF-1970JAN01.ssh-remote.key")
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
$ mkdir -vp ~/.ssh/ ; touch ~/.ssh/authorized_keys; # Create authorized_keys if it does not exist.
## TODO
$ nano ~/.ssh/authorized_keys # Edit authorized_keys file
</syntaxhighlight>
</syntaxhighlight>


== Using multiple cards ==
=== Set up key on machine we want to SSH to ===
This command tells GPG to associate keys it has with copies of those keys on a connected smartcard.
The same command works on both Linux and Windows.
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
$ gpg-connect-agent "scd serialno" "learn --force" /bye
## TODO
</syntaxhighlight>
</syntaxhighlight>
<syntaxhighlight lang="cmd">
> gpg-connect-agent "scd serialno" "learn --force" /bye
</syntaxhighlight>
https://github.com/drduh/YubiKey-Guide#using-multiple-keys




== WSL  (Windows Subsystem for Linux) ==
* ! WIP !
Getting SSH to work in WSL.
https://github.com/drduh/YubiKey-Guide#using-multiple-keys
https://github.com/vuori/weasel-pageant
* Download and extract weasel-pagent to somewhere convenient on the windows side.
https://github.com/vuori/weasel-pageant/releases
Place this line in your .bashrc file
<syntaxhighlight lang="bash">$ nano ~./bashrc</syntaxhighlight>
<syntaxhighlight lang="bash">
# Make GNUPG / GPG work with windows smartcards weasel-pageant
eval $(<location where you unpacked the zip>/weasel-pageant -rb -a $HOME/.weasel-pageant.sock)
</syntaxhighlight>
Reload the config from the updated file:
<syntaxhighlight lang="bash">$ source ~/.bashrc</syntaxhighlight>
Add entry to the ~/.ssh/config file:
<syntaxhighlight lang="bash">nano ~/.ssh/config</syntaxhighlight>
<syntaxhighlight lang="bash">
ForwardAgent yes
RemoteForward /root/.gnupg/S.gpg-agent.ssh $HOME/.weasel-pageant.sock
</syntaxhighlight>
<syntaxhighlight lang="bash">$ chmod 600 ~/.ssh/config ; chown $USER ~/.ssh/config # Ensure you have the correct owner and permissions for the config file.</syntaxhighlight>
Test if it works:
<syntaxhighlight lang="bash">$ ssh-add -l</syntaxhighlight>
If it is working it will show your key in the list it gives.
if you get the erro :
chmod 600 ~/.ssh/config
=== Automating on Windows ===
Save the following script to a .bat file. (e.g.  `C:\scripts\gpg_refresh.bat`)
<syntaxhighlight lang="cmd">
@echo off
rem gpg_refresh.bat
rem Check if our key is on an attached smartcard and associate it if so.
gpg-connect-agent "scd serialno" "learn --force" /bye
</syntaxhighlight>
* Press the start button on your keyboard to open the start menu.
* Type "schedule", "Task Scheduler" should appear as a search result in the start menu.
* Open Task Scheduler.
* In the section on the right of the window (Under the heading "Actions") select "Create Task".
* Set the Name to `Check and Update GPG smartcards`
* Set the description to `Tell GPG to compare its keys against smartcards, and link any that match.`
** "Name" : "1 hour"
** "Description" : "1 hour"
** "Security options" -> "Run whether user is logged on or not" : Selected. (Hides command window when task runs)
** "Security options" -> "Do not store password. The task will only have access to local computer resources." : Selected. (Prevents requiring user's password to be entered to set up task.)
* This task must be running using your user account, so that the instance of GPG associated with your account is acted on.
** "Configure for:": "Windows 10"
* Click on the "Triggers" tab at the top of the window then click the "New" button
* In the "New Trigger" window that opens:
** "Begin the task": `On a schedule`
** Settings -> "Daily" selected.
** Settings -> "Start": Set a value in the next hour or so.
** Settings -> "Recur every" [ ] days: "1"
** "Advanced setings" -> "Repeat task every": Box checked.
** "Advanced setings" -> "Repeat task every" : "1 hour"
** "Advanced setings" -> "for a duration of" : "1 day"
** "Advanced setings" -> "Expire": Box unchecked. (Never expire)
** "Advanced setings" -> "Enabled": Box checked.
* Click "OK" once these settings are set.
* Click on the "Actions" tab at the top of the window then click the "New" button
* In the "New Action" window that opens:
** "Settings` -> "Action": "Start a program"
** "Settings" -> "Program/script" : The path to the .bat file.
* Click "OK" once these settings are set.
* Click "OK" in the "Create Task" window.
https://stackoverflow.com/questions/4249542/run-a-task-every-x-minutes-with-windows-task-scheduler
https://www.howtogeek.com/tips/how-to-run-a-scheduled-task-without-a-command-window-appearing/
== Troubleshooting ==
To kill running background  GPG:
<syntaxhighlight lang="cmd">
gpg-connect-agent killagent /bye # Kill GPG.
</syntaxhighlight>
To start background GPG:
<syntaxhighlight lang="cmd">
gpg-connect-agent /bye # Start GPG.
</syntaxhighlight>
To inspect connected card(s?):
<syntaxhighlight lang="cmd">
gpg --card-status # Inspect smartcard.
</syntaxhighlight>


== Sources ==
== Sources ==
Guide to set up Ubuntu on a USB flash drive (Full persistant install to USB drive):
Guide to set up Ubuntu on a USB flash drive (Full persistant install to USB drive):
https://www.howtogeek.com/howto/14912/create-a-persistent-bootable-ubuntu-usb-flash-drive/
https://www.howtogeek.com/howto/14912/create-a-persistent-bootable-ubuntu-usb-flash-drive/


* Guide to write Ubuntu installer to USB drive (Does not support software install wituout modifications, see other guide):
Guide to write Ubuntu installer to USB drive (Does not support software install wituout modifications, see other guide):
 
https://ubuntu.com/tutorials/try-ubuntu-before-you-install#1-getting-started
https://ubuntu.com/tutorials/try-ubuntu-before-you-install#1-getting-started


* Ubuntu download page:
Ubuntu download page:
 
https://ubuntu.com/download/desktop
https://ubuntu.com/download/desktop


* Guides to set up a Yubikey device:
Guides to set up a Yubikey device:
 
https://support.yubico.com/support/solutions/articles/15000006420-using-your-yubikey-with-openpgp
https://support.yubico.com/support/solutions/articles/15000006420-using-your-yubikey-with-openpgp
https://withinboredom.info/blog/2017/11/18/signing-commits-ssh-with-yubikey-and-windows/
https://withinboredom.info/blog/2017/11/18/signing-commits-ssh-with-yubikey-and-windows/


https://zeos.ca/post/2018/gpg-yubikey5/
Yubikey troubleshooting pages:
 
* Yubikey troubleshooting pages:
 
https://support.yubico.com/support/solutions/articles/15000014892-troubleshooting-gpg-no-such-device-
https://support.yubico.com/support/solutions/articles/15000014892-troubleshooting-gpg-no-such-device-
* GPG key import/export:
https://unix.stackexchange.com/questions/184947/how-to-import-secret-gpg-key-copied-from-one-machine-to-another
https://msol.io/blog/tech/back-up-your-pgp-keys-with-gpg/
* Other guides:
https://github.com/tomlowenthal/documentation/blob/master/gpg/smartcard-keygen.md
https://blogs.fsfe.org/jens.lechtenboerger/2013/04/19/how-to-set-up-your-fellowship-card/
https://gist.github.com/ageis/14adc308087859e199912b4c79c4aaa4
https://spin.atomicobject.com/2013/11/24/secure-gpg-keys-guide/
https://support.yubico.com/support/solutions/articles/15000006420-using-your-yubikey-with-openpgp
https://www.linode.com/docs/security/authentication/gpg-key-for-ssh-authentication/
https://0day.work/using-a-yubikey-for-gpg-and-ssh/
https://xladius.com/opsec/2018/06/25/using-yubikeys-for-openpgp
https://oychang.com/posts/gpg/notes-on-yubikey-neo.html
https://github.com/drduh/YubiKey-Guide
* Misc of interest:
https://www.dongleauth.info/
https://www.dongleauth.info/dongles/
https://www.nitrokey.com/documentation/installation
https://www.nitrokey.com/documentation/frequently-asked-questions-faq#how-to-use-the-nitrokey-with-multiple-computers
https://www.fsij.org/doc-gnuk/gnuk-passphrase-setting.html#
https://security.stackexchange.com/questions/45094/smart-card-gnupg-what-is-stored-in-my-keyring-how-to-adopt-smart-card
https://stackoverflow.com/questions/46689885/how-to-get-public-key-from-an-openpgp-smart-card-without-using-key-servers
https://www.gnupg.org/howtos/card-howto/en/smartcard-howto-single.html
https://crypto.stackexchange.com/questions/43223/are-additional-pgp-subkeys-still-needed-for-smartcards
https://stackoverflow.com/questions/48016033/how-do-i-encrypt-an-email-using-a-yubikey
Please note that all contributions to Bibliotheca Anonoma are considered to be released under the Creative Commons Attribution-ShareAlike (see Bibliotheca Anonoma:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!
Cancel Editing help (opens in new window)