WIP (Ctrl-S's job)
Guide for securely creating a PGP keyset.
Some smartcards support longer keys.
This guide will use 2048-bit RSA keys for as much security as is currently practical.
# Let machine boot into persistent liveusb
# Ubuntu desktop environment should be displayed on your computer.
=== Update liveUSB software ===
</syntaxhighlight>
This is an example of expected output with a YubiKey 5 with values removed for confidentiality:
<syntaxhighlight lang="bash">
$ gpg --card-edit list

Reader ...........: [REMOVED]
Application ID ...: [REMOVED]
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: [REMOVED]
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: on
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card>
</syntaxhighlight>

== Remove machine from network ==
</syntaxhighlight>
* You should fail to connect.

== Generate keys ==
* !!! BE OFFLINE !!!

=== Smartcard PIN codes ===
* You need to set two PIN codes for your smartcard.
<br>A user PIN and an admin PIN.

* Generate a random number to use as a PIN for your smartcard
(apg is a Linux tool that generates random passwords: https://linux.die.net/man/1/apg )
<syntaxhighlight lang="bash">
## apg (Password generator program)
## -a 1 (Random-character algorithm instead of pronounceable passwords)
## -M N (Use numerals only)
## -m 8 (Minimum 8 characters long)
## -x 8 (Maximum 8 characters long)
$ apg -a 1 -M N -m 8 -x 8
86187171
65856553
45100116
18826756
02283057
10274420
</syntaxhighlight>
* Write down the user PIN code on your paper.
<code>User PIN: USER-PIN-HERE</code>
<br>The user PIN is required to use the stored keys.

* Write down the admin PIN code on your paper.
<code>Admin PIN: ADMIN-PIN-HERE</code>
<br>The admin PIN is used to edit the card.

* Store copies of these codes in safe places where you will not lose them and nobody can read them.
* You will not be able to use the smartcard without the correct code.

* Change the smartcard's user PIN.
<syntaxhighlight lang="bash">
$ gpg --card-edit
gpg/card> admin    ## Card admin menu.
gpg/card> passwd   ## Change card password(s).
gpg/card> 1        ## 1 - change PIN.
gpg/card> q        ## Exit PIN edit submenu.
gpg/card> list     ## Display card information.
gpg/card> quit     ## Exit GPG.
</syntaxhighlight>

* Change the smartcard's admin PIN.
<syntaxhighlight lang="bash">
$ gpg --card-edit
gpg/card> admin    ## Card admin menu.
gpg/card> passwd   ## Change card password(s).
gpg/card> 3        ## 3 - change Admin PIN.
gpg/card> q        ## Exit PIN edit submenu.
gpg/card> list     ## Display card information.
gpg/card> quit     ## Exit GPG.
</syntaxhighlight>

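The apg command above only works if apg is installed on the live USB. As an added example (not part of the original guide), the POSIX shell functions below produce the same kind of fixed-length numeric PIN from the kernel's random device, and check a candidate PIN before it is written on paper and set on the card: it must be all digits, at least as long as the OpenPGP card minimum for its role (6 for the user PIN, 8 for the admin PIN, which is why the YubiKey ships with 123456 and 12345678), and not one of those factory defaults. The function names and the minimum lengths are this example's assumptions, not taken from the guide.

```shell
#!/bin/sh
# Added example (not from the original guide): generate fixed-length numeric
# smartcard PINs from the kernel CSPRNG when apg is not installed, and
# validate a candidate PIN before it is written down and set on the card.
# Assumption (this example's, not the guide's): the OpenPGP card minimum
# lengths are 6 digits for the user PIN and 8 for the admin PIN, which is
# why the YubiKey ships with 123456 / 12345678 as defaults.

# gen_pin N: print N random decimal digits; leading zeros are kept, exactly
# like apg's "02283057" above. Defaults to 8 digits.
gen_pin() {
    n="${1:-8}"
    # tr keeps only digit bytes from the random stream; head cuts to N.
    LC_ALL=C tr -dc '0-9' < /dev/urandom | head -c "$n"
    echo
}

# check_pin ROLE PIN: returns 0 if PIN is acceptable for ROLE (user|admin).
# Rejects empty or non-numeric PINs, PINs shorter than the minimum for the
# role, and the factory defaults the card ships with.
check_pin() {
    role="$1"; pin="$2"
    case "$role" in
        user)  min=6 ;;
        admin) min=8 ;;
        *)     return 1 ;;
    esac
    case "$pin" in
        ''|*[!0-9]*) return 1 ;;        # empty, or contains a non-digit
    esac
    [ "${#pin}" -ge "$min" ] || return 1
    case "$pin" in
        123456|12345678) return 1 ;;    # never keep the factory defaults
    esac
    return 0
}

# Usage: make one PIN of each kind, the way the guide does with apg.
user_pin=$(gen_pin 8)
admin_pin=$(gen_pin 8)
check_pin user  "$user_pin"  && echo "User PIN:  $user_pin"
check_pin admin "$admin_pin" && echo "Admin PIN: $admin_pin"
```

The guide's own PINs are 8 digits for both roles, which satisfies both minimums; check_pin exists so that a hand-typed or shortened PIN is caught before the card's retry counter is spent on it.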
=== GPG Secret keys ===
* Create the master key as demonstrated in the following example:
generator a better chance to gain enough entropy.

sec  rsa4096/FEEDB00BCODEBEEF
     created: 2020-02-12  expires: never       usage: SC
     trust: ultimate      validity: ultimate
</syntaxhighlight>

=== Store keys to backup drives ===
* !!! BE OFFLINE !!!
* Create a folder to store our secret keys:
$ cd '/media/ubuntu/keystore01/gpg.ctrl-s.2020-02-01'
</syntaxhighlight>

* Secret keys:
</syntaxhighlight>

* SSH public key
<syntaxhighlight lang="bash">
$ date; gpg --output "FEEDB00BCODEBEEF-1970JAN01.ssh-remote.key" --armour --export-ssh-key FEEDB00BCODEBEEF
</syntaxhighlight>

== Exporting SSH key ==
How to generate the SSH public key to put onto a remote server.
<syntaxhighlight lang="bash">
$ date; gpg --output "FEEDB00BCODEBEEF-1970JAN01.ssh-remote.key" --armour --export-ssh-key FEEDB00BCODEBEEF
</syntaxhighlight>

== Smartcards ==

== Reset smartcard to factory settings and erase stored GPG keys ==
* ! ONLY TESTED ON Yubikey 5 !
* ! USE AT OWN RISK !
* I don't know if doing a factory reset will affect other functions of your smartcard, such as FIDO, FIDO2, PIV, OTP, etc.
<syntaxhighlight lang="bash">
$ date; gpg --card-edit    # Begin editing the smartcard.
gpg/card> help             # Show commands list.

## Inspect card to be sure it's the one you intend to reset:
gpg/card> list             # "list all available data"

gpg/card> admin            # Enable card admin commands.
gpg/card> help             # Show commands list.

## Perform factory reset on smartcard to bring it to a known-good state
gpg/card> factory-reset    # "factory-reset destroy all keys and data"
## Confirm that you want to reset the card
> y
> yes
## Confirm card has been reset by inspection:
gpg/card> list             # "list all available data"
gpg/card> quit
</syntaxhighlight>

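The reset procedure ends with "confirm by inspection". As an added example (not code from the guide), the shell functions below parse the text that `gpg --card-status` (or `list` inside `gpg --card-edit`) prints, in the layout shown earlier on this page, and answer the two questions worth answering before moving on: do all three key slots read `[none]`, and are the PIN retry counters still at the 3 a fresh card reports. The first sample status is the guide's own example output with its redacted fields kept as `[REMOVED]`; the second, with a placeholder fingerprint and a reduced retry counter, is constructed to show the failing case. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): read saved `gpg --card-status`
# output and check the two things the reset procedure asks you to confirm by
# eye. Function names are this example's own.

# card_field LABEL FILE: print the value after "LABEL ....:" in FILE.
# gpg pads labels with dots/spaces before the colon, so those are stripped.
card_field() {
    awk -F': ' -v key="$1" '
        NF >= 2 { lbl = $1; sub(/[ .]+$/, "", lbl)
                  if (lbl == key) { print $2; exit } }' "$2"
}

# card_is_blank FILE: 0 when the signature, encryption and authentication
# slots all read [none], i.e. the factory reset really removed the keys.
card_is_blank() {
    [ "$(card_field 'Signature key' "$1")" = '[none]' ] &&
    [ "$(card_field 'Encryption key' "$1")" = '[none]' ] &&
    [ "$(card_field 'Authentication key' "$1")" = '[none]' ]
}

# card_pin_retries FILE: print the three counters "USER RESETCODE ADMIN".
card_pin_retries() {
    card_field 'PIN retry counter' "$1"
}

# card_retries_ok FILE: 0 when the user and admin counters are still at the
# 3 a fresh card reports. The middle (Reset Code) counter is 0 until a Reset
# Code is set, as in the guide's sample, so it is not checked here.
card_retries_ok() {
    set -- $(card_pin_retries "$1")
    [ "${1:-0}" -ge 3 ] && [ "${3:-0}" -ge 3 ]
}

SAMPLE_STATUS=$(mktemp)
SAMPLE_LOADED=$(mktemp)
trap 'rm -f "$SAMPLE_STATUS" "$SAMPLE_LOADED"' EXIT

# Constructed sample 1: the guide's example output for a freshly reset card
# (fields the guide redacted are kept as [REMOVED]).
cat > "$SAMPLE_STATUS" <<'EOF'
Reader ...........: [REMOVED]
Application ID ...: [REMOVED]
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: [REMOVED]
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: on
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card>
EOF

# Constructed sample 2: a card with keys loaded (placeholder fingerprints,
# not real keys) whose user PIN counter has dropped to 1.
cat > "$SAMPLE_LOADED" <<'EOF'
Version ..........: 3.4
Key attributes ...: rsa2048 rsa2048 rsa2048
PIN retry counter : 1 0 3
Signature key ....: 0000 0000 0000 0000 0000  0000 0000 0000 0000 0000
Encryption key....: 0000 0000 0000 0000 0000  0000 0000 0000 0000 0001
Authentication key: 0000 0000 0000 0000 0000  0000 0000 0000 0000 0002
EOF

# card_report FILE: human-readable summary of both checks.
card_report() {
    if card_is_blank "$1"; then echo "keys: none loaded"; else echo "keys: present"; fi
    echo "PIN retry counters: $(card_pin_retries "$1")"
    if card_retries_ok "$1"; then echo "retry counters: ok"; else echo "retry counters: LOW"; fi
}
card_report "$SAMPLE_STATUS"
card_report "$SAMPLE_LOADED"
```

To use it on a real card, save the status first (`gpg --card-status > status.txt`) and call `card_report status.txt`; a user counter below 3 on a card you have not been typing the wrong PIN into is worth noticing before the key is loaded.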
=== Set the smartcard PIN, admin PIN, & reset code ===
* The PIN, Admin PIN, and Reset Code can be alphanumeric passphrases.
(a-z, A-Z, 0-9, space, etc.)
* "PIN" - Day-to-day use.
* "Admin PIN" - Load new key onto card.
* "Reset Code" - Reset PIN attempts counter.
* The default YubiKey "PIN" is "123456"
* The default YubiKey "Admin PIN" is "12345678"

* Begin editing the smartcard.
<syntaxhighlight lang="bash">
$ date; gpg --card-edit    # Begin editing the smartcard.
gpg/card> admin
</syntaxhighlight>

* Set PIN
<syntaxhighlight lang="bash">
gpg/card> passwd           # "menu to change or unblock the PIN"
> 1                        # "1 - change PIN"
</syntaxhighlight>

* Set admin PIN (used for installing the secret key to the card)
<syntaxhighlight lang="bash">
gpg/card> passwd           # "menu to change or unblock the PIN"
> 3                        # "3 - change Admin PIN"
</syntaxhighlight>

* Set the Reset Code (used for resetting the retry counter for the PIN)
<syntaxhighlight lang="bash">
gpg/card> passwd           # "menu to change or unblock the PIN"
> 4                        # "4 - set the Reset Code"
</syntaxhighlight>

=== Reload the secret key and subkeys from the backup file ===
This is required if you want to prepare more than one smartcard.

==== Delete GPG keystore ====
* Do not do this unless you are sure you have successfully backed up your keys.
* To install the same key to additional smartcards, it must be reloaded from the file again.
* It MAY be needed to delete the key from GPG's keystore for reimport?
<syntaxhighlight lang="bash">
$ date; gpg --delete-secret-keys FEEDB00BCODEBEEF   # Forget/erase secret key from GPG keystore.
$ date; gpg --delete-keys FEEDB00BCODEBEEF          # Forget/erase public key from GPG keystore.
$ date; rm -rf ~/.gnupg/                            # Erase GPG keystore altogether.
</syntaxhighlight>

==== Import secret key from file ====
<syntaxhighlight lang="bash">
$ cd "/path/to/my/key/backup/dir/"   # Go to the directory where we have the key files.
$ date; gpg --import FEEDB00BCODEBEEF.1970JAN01.public.key   # Import your public key from file.
$ date; gpg --allow-secret-key-import --import FEEDB00BCODEBEEF-20200530.masterkeys.txt   # Import your secret key from file into the local keystore (you should be asked for the secret key password at this point).
$ date; gpg --allow-secret-key-import --import FEEDB00BCODEBEEF-20200530.subkeys.txt
</syntaxhighlight>

==== Set imported secret key to maximum trust level ====
* It is required to set the trust level to ultimate to put it on a smartcard.
<syntaxhighlight lang="bash">
$ date; gpg --edit-key FEEDB00BCODEBEEF
gpg> trust    # Edit trust level for the key.
> 5           # "5 = I trust ultimately"
> y           # Confirm ultimate trust.
gpg> save     # Save changes and exit GPG.
</syntaxhighlight>

=== Move the key to smartcard ===
</syntaxhighlight>

== Erase keys from liveusb ==
* !!! BE OFFLINE !!!
* Remove the GPG keystore as an added precaution.
<syntaxhighlight lang="bash">
$ rm -rf ~/.gnupg*
</syntaxhighlight>

=== Setup public key side ===
Copy and paste the text in the ssh-remote.key file from the earlier steps into the `~/.ssh/authorized_keys` file on the machine you intend to connect to.

=== Set up key on machine we want to SSH to ===
Open the authorized_keys file for your user account and paste in the SSH key
(created earlier in this guide as "FEEDB00BCODEBEEF-1970JAN01.ssh-remote.key").
<syntaxhighlight lang="bash">
$ mkdir -vp ~/.ssh/ ; touch ~/.ssh/authorized_keys   # Create authorized_keys if it does not exist.
$ nano ~/.ssh/authorized_keys                        # Edit authorized_keys file.
</syntaxhighlight>

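The two commands above create the file and open it in an editor. As an added example (not the guide's own code), the POSIX shell function below does the same step non-interactively: it checks that the exported ssh-remote.key holds exactly one OpenSSH public-key line, creates `~/.ssh` and `authorized_keys` with owner-only permissions (sshd ignores an authorized_keys file that other users can write to), and appends the key only when the same type and blob are not already present, so repeating the step for a second card or session never adds a duplicate entry. The key file in the demo is constructed and its blob is not a real key; the function and file names are this example's own, and limiting the type check to ssh-rsa and ssh-ed25519 is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the original guide): install an exported
# ssh-remote.key into ~/.ssh/authorized_keys idempotently and with the
# permissions sshd requires. Function and file names are this example's own.

# valid_pubkey_line LINE: 0 if LINE looks like "<type> <base64-blob> [comment]".
# Assumption: only the ssh-rsa and ssh-ed25519 types are accepted here.
valid_pubkey_line() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-rsa|ssh-ed25519) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_authorized_key KEYFILE [HOME_DIR]: append the key in KEYFILE to
# HOME_DIR/.ssh/authorized_keys (HOME_DIR defaults to $HOME).
# Returns 1 for a malformed key file, 0 otherwise (also when already present).
install_authorized_key() {
    keyfile="$1"; home="${2:-$HOME}"
    sshdir="$home/.ssh"; akfile="$sshdir/authorized_keys"

    # gpg --export-ssh-key writes exactly one line; refuse anything else.
    [ "$(wc -l < "$keyfile" | tr -d ' ')" -le 1 ] || return 1
    line=$(head -n 1 "$keyfile")
    valid_pubkey_line "$line" || return 1

    # sshd (StrictModes, the default) ignores authorized_keys when the
    # directory or file is group/world writable, so set owner-only modes.
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$akfile" && chmod 600 "$akfile"

    # Compare on type+blob only, so a changed comment still counts as the same key.
    blob=$(printf '%s\n' "$line" | cut -d' ' -f1,2)
    if cut -d' ' -f1,2 "$akfile" | grep -Fxq "$blob"; then
        return 0   # already installed
    fi
    printf '%s\n' "$line" >> "$akfile"
}

# Constructed demo: a throwaway home directory and a key file in the shape
# gpg --export-ssh-key produces. The blob is made up and is NOT a real key.
DEMO_HOME=$(mktemp -d)
trap 'rm -rf "$DEMO_HOME"' EXIT
DEMO_KEY="$DEMO_HOME/FEEDB00BCODEBEEF-1970JAN01.ssh-remote.key"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructedkeyblob0000 openpgp:0xFEEDB00B\n' > "$DEMO_KEY"

# Usage: first run installs the key, second run finds it and adds nothing.
install_authorized_key "$DEMO_KEY" "$DEMO_HOME" && echo "installed"
install_authorized_key "$DEMO_KEY" "$DEMO_HOME" && echo "already present, nothing appended"
```

Point it at the real file with `install_authorized_key FEEDB00BCODEBEEF-1970JAN01.ssh-remote.key` on the target machine; the blob comparison is what keeps authorized_keys from growing a copy of the same card key every time the guide is followed again.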
== Using multiple cards ==
This command tells GPG to associate keys it has with copies of those keys on a connected smartcard.
The same command works on both Linux and Windows.
<syntaxhighlight lang="bash">
$ gpg-connect-agent "scd serialno" "learn --force" /bye
</syntaxhighlight>
<syntaxhighlight lang="cmd">
> gpg-connect-agent "scd serialno" "learn --force" /bye
</syntaxhighlight>
https://github.com/drduh/YubiKey-Guide#using-multiple-keys

== WSL (Windows Subsystem for Linux) ==
* ! WIP !
Getting SSH to work in WSL.
https://github.com/drduh/YubiKey-Guide#using-multiple-keys
https://github.com/vuori/weasel-pageant

* Download and extract weasel-pageant to somewhere convenient on the Windows side.
https://github.com/vuori/weasel-pageant/releases

Place this line in your .bashrc file:
<syntaxhighlight lang="bash">$ nano ~/.bashrc</syntaxhighlight>
<syntaxhighlight lang="bash">
# Make GNUPG / GPG work with Windows smartcards via weasel-pageant
eval $(<location where you unpacked the zip>/weasel-pageant -rb -a $HOME/.weasel-pageant.sock)
</syntaxhighlight>

Reload the config from the updated file:
<syntaxhighlight lang="bash">$ source ~/.bashrc</syntaxhighlight>

Add an entry to the ~/.ssh/config file:
<syntaxhighlight lang="bash">$ nano ~/.ssh/config</syntaxhighlight>
<syntaxhighlight lang="bash">
ForwardAgent yes
RemoteForward /root/.gnupg/S.gpg-agent.ssh $HOME/.weasel-pageant.sock
</syntaxhighlight>
<syntaxhighlight lang="bash">$ chmod 600 ~/.ssh/config ; chown $USER ~/.ssh/config   # Ensure you have the correct owner and permissions for the config file.</syntaxhighlight>

Test if it works:
<syntaxhighlight lang="bash">$ ssh-add -l</syntaxhighlight>
If it is working it will show your key in the list it gives.

If you get an error, fix the config file permissions:
<syntaxhighlight lang="bash">$ chmod 600 ~/.ssh/config</syntaxhighlight>

=== Automating on Windows ===
Save the following script to a .bat file. (e.g. `C:\scripts\gpg_refresh.bat`)
<syntaxhighlight lang="cmd">
@echo off
rem gpg_refresh.bat
rem Check if our key is on an attached smartcard and associate it if so.
gpg-connect-agent "scd serialno" "learn --force" /bye
</syntaxhighlight>

* Press the start button on your keyboard to open the start menu.
* Type "schedule"; "Task Scheduler" should appear as a search result in the start menu.
* Open Task Scheduler.
* In the section on the right of the window (under the heading "Actions") select "Create Task".
* Set the Name to `Check and Update GPG smartcards`
* Set the Description to `Tell GPG to compare its keys against smartcards, and link any that match.`
** "Security options" -> "Run whether user is logged on or not": Selected. (Hides the command window when the task runs.)
** "Security options" -> "Do not store password. The task will only have access to local computer resources.": Selected. (Prevents requiring the user's password to be entered to set up the task.)
* This task must run using your user account, so that the instance of GPG associated with your account is acted on.
** "Configure for:": "Windows 10"

* Click on the "Triggers" tab at the top of the window, then click the "New" button.
* In the "New Trigger" window that opens:
** "Begin the task": `On a schedule`
** Settings -> "Daily" selected.
** Settings -> "Start": Set a value in the next hour or so.
** Settings -> "Recur every" [ ] days: "1"
** "Advanced settings" -> "Repeat task every": Box checked.
** "Advanced settings" -> "Repeat task every": "1 hour"
** "Advanced settings" -> "for a duration of": "1 day"
** "Advanced settings" -> "Expire": Box unchecked. (Never expire.)
** "Advanced settings" -> "Enabled": Box checked.
* Click "OK" once these settings are set.

* Click on the "Actions" tab at the top of the window, then click the "New" button.
* In the "New Action" window that opens:
** "Settings" -> "Action": "Start a program"
** "Settings" -> "Program/script": The path to the .bat file.
* Click "OK" once these settings are set.

* Click "OK" in the "Create Task" window.

https://stackoverflow.com/questions/4249542/run-a-task-every-x-minutes-with-windows-task-scheduler
https://www.howtogeek.com/tips/how-to-run-a-scheduled-task-without-a-command-window-appearing/

== Troubleshooting ==
To kill the running background GPG agent:
<syntaxhighlight lang="cmd">
gpg-connect-agent killagent /bye   # Kill GPG agent.
</syntaxhighlight>

To start the background GPG agent:
<syntaxhighlight lang="cmd">
gpg-connect-agent /bye   # Start GPG agent.
</syntaxhighlight>

To inspect the connected card(s):
<syntaxhighlight lang="cmd">
gpg --card-status   # Inspect smartcard.
</syntaxhighlight>

== Sources ==
https://msol.io/blog/tech/back-up-your-pgp-keys-with-gpg/

* Other guides:
** https://github.com/tomlowenthal/documentation/blob/master/gpg/smartcard-keygen.md
** https://blogs.fsfe.org/jens.lechtenboerger/2013/04/19/how-to-set-up-your-fellowship-card/
** https://gist.github.com/ageis/14adc308087859e199912b4c79c4aaa4
** https://spin.atomicobject.com/2013/11/24/secure-gpg-keys-guide/
** https://support.yubico.com/support/solutions/articles/15000006420-using-your-yubikey-with-openpgp
** https://www.linode.com/docs/security/authentication/gpg-key-for-ssh-authentication/
** https://0day.work/using-a-yubikey-for-gpg-and-ssh/
** https://xladius.com/opsec/2018/06/25/using-yubikeys-for-openpgp
** https://oychang.com/posts/gpg/notes-on-yubikey-neo.html
** https://github.com/drduh/YubiKey-Guide

* Misc of interest:
** https://www.dongleauth.info/
** https://www.dongleauth.info/dongles/
** https://www.nitrokey.com/documentation/installation
** https://www.nitrokey.com/documentation/frequently-asked-questions-faq#how-to-use-the-nitrokey-with-multiple-computers
** https://www.fsij.org/doc-gnuk/gnuk-passphrase-setting.html#
** https://security.stackexchange.com/questions/45094/smart-card-gnupg-what-is-stored-in-my-keyring-how-to-adopt-smart-card
** https://stackoverflow.com/questions/46689885/how-to-get-public-key-from-an-openpgp-smart-card-without-using-key-servers
** https://www.gnupg.org/howtos/card-howto/en/smartcard-howto-single.html
** https://crypto.stackexchange.com/questions/43223/are-additional-pgp-subkeys-still-needed-for-smartcards
** https://stackoverflow.com/questions/48016033/how-do-i-encrypt-an-email-using-a-yubikey