WIP (Ctrl-S's job)

Guide for securely creating a PGP keyset.

Some smartcards support longer keys.
This guide will use 2048-bit RSA keys for as much security as is currently practical.

<syntaxhighlight lang="bash">
# Let the machine boot into the persistent live USB.
# The Ubuntu desktop environment should be displayed on your computer.
</syntaxhighlight>

=== Update liveUSB software ===

== Remove machine from network ==
* You should fail to connect.

== Generate keys ==
* !!! BE OFFLINE !!!

=== Smartcard PIN codes ===
* You need to set two PIN codes for your smartcard:
<br>a user PIN and an admin PIN.

* Generate a random number to use as a PIN for your smartcard.
(apg is a Linux tool to generate random passwords: https://linux.die.net/man/1/apg )
<syntaxhighlight lang="bash">
## apg (Password generator program)
## -a 1 (Random character algorithm rather than pronounceable words)
## -M N (Use numerals only)
## -m 8 (Minimum 8 characters long)
## -x 8 (Maximum 8 characters long)
$ apg -a 1 -M N -m 8 -x 8
86187171
65856553
45100116
18826756
02283057
10274420
</syntaxhighlight>
* Write down the user PIN code on your paper.
<code>User PIN: USER-PIN-HERE</code>
<br>The user PIN is required to use the stored keys.

* Write down the admin PIN code on your paper.
<code>Admin PIN: ADMIN-PIN-HERE</code>
<br>The admin PIN is used to edit the card.

* Store copies of these codes in safe places where you will not lose them and nobody can read them.
* You will not be able to use the smartcard without the correct code.

* Change the smartcard's user PIN.
<syntaxhighlight lang="bash">
$ gpg --card-edit
gpg/card> admin    ## Card admin menu.
gpg/card> passwd   ## Change card password(s).
gpg/card> 1        ## 1 - change PIN.
gpg/card> q        ## Exit PIN edit submenu.
gpg/card> list     ## Display card information.
gpg/card> quit     ## Exit GPG.
</syntaxhighlight>

* Change the smartcard's admin PIN.
<syntaxhighlight lang="bash">
$ gpg --card-edit
gpg/card> admin    ## Card admin menu.
gpg/card> passwd   ## Change card password(s).
gpg/card> 3        ## 3 - change Admin PIN.
gpg/card> q        ## Exit PIN edit submenu.
gpg/card> list     ## Display card information.
gpg/card> quit     ## Exit GPG.
</syntaxhighlight>

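Generating the PINs without apg, as an added example that is not part of the original guide: it takes digits from /dev/urandom and checks each PIN against the OpenPGP card minimum lengths (6 characters for the user PIN, 8 for the admin PIN) before printing it. It assumes /dev/urandom and the POSIX tr and head tools; the function names are my own.

```bash
#!/bin/sh
# Generate smartcard PINs from the kernel CSPRNG without apg.
# Added example, not part of the original guide; function names are my own.

# Minimum PIN lengths required by the OpenPGP card specification
# (PW1 is the user PIN, PW3 is the admin PIN).
USER_PIN_MIN=6
ADMIN_PIN_MIN=8

# Print $1 random decimal digits. Bytes that are not ASCII digits are
# discarded rather than reduced modulo 10, so no digit is favoured.
gen_pin() {
    LC_ALL=C tr -dc '0-9' < /dev/urandom | head -c "$1"
    echo
}

# Succeed only if $1 is all digits and at least $2 characters long.
# Checking here catches a too-short PIN before the card rejects it.
check_pin() {
    pin=$1
    min=$2
    case $pin in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#pin}" -ge "$min" ]
}

# Propose one user PIN and one admin PIN of 8 digits each, as the guide does,
# and print them once; writing them down on paper is still the user's job.
propose_pins() {
    user=$(gen_pin 8)
    admin=$(gen_pin 8)
    check_pin "$user" "$USER_PIN_MIN" || return 1
    check_pin "$admin" "$ADMIN_PIN_MIN" || return 1
    printf 'User PIN:  %s\nAdmin PIN: %s\n' "$user" "$admin"
}

propose_pins
```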
=== GPG Secret keys ===
* Create the master key as demonstrated in the following example:
<syntaxhighlight lang="bash">
generator a better chance to gain enough entropy.

sec   rsa4096/FEEDB00BCODEBEEF
      created: 2020-02-12  expires: never       usage: SC
      trust: ultimate      validity: ultimate
</syntaxhighlight>

== Store keys to backup drives ==
* !!! BE OFFLINE !!!
* Create a folder to store our secret keys:
<syntaxhighlight lang="bash">
$ cd '/media/ubuntu/keystore01/gpg.ctrl-s.2020-02-01'
</syntaxhighlight>

* Secret keys:
* SSH public key:
<syntaxhighlight lang="bash">
$ date; gpg --output "FEEDB00BCODEBEEF-1970JAN01.ssh-remote.key" --armour --export-ssh-key FEEDB00BCODEBEEF
</syntaxhighlight>

== Exporting SSH key ==
How to generate the SSH public key to put onto a remote server.
<syntaxhighlight lang="bash">
$ date; gpg --output "FEEDB00BCODEBEEF-1970JAN01.ssh-remote.key" --armour --export-ssh-key FEEDB00BCODEBEEF
</syntaxhighlight>

== Smartcards ==

== Reset smartcard to factory settings and erase stored GPG keys ==
* ! ONLY TESTED ON Yubikey 5 !
* ! USE AT OWN RISK !
* I don't know if doing a factory reset will affect other functions of your smartcard, such as FIDO, FIDO2, PIV, OTP, etc.
<syntaxhighlight lang="bash">
$ date; gpg --card-edit   # Begin editing the smartcard.
gpg/card> help            # Show the command list.

## Inspect the card to be sure it's the one you intend to reset:
gpg/card> list            # "list all available data"

gpg/card> admin           # Enable card admin commands.
gpg/card> help            # Show the command list.

## Perform a factory reset on the smartcard to bring it to a known-good state:
gpg/card> factory-reset   # "factory-reset destroy all keys and data"
## Confirm that you want to reset the card:
> y
> yes
## Confirm the card has been reset by inspection:
gpg/card> list            # "list all available data"
gpg/card> quit
</syntaxhighlight>

=== Set the smartcard PIN, admin PIN, and reset code ===
* The PIN, Admin PIN, and Reset Code can be alphanumeric passphrases.
(a-z, A-Z, 0-9, space, etc.)
* "PIN" - Day-to-day use.
* "Admin PIN" - Load a new key onto the card.
* "Reset Code" - Reset the PIN attempts counter.
* The default Yubikey "PIN" is "123456".
* The default Yubikey "Admin PIN" is "12345678".

* Begin editing the smartcard.
<syntaxhighlight lang="bash">
$ date; gpg --card-edit   # Begin editing the smartcard.
gpg/card> admin
</syntaxhighlight>

* Set PIN
<syntaxhighlight lang="bash">
gpg/card> passwd   # "menu to change or unblock the PIN"
> 1                # "1 - change PIN"
</syntaxhighlight>

* Set admin PIN (used for installing the secret key to the card)
<syntaxhighlight lang="bash">
gpg/card> passwd   # "menu to change or unblock the PIN"
> 3                # "3 - change Admin PIN"
</syntaxhighlight>

* Set the Reset Code (used for resetting the retry counter for the PIN)
<syntaxhighlight lang="bash">
gpg/card> passwd   # "menu to change or unblock the PIN"
> 4                # "4 - set the Reset Code"
</syntaxhighlight>

=== Reload the secret key and subkeys from the backup file ===
This is required if you want to prepare more than one smartcard.

==== Delete GPG keystore ====
* Do not do this unless you are sure you have successfully backed up your keys.
* To install the same key to additional smartcards, it must be reloaded from the file again.
* Deleting the key from GPG's keystore may be required before it can be reimported (the author is not certain of this).
<syntaxhighlight lang="bash">
$ date; gpg --delete-secret-keys FEEDB00BCODEBEEF   # Forget/erase the secret key from the GPG keystore.
$ date; gpg --delete-keys FEEDB00BCODEBEEF          # Forget/erase the public key from the GPG keystore.
$ date; rm -rf ~/.gnupg/                            # Erase the GPG keystore altogether.
</syntaxhighlight>

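Before running the deletion above, a way to make "sure you have successfully backed up your keys" mechanical, as an added example that is not part of the original guide: it records SHA-256 sums of the exported key files, re-verifies them, and refuses to erase the keystore when the backup does not verify. It assumes GNU coreutils sha256sum and find; the directory and file names in its test are constructed.

```bash
#!/bin/sh
# Record and verify SHA-256 sums of the exported key files before the local
# keystore is erased. Added example, not part of the original guide; assumes
# GNU coreutils sha256sum and find. Function names are my own.

# Write $1/SHA256SUMS covering every regular file in the backup directory.
# Keep a second copy of the manifest (on the other backup drive, or on paper)
# so a truncated or silently corrupted export is noticed before it is needed.
write_manifest() {
    ( cd "$1" && find . -maxdepth 1 -type f ! -name SHA256SUMS \
        -exec sha256sum -- {} + > SHA256SUMS )
}

# Succeed only if $1/SHA256SUMS exists and every listed file still matches;
# a missing, altered or truncated file makes sha256sum --check fail.
verify_manifest() {
    [ -r "$1/SHA256SUMS" ] || return 1
    ( cd "$1" && sha256sum --check --quiet --strict SHA256SUMS ) > /dev/null 2>&1
}

# Erase keystore directory $2 only when backup directory $1 verifies.
# This is the guide's "do not do this unless you are sure" check, enforced.
erase_keystore_if_backed_up() {
    if ! verify_manifest "$1"; then
        echo "backup in $1 does not verify; keeping $2" >&2
        return 1
    fi
    rm -rf -- "$2"
}
```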
==== Import secret key from file ====
<syntaxhighlight lang="bash">
$ cd "/path/to/my/key/backup/dir/"   # Go to the directory where we have the key files.
$ date; gpg --import FEEDB00BCODEBEEF.1970JAN01.public.key   # Import your public key from file.
$ date; gpg --allow-secret-key-import --import FEEDB00BCODEBEEF-20200530.masterkeys.txt   # Import your secret key from file into the local keystore (you should be asked for the secret key passphrase at this point).
$ date; gpg --allow-secret-key-import --import FEEDB00BCODEBEEF-20200530.subkeys.txt      # Import the subkeys from file.
</syntaxhighlight>

==== Set imported secret key to maximum trust level ====
* It is required to set the trust level to ultimate to put it on a smartcard.
<syntaxhighlight lang="bash">
$ date; gpg --edit-key FEEDB00BCODEBEEF
gpg> trust   # Edit the trust level for the key.
> 5          # "5 = I trust ultimately"
> y          # Confirm ultimate trust.
gpg> save    # Save changes and exit GPG.
</syntaxhighlight>

=== Move the key to smartcard ===

=== Erase keys from liveusb ===
* !!! BE OFFLINE !!!
* Remove the GPG keystore as an added precaution.
<syntaxhighlight lang="bash">
$ rm -rf ~/.gnupg*
</syntaxhighlight>

=== Setup public key side ===
Copy and paste the text in the ssh-remote.key file from the earlier steps into the <code>~/.ssh/authorized_keys</code> file on the machine you intend to connect to.

=== Set up key on machine we want to SSH to ===
Open the authorized_keys file for your user account and paste in the SSH key
(created earlier in this guide as "FEEDB00BCODEBEEF-1970JAN01.ssh-remote.key").
<syntaxhighlight lang="bash">
$ mkdir -vp ~/.ssh/ ; touch ~/.ssh/authorized_keys   # Create authorized_keys if it does not exist.
$ nano ~/.ssh/authorized_keys                        # Edit the authorized_keys file.
</syntaxhighlight>

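A scripted version of the paste step above, as an added example that is not part of the original guide: it appends the exported key line to authorized_keys only after checking that it is a single OpenSSH public key line (so an armoured PGP block or a private key is refused), sets the permissions sshd expects, and never appends the same line twice. The function names, the paths and the sample key line are constructed.

```bash
#!/bin/sh
# Install an exported OpenPGP SSH public key into authorized_keys safely.
# Added example, not part of the original guide; names and paths are constructed.

# Succeed only if line $1 looks like one OpenSSH public key: a known key type,
# a base64 blob and an optional comment (gpg --export-ssh-key writes the key
# ID as the comment). Anything else is refused instead of being appended.
is_ssh_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:space:]].*)?$'
}

# Install the first line of key file $1 into authorized_keys file $2.
# Creates the directory (0700) and file (0600) as sshd's StrictModes expects
# and skips the append when the exact line is already present.
install_authorized_key() {
    keyfile=$1
    authkeys=$2
    line=$(head -n 1 "$keyfile")
    if ! is_ssh_pubkey_line "$line"; then
        echo "refusing $keyfile: first line is not an SSH public key" >&2
        return 1
    fi
    mkdir -p "$(dirname "$authkeys")"
    chmod 700 "$(dirname "$authkeys")"
    [ -f "$authkeys" ] || : > "$authkeys"
    chmod 600 "$authkeys"
    if grep -qxF -e "$line" "$authkeys"; then
        return 0   # already installed, nothing to do
    fi
    printf '%s\n' "$line" >> "$authkeys"
}
```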
https://github.com/drduh/YubiKey-Guide#using-multiple-keys

== WSL (Windows Subsystem for Linux) ==
* ! WIP !
Getting SSH to work in WSL.

https://github.com/drduh/YubiKey-Guide#using-multiple-keys
https://github.com/vuori/weasel-pageant

* Download and extract weasel-pageant to somewhere convenient on the Windows side.
https://github.com/vuori/weasel-pageant/releases

Place this line in your .bashrc file:
<syntaxhighlight lang="bash">$ nano ~/.bashrc</syntaxhighlight>
<syntaxhighlight lang="bash">
# Make GnuPG / GPG work with Windows smartcards via weasel-pageant
eval $(<location where you unpacked the zip>/weasel-pageant -rb -a $HOME/.weasel-pageant.sock)
</syntaxhighlight>

Reload the config from the updated file:
<syntaxhighlight lang="bash">$ source ~/.bashrc</syntaxhighlight>

Add an entry to the ~/.ssh/config file:
<syntaxhighlight lang="bash">$ nano ~/.ssh/config</syntaxhighlight>
<syntaxhighlight lang="bash">
ForwardAgent yes
RemoteForward /root/.gnupg/S.gpg-agent.ssh $HOME/.weasel-pageant.sock
</syntaxhighlight>
<syntaxhighlight lang="bash">$ chmod 600 ~/.ssh/config ; chown $USER ~/.ssh/config   # Ensure you have the correct owner and permissions for the config file.</syntaxhighlight>

Test if it works:
<syntaxhighlight lang="bash">$ ssh-add -l</syntaxhighlight>
If it is working it will show your key in the list it gives.

If you get the error:
<syntaxhighlight lang="bash">$ chmod 600 ~/.ssh/config</syntaxhighlight>

=== Automating on Windows ===
Save the following script to a .bat file (e.g. <code>C:\scripts\gpg_refresh.bat</code>).
<syntaxhighlight lang="cmd">
@echo off
rem gpg_refresh.bat
rem Check if our key is on an attached smartcard and associate it if so.
gpg-connect-agent "scd serialno" "learn --force" /bye
</syntaxhighlight>

* Press the Start button on your keyboard to open the Start menu.
* Type "schedule"; "Task Scheduler" should appear as a search result in the Start menu.
* Open Task Scheduler.
* In the section on the right of the window (under the heading "Actions") select "Create Task".
* Set the Name to <code>Check and Update GPG smartcards</code>
* Set the Description to <code>Tell GPG to compare its keys against smartcards, and link any that match.</code>
** "Name" : "1 hour"
** "Description" : "1 hour"
** "Security options" -> "Run whether user is logged on or not": selected. (Hides the command window when the task runs.)
** "Security options" -> "Do not store password. The task will only have access to local computer resources.": selected. (Avoids having to enter the user's password to set up the task.)
* This task must run using your user account, so that the instance of GPG associated with your account is acted on.
** "Configure for:": "Windows 10"

* Click on the "Triggers" tab at the top of the window, then click the "New" button.
* In the "New Trigger" window that opens:
** "Begin the task": <code>On a schedule</code>
** Settings -> "Daily" selected.
** Settings -> "Start": set a value in the next hour or so.
** Settings -> "Recur every" [ ] days: "1"
** "Advanced settings" -> "Repeat task every": box checked.
** "Advanced settings" -> "Repeat task every": "1 hour"
** "Advanced settings" -> "for a duration of": "1 day"
** "Advanced settings" -> "Expire": box unchecked. (Never expire.)
** "Advanced settings" -> "Enabled": box checked.
* Click "OK" once these settings are set.

* Click on the "Actions" tab at the top of the window, then click the "New" button.
* In the "New Action" window that opens:
** "Settings" -> "Action": "Start a program"
** "Settings" -> "Program/script": the path to the .bat file.
* Click "OK" once these settings are set.

* Click "OK" in the "Create Task" window.

https://stackoverflow.com/questions/4249542/run-a-task-every-x-minutes-with-windows-task-scheduler
https://www.howtogeek.com/tips/how-to-run-a-scheduled-task-without-a-command-window-appearing/

== Troubleshooting ==
To kill the running background GPG agent:
<syntaxhighlight lang="cmd">
gpg-connect-agent killagent /bye
</syntaxhighlight>

To start the background GPG agent:
<syntaxhighlight lang="cmd">
gpg-connect-agent /bye
</syntaxhighlight>

To inspect the connected card(s):
<syntaxhighlight lang="cmd">
gpg --card-status
</syntaxhighlight>

== Sources ==