
Yubikeys

Commands for setting up a Yubikey with a GPG key and an SSH key (using PIV).

Relies on the following:

GPG

Set up roughly following this guide.

# Insert key ... duh

# Bring up gpg
$ gpg --card-edit

# Enter admin mode
gpg/card> admin

# Set the PIN and admin PIN
gpg/card> passwd

# Generate a key
gpg/card> generate

Set up the agent by adding the following to its configuration file (gpg-agent.conf):

pinentry-program $PATH_TO/pinentry-mac
default-cache-ttl 600
max-cache-ttl 7200

Add the following to your profile:

GPG_TTY="$(tty)"
export GPG_TTY
gpgconf --launch gpg-agent

SSH

The following generates a new SSH keypair whose private key lives on the Yubikey. Adapted from the following:

Ensure that yubico-piv-tool is installed.

Ensure opensc is installed.

Create a volume in memory to use for temporarily storing the key material (see ramdisk).

# Switch into the ramdisk
$ cd /volumes/secure
$ umask 077

# Create a public key.
# Enter the management key when prompted.
# Default: 010203040506070801020304050607080102030405060708
$ yubico-piv-tool \
  -a generate \
  -s 9a \
  -k \
  --pin-policy=once \
  --touch-policy=always \
  --algorithm=ECCP256 \
  -o public.pem

# Create a self-signed certificate
# Enter the PIN when prompted, then tap the key.
$ yubico-piv-tool \
  -a verify-pin \
  -a selfsign-certificate \
  -s 9a \
  -S '/CN=ssh/' \
  --valid-days=365 \
  -i public.pem \
  -o cert.pem

# Import the certificate
# Enter the management key when prompted.
$ yubico-piv-tool -k -a import-certificate -s 9a -i cert.pem

Confirm that the key has been added:

$ yubico-piv-tool -a status

At this point, the SSH key should be loaded on the Yubikey. Fetch the public key:

$ ssh-keygen -D $HOME/.nix-profile/lib/opensc-pkcs11.so -e

Note that the path to the .so file depends on the setup; the one above is for a Nix profile.

Add the key to the local ssh-agent:

# Resolve the symlink first, then pass the real path to ssh-add.
# (Doing both on one line as `_path=... ssh-add -s "$_path"` does not work:
# the assignment only becomes ssh-add's environment, and "$_path" expands empty.)
$ _path=$(readlink "$HOME/.nix-profile/lib/opensc-pkcs11.so")
$ ssh-add -s "$_path"

Note that the resolved path must match the pattern-list the ssh-agent was started with via its -P flag; the agent refuses any provider library outside that list.

Confirm the key has been added:

$ ssh-add -L
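The -P mismatch mentioned above fails with an unhelpful refusal from the agent, so the following added example (not part of the original notes) checks the resolved provider path against the agent's pattern-list before calling ssh-add -s. The pattern-lists used here are assumptions for illustration; use the one your agent was actually started with.

```shell
#!/bin/sh
# Added example, not from the original notes. Before calling ssh-add -s,
# check the resolved PKCS#11 provider path against the pattern-list that
# ssh-agent was started with (its -P flag), so a mismatch is reported
# clearly instead of as a bare refusal from the agent. The pattern-lists
# below are assumptions for illustration.

# Match PATH against an OpenSSH pattern-list: comma-separated patterns with
# '*' and '?' wildcards, a leading '!' negates. As in OpenSSH's
# match_pattern_list(), a matching negated pattern denies immediately and
# the path is allowed only if at least one positive pattern matched.
pkcs11_allowed() {
  _path=$1 _rest=$2 _ok=1
  while [ -n "$_rest" ]; do
    case $_rest in
      *,*) _pat=${_rest%%,*}; _rest=${_rest#*,} ;;
      *)   _pat=$_rest;       _rest= ;;
    esac
    [ -n "$_pat" ] || continue
    case $_pat in
      '!'*) _neg=1; _pat=${_pat#?} ;;
      *)    _neg=0 ;;
    esac
    # An unquoted variable in a case label is matched as a glob, and in a
    # case label '*' also spans '/', which is the OpenSSH behaviour.
    case $_path in
      $_pat) [ "$_neg" = 1 ] && return 1; _ok=0 ;;
    esac
  done
  return $_ok
}

# Resolve the provider the same way the notes do (readlink follows the Nix
# profile symlink into /nix/store) and refuse to call ssh-add if the agent
# would reject the resolved path. The default list here is ssh-agent's
# built-in one (see ssh-agent(1)); it does not cover /nix/store.
add_pkcs11_provider() {
  _lib=$1
  _allow=${2:-'/usr/lib*/*,/usr/local/lib*/*'}
  _resolved=$(readlink "$_lib") || _resolved=$_lib
  if ! pkcs11_allowed "$_resolved" "$_allow"; then
    echo "refusing: $_resolved does not match ssh-agent -P '$_allow'" >&2
    echo "restart the agent with e.g. -P '$_allow,/nix/store/*'" >&2
    return 1
  fi
  ssh-add -s "$_resolved"
}
```

Call it as `add_pkcs11_provider "$HOME/.nix-profile/lib/opensc-pkcs11.so" '/usr/lib*/*,/nix/store/*'`, passing the same list the agent was started with.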