Commands for setting up a Yubikey, with GPG key and SSH key using (PIV).
Relies on the following:
Set up roughly following this guide.
# Insert key ... duh
# Bring up gpg
$ gpg --card-edit
# Enter admin mode
gpg/card> admin
# Set the PIN and admin PIN
gpg/card> passwd
# Generate a key
gpg/card> generate
Set up the agent:
pinentry-program $PATH_TO/pinentry-mac
default-cache-ttl 600
max-cache-ttl 7200
Add the following to your profile:
GPG_TTY="$(tty)"
export GPG_TTY
gpgconf --launch gpg-agent
The following generates a new SSH keypair that resides on the key. Adapted from the following:
Ensure that
yubico-piv-tool is
installed.
Ensure opensc is installed.
Create a volume in memory to use for temporarily storing the key material (see
ramdisk).
# Switch into the ramdisk
$ cd /volumes/secure
$ umask 077
# Create a public key.
# Enter the management key when prompted.
# Default: 010203040506070801020304050607080102030405060708
$ yubico-piv-tool \
-a generate \
-s 9a \
-k \
--pin-policy=once \
--touch-policy=always \
--algorithm=ECCP256 \
-o public.pem
# Create a self-signed certificate
# Enter the PIN when prompted, then tap the key.
$ yubico-piv-tool \
-a verify-pin \
-a selfsign-certificate \
-s 9a \
-S '/CN=ssh/' \
--valid-days=365 \
-i public.pem \
-o cert.pem
# Import the certificate
# Enter the management key when prompted.
$ yubico-piv-tool -k -a import-certificate -s 9a -i cert.pem
Confirm that they key has been added:
$ yubico-piv-tool -a status
At this point, the SSH key should be loaded on the Yubikey. Fetch the public key:
$ ssh-keygen -D $HOME/.nix-profile/lib/opensc-pkcs11.so -e
Note that the path to the .so file may differ, based on the setup. The above
is based on using Nix.
Add the key to the local ssh-agent:
$ _path=$(readlink $HOME/.nix-profile/lib/opensc-pkcs11.so) \
ssh-add -s "$_path"
Note that the path must match the value that has been whitelisted on the
ssh-agent via the -P flag.
Confirm the key has been added:
$ ssh-add -L