Nick Travers

Yubikeys

Commands for setting up a Yubikey with a GPG key and an SSH key (the SSH key uses the PIV applet).

Relies on the following:

GPG

Set up roughly following this guide.

# Insert key ... duh

# Bring up gpg
$ gpg --card-edit

# Enter admin mode
gpg/card> admin

# Set the PIN and admin PIN
gpg/card> passwd

# Generate a key
gpg/card> generate

Set up the agent (these lines go in gpg-agent.conf):

pinentry-program $PATH_TO/pinentry-mac
default-cache-ttl 600
max-cache-ttl 7200

Add the following to your profile:

GPG_TTY="$(tty)"
export GPG_TTY
gpgconf --launch gpg-agent

Seeding local instance

Work in a RAM-backed directory (e.g. /dev/shm) so that no private key material touches disk, and import the keys there.

$ gpg --import private.key

Export subkeys.

$ gpg --armor --output subkeys.key --export-secret-subkeys $KEY

Remove all secret keys.

$ gpg --delete-secret-keys $KEY

Re-import subkey secret keys.

$ gpg --import subkeys.key

Update the subkey to point at the Yubikey.

$ gpg --expert --edit-key $KEY

gpg> key $NUM
gpg> keytocard

Select the signature key. Enter the passphrase to unlock the key, and then enter the Yubikey admin PIN (the factory default is 12345678).

Save and exit.

List the secret keys, which should show a pointer to the card for the subkey.

$ gpg --list-secret-keys
------------------------------
sec>  ... snip ...
ssb>  ... snip ...

Shred any remaining key material.

$ shred -u $FILE [$FILE ...]
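To check the result of the steps above without eyeballing the `sec>` / `ssb>` markers, the listing can be parsed in its machine-readable form. The script below is an added example, not part of the original notes: it reads `gpg --list-secret-keys --with-colons` output, where field 15 of a sec/ssb record is the serial of the token holding the key, "#" for a stub with no secret at all (an offline primary key), and empty when the secret key is still stored locally. The sample listings it runs over are constructed, with placeholder key IDs and serials.

```shell
#!/bin/sh
# Added example, not part of the original notes: confirm that no private key
# material is left in the local keyring after seeding, by parsing the
# machine-readable listing `gpg --list-secret-keys --with-colons`.
#
# In that format, field 15 of a sec/ssb record is the serial number of the
# token holding the key, "#" for a stub with no secret at all (e.g. an
# offline primary key), and empty when the secret key is stored locally.

# check_on_card reads colon-format records on stdin and prints one line per
# secret key. Returns 0 if every sec/ssb is on a token or a bare stub,
# 1 if any secret key is still held locally (or no secret keys are listed).
check_on_card() {
  awk -F: '
    $1 == "sec" || $1 == "ssb" {
      total++
      if ($15 == "") {
        ondisk++
        printf "LOCAL     %s %s (secret key stored on disk)\n", $1, $5
      } else if ($15 == "#") {
        printf "STUB      %s %s (no secret present)\n", $1, $5
      } else {
        printf "ON-TOKEN  %s %s (serial %s)\n", $1, $5, $15
      }
    }
    END {
      if (total == 0) { print "no secret keys listed"; exit 1 }
      exit (ondisk > 0)
    }
  '
}

# Constructed sample listings (key IDs and serials are placeholders, not real
# keys). Each record carries enough colon-separated fields for field 15 to be
# in the position gpg uses.
sample_on_card() {
  cat <<'EOF'
sec:u:255:22:0000000000000001:1700000000:::u:::cSC:::D2760001240100000006000000000000::ed25519::
ssb:u:255:22:0000000000000002:1700000000::::::e:::D2760001240100000006000000000000::cv25519::
ssb:u:255:22:0000000000000003:1700000000::::::a:::D2760001240100000006000000000000::ed25519::
EOF
}

# Same shape, but the primary is an offline stub and the signing subkey's
# secret was never moved to the card.
sample_mixed() {
  cat <<'EOF'
sec:u:255:22:0000000000000001:1700000000:::u:::cSC:::#::ed25519::
ssb:u:255:22:0000000000000002:1700000000::::::e:::D2760001240100000006000000000000::cv25519::
ssb:u:255:22:0000000000000003:1700000000::::::s:::::ed25519::
EOF
}

# Demo over the constructed listings. Against a real keyring run:
#   gpg --list-secret-keys --with-colons | check_on_card
echo "--- listing after keytocard + shred ---"
sample_on_card | check_on_card
echo "--- listing with a subkey still on disk ---"
sample_mixed | check_on_card \
  || echo "=> secret key material remains locally; repeat the export/delete/shred steps"
```

The check deliberately treats "#" stubs as acceptable, because an offline primary key that is absent from the keyring is the intended end state; only an empty token field (secret present on disk) fails the check.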

SSH

The following generates a new SSH keypair that resides on the key. Adapted from the following:

Ensure that yubico-piv-tool is installed.

Ensure opensc is installed.

Create a volume in memory to use for temporarily storing the key material (see ramdisk).

# Switch into the ramdisk
$ cd /volumes/secure
$ umask 077

# Generate a keypair in PIV slot 9a (authentication). Only the public half is
# written out, to public.pem; the private key never leaves the Yubikey.
# Enter the management key when prompted.
# Default: 010203040506070801020304050607080102030405060708
$ yubico-piv-tool \
  -a generate \
  -s 9a \
  -k \
  --pin-policy=once \
  --touch-policy=always \
  --algorithm=ECCP256 \
  -o public.pem

# Create a self-signed certificate
# Enter the PIN when prompted, then tap the key.
$ yubico-piv-tool \
  -a verify-pin \
  -a selfsign-certificate \
  -s 9a \
  -S '/CN=ssh/' \
  --valid-days=365 \
  -i public.pem \
  -o cert.pem

# Import the certificate
# Enter the management key when prompted.
$ yubico-piv-tool -k -a import-certificate -s 9a -i cert.pem

Confirm that the key has been added:

$ yubico-piv-tool -a status

At this point, the SSH key should be loaded on the Yubikey. Fetch the public key:

$ ssh-keygen -D $HOME/.nix-profile/lib/opensc-pkcs11.so -e

Note that the path to the .so file may differ, based on the setup. The above is based on using Nix.

Add the key to the local `ssh-agent`:

# Resolve the symlink first; a VAR=value prefix on the same command line is
# not visible to "$_path" on that line, so ssh-add would get an empty path.
$ _path=$(readlink $HOME/.nix-profile/lib/opensc-pkcs11.so)
$ ssh-add -s "$_path"

Note that the resolved path must match the provider allowlist configured on the ssh-agent via its -P flag.

Confirm the key has been added:

$ ssh-add -L