Insert the yubikey into the usb port if it is not already plugged in. Jun 11, 2018 our macos is now effectively tricked into thinking that it deals with sshagent, even though its the gpgagent doing authenticating and reading pgp keys directly from your yubikey. In practice, the only thing thats clear is that the pin is needed to access the secrets on the yubikey, so it is effectively equivalent to a gpg secret key passphrase, though it operates at the token level. In this post im going to go over the steps to configure your yubikey for ssh authentication using a gpg key stored on the yubikey itself. While a mac is not a requirement, if youre using windows, the steps will likely be different. It uses encryption to ensure that your messages can be read only by the people you send them to, others can send you messages that only you can read, and these messages can be digitally signed so the people getting them are sure who sent them.
It shouldnt even look special, except it will ask you for the pin when needed, and wont work when the yubikey neo is not connected. This isnt an allexhaustive guide, and you more advanced users may choose to do things differently than i have demonstrated here. I got into a bit of a tangle by specifying a 5 digit pin gpg 1. Yubikey 5 series keys work with the most services across the web. Apr 28, 2017 to use the authentication key for ssh, ensure you have properly setup gpg agent to handle ssh keys and issue the following command, which will output the ssh public key.
Each yubikey with an authentication gpg subkey will produce a different public ssh key. Yubico has just released yubikey for windows hello. How to use a gpg key for ssh authentication linode. If you have a comment or suggestion, please open an issue on github. Configuring yubikey for gpg and u2f kudelski security. This product must be purchased in combination with a yubikey 4 nano. Attach nonconductive end to yubikey 4 nano latch to keychain. Gpg draws a random data encryption key dek, encrypts the file with dek using, e. Yubicos new yubikey for windows hello app makes logging in to your pc a breeze. But its most frequent use is in using those keys to encrypt and decrypt messages. Openkeychain helps you communicate more privately and securely. The advantage of storing your gpg key on a yubikey instead of a computer is that its more secure, since its harder to steal and harder for keylogging malware to get. I tried for a while now to decrypt mailsfiles on my android via openkeychain using my yubikey over nfc. Yubikey 4 authentication is four times faster than typing a one time passcode and does not require a battery nor network connectivity so it is always on and accessible.
Jan 14, 2018 yubikey can only handle a single thing at a time, and is a touch slow, so if you are using saltssh to run a command on multiple servers, and if that saltssh happens to use gpg to decrypt pillars, then youre going to be waiting hundreds of times longer than you would using the vanilla, parallelizable ssh agent and scdaemonfree gpg agent. Ive published a bash function which automates this slightly special key generation process by skipping straight to the load subkeys onto the smartcard section one could feasibly transfer an alreadyexistent, unexpired. I did the same steps on a different windows 7 64 bit machine and it works download gpg4win, import public keys, insert yubikey and type in gpg cardstatus and it loads stubs. Openkeychain and yubikey issue i tried for a while now to decrypt mailsfiles on my android via openkeychain using my yubikey over nfc. A yubikey can act as a gpg smartcard allowing us to safely store our private gpg keys on it. It is wise and more secure to check out for their integrity remarks. The goal here is for you to make sure gpg for windows knows that theres a private key on the smart card, and associates a signing key id with that private key so when git wants to sign a commit, youll get a smart card pin prompt. I wont go into detail on how to create gpg keys, but i will assume that you have a masterkey and three subkeys. Mailvelope allows gpg keys on yubikey to be used with gmail and others. Windows gnupg gpg smart card status not detecting yubikey. Thunderbird supports oauth 2 authentication and can be used with gmail.
Use my yubikey with gpg keys to ssh with a guest computer osx or windows use yubikey gpg key for ssh. Security implications of carrying yubikey on keychain it seems that many people tend to carry their yubikey on a keychain together with home keys etc. This requires a finicky setup process dealing with pgp keys and the gpg ux, and seems to lose track of the yubikey and require restarting all the time. A yubikey with openpgp support yubikey 44c and nano variants, neo and neon. Before we get too invested in this tutorial, i want to point out that im using a mac. Yubico yubikey lanyard for use with usba nano formfactor. Openkeychain does not seem to know to prompt for my yubikey. Please donate for gpg4win to support maintenance and development. Configuring yubikeys, gpg, and keybase things that matter most. This works fine, since i can use a yubikey nano for the macbook pro, and leave the desktop one plugged in.
For those with a windows 10 home license, the above steps are all that is required to get yubikey. This guide goes through the steps for setting this up on a mac running os x. How to setup signed git commits with a yubikey neo and gpg. Sometimes, the gpg agent does not correctly detect if the yubikey is plugged in. Yubikey can only handle a single thing at a time, and is a touch slow, so if you are using saltssh to run a command on multiple servers, and if that saltssh happens to use gpg to decrypt pillars, then youre going to be waiting hundreds of times longer than you would using the vanilla, parallelizable ssh agent and scdaemonfree gpgagent. Security implications of carrying yubikey on keychain. Keys stored on yubikey are nonexportable as opposed to filebased keys that are stored on disk and are convenient for everyday use. Insert yubikey with subkeys on it, verify these subkeys by gpg cardstatus. I love using the yubikey neo with nfc, having my gpg keys on it and using it also for ssh connections, but mostly i love it for the otp feature. Start with empty gpg keychain, verify by gpg listkeys. Many of the principles in this document are applicable to other smart card devices. First, we need to check that gpg can see the yubikey when it is plugged in if it does not, check section extras. Use my yubikey with gpg keys to ssh with a guest computer.
Im using macgpg, also known as gpg suite or gpg tools for mac. This gave me a great opportunity to update my somewhat popular gpgssh with yubikey guide. Openkeychain openkeychain is an android app that brings secure communication, through the openpgp standard, to your mobile phone. Although the concepts of doing this under linux and windows are the same. Simply insert into a usb slot and authenticate with a touch. The upside is that even in the case a piece of malware manages to get onto your machine and intercepts your pin, it still will not be able to use the gpg keys on your yubikey. Usage the openpgp functionality of yubikeys is typically used through gnupg so we refer to its documentation for the full reference. Run gpg listsecretkey and the subkeys from the yubikey will appear. If you used gpg inside wsl to generate your keys, you will have to first set up a bridge between gpg agent inside wsl and gpg agent inside windows. When i try to add my yubikey kinda odd thing to do really, the private keys should not and will not leave the key and why would it need the public. The yubikey 4 and yubikey neo support the openpgp interface for smart cards which can be used with gpg4win for encryption and signing, as well as for ssh authentication. Yubikey neo and openpgp key generation and loading on windows.
Jun 01, 2018 sudo killall gpg agent gpg agent daemon writeenvfile. There is an official guide for that, as well as a more evolved instruction on github from the user drduh. You may also run gpg armor exportsecretkey and a private key will be printed this private key does not. It is great, because using it by nfc with open keychain and k9 i do. Previous versions of the yubikey, including the yubikey neo, only support keys up to 2048 bits. Now you need to either generate your pgp keys directly on the yubikey or create them locally and copy over. You also find that gpg is used to verify packages when you install software on your ubuntu or fedora box. If you used gpg inside wsl to generate your keys, you will have to first set up a bridge between gpgagent inside wsl and gpgagent inside windows. This means that to use any of the gpg keys on the yubikey, you need to do 2 things. This is an attempt to do a quick start guide for properly generating openpgp keys and loading them into your yubikey neo on windows. The following needs to be run for the yubikey to work.
Besides typing in your password, you need to insert the yubikey, wait a second, and press on the touchtosign metal area on the key. Print the text, save the text in password managers, save the text on a usb storage device. Yubikey personalization tools and neo manager can detect and read the yubikey but gpg cannot. Sign in sign up instantly share code, notes, and snippets. On windows, gpg and related settings are in appdataroaminggnupg. On debiantesting a conflict exists between gpg agentgpg2 and pcscd. Note that yubikey requires you to be running windows 10. The yubikey 4 combines hardwarebased authentication and public key cryptography to eliminate account takeovers. Gpg keyring can also be used for authenticating ssh. Further, it is desirable to have gpg agent start automatically when a yubikey is inserted. Its rigid body is designed to be carried on a keyring. It also functions as a powerful embedded gpg smartcard for use with the pgp system of publickey cryptography.
The yubikey neo is a keysized device that provides an additional multifactor level of security in addition to normal passwords that can be accessed via usb or nfc. Yubikey gpg key for ssh authentication in this post im going to go over the steps to configure your yubikey for ssh authentication using a gpg key stored on the yubikey itself. As of the time of writing, some windows versions have issues using yubikey after the system sleeps or any number of other events. Windows gnupg gpg information security stack exchange. Note that this is the passphrase, and not the pin or admin pin. Jan 20, 2020 openkeychain helps you communicate more privately and securely. In this tutorial, were going to explore using the yubikey as a smart card for storing our pgp signing, encryption, and authentication subkeys. You can also use a yubikey neo, but this will only work with 2048bit keys. Yubikey 5c is a twofactor security key that authenticates and secures login credentials via usbc ports.
You can also manage your public keys, import public keys from the web, export your public keys to the web, etc. Yubikey for windows hello makes logging in to your pc a breeze. Youll probably be working with a single smartcard, so youll want only one primary key 1. The goal of this walkthrough is to help you configure your gpg identity and port your keys to a secure hardware token i recommend a yubkey 4 as it supports 4096bit rsa keys. Force gpg agent to restart by running the following command in command prompt windows or terminal macos linux.
The reason for doing this is so that you can use your gpg key as an ssh key. Yubico just announced the new yubikey 5 and of course i needed to buy one. Now lets back up our keys quickly, as importing the encryption key to the yubikey will remove it from the gpg keyring. Pinentry is a collection of passphrase entry dialogs which is required for almost all usages of gnupg.
The yubikey 4 can store gpg keys up to 4096 bits, which is the keysize i use. Use gpg suite to encrypt, decrypt, sign and verify files or messages. Gpg is a command line software to encrypt, decrypt files with a symmetric or assymetric key. Openkeychain stores and manages your keys, and those of the people you communicate with, on your android smartphone. After all that is done, you need to enable your ssh client the builtin terminal app, for instance to read pgp keys directly from yubikey. Use a yubikey for pgp signing, encryption, and authentication.
These in turn can be used by several other useful tools, like git, pass, etc. The problem with this is that if the main key is in your keychain, the. The yubikey 5 series provides a pivcompatible smart card application. However, this has also caused issues for many other people. This guide will help you set up the required software for getting things to work. If gpg is still not detecting the yubikey, you may need to change some of gpg s options.
Aug 31, 2018 a yubikey with openpgp support yubikey 44c and nano variants, neo and neon. Enter the pin this is usually cached for a couple of hours touch the yubikeys touch sensor. Openkeychain is based on the well established openpgp standard making encryption. Pair this lanyard with a yubikey 4 nano for easy usba port removal. Using a yubikey for ssh authentication mcqueen lab. All you need to know about yubikey for windows hello and. All you need to do know to authenticate over ssh in a true hardware fashion is to turn on your laptop, put a stick in the usb and push a button on it. On linux you can also use yubikeytouchdetector to have an indicator or notification that yubikey is waiting for a touch. Once the key is encrypted, transfer the file to your mobile using any method, decrypt the file with openkeychain. Ecc keys are supported on yubikey 5 devices with firmware version 5. Resistant to breakage and watertight, yubikey 5 nfc is practically indestructible during normal use, weighs only 3g and attaches to your keychain next to your house and car keys integration within minutes with free and open source server software. Nov 29, 2015 i generated my 4096 bit subkeys on an offline machine a laptop booted from a debian live cd and backed them up before using keytocard in gpg to write them to the yubikey.
It also helps you find others keys online, and exchange keys. If your yubikey can only hold 2048 bits rsa keys, you will need to generate. Pgp is a crypto toolbox that can be used to perform all common operations. While a mac is not a requirement, if youre using windows, the steps will. This app manages your keys and can also decryptencrypt data. May 04, 2020 gpg keys on yubikey can be used with ease to encrypt andor sign emails and attachments using thunderbird and enigmail. If you want to use a yubikey for windows macos linux login as part of a multifactor authentication, then yubico advises having a second yubikey as backup. Manage your gpg keychain with a few simple clicks and experience the full power of gpg easier than ever before. Technical guide for using yubikey series 4 for gpg and ssh. Use gpg as shown above to generate a random password, then export and encrypt your key with it. The goal here is for you to make sure gpg for windows knows that theres a private key on the smart card, and associates a signing key id with that private key so when git wants to sign a. It also functions as a powerful embedded gpg smartcard for use with the pgp system of publickey cryptography pictured are two alternative hardware tokens, a symantec vip and rsa securid. Gpg keys on yubikey can be used with ease to encrypt andor sign emails and attachments using thunderbird and enigmail.
This is a guide to using yubikey as a smartcard for storing gpg encryption, signing and authentication keys, which can also be used for ssh. Using a yubikey for gpg and ssh sebastian neef 0day. Purchase download os image required software debian and ubuntu arch rhel7. On windows, the smart card functionality can be extended with the yubikey smart card minidriver. For example, the yubikey neo and yubikey 5 have support for u2f, fido2, openpgp, otp, and a bunch of other crazy technologies.
868 1092 1527 1038 102 870 660 977 651 1396 596 463 510 1264 345 64 1570 810 363 1155 510 1174 480 242 199 1049 1209 627 1026 974 459 7 562 1124 1312 716 1375 490