Lock down your security with GPG on a YubiKey
Gnu Privacy Guard (GnuPG or GPG) is a tool we use a lot at End Point. Its ubiquity and quite decent security is a perfect fit for us — and there’s a way to make it even safer.
GPG uses the OpenPGP standard to encrypt files. Normally, one creates a PGP key on their computer and just keeps the keyfile safe. A password is generally used, but as with any private key, it’s only as safe as the computer it’s on.
Got a YubiKey and not sure what to do with it? Want to get a little more secure with your encryption?
In case you haven’t heard of them, YubiKeys are hardware USB keys that can be used as a multi-factor authentication (MFA) token, or to fill in one-time password (OTP) fields (like those generated by Google Authenticator) on sites that don’t support the YubiKey directly as an MFA token.
Using a smart card like a YubiKey can increase GPG’s security, especially if the key is generated on an air-gapped machine. This way the keyfile is stored in the hardware security token, and is never exposed to the internet.
In addition, you can even store an SSH key on the card, which will enable you to log in to remote Linux machines while keeping your private key secured.
While there isn’t full password locking on hardware tokens, YubiKey and almost all OpenPGP keys have two PINs — a user PIN and an administrative PIN to reset the user PIN. If you enter either or both three times incorrectly, the card will lock and you’ll need to reload from backup (or, in some cases, throw the card away) which is why it’s critical to have a backup.
There are several options for smart cards beyond the YubiKey. You can use any OpenPGP compatible card and reader, or an all-in-one solution that’s compatible with OpenPGP.
The following instructions do require a basic understanding of the command line and of how to create a live CD/USB stick, but if you need to use GPG, you’re probably already at least somewhat familiar with these requirements.
An air-gapped machine isn’t required for these instructions. You could do this on any machine you trust, but using a machine with a fresh OS that hasn’t been connected to the internet affords the highest level of security. Simply booting from a live CD/USB is fairly easy. Choosing an operating sytem that comes with the smart card daemon (scdaemon) will help. If you don’t, make sure you download the scdaemon package for your operating system to use with the live CD/USB.
Before you begin, you’ll need:
- A smart card solution as described above.
- A backup smart card, or external media on which to store an encrypted copy of the key.
- A machine on which to generate the key.
- A live OS. For this demonstration I used Tails, The Amnesic Incognito Live System. It’s specifically designed to not store logs or keep data from one reboot to another.
- A way to access these instructions, like a second computer, phone, printout, or a very good memory.
Boot up the live machine. Note that if you’re using Tails, there are two settings you’ll need to choose on the welcome screen. Click the plus button and do the following:
- Set an administrative password. Tails doesn’t set a root password by default, and thus disallows root access for better security. You can set one yourself.
- Disable networking in the ‘Network Connection’ section.
Access and configure the card
Once booted, run an admin terminal, or load a terminal and run
sudo -i. It’ll prompt you for the password you just set.
Ensure you can access the card and that the smart card daemon is installed by running
gpg --edit-card. It should display information about your smart card.
If you’re using an air-gapped machine and your live OS is missing requisite packages, don’t access the internet with the machine in order to install it, since that would break the air gap. Instead, copy the installation files across using sneakernet: Add the files to a USB drive, perhaps the one you’ll be using to back up your PGP key). The packages for a Debian-based machine are:
gnupg2. Debian has instructions on how to get packages to an air-gapped machine.
Set a PIN for your card, if you haven’t already. Start with:
$ gpg --edit-card
The default PIN for a YubiKey should be 123456, and the default admin PIN should be 12345678. Check the documentation that came with your key, though!
Enable admin features first:
This should return
Admin commands are allowed.
Set the passwords, both for the regular PIN and the admin PIN:
1 - change PIN <- Default 123456 2 - unblock PIN <- To reset the pin with the AdminPin / Reset Code 3 - change Admin PIN <- Default 12345678 4 - set the Reset Code <- See below Q - quit
Do not mix up your PIN and admin PIN! You can lock up your card, which will require a factory reset.
The reset code is set if you are setting up the card for someone else to use, and wish to give them a way to reset the PIN without having full access to the rest of the admin functions.
Generate the keys
Run the following to generate the key:
$ gpg --expert --full-gen-key
- Key type: 1 (RSA & RSA). (You can also use “ECC & ECC” if you’re brave. These types of keys may not work with older systems and implementations of GPG, however, so your mileage may vary. If you do want to use ECC & ECC, use Curve 25519 in the next step.)
- Key size: this should be the maximum supported by your key. YubiKey 4 or 5 can support up to 4096. Use this for both main and subkey.
- Expiry: This is your choice. I’d set it to a year or two.
- Real name, email, and comment: I recommend leaving the comment blank, since most of the time the email address will be enough information.
- Next, GPG will ask you to move your mouse around — don’t sprain anything while generating entropy!
Now your key is generated. If you only have one spare storage device which you want to use for backups, copy the revocation certificate and the SSH public key to storage, sneak this on to your main computer, and only then copy the keys over to the backup drive. Don’t attach the backup drive to anything but an air-gapped machine once it holds your key!
You might as well generate an SSH key now. Even if you don’t use it, there’s no harm in having it.
$ gpg --expert --edit-key <your email/key id>
gpg/card> addkeyto add a key.
- Type 8, RSA (set your own capabilities). If this option doesn’t show up, ensure you used
- Enable authentication and disable signing and encrypting — type
- 4096 bits is the best number to use, at least for RSA on modern YubiKeys. If you have an older key you may be limited to 3072 or 2048.
- You can choose to have the key expire, but ensure you have a backup method of logging in.
- Confirm your choices, then quit, confirming you want to save.
For more in-depth instructions, visit https://opensource.com/article/19/4/gpg-subkeys-ssh
Export the public keys:
$ gpg --export --armor <key ID> > /path/to/thumbdrive/<email>_pub.asc $ gpg --export-ssh <key ID> > /path/to/thumbdrive/YubiKey_id_rsa.pub
Move the keys to your card
Once you have the key added to your keyring, you’ll need to transfer that key to your card:
$ gpg --edit-key <key id>
To export the public SSH key you’ll need to put on remote servers, you can run the command:
gpg --export-ssh-key 0x123456789ABCDE
gpg> keytocard— confirm you want to move the primary key and store this in position 1 of the card.
- To select the encryption key, type
keytocardto store the encryption key in the encryption slot.
- To select the encryption key, type
- If you have an encryption key:
- To select the authentication key, run
- To deselect the key first key, run
key 1. You should only have one key with
- Store in the authentication slot:
- To select the authentication key, run
- Repeat this for as many subkeys as you have.
- Once you’re done, quit and confirm the saved changes.
Time to test your new key!
And that’s it. Publish your new public GPG key, use your new SSH key, secure in the knowledge that your private key is protected from malicious attacks by an additional hardware layer.
What do I do if it all went wrong or I locked up the card?
You can start again. The following command will restore the GPG-compatible portion of your YubiKey to factory settings. You will lose any keys stored on the card. I don’t believe it’ll cause any OTP/2FA set up with the card to be lost, but I make no guarantees.
ONLY RUN THE FOLLOWING IF YOUR PIN IS LOCKED AND THE SMART CARD IS UNUSABLE:
$ gpg --edit-card gpg/card> factory-reset
Follow the confirmation steps on screen.