Gpg Generate Key On Card
- Gpg Generate Key On Card Template
- Gpg Generate Key On Card Template
- Gpg Create Public Key
- Gpg Generate Key On Card Account
- Gpg Generate Key On Card Game
Your 'GPG key ID' consists of 8 hex digits identifying the public key. In the example above, the GPG key ID is 1B2AFA1C. In most cases, if you are asked for the key ID, prepend 0x to the key ID, as in 0x6789ABCD. Fwiw, i've just tried loading the same keyfile that the s390x (64-bit big-endian) implementation choked on into a running gpg-agent on an amd64 machine (64-bit little-endian) and gpg -full-generate-key succeeded with that same key on amd64. Likewise, i've taken a.key S-expression file from an amd64 machine where it was used successfully to generate a key and put it on an s390x machine; it.
Updated by Alex FornutoContributed byHuw Evans
If you are on version 2.1.17 or greater, paste the text below to generate a GPG key pair. $ gpg -full-generate-key; If you are not on version 2.1.17 or greater, the gpg -full-generate-key command doesn't work. Paste the text below and skip to step 6. $ gpg -default-new-key-algo rsa4096 -gen-key.
- Nov 24, 2013 Generating More Secure GPG Keys: A Step-by-Step Guide (this post) Using an OpenPGP Smartcard with GnuPG In this post, I’ll will cover the generation of a new GPG key and removal of the primary key, one of two mitigation strategies mentioned in the previous post.
- @OMGtechy How did you try to recover the key(s)? I could restore public keys by gpg -import-options restore -import backupkeys.pgp, but that does not restore secret keys, only the public ones, if backupkeys.pgp was created by gpg -output backupkeys.pgp -armor -export -export-options export-backup.In that -armor is not necessary and export-backup could be replaced by backup.
- GPG's AES-256 symmetric encryption is believed to be as secure as it is difficult to. Guess the passphrase; or compromise the machine used to perform encryption and decryption. Guessing the passphrase should be harder if one uses. Gpg -s2k-mode 3 -s2k-count 65011712 -s2k-digest-algo SHA512 -s2k-cipher-algo AES256.
- Gpg/card quit Moving your GPG private key to the YubiKey. Now we're ready to move the GPG private key to the card. We do this with the -edit-key option to GPG, with your email address as the second argument. $ gpg -edit-key malcolm@juxt.pro The procedure is explained more fully here. You have to select each key in turn and enter keytocard.
Report an Issue View File Edit File
You may be familiar with public key authentication for Secure Shell (SSH) on your Linode. But you may not have known that you can also use a GNU Privacy Guard (GPG) keypair to authenticate with SSH.
The chief benefit of this method is that instead of having separate keys for GPG messaging and SSH authentication, they can both belong to the same GPG keyring. This configuration really shines, however, when used with a GPG smartcard or YubiKey, because the card/dongle can store the underlying private key and only authenticate SSH sessions when it’s plugged in. WIRED reported that engineers at Facebook use this method for authenticating with local servers, so why shouldn’t you?
This guide will show you how to generate a GPG key, set up your computer to serve it in place of an SSH key, and put the new public key onto your server for authentication. It will also detail how to optionally move your GPG private key onto a smartcard or YubiKey to prevent authentication when the device isn’t plugged into your computer.
Before You Begin
NoteThis guide assumes:
- You have a fully functional Linode
- You have followed the Getting Started and Securing Your Server guides, and updated your Linode with
sudo apt-get update && sudo apt-get upgrade
) - You are familiar with the command line
You don’t necessarily need to be familiar with SSH public key authentication or GPG encryption, but an understanding of their operation will help you out if you run into problems.
Generate a GPG Keypair
This section explains how to generate a new GPG keypair. If you already have one, you may skip these steps, as the next section will include instructions for how to create a subkey to use specifically for authentication. You will just need the 8-digit ID for your existing key to do so.
CautionAll of these steps should be performed on a local machine, not your Linode.
Install GPG:
On Debian and its derivatives:
On OS X:
GPGTools provides the simplest implementation of GPG for OS X. Otherwise, you could run
brew install gnupg2
if you have Homebrew.On other operating systems, this process should be fairly clear. GPG is likely already installed, but if it isn’t, a quick internet search should give you the instructions you need.
Open a command prompt and execute:
When prompted to select the kind of key you want, select
(1) RSA and RSA
.When asked for a keysize, type
4096
. If you want to store your key on a YubiKey Neo or certain smartcards, you may be restricted to a 2048-bit key size, so ensure that you aware of limitations for your device, if applicable.Choose an expiration period that you think will be suitable for this key. After that date, the key will no longer work, so choose carefully.
Enter your full name, email address, and a comment (if you want). Select
O
for ‘Okay’.After looking over your shoulders for secret agents, enter a long and secure passphrase that will be used to encrypt your key in local storage. Write this down somewhere you know to be physically secure while your computer generates the keypair.
Once this is done, your output should resemble the following:
This process has created a master GPG key and a subkey for encrypting messages and files. To authenticate with SSH, we need to generate a second subkey for authentication.
Generating the Authentication Subkey
In a command prompt or terminal, type:
Replace
key-id
with the eight-character string output from the key generation process. This will be found in the line beginning withpub
. In the example above, the ID is71735D23
.At the new
gpg>
prompt, enter:When prompted, enter your passphrase.
When asked for the type of key you want, select:
(8) RSA (set your own capabilities)
.Enter
S
to toggle the ‘Sign’ action off.Enter
E
to toggle the ‘Encrypt’ action off.Enter
A
to toggle the ‘Authenticate’ action on. The output should now includeCurrent allowed actions: Authenticate
, with nothing else on that line.Enter
Q
to continue.When asked for a keysize, choose
4096
. The same limitation from Step 4 in the first section applies, so ensure your card/YubiKey can support this key size.Enter an expiration date, just as before. You should probably keep this the same as the first one. If you choose a lower expiration date, your main private key will continue to function but your SSH authentication will break on this date.
When you’re sure all of the information entered is correct, enter
y
at theReally create? (y/N)
prompt to complete the process.Once the key is created, enter
quit
to leave the gpg prompt, andy
at the prompt to save changes.
Your terminal should now look like this:
Secure Your GPG Key
CautionYou should always have a backup of your private key in case something goes wrong and you end up locked out of everything that requires it. This private key, along with the instructions in this guide, will be enough to get your setup working again if you need to start afresh on a new computer.
Back up your
~/.gnupg
folder with the following command, replacingUSB_DEVICE
with the name of your device:This assumes you have a storage device mounted at
/Volumes/USB_DEVICE/
. Different operating systems may use different naming conventions for this path. You can safely ignore anyOperation not supported on socket
warnings that appear when you enter this command.Back up your private key, replacing
key-id
with the eight-character key ID for your private key:Back up your subkeys, replacing
key-id
with the eight-character key ID for each subkey:
If something bad happens and you lose your keys, you can re-import them by overwriting the ~/.gnupg
directory with your copy, and using:
Be sure to replace key-file
with the location of each of your files.
Export Your Public Key
If you’re working on a VM or offline machine, you’ll also need to export your public key to be reimported later:
Be sure to replace key-id
with your own key ID.
You can reimport it with the ever-handy gpg2 --import key-file
command.
Move Your Key to a Smartcard or YubiKey (Optional)
Gpg Generate Key On Card Template
Noteykpersonalise -m82
. ykpersonalise
can be installed through your package manager.Secure Your Card
It is assumed that you have already configured your card/YubiKey’s (herein referred to as ‘GPG device’) owner information. It is highly recommended that you secure your card before you start this section.
Note123456
, and the default Admin PIN is usually 12345678
. If these don’t work, contact the manufacturer or review online documentation.Plug in the device and execute:
Enable admin commands:
Enter the password change menu:
Change the password to your device by selecting
2 - unblock PIN
. This will unblock your PIN, and prompt you to change it. This PIN will be required every time you want to access your GPG key (e.g. every time you authenticate with SSH), and has a limit of eight characters.Change the admin PIN by selecting
3 - change Admin PIN
. This PIN is required to make administrative changes, like in step 2, and has a limit of 6 characters. For optimum security, never store this PIN in a digital location, since it will be unnecessary for daily use of the YubiKey.Exit these menus by selecting
Q
and then typingquit
.
For reference, your window should resemble the following. This example is abbreviated:
Transfer Your Subkey
Enter the key edit menu from a normal command prompt, replacing
key-id
with your own key ID:Switch to the private key editor:
Select only the authentication subkey:
Remember, if you have more subkeys this command should be changed as appropriate.
Transfer the key:
Select
(3) Authentication key
to store your key on the third slot of the device. If this is not an option, ensure that you’ve selected the appropriate subkey.Enter your passphrase.
Type
save
to exit this menu.If you’re working on a VM or offline machine, export the subkey stubs (pointers so GPG knows your subkeys are on the device):
Be sure to substitute your own key ID for
key-id
. You can reimport these with an ordinarygpg2 --import <stub file>
on your private machine.
After all this, your output should resemble the following:
Congratulations! You’ve successfully transferred your authentication subkey to your device.
CautionServe Your GPG key Instead of an SSH key
In this section, we’ll configure your local machine so the connection between GPG and SSH works properly.
Return to your local machine, import all of the appropriate GPG keys and insert the appropriate GPG device. Install GPG if you don’t already have it on your local computer (e.g. if you performed all the above steps on a VM).
Edit the
~/.bash_profile
file (or similar shell startup file) to include:Linux:
- ~/.bash_profile
OS X
- ~/.bash_profile
This ensures that SSH can ‘see’ your GPG keys and automatically starts
gpg-agent
as needed.Edit or create
~/.gnupg/gpg-agent.conf
:- ~/.gnupg/gpg-agent.conf
If you’re on OS X and previously installed GPGTools, you can also add the line:
This allows you to use the PIN entry program provided by GPGTools.
Restart the GPG agent: Gpgp 2.0 key generation.
Add the New Key to Your Linode
The steps from the previous sections will take your GPG keys and pipe them through SSH so they can be used for authentication. The result of this process is that you’ve created a new RSA public key for use with SSH authentication.
On your local machine, extract the public key:
You should see a long output of alphanumeric characters. If you see
The agent has no identities
, try the steps to restart the GPG agent from above.Copy the whole string of output, including
ssh-rsa
. If you see multiple strings beginning withssh-rsa
, copy the one that ends withcardno:
. It might look like this:Paste this into a new file (for example,
~/gpg-key.pub
) and save it.Copy the file to your Linode:
Log into your Linode and append the key to the
authorized_hosts
file:
You’re done! Disconnect, and all new logins should now use your GPG key instead of a passphrase. This SSH key can also be used with GitHub, Bitbucket, other SSH-based Version Control Systems, or anywhere else that accepts SSH keys.
More Information
You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.
Join our Community
This guide is published under a CC BY-ND 4.0 license.
In last week's post on YubiKey, I explained how to use your YubiKey 4 to log in to various websites that support them.
In another post on secure library distribution, I discussed the problem of trust of third-party libraries and the need for signatures and signature verification. I also postulated an idea of using a service such as keybase.io to publish the keys of trusted library authors.
In order for this scheme to work, we need it to be both trustworthy and popular. Usually, the more secure a system is, the less convenient it is. Longer passwords are harder to remember and take longer to type. However, one advantage with the Yubikey is that it offers great security along with greater convenience.
In this article I'm going to show how to set up your YubiKey to give both greater security and convenience when signing jars, tags and commits and doing other things where proving your identity is required.
YubiKey 4
The YubiKey 4 can store GPG keys up to 4096 bits, which is the key-size I use. Previous versions of the YubiKey, including the YubiKey NEO, only support keys up to 2048 bits.
The advantage of storing your GPG key on a YubiKey instead of a computer is that it's more secure, since it's harder to steal and harder for key-logging malware to get access to it.
Of course, it's possible for someone to steal your YubiKey, but for that reason we can protect it with a 6-digit PIN (where 3 failed PIN attempts locks the hardware, a defense against brute-force attacks).
If you're going to follow my guide, I assume you've already got the following:
- A YubiKey 4
- A GPG key
If you haven't set up your YubiKey 4 as a U2F device, see my previous post.
If you are a Clojure library author and the cost of a YubiKey is prohibitive for you, let me know your clojars username and your shipping address, via a GPG encrypted attachment to and let me know your public key by publishing it on keybase.io. I will then purchase a YubiKey on your behalf from my own funds.
There are plenty of good guides about how to create a GPG key, so I'm not going to try to repeat those. Here's a good one.
Use a proper passphrase when creating your key. Usually a very long passphrase is inconvenient to type every time your use your private key. But once your key is safely on the YubiKey you won't need to keep typing it, so there's no problem using a really long passphrase at this point, so long as you don't lose it.
Backing up your GPG key
Before we start it's important you realise we are going to move your GPG private key to the YubiKey, so do the following now:
- Plug in a USB stick into your computer and mount it
- Copy over your
~/.gnupg
directory - Unmount and remove the USB stick, and lock it away in a safe, lockable drawer or filing cabinet.
If you use your YubiKey, you can re-create it using this USB stick (as long as you also have the passphrase).
Enabling CCID your YubiKey
In order for your YubiKey to be a U2F device and behave as a GPG card, you need to put the card into a mode called 'super combo mode'.
Since this is not the mode the card ships in, we need to change it. The way to do this is via the YubiKey Personalization Tool, which is available for most platforms including OS X.
On Arch Linux, I installed yubikey-personalization
and set the 'super combo mode' (86) like this:
Alternatively, Yubico recommends its YubiKey NEO Manager to configure this.
Setting your YubiKey PINs
Gpg Generate Key On Card Template
There are 2 PINs.
The first is the 8-digit admin PIN, which is used for certain operations. It's important to change this because it is used to change the 6-digit user PIN, which is the one you use on a day-to-day basis to use your GPG key to sign or encrypt.
(There is a third PIN called the Reset PIN which can be used to reset your YubiKey to the original factory settings. This will also trash your GPG key. If your YubiKey got stolen, the thief wouldn't get access to your GPG key so it's not so critical to change this).
Create and write down a new 8-digit admin PIN and 6-digit user PIN on a post-it now and lock it away with the USB key you backed-up your GPG key on. Since your admin PIN can't unlock your original GPG key (because that's protected by a pass-phrase), it's OK to keep the together.
If you're doing this for lots of users (e.g. at your company), you may want to keep the admin PIN secret but provide individual users with their user PIN, allowing them to change it, while still retaining the ability to unblock their PIN should the need arise.
Let's change the admin PIN now.
You should then be confronted by a dialog asking for the YubiKey's existing admin PIN which is 12345678
. Then you should get a dialog asking you for the new PIN. Enter your new PIN (twice to confirm).
Now change the user PIN.
This time, you'll be asked for the existing user PIN which is 123456
. Enter a new PIN, which must be 6 digits or more.
Gpg Create Public Key
Now quit the passwd menu with Q:
Personalizing your YubiKey
Now we've set the admin key, let's do a few operations on the key to test it
At this stage you can set your name on your GPG key.
You will now be prompted for your admin key. Enter the 8-digit admin key (the one you just changed to).
If you have a keybase account, set the URL of your public key. In my case this is: https://keybase.io/malcolmsparks/key.asc.
Test your changes with list
Now quit:
Moving your GPG private key to the YubiKey
Now we're ready to move the GPG private key to the card. We do this with the --edit-key
option to GPG, with your email address as the second argument.
The procedure is explained more fully here. You have to select each key in turn and enter keytocard
for each one.
Enabling touch-only mode
It's possible that your YubiKey could be activated by malware on your machine, which you conceivably use a keylogger to capture your PIN and use that information to automatically sign and upload jars and tags when you're not aware.
Therefore, a final step is to activate a new feature for YubiKey 4 devices whereby you must touch the device in order for it to release the result of a cryptographic operation involving its GPG key.
Full details on how to do this are here.
Once you enable touch-only mode, bear in mind this also applies to your U2F logins.
Signing your git tags
Now we've completed all the steps, it's time to try it out.
Remove the YubiKey and re-insert it, just to ensure things work from a fresh injection.
Find a Git repository and type the following
This tells Git to create a signed tag called test-01 (with the message 'Test')
A dialog will appear asking you to enter the user PIN. This only happens the first time when you plug-in your YubiKey, or after a period of inactivity.
You should now see your YubiKey start to flash slowly. This is an invitation for you to press your finger against the flashing LED. When you do so the YubiKey will release the result of the signing operation and the signed tag will be applied. You can also configure git to use your GPG to sign all your commits in the same way.
Deploying jars
From https://github.com/technomancy/leiningen/blob/master/doc/TUTORIAL.md
When deploying a release that's not a snapshot, Leiningen will attempt to sign it using GPG to prove your authorship of the release.
Gpg Generate Key On Card Account
Conclusion
That's it for now. The whole process is fairly straight-forward and shouldn't take more than an hour. Make 2016 the year you improve your operational security. What better way to start than to order your YubiKey 4 from Amazon or yubico.com.