[Bjonnh.net]# _

Article / Moving to hardware keys >

categories computer hack tags gnupg yubikey linux

I’m moving all my old file-based ssh and gpg keys to a YubiKey 4 hardware key. This post will get updated with a few notes along that migration. It also covers how to use pass and pass-tomb with these. And then I fell down the rabbit hole of using those keys everywhere…

There are other useful resources out there:

What I did here is more a collection of the different things that took me more time/effort than I expected to figure them out.

Creating keys on an air-gapped machine

Don’t generate your keys on your machine. Prepare a machine, install everything on it (in that case on a Ubuntu Server):

$ sudo apt-add-repository ppa:yubico/stable
$ sudo apt-get update
$ sudo apt-get install yubikey-personalization yubikey-manager haveged gnupg2 gnupg-agent libpth20 pinentry-curses libccid pcscd scdaemon libksba8 paperkey opensc pcscd scdaemon gnupg2 pcsc-tools

You can now cut the machine from the internet.

set GNUPGHOME to a newly created directory for each key (that way you don’t risk leaking them unintentionaly):

$ mkdir -p ~/keys/myfirstkey
$ export GNUPGHOME=~/keys/myfirstkey

Preparing the key for combo-mode

It is probly the mode the key comes with, but just in case.

$ ykpersonalize -m 86

Generate the key

More on that later.

  • Generate a master key
  • Generate sub keys (sign, encrypt and authenticate)
  • Make a backup (your call for the method, also usually one doesn’t backup signing keys)
  • Move the keys to the hardware thingy (careful they MOVE)

Adding the touch mode to the keys

In order to require a touch on the YubiKey for different actions one has to run:

$ ykman openpgp touch sig on
$ ykman openpgp touch aut on
$ ykman openpgp touch enc on

It has to be done AFTER moving the keys to the device as it gets reset.

Getting Archlinux to manage a smartcard

$ pacman -S pcsc-tools pcsclite ccid

Getting Archlinux to forward the gpg-agent

This one was tricky to find. I found an example here Archlinux AUR Trusted User Guidelines.

Let’s say you have some gpg encrypted files on Machine2.

You are on Machine1 with your Smartcard in the USB port.

You can connect to Machine2 through ssh.

You would like to use your smartcard to open the file on Machine2.

In Machine1 ssh config add:

Host Machine2
  RemoteForward /run/user/$REMOTE_UID/gnupg/S.gpg-agent /run/user/$LOCAL_UID/gnupg/S.gpg-agent.extra
  RemoteForward /run/user/$REMOTE_UID/gnupg/S.gpg-agent.ssh /run/user/$LOCAL_UID/gnupg/S.gpg-agent.ssh

Where $REMOTE_UID and $LOCAL_UID are your remote and local user IDs respectively.

You can refer to GnuPG issue T2406 for information when using GNUPGHOME.

Getting gpg-agent to like my old key

I don’t know why, but when switching from gpg-agent/ssh-agent to a pure gpg-agent solution, my old key added with

$ ssh-add ~/.ssh/id_rsa

wasn’t working properly.

I had the following errors:

gpg-agent[5518]: failed to unprotect the secret key: Operation cancelled
gpg-agent[5518]: failed to read the secret key

Turns out also that:

$ ssh-add -d ~/.ssh/id_rsa

doesn’t do anything


$ ssh-add -E md5 -l
**Gives you the list of added keys with their MD5 fingerprint**
$ gpg-connect-agent
> KEYINFO --ssh-list --with-ssh --ssh-fpr
**This gives a list of keys with their md5 fingerprint and their keygrip on the left
> DELETE_KEY <keygrip>
where keygrip* can be found in ~/.gnupg/sshcontrol

and then readding the key solved the issue

Using these for SSH

When your key is inserted (and you installed all the smartcard packages of your distribution on your client machine), you should see it appear installed

$ ssh-add -l
16384 SHA256:ff5de3ed69c0805f4ec8b95b9bab6cce1ae2283bf01c70ffe978c83a6d493b7a cardno:102893401284021 (RSA)

you can get the SSH public key to add to your server with

$ ssh-add -L

That’s all… It should work out of the box now

Generating a new Tomb using that key

$ tomb dig your.tomb -s 100  # Change 100 to the size you want
$ tomb forge your.tomb.key -gR **KEYID**,**KEYID2**
$ tomb lock your.tomb -k your.tomb.key -gR **KEYID**,**KEYID2**

Note that if you want to use several subkeys from the same key, you have to modify tomb, please see my proposition here: Github dyne/tomb Issue #316.

Then to convert the gpg files of the old tomb to the new tomb (with the old tomb open):

$ rsync -av -f"+ */" -f"- *" **OLDTOMBPATH** **NEWTOMBPATH**  # To sync only directories
$ find  -iname "*.gpg" -exec sh -c "gpg -d {} | gpg -e -r **KEYID** -o **NEWTOMBPATH**/{}" \;