... | ... | @@ -222,26 +222,48 @@ guide. |
|
|
|
|
|
TODO: merge with the above SSH guide?
|
|
|
|
|
|
TODO: give background, why, talk about the stack
|
|
|
We use OpenPGP here because it's still the "standard" (e.g. specified
|
|
|
in RFCs) way to do interoperable offline cryptographic operations in
|
|
|
various locations. It's also heavily used at Tor and, until further
|
|
|
notice, a requirement to get a working email account. Finally, the
|
|
|
OpenPGP applet provides a way to use SSH with YubiKeys that is
|
|
|
somewhat clunky, but doesn't suffer from backwards compatibility
|
|
|
problems that the SSH `sk-` keys suffer from.
|
|
|
|
|
|
Stack, from hardware up to server
|
|
|
The stack we going to setup is as follows:
|
|
|
|
|
|
1. Yubikey
|
|
|
2. scdaemon
|
|
|
3. gpg-agent
|
|
|
4. gpg | ssh
|
|
|
1. YubiKey (hardware)
|
|
|
2. USB connection (or other), bus, CPU, etc (hardware)
|
|
|
2. `scdaemon` (GnuPG software that interacts with "smart cards" like
|
|
|
the YubiKey)
|
|
|
3. `gpg-agent` (GnuPG software that holds private keys or passphrases)
|
|
|
4. GnuPG or SSH commands that interact with the agent
|
|
|
|
|
|
Assertions
|
|
|
### Assertions
|
|
|
|
|
|
* entropy, failing that, this can feed entropy from the YK (from
|
|
|
[drduh's guide](https://github.com/drduh/YubiKey-Guide#yubikey)):
|
|
|
This guide assumes the following:
|
|
|
|
|
|
* a lot of familiarity with the command-line
|
|
|
|
|
|
* a Debian system, but should be easy to adapt to other operating
|
|
|
systems, some hints are provided for Mac OS
|
|
|
|
|
|
* enough entropy; failing that, this can feed entropy from the YK
|
|
|
(from [drduh's guide](https://github.com/drduh/YubiKey-Guide#yubikey)):
|
|
|
|
|
|
echo "SCD RANDOM 512" | gpg-connect-agent | sudo tee /dev/random | hexdump -C
|
|
|
|
|
|
* trusted device
|
|
|
* a trusted device that was not previously compromised; we explicitly
|
|
|
do not explain how to do this from an "air-gapped" device, for
|
|
|
example, as this is considered an implementation detail (and
|
|
|
possibly overkill, a full discussion of those trade-offs would be
|
|
|
irrelevant here)
|
|
|
|
|
|
### Install software and preparation
|
|
|
|
|
|
You will need to install [GnuPG](https://gnupg.org/), its `scdaemon` component and a
|
|
|
[yubikey-manager](https://developers.yubico.com/yubikey-manager/), a "command line tool for configuring a YubiKey".
|
|
|
|
|
|
apt install gnupg scdaemon yubikey-manager
|
|
|
|
|
|
If you're on a Mac, you'll also need to explicitly install
|
... | ... | |
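Review bot: the new stack list numbers two items "2." (the USB connection and `scdaemon`), so the five entries should be renumbered 1 to 5, and the new heading "### Assertions" introduces "This guide assumes the following:", so "### Assumptions" is the intended word; "The stack we going to setup" should read "The stack we are going to set up". Two points on the entropy bullet: the fallback `echo "SCD RANDOM 512" | gpg-connect-agent | sudo tee /dev/random | hexdump -C` mixes the YubiKey bytes into the kernel pool, but on Linux writing to /dev/random does not credit entropy (only the RNDADDENTROPY ioctl does), so it will not unblock a starved pool by itself and the bullet should say so or point at a tool such as rngd; and `hexdump -C` prints the same bytes that were just fed to the kernel to the terminal and any shell log, so the tail should be `> /dev/null` rather than a dump of the random material. The two "TODO:" lines (merge with the SSH guide, give background on the stack) are still in the hunk; the second one is arguably addressed by the new "Stack, from hardware up to server" section and can be dropped.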