... | ... | @@ -405,7 +405,7 @@ comment](https://forum.yubico.com/viewtopicd01c.html?p=9055#p9055) it's designed |
|
|
configure keys for users and do not want to let them change their own
|
|
|
keys. See also [drduh's guide](https://github.com/drduh/YubiKey-Guide#change-pin) for a discussion on this.
|
|
|
|
|
|
### key generation
|
|
|
### Key generation
|
|
|
|
|
|
At this point, if you don't already have a key pair to put on the
|
|
|
YubiKey, you should generate a new OpenPGP key. Follow the procedure
|
... | ... | @@ -416,7 +416,7 @@ TODO: talk about why not generating on the key |
|
|
If you are rotating keys, do not publish the revocation certificate
|
|
|
for the old key just yet, in case the procedure below fails.
|
|
|
|
|
|
### export to backup
|
|
|
### Export to backup
|
|
|
|
|
|
TODO: explain
|
|
|
|
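Review bot: the `TODO: explain` line directly under the renamed `### Export to backup` heading is still a placeholder, so the section opens without saying what is exported or why. The later `Moving to key` warning relies on "backups as explained above", so replace the TODO with at least one sentence stating what the backup contains and what it is for.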
... | ... | @@ -457,7 +457,7 @@ public key, so keep that around. |
|
|
TODO: consider LUKS? or plain text? filesystem? exfat? SSSS? rejected
|
|
|
[drduh's LUKS approach](https://github.com/drduh/YubiKey-Guide#backup)
|
|
|
|
|
|
### moving to key
|
|
|
### Moving to key
|
|
|
|
|
|
WARNING: this MOVES the key to the security card, make sure you have
|
|
|
backups as explained above.
|
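Review bot: the open `TODO: consider LUKS? or plain text? filesystem? exfat? SSSS?` line sits immediately before the `### Moving to key` warning, which tells readers to have backups "as explained above" before a step that MOVES the key. Resolve the TODO or move it out of the reader's path, so the backup section ends with a definite instruction on how the backup is stored and not with an undecided list of options.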
... | ... | @@ -603,7 +603,7 @@ Then keys should *not* be present in the keyring: |
|
|
In the above, we can see the secret keys are not present because they
|
|
|
are marked `sec>` and `ssb>`, not `sec` and `ssb`.
|
|
|
|
|
|
### touch policy
|
|
|
### Touch policy
|
|
|
|
|
|
This is optional.
|
|
|
|
... | ... | @@ -654,7 +654,7 @@ operation (sign, authenticate, decrypt) will hang without warning |
|
|
until the button is touched. The only indication is the blinking LED,
|
|
|
there's no other warning from the user interface.
|
|
|
|
|
|
#### troubleshooting
|
|
|
#### Troubleshooting
|
|
|
|
|
|
if this fails, check if GnuPG can see the card with:
|
|
|
|
... | ... | |
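Review bot: the first sentence under the renamed `#### Troubleshooting` heading still starts in lower case ("if this fails, check if GnuPG can see the card with:"), which is inconsistent with the capitalization cleanup in this change. "this" also has no antecedent directly under the heading. Capitalize it and name the step that fails.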