... | @@ -779,6 +779,54 @@ YubiKey. If you are following this procedure because you have lost |
|
your previous YubiKey, you should actually make *another* copy of the
|
|
|
|
YubiKey at this stage, to be able to recover when *this* key is lost.
|
|
|
|
|
|
|
|
|
|
### Using the YubiKey on a new computer
|
|
|
|
|
|
|
|
One of the beauties of using a YubiKey is that you can somewhat easily
|
|
|
|
use the same secret key material material across multiple machines
|
|
|
|
without having to copy the secrets around.
|
|
|
|
|
|
|
|
This procedure should be enough to get you started on a new machine.
|
|
|
|
|
|
|
|
1. install the required software:
|
|
|
|
|
|
|
|
apt install gnupg scdaemon
|
|
|
|
|
|
|
|
2. restore the public key:
|
|
|
|
|
|
|
|
gpg --import $BACKUP_DIR/public.key
|
|
|
|
|
|
|
|
Note: this assumes you have a backup of that public key in
|
|
|
|
`$BACKUP_DIR`. If that is not the case, you can also fetch the key
|
|
|
|
from key servers or another location, but you *must* have a copy
|
|
|
|
of the public key for this to work.
|
|
|
|
|
|
|
|
If you have lost even the public key, you may want to read this
|
|
|
|
guide: [recovering lost GPG public keys from your YubiKey –
|
|
|
|
Nicholas Sherlock create](https://www.nicksherlock.com/2021/08/recovering-lost-gpg-public-keys-from-your-yubikey/), untested.
|
|
|
|
|
|
|
|
3. confirm GnuPG can see the secret keys:
|
|
|
|
|
|
|
|
gpg --list-secret-keys
|
|
|
|
|
|
|
|
you should not see any `Card serial no.`, `sec>`, or `ssb>` in
|
|
|
|
there. If so, it might be because GnuPG got confused and still
|
|
|
|
thinks the old key is plugged in.
|
|
|
|
|
|
|
|
4. set the trust of the new key to `ultimate`:
|
|
|
|
|
|
|
|
gpg --edit-key $FINGERPRINT
|
|
|
|
|
|
|
|
Then, in the `gpg>` shell, call:
|
|
|
|
|
|
|
|
trust
|
|
|
|
|
|
|
|
Then type `5` for "I trust ultimately".
|
|
|
|
|
|
|
|
5. test signing and decrypting a message:
|
|
|
|
|
|
|
|
gpg --clearsign < /dev/null
|
|
|
|
gpg --encrypt -r $FINGERPRINT < /dev/null | gpg --decrypt
|
|
|
|
|
|
### git
|
|
|
|
|
|
|
|
git config --global user.signingkey $FINGERPRINT
|
|
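Review bot: step 3 (`confirm GnuPG can see the secret keys` / `gpg --list-secret-keys`) contradicts its own expected output: `sec>`, `ssb>` and `Card serial no.` are exactly what GnuPG prints once it knows the secret keys live on a card, so telling the reader they should *not* see them, followed by "If so, it might be because GnuPG got confused and still thinks the old key is plugged in", reads backwards. The step is also missing the command that creates those card-backed stubs on a fresh machine: after `gpg --import` in step 2, run `gpg --card-status` with the YubiKey plugged in, and only then should `gpg --list-secret-keys` show `sec>`/`ssb>` together with the `Card serial no.` of the new key. If the intent is to catch stale stubs that still point at the lost YubiKey, say so explicitly: compare the serial printed there with the one on the new key and, if they differ, force a re-learn (for example `gpg-connect-agent "scd serialno" "learn --force" /bye`, as drduh's guide does) before the trust and test steps. Minor: "secret key material material" in the intro paragraph doubles a word, and the link text "Nicholas Sherlock create" in step 2 looks like a copy-paste remnant of the page title.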
|
... | @@ -820,12 +868,6 @@ At this point, SSH should be able to see the key: |
|
|
|
|
|
If not, make sure `SSH_AUTH_SOCK` is pointing at the GnuPG agent.
|
|
|
|
|
|
|
|
TODO: recovery on new computer, basically import and trust, see
|
|
|
|
[drduh's guide](https://github.com/drduh/YubiKey-Guide#using-keys)
|
|
|
|
|
|
|
|
TODO: see also [Recovering lost GPG public keys from your YubiKey – Nicholas
|
|
|
|
Sherlock create](https://www.nicksherlock.com/2021/08/recovering-lost-gpg-public-keys-from-your-yubikey/) if even public key is missing.
|
|
|
|
|
|
|
|
TODO: https://github.com/drduh/YubiKey-Guide#troubleshooting
|
|
|
|
|
|
|
|
### exporting SSH public key from GnuPG
|
|
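Review bot: the removed `TODO: recovery on new computer` lines carried the only pointer to drduh's guide (`https://github.com/drduh/YubiKey-Guide#using-keys`), and the "Using the YubiKey on a new computer" section added earlier in this commit does not pick it up; since that section is the "basically import and trust" procedure the TODO described, the link belongs there (the Sherlock post from the second removed TODO is already carried over into step 2, so only the drduh reference is lost). The untouched `TODO: https://github.com/drduh/YubiKey-Guide#troubleshooting` context line is fine to keep, but it now sits between a finished section and `### exporting SSH public key from GnuPG` with no heading of its own, so a reader will take it as part of the preceding SSH text.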
|
... | @@ -838,10 +880,6 @@ In older, you can also use: |
|
|
|
|
|
ssh-add -L
|
|
|
|
|
|
|
|
### using the YubiKey on a new computer
|
|
|
|
|
|
|
|
TODO: using the YubiKey on a new computer
|
|
|
|
|
|
|
|
TODO: talk about nylon vs steel
|
|
|
|
|
|
|
|
### preliminary performance evaluation
|
|
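Review bot: the removed stub heading `### using the YubiKey on a new computer` was lowercase like its neighbours (`### git`, `### exporting SSH public key from GnuPG`, `### preliminary performance evaluation`), while the replacement section added at the top of this commit is titled `### Using the YubiKey on a new computer`; pick one casing so the headings stay consistent, and lowercasing `Using` is the smaller change. With the stub gone, `TODO: talk about nylon vs steel` now dangles directly under the `ssh-add -L` snippet with no heading of its own, so it reads as part of the SSH-export section; if it is still wanted it needs a heading. The hunk's leading context line `In older, you can also use:` also appears to be missing a word (probably "versions"), worth fixing while in this area.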
|
... | | ... | |