YubiKey PGP module
Warning
YubiKeys can be a bit hard to learn about at first, before playing with them, I
encourage you to back your cryptographic secrets up. It’s quite easy to make
GPG shred local (sub)keys because it finds them on a live YubiKey and find
yourself without the ability to export the keys anymore.
Prerequisites
A YubiKey
You need a YubiKey to practice the commands described here. A working
YubiKey will have a flashing green led when plugged-in. If it’s USB-C the
plug side doesn’t matter. If it’s a USB-A, then normally the golden button
carved in the key should face up. Anyway, don’t hesitate to check the side to
make sure it’s plugged on the right one. And if you have multiple YubiKeys
like me, make sure you plugged the right one1.
Subkeys, backup, shredding main key on laptop
I’ll assume you’ve generated a signature and an authentication subkey
for your GPG key. There are plenty places where one can find explanations on
how to generate subkeys, eg Debian’s Wiki.
For the sake of offering a different approach, I have tried to write an
article on the matter, though. An
authentication subkey can be used to do some SSH login (it needs some
prodding to work when not using a YubiKey while it seems to be smoothly
handled by ssh-agent itself when the key is on a YubiKey), and will be via
the YubiKey.
For my own key, assuming it would be on the Laptop I use, then a gpg -K call
would output this:
❯ gpg -K
/home/peb/.gnupg/pubring.kbx
----------------------------
sec rsa4096 2012-03-31 [SCA] [expires: 2025-07-10]
9AE04D986400E3B67528F4930D442664194974E2
uid [ultimate] Pierre-Elliott Bécue <becue@crans.org>
uid [ultimate] Pierre-Elliott Bécue <peb@pimeys.fr>
uid [ultimate] Pierre-Elliott, Charles, Maxime, Antoine Bécue (DOB: 1990-07-25, POB: Saint Germain-En-Laye, France)
uid [ultimate] Pierre-Elliott Bécue <pierre-elliott.becue@inria.fr>
uid [ultimate] Pierre-Elliott Bécue <peb@debian.org>
uid [ultimate] Pierre-Elliott Bécue <pierre-elliott.becue@gandi.net>
ssb rsa4096 2022-02-25 [S] [expires: 2025-07-10]
ssb rsa4096 2022-02-25 [E] [expires: 2025-07-10]
ssb nistp521 2023-03-02 [A] [expires: 2025-07-10]
(note what I endure to make this tutorial, being forced to have my nice french translated commands print in English!)
Here the display claims I have one secret key, and three secret subkeys (ssb)
present. First things first, plug any backup device (a USB key), make sure it’s
encrypted (LUKS), and run this command:
[/media/sda1] ❯ gpg --export-secret-keys 9AE04D986400E3B67528F4930D442664194974E2 > secring.gpg
(password prompt)
The command exports the main private and the three subkeys in a gpg file.
It’s your backup, do not lose it, and do not play with anything GPG related
before having properly umounted and removed the key. You can also spare a
local copy on your computer for the duration of the setup, if your hard drive
is encrypted, but remember to shred it afterwards.
First things first, we want to get rid of the main GPG key, as a YubiKey can’t
store a certification key, and also because you probably want to keep this one
offline (see this article about subkeys
for more informations about Certification et al).
To do so, gpg has no nice tool. The best way is to export all subkeys (and
not the main key), destroy the whole private key and reimport the secret
subkeys.
[/media/sda1] ❯ gpg --export-secret-subkeys 9AE04D986400E3B67528F4930D442664194974E2 > subkeys.gpg
(password prompt)
[/media/sda1]❯ gpg --delete-secret-keys 9AE04D986400E3B67528F4930D442664194974E2
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
sec rsa4096/0D442664194974E2 2012-03-31 Pierre-Elliott Bécue <becue@crans.org>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
[/media/sda1] ❯ gpg --import subkeys.gpg
gpg: key 0D442664194974E2: 344 signatures not checked due to missing keys
gpg: key 0D442664194974E2: "Pierre-Elliott Bécue <becue@crans.org>" not changed
gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
gpg: key 0D442664194974E2: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
❯ gpg -K
/home/peb/.gnupg/pubring.kbx
----------------------------
sec# rsa4096 2012-03-31 [SCA] [expires: 2025-07-10]
9AE04D986400E3B67528F4930D442664194974E2
uid [ultimate] Pierre-Elliott Bécue <becue@crans.org>
uid [ultimate] Pierre-Elliott Bécue <peb@pimeys.fr>
uid [ultimate] Pierre-Elliott, Charles, Maxime, Antoine Bécue (DOB: 1990-07-25, POB: Saint Germain-En-Laye, France)
uid [ultimate] Pierre-Elliott Bécue <pierre-elliott.becue@inria.fr>
uid [ultimate] Pierre-Elliott Bécue <peb@debian.org>
uid [ultimate] Pierre-Elliott Bécue <pierre-elliott.becue@gandi.net>
ssb rsa4096 2022-02-25 [S] [expires: 2025-07-10]
ssb rsa4096 2022-02-25 [E] [expires: 2025-07-10]
ssb nistp521 2023-03-02 [A] [expires: 2025-07-10]
The sec# bit means that the secret key is inaccessible. The ssb bits don’t
have any # symbol, so they are indeed accessible.
Packages
To be able to work properly with the key, one needs to install at least pcscd
and scdaemon packages. It is also recommended to install
yubikey-personalization and yubikey-manager, which will be required anyway
in other cases.
❯ sudo apt install yubikey-manager yubikey-personalization pcscd scdaemon
Let’s spend a second describing the purpose of each package:
pcscdis the standard daemon available inDebianto allow interaction with PC/SC (Personal Computer/Smart Card) SmartCards and SmartCard readers;scdaemonis aGnuPGplug-in allowingGnuPGto interact with SmartCards;yubikey-managerprovides theykmancommand which allows one to interact with aYubiKeyto configure it and manage some of its modules;yubikey-personalizationprovides some commands which will be useful to play with other modules, eg to create a challenge-response interaction, which can make the key able to be used to generate a passphrase for LUKS based on a challenge (another passphrase) the user sends to it - you may leave this one out as it will serve no purpose in this article.
(no output because I already have these packages installed)
Configuration files
If you need to add specific configurations for scdaemon, you can do so by
creating a ~/.gnupg/scdaemon.conf file.
Note
All scdaemon parameters are explained here
In my case, as I rely on the YubiKey for multiple applications concurrently, I
had some conflicts to access the key through multiple apps in parallel, so I
added one line in the file with:
pcsc-shared
Depending on your workflow, this might not be needed.
Configure the YubiKey OpenPGP app
Managing the YubiKey OpenPGP app can be done either through ykman or through
the gpg --card-edit command.
First, let’s inspect what key is there:
❯ ykman list
YubiKey 5 NFC (5.2.4) [OTP+FIDO+CCID] Serial: XXXXXXXX
Then let’s see whether GPG sees it:
❯ gpg --card-edit
Reader ...........: 1050:0407:X:0
Application ID ...: YYYYYYY
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: XXXXXXXX
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
gpg/card>
Go in admin mode:
gpg/card> admin
Admin commands are allowed
Force the PIN to be prompted for each signature:
gpg/card> forcesig
(prompts for the admin PIN, default is 12345678)
Enable Key Derived Function (KDF) so that PINs are not sent in plaintext.
gpg/card> kdf-setup
Change the PIN, the Admin Pin and the Reset Code:
gpg/card> passwd
gpg: OpenPGP card no. YYYYYYY detected
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 1
(prompts for current PIN, default is 123456, prompts twice for new PIN)
PIN changed.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 3
(prompts for current admin PIN, default is 12345678, prompts twice for new admin PIN)
PIN changed.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 4
(directly prompts for new reset code)
Reset Code set.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? Q
The reset code is only useful to reset the PIN code, it doesn’t give access to
administration command. For a personal YubiKey it’s not really useful, but in a
company this allows admins to give the key to an user with a PIN and a reset
code, so they’re autonomous to unlock/change the PIN if they miss it, while not
being able to change the OpenPGP module parameters.
With ykman, change the number of retry attempts for the different PIN/codes:
❯ ykman openpgp access set-retries 5 5 5
Enter Admin PIN:
Set PIN retry counters to: 5 5 5? [y/N]: y
Feel free to change the login, salutation and name for the OpenPGP
module in the admin mode of gpg --card-edit.
If you want to add an extra layer of security, you can force the OpenPGP
module to request a touch of the key for the access to the different keys:
❯ ykman openpgp keys set-touch sig cached
Enter Admin PIN:
Set touch policy of SIG key to cached? [y/N]: y
❯ ykman openpgp keys set-touch aut cached
Enter Admin PIN:
Set touch policy of AUT key to cached? [y/N]: y
❯ ykman openpgp keys set-touch dec cached
Enter Admin PIN:
Set touch policy of DEC key to cached? [y/N]: y
The different values for the first argument are:
- sig: signature key
- aut: authentication key
- dec: decryption key
- att: to generate attestation certificates for a key
The different values for the second argument are:
- OFF: no touch required
- ON: touch required each time
- FIXED: touch required each time, can’t revert the parameter without
resetting the whole
OpenPGPmodule - CACHED: touch required each time, but keep a 15 seconds cache
- CACHED-FIXED: same as CACHED, but can’t revert the parameter without
resetting the whole
OpenPGPmodule.
Error
In my case, these parameters don’t seem to work.
In the end, check how your key is configured:
❯ ykman openpgp info
OpenPGP version: 3.4
Application version: 5.2.4
PIN tries remaining: 5
Reset code tries remaining: 5
Admin PIN tries remaining: 5
Require PIN for signature: Always
Touch policies:
Signature key: Cached
Encryption key: Cached
Authentication key: Cached
Attestation key: Off
Import the keys
Before doing the import, let’s just highlight the three subkeys I want to
import (having done multiple subkeys rotation, my key is not the easiest one
to read):
ssb rsa4096/EE215B9FB8C45B0B
created: 2022-02-25 expires: 2025-07-10 usage: S
ssb rsa4096/5D5FF73A02045D5C
created: 2022-02-25 expires: 2025-07-10 usage: E
ssb nistp521/BE872C1D800F2E73
created: 2023-03-02 expires: 2025-07-10 usage: A
Ok, now, let’s finally import the subkeys! I’ll show a full example for the
signing subkey (which in my case is key 8, key 9 being an encryption subkey
and key 10 an authentication subkey)
❯ gpg --edit-key 9AE04D986400E3B67528F4930D442664194974E2
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret subkeys are available.
pub rsa4096/0D442664194974E2
created: 2012-03-31 expires: 2025-07-10 usage: SCA
trust: ultimate validity: ultimate
The following key was revoked on 2016-08-31 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
ssb rsa4096/F558025BF486FDF6
created: 2012-03-31 revoked: 2016-08-31 usage: E
The following key was revoked on 2016-08-31 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
ssb rsa4096/48DED357A02C6CA0
created: 2012-03-31 revoked: 2016-08-31 usage: S
The following key was revoked on 2012-09-03 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
sub rsa4096/4FE6586D9AD0FB60
created: 2012-06-27 revoked: 2012-09-03 usage: S
The following key was revoked on 2012-09-03 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
sub rsa4096/9AD8D455800E4924
created: 2012-06-28 revoked: 2012-09-03 usage: E
The following key was revoked on 2018-12-21 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
ssb rsa4096/73F984B66B39EF31
created: 2014-05-11 revoked: 2018-12-21 usage: S
The following key was revoked on 2023-03-08 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
ssb rsa4096/29BFA0D079290ACA
created: 2016-08-31 revoked: 2023-03-08 usage: S
The following key was revoked on 2023-03-08 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
ssb rsa4096/BF9857A73C371C72
created: 2016-08-31 revoked: 2023-03-08 usage: E
ssb rsa4096/EE215B9FB8C45B0B
created: 2022-02-25 expires: 2025-07-10 usage: S
ssb rsa4096/5D5FF73A02045D5C
created: 2022-02-25 expires: 2025-07-10 usage: E
ssb nistp521/BE872C1D800F2E73
created: 2023-03-02 expires: 2025-07-10 usage: A
[ultimate] (1). Pierre-Elliott Bécue <becue@crans.org>
[ultimate] (2) Pierre-Elliott Bécue <peb@pimeys.fr>
[ revoked] (3) Pierre-Elliott Bécue <becuepe@ia.lip6.fr>
[ revoked] (4) Pierre-Elliott Bécue <pierre.elliott.becue@gmail.com>
[ revoked] (5) Pierre-Elliott Bécue <pierre-elliott.becue@ens-cachan.fr>
[ultimate] (6) Pierre-Elliott, Charles, Maxime, Antoine Bécue (DOB: 1990-07-25, POB: Saint Germain-En-Laye, France)
[ultimate] (7) Pierre-Elliott Bécue <pierre-elliott.becue@inria.fr>
[ultimate] (8) Pierre-Elliott Bécue <peb@debian.org>
[ultimate] (9) Pierre-Elliott Bécue <pierre-elliott.becue@gandi.net>
[ revoked] (10) [jpeg image of size 5711]
gpg> key 8
pub rsa4096/0D442664194974E2
created: 2012-03-31 expires: 2025-07-10 usage: SCA
trust: ultimate validity: ultimate
The following key was revoked on 2016-08-31 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
ssb rsa4096/F558025BF486FDF6
created: 2012-03-31 revoked: 2016-08-31 usage: E
The following key was revoked on 2016-08-31 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
ssb rsa4096/48DED357A02C6CA0
created: 2012-03-31 revoked: 2016-08-31 usage: S
The following key was revoked on 2012-09-03 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
sub rsa4096/4FE6586D9AD0FB60
created: 2012-06-27 revoked: 2012-09-03 usage: S
The following key was revoked on 2012-09-03 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
sub rsa4096/9AD8D455800E4924
created: 2012-06-28 revoked: 2012-09-03 usage: E
The following key was revoked on 2018-12-21 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
ssb rsa4096/73F984B66B39EF31
created: 2014-05-11 revoked: 2018-12-21 usage: S
The following key was revoked on 2023-03-08 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
ssb rsa4096/29BFA0D079290ACA
created: 2016-08-31 revoked: 2023-03-08 usage: S
The following key was revoked on 2023-03-08 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
ssb rsa4096/BF9857A73C371C72
created: 2016-08-31 revoked: 2023-03-08 usage: E
ssb* rsa4096/EE215B9FB8C45B0B
created: 2022-02-25 expires: 2025-07-10 usage: S
ssb rsa4096/5D5FF73A02045D5C
created: 2022-02-25 expires: 2025-07-10 usage: E
ssb nistp521/BE872C1D800F2E73
created: 2023-03-02 expires: 2025-07-10 usage: A
[ultimate] (1). Pierre-Elliott Bécue <becue@crans.org>
[ultimate] (2) Pierre-Elliott Bécue <peb@pimeys.fr>
[ revoked] (3) Pierre-Elliott Bécue <becuepe@ia.lip6.fr>
[ revoked] (4) Pierre-Elliott Bécue <pierre.elliott.becue@gmail.com>
[ revoked] (5) Pierre-Elliott Bécue <pierre-elliott.becue@ens-cachan.fr>
[ultimate] (6) Pierre-Elliott, Charles, Maxime, Antoine Bécue (DOB: 1990-07-25, POB: Saint Germain-En-Laye, France)
[ultimate] (7) Pierre-Elliott Bécue <pierre-elliott.becue@inria.fr>
[ultimate] (8) Pierre-Elliott Bécue <peb@debian.org>
[ultimate] (9) Pierre-Elliott Bécue <pierre-elliott.becue@gandi.net>
[ revoked] (10) [jpeg image of size 5711]
gpg> keytocard
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1
(prompts for GPG passphrase, and then for the Admin PIN twice)
pub rsa4096/0D442664194974E2
created: 2012-03-31 expires: 2025-07-10 usage: SCA
trust: ultimate validity: ultimate
The following key was revoked on 2016-08-31 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
ssb rsa4096/F558025BF486FDF6
created: 2012-03-31 revoked: 2016-08-31 usage: E
The following key was revoked on 2016-08-31 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
ssb rsa4096/48DED357A02C6CA0
created: 2012-03-31 revoked: 2016-08-31 usage: S
The following key was revoked on 2012-09-03 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
sub rsa4096/4FE6586D9AD0FB60
created: 2012-06-27 revoked: 2012-09-03 usage: S
The following key was revoked on 2012-09-03 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
sub rsa4096/9AD8D455800E4924
created: 2012-06-28 revoked: 2012-09-03 usage: E
The following key was revoked on 2018-12-21 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
ssb rsa4096/73F984B66B39EF31
created: 2014-05-11 revoked: 2018-12-21 usage: S
The following key was revoked on 2023-03-08 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
ssb rsa4096/29BFA0D079290ACA
created: 2016-08-31 revoked: 2023-03-08 usage: S
The following key was revoked on 2023-03-08 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
ssb rsa4096/BF9857A73C371C72
created: 2016-08-31 revoked: 2023-03-08 usage: E
ssb* rsa4096/EE215B9FB8C45B0B
created: 2022-02-25 expires: 2025-07-10 usage: S
ssb rsa4096/5D5FF73A02045D5C
created: 2022-02-25 expires: 2025-07-10 usage: E
ssb nistp521/BE872C1D800F2E73
created: 2023-03-02 expires: 2025-07-10 usage: A
[ultimate] (1). Pierre-Elliott Bécue <becue@crans.org>
[ultimate] (2) Pierre-Elliott Bécue <peb@pimeys.fr>
[ revoked] (3) Pierre-Elliott Bécue <becuepe@ia.lip6.fr>
[ revoked] (4) Pierre-Elliott Bécue <pierre.elliott.becue@gmail.com>
[ revoked] (5) Pierre-Elliott Bécue <pierre-elliott.becue@ens-cachan.fr>
[ultimate] (6) Pierre-Elliott, Charles, Maxime, Antoine Bécue (DOB: 1990-07-25, POB: Saint Germain-En-Laye, France)
[ultimate] (7) Pierre-Elliott Bécue <pierre-elliott.becue@inria.fr>
[ultimate] (8) Pierre-Elliott Bécue <peb@debian.org>
[ultimate] (9) Pierre-Elliott Bécue <pierre-elliott.becue@gandi.net>
[ revoked] (10) [jpeg image of size 5711]
(and don't forget to unmark the subkey)
gpg> key 8
pub rsa4096/0D442664194974E2
created: 2012-03-31 expires: 2025-07-10 usage: SCA
trust: ultimate validity: ultimate
The following key was revoked on 2016-08-31 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
ssb rsa4096/F558025BF486FDF6
created: 2012-03-31 revoked: 2016-08-31 usage: E
The following key was revoked on 2016-08-31 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
ssb rsa4096/48DED357A02C6CA0
created: 2012-03-31 revoked: 2016-08-31 usage: S
The following key was revoked on 2012-09-03 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
sub rsa4096/4FE6586D9AD0FB60
created: 2012-06-27 revoked: 2012-09-03 usage: S
The following key was revoked on 2012-09-03 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
sub rsa4096/9AD8D455800E4924
created: 2012-06-28 revoked: 2012-09-03 usage: E
The following key was revoked on 2018-12-21 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
ssb rsa4096/73F984B66B39EF31
created: 2014-05-11 revoked: 2018-12-21 usage: S
The following key was revoked on 2023-03-08 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
ssb rsa4096/29BFA0D079290ACA
created: 2016-08-31 revoked: 2023-03-08 usage: S
The following key was revoked on 2023-03-08 by RSA key 0D442664194974E2 Pierre-Elliott Bécue <becue@crans.org>
ssb rsa4096/BF9857A73C371C72
created: 2016-08-31 revoked: 2023-03-08 usage: E
ssb rsa4096/EE215B9FB8C45B0B
created: 2022-02-25 expires: 2025-07-10 usage: S
ssb rsa4096/5D5FF73A02045D5C
created: 2022-02-25 expires: 2025-07-10 usage: E
ssb nistp521/BE872C1D800F2E73
created: 2023-03-02 expires: 2025-07-10 usage: A
[ultimate] (1). Pierre-Elliott Bécue <becue@crans.org>
[ultimate] (2) Pierre-Elliott Bécue <peb@pimeys.fr>
[ revoked] (3) Pierre-Elliott Bécue <becuepe@ia.lip6.fr>
[ revoked] (4) Pierre-Elliott Bécue <pierre.elliott.becue@gmail.com>
[ revoked] (5) Pierre-Elliott Bécue <pierre-elliott.becue@ens-cachan.fr>
[ultimate] (6) Pierre-Elliott, Charles, Maxime, Antoine Bécue (DOB: 1990-07-25, POB: Saint Germain-En-Laye, France)
[ultimate] (7) Pierre-Elliott Bécue <pierre-elliott.becue@inria.fr>
[ultimate] (8) Pierre-Elliott Bécue <peb@debian.org>
[ultimate] (9) Pierre-Elliott Bécue <pierre-elliott.becue@gandi.net>
[ revoked] (10) [jpeg image of size 5711]
Keys 9 and 10 are imported following the same protocol. You may have realized
that I was offered to add my signing subkey as an authentication subkey in
the YubiKey. It’s because virtually both subkey types serve the same kind
of purpose, they sign blobs, one to attest their content, the other for
challenge-response activities. The only distinction is their capability flag.
Afterwards, one can check what’s on the key with a gpg --card-status call:
❯ gpg --card-status
Reader ...........: 1050:0407:X:0
Application ID ...: YYYYYYY
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: XXXXXXXX
Name of cardholder: Becue Pierre-Elliott
Language prefs ...: [not set]
Salutation .......: Mr.
URL of public key : [not set]
Login data .......: peb
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 nistp521
Max. PIN lengths .: 127 127 127
PIN retry counter : 5 5 5
Signature counter : 0
KDF setting ......: on
Signature key ....: E424 1EB6 1EEE 216E DE84 8CFC EE21 5B9F B8C4 5B0B
created ....: 2022-02-25 13:10:17
Encryption key....: A9C4 C253 4E4F 6BF1 57AD 53C4 5D5F F73A 0204 5D5C
created ....: 2022-02-25 13:10:54
Authentication key: 9ACD C542 9C72 CC35 1468 0ABA BE87 2C1D 800F 2E73
created ....: 2023-03-02 10:15:21
General key info..: sub rsa4096/EE215B9FB8C45B0B 2022-02-25 Pierre-Elliott Bécue <becue@crans.org>
sec# rsa4096/0D442664194974E2 created: 2012-03-31 expires: 2025-07-10
ssb rsa4096/F558025BF486FDF6 created: 2012-03-31 expires: 2017-07-22
ssb rsa4096/48DED357A02C6CA0 created: 2012-03-31 expires: 2017-07-22
ssb# rsa4096/4FE6586D9AD0FB60 created: 2012-06-27 expires: never
ssb# rsa4096/9AD8D455800E4924 created: 2012-06-28 expires: 2016-07-21
ssb rsa4096/73F984B66B39EF31 created: 2014-05-11 expires: 2019-03-02
ssb rsa4096/29BFA0D079290ACA created: 2016-08-31 expires: 2022-05-26
ssb rsa4096/BF9857A73C371C72 created: 2016-08-31 expires: 2022-05-26
ssb> rsa4096/EE215B9FB8C45B0B created: 2022-02-25 expires: 2025-07-10
card-no: 0006 XXXXXXXX
ssb> rsa4096/5D5FF73A02045D5C created: 2022-02-25 expires: 2025-07-10
card-no: 0006 XXXXXXXX
ssb> nistp521/BE872C1D800F2E73 created: 2023-03-02 expires: 2025-07-10
card-no: 0006 XXXXXXXX
If you decide to use your authentication subkey as an SSH key, you need to
be export the associated SSH public key fingerprint in order to put it on the
authorized_keys on the remote machines.
❯ gpg --export-ssh-key BE872C1D800F2E73
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBACzeZKoSkcDSEdTaF9PcxfUr3rkZyB7TLzOALwvglwQh6wvZ7HBqxbwAfBF0jRT+CfVnBwEhGqx5DjrXxhaTHSqNQAT8JqWrWWeM14GH1JLTLHVivNSdP3KThgmSZAQNfSwmJHn5hzYKtrENFxpcYCtcgebdXCUw4Wm/VMEGCUE99v5jQ== openpgp:0x800F2E73
With this, you’re all set regarding GPG usage.
-
Once, I lost 15 minutes trying to unlock my laptop which requires my
YubiKeyto be unlockable before realizing I was using the wrong key… ↩