expand yubikey docs to include gpg
@@ -1,7 +1,99 @@
# Yubikey
- [Yubikey](#yubikey)
- [Configuration](#configuration)
- [Software](#software)
- [GPG](#gpg)
- [Saving GPG key to card](#saving-gpg-key-to-card)
- [Using the GPG key on a Yubikey](#using-the-gpg-key-on-a-yubikey)
- [Factory Reset](#factory-reset)
## Configuration
1. You will likely need the [udev
rules](https://support.yubico.com/hc/en-us/articles/360013708900-Using-Your-YubiKey-with-Linux)
to use the AppImage configuration tool on linux even if your udev version is above 244.
## Software
The [Yubikey Manager](https://www.yubico.com/support/download/yubikey-manager/) is deprecated.
Use the [Yubikey Authenticator](https://www.yubico.com/products/yubico-authenticator/) for GUI.
## GPG
### Saving GPG key to card
<https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP>
On Fedora you'll need to add the following polkit rules to access your smart card.
```bash
export MY_USER=ducoterra
echo <<EOF > /etc/polkit-1/rules.d/10-pcsc-custom.rules
polkit.addRule(function(action, subject) {
if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
subject.user == "${MY_USER}") {
return polkit.Result.YES;
}
});
polkit.addRule(function(action, subject) {
if (action.id == "org.debian.pcsc-lite.access_card" &&
action.lookup("reader") == 'Yubico YubiKey OTP+FIDO+CCID 00 00' &&
subject.user == "${MY_USER}") {
return polkit.Result.YES;
}
});
EOF
```
Now you can add your key to your card.
```bash
gpg --edit-key 1234ABC
# Save both the signature and authentication keys
> keytocard
# Do not save or your key will be deleted locally
> quit
```
Check the keys on the yubikey with
```bash
gpg --card-status
```
Once your keys have been loaded, change the pin.
```bash
gpg --change-pin
```
### Using the GPG key on a Yubikey
<https://github.com/drduh/YubiKey-Guide?tab=readme-ov-file#notes>
```bash
export GPG_EMAIL='myemail@example.com'
# Import the public key. Without this the key won't show up.
gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys ${GPG_EMAIL}
# Trust the key
gpg --quick-set-ownertrust ${GPG_EMAIL} full
# Yubikey should now show up
gpg --list-secret-keys
```
### Factory Reset
```bash
gpg --edit-card
> admin
> factory-reset
```
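Review bot: `echo <<EOF > /etc/polkit-1/rules.d/10-pcsc-custom.rules` in the polkit block never writes the heredoc: echo ignores stdin, so the file ends up containing a single newline and neither rule is installed. Use `cat <<EOF > /etc/polkit-1/rules.d/10-pcsc-custom.rules` (or `sudo tee`, since `/etc/polkit-1/rules.d` is root-owned) and tell the reader to `cat` the file back to confirm the `${MY_USER}` expansion landed. The second rule matches `action.lookup("reader") == 'Yubico YubiKey OTP+FIDO+CCID 00 00'` exactly, which only holds for a key with all three interfaces enabled in the first reader slot; point the reader at the `Reader` line of `gpg --card-status` instead of hard-coding the string. In the `gpg --edit-key` block the comment says to save both the signature and authentication keys, but `keytocard` is issued once with no subkey selected, which moves the primary key; each subkey needs `key N` toggled on and its own `keytocard`. The "Do not save" note should also state the consequence: after `quit` without save the on-disk secret key is still a complete copy, so it must be backed up or deliberately removed rather than assumed to live only on the card. Finally, `gpg --quick-set-ownertrust ${GPG_EMAIL} full` only makes the key a trusted introducer for other keys; gpg treats your own key as valid only at `ultimate`, so with `full` the card key can show up but still be reported as untrusted.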