expand yubikey docs to include gpg
@@ -1,7 +1,99 @@
# Yubikey

- [Yubikey](#yubikey)
- [Configuration](#configuration)
- [Software](#software)
- [GPG](#gpg)
- [Saving GPG key to card](#saving-gpg-key-to-card)
- [Using the GPG key on a Yubikey](#using-the-gpg-key-on-a-yubikey)
- [Factory Reset](#factory-reset)

## Configuration

1. You will likely need the [udev
rules](https://support.yubico.com/hc/en-us/articles/360013708900-Using-Your-YubiKey-with-Linux)
to use the AppImage configuration tool on linux even if your udev version is above 244.

## Software

The [Yubikey Manager](https://www.yubico.com/support/download/yubikey-manager/) is deprecated.

Use the [Yubikey Authenticator](https://www.yubico.com/products/yubico-authenticator/) for GUI.

## GPG

### Saving GPG key to card

<https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP>

On Fedora you'll need to add the following polkit rules to access your smart card.

```bash
export MY_USER=ducoterra
echo <<EOF > /etc/polkit-1/rules.d/10-pcsc-custom.rules
polkit.addRule(function(action, subject) {
if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
subject.user == "${MY_USER}") {
return polkit.Result.YES;
}
});

polkit.addRule(function(action, subject) {
if (action.id == "org.debian.pcsc-lite.access_card" &&
action.lookup("reader") == 'Yubico YubiKey OTP+FIDO+CCID 00 00' &&
subject.user == "${MY_USER}") {
return polkit.Result.YES;
}
});
EOF
```

Now you can add your key to your card.

```bash
gpg --edit-key 1234ABC

# Save both the signature and authentication keys
> keytocard

# Do not save or your key will be deleted locally
> quit
```

Check the keys on the yubikey with

```bash
gpg --card-status
```

Once your keys have been loaded, change the pin.

```bash
gpg --change-pin
```

### Using the GPG key on a Yubikey

<https://github.com/drduh/YubiKey-Guide?tab=readme-ov-file#notes>

```bash
export GPG_EMAIL='myemail@example.com'

# Import the public key. Without this the key won't show up.
gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys ${GPG_EMAIL}

# Trust the key
gpg --quick-set-ownertrust ${GPG_EMAIL} full

# Yubikey should now show up
gpg --list-secret-keys
```

### Factory Reset

```bash
gpg --edit-card

> admin
> factory-reset
```

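Review bot: the polkit block under "Saving GPG key to card" never writes the rules, because `echo <<EOF > /etc/polkit-1/rules.d/10-pcsc-custom.rules` discards the heredoc (echo does not read stdin) and leaves an empty file, and it also runs without the root privileges that path needs; use `sudo tee /etc/polkit-1/rules.d/10-pcsc-custom.rules <<EOF` instead, keeping EOF unquoted so `${MY_USER}` still expands. In the same block the reader string `'Yubico YubiKey OTP+FIDO+CCID 00 00'` is tied to one key and one USB position: the product name changes with the interfaces enabled on the key and the trailing numbers with the reader index, so either match a prefix (for example `action.lookup("reader").indexOf("Yubico YubiKey") == 0`) or say which key the string was captured from. It would also help to state that these rules only matter when scdaemon reaches the card through pcscd; with gpg's built-in CCID driver it is the udev rules from the Configuration section that grant access. In the `gpg --edit-key` block the comment "Save both the signature and authentication keys" does not match a single `> keytocard` with no subkey selected, which operates on the primary key; each subkey has to be selected first (`key 1`, `keytocard`, pick the slot, `key 1` again to deselect, then `key 2`, `keytocard`), and the "do not save" advice should be paired with an explicit `gpg --export-secret-keys` backup beforehand, since the card write has already happened by the time quit is answered. The "Using the GPG key on a Yubikey" block is missing the step that actually makes the key appear: after the public key is imported, `gpg --card-status` has to be run with the key inserted so that gpg creates the secret-key stubs, otherwise `gpg --list-secret-keys` stays empty; and `--quick-set-ownertrust ... full` only makes the key's certifications count, it does not make your own key valid, so for the owner's key the level should be `ultimate`. For `gpg --change-pin`, say that both the user PIN (option 1) and the Admin PIN (option 3) need changing from the defaults 123456 and 12345678. The Factory Reset section should state that `factory-reset` wipes only the OpenPGP application (keys gone, PINs back to the defaults) and leaves FIDO2, PIV and OATH untouched, with no undo. Finally, the Software section overstates the deprecation: the YubiKey Manager GUI is deprecated, but the `ykman` CLI is still maintained and is the tool for resetting the other applications.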