Archive for May 24th, 2015
This is an attempt to do a “quick start” guide for properly generating OpenPGP keys and loading them into your YubiKey NEO on Windows. This isn’t an all-exhaustive guide, and you more advanced users may choose to do things differently than I have demonstrated here. This is my way, and I know it works.
If you’re going to do anything with the OpenPGP functionality of the YubiKey NEO, you need the latest stable of Gpg4win, available here. You also need your NEO in CCID mode. See my previous post to get started. Also note that the YubiKey NEO only supports 2048-bit keys. Larger keys will not work. Smaller keys may or may not work.
After following this guide, you will have an OpenPGP 2048-bit key pair with sub-keys for encryption and authentication, a revocation certificate, a backup of your keys, and the secret keys loaded on to the appropriate slots on the YubiKey NEO.
YubiCo’s guide to this process is posted here. When I walked through their guide I noticed it was missing some steps. So I wrote this guide to fill in the blanks and be more descriptive.
Generating your initial key pair
Open a command prompt and run:
gpg --expert --gen-key
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
Your selection? 8
For ‘kind of key’, select 8 (RSA: Set your own capabilities)
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
Now you want to select ‘e’, so that you toggle off the encryption ability off, so that ‘Current allowed’ shows only Sign and Certify. Then select ‘q’ to move on.
Make sure you select a 2048 bit key, and then continue through the wizard to complete your key pair generation.
Take note of your 8-character key ID. You will need it for future steps.
Adding the sub-keys
You need to add two sub-keys; one for encryption, and one for authentication.
From the command line, run (where keyID is your 8-character key ID) :
gpg --expert --edit-key keyID
Select 8 again, just like above, and then toggle abilities so you have an encryption-only key. Make sure you generate a 2048-bit key.
Repeat addkey one last time, and toggle abilities so you have an authentication-only key.
Then q to quit, and y to save changes.
Backing up the keys
Run each of the following commands to backup your public key, secret key, and to create a revocation certificate, where keyID is your 8-character key ID:
gpg --output public.asc -a --export keyID
gpg --output secret.asc -a --export-secret-key keyID
gpg --output revoke.asc -a --gen-revoke keyID
Moving the keys to the YubiKey
Run the following command:
gpg –expert –edit-key keyID
Then type toggle. You have sub-keys 1,and 2, and 0 represents the main key. For each of these sub-keys (1 and 2), type key subkey-number (such as key 1) to toggle handling that key, and then use keytocard to move it to your YubiKey. (after handling key 1, you have to type key 1 again to unselect it before selecting key 2). Keys 1 and 2 will only have one choice where to put them. Afterwards, type key 0 and keytocard it to the signature slot.
card errors: If you get a card error, IO error, or anything like that, quit gpg, saving any changes, quit Kleopatra, quit YubiCo Authenticator (if you’re running it), and then open Task Manager and kill any gpg-agent or gpg-* processes. Run this:
If this comes back with data (and not an error), then run this again and continue:
gpg –expert –edit-key key-ID
Integration with Putty / Pagent: This is something I haven’t explored yet, but this walk-through seems to deal with the topic quite well.
This is a continuation of my previous post on YubiKey.
In order for the most painless “Quick Start” of YubiKey on Windows, you will need a few tools:
First, the YubiKey NEO Manager, available here, will enable you to toggle the various modes (OTP, CCID, U2F) of your YubiKey on and off. Since the YubiKey ships with only OTP mode enabled, you will need this to turn on CCID (SmartCard) and U2F (Fido) mode. This will also let you check and verify the installed apps on your NEO, once you’ve enabled CCID mode. (Important: Check the version of your OpenPGP app. If it is 1.0.9 or lower, read this security advisory and take appropriate action).
Second, the YubiKey Personalization Tool, available here, will enable you to personalize the various configuration slots of your YubiKey. There are two slots available, and slot 1 is programmed with the YubiCo OTP (or RSA key, depending). It is strongly advised not to overwrite slot 1 unless you really know what you are doing. You can program slot 2 for whatever other implementation you would like. Please note that these two slots are independent of the applets that run on the CCID side of the card. Although that may be slightly confusing, it will be clear as you use your key.
Third, the YubiKey NEO contains the YubiOATH applet for generating those familiar 6-digit OTP codes that various websites use as two-factor authentication. Your YubiKey NEO can store many of those 6 digit codes and secrets in the key itself, but it requires the YubiOATH-desktop helper app, available here. This helper app is required because OATH codes are time-based, and the YubiKey has no internal clock. Also, this requires that CCID mode is enabled.
If you have anything to contribute, please do so in the comments below, or contact me using the form.