This is an attempt to do a “quick start” guide for properly generating OpenPGP keys and loading them into your YubiKey NEO on Windows. This isn’t an all-exhaustive guide, and you more advanced users may choose to do things differently than I have demonstrated here. This is my way, and I know it works.
If you’re going to do anything with the OpenPGP functionality of the YubiKey NEO, you need the latest stable of Gpg4win, available here. You also need your NEO in CCID mode. See my previous post to get started. Also note that the YubiKey NEO only supports 2048-bit keys. Larger keys will not work. Smaller keys may or may not work.
After following this guide, you will have an OpenPGP 2048-bit key pair with sub-keys for encryption and authentication, a revocation certificate, a backup of your keys, and the secret keys loaded on to the appropriate slots on the YubiKey NEO.
YubiCo’s guide to this process is posted here. When I walked through their guide I noticed it was missing some steps. So I wrote this guide to fill in the blanks and be more descriptive.
Generating your initial key pair
Open a command prompt and run:
gpg --expert --gen-key
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
Your selection? 8
For ‘kind of key’, select 8 (RSA: Set your own capabilities)
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
Now you want to select ‘e’, so that you toggle off the encryption ability off, so that ‘Current allowed’ shows only Sign and Certify. Then select ‘q’ to move on.
Make sure you select a 2048 bit key, and then continue through the wizard to complete your key pair generation.
Take note of your 8-character key ID. You will need it for future steps.
Adding the sub-keys
You need to add two sub-keys; one for encryption, and one for authentication.
From the command line, run (where keyID is your 8-character key ID) :
gpg --expert --edit-key keyID
Select 8 again, just like above, and then toggle abilities so you have an encryption-only key. Make sure you generate a 2048-bit key.
Repeat addkey one last time, and toggle abilities so you have an authentication-only key.
Then q to quit, and y to save changes.
Backing up the keys
Run each of the following commands to backup your public key, secret key, and to create a revocation certificate, where keyID is your 8-character key ID:
gpg --output public.asc -a --export keyID
gpg --output secret.asc -a --export-secret-key keyID
gpg --output revoke.asc -a --gen-revoke keyID
Moving the keys to the YubiKey
Run the following command:
gpg –expert –edit-key keyID
Then type toggle. You have sub-keys 1,and 2, and 0 represents the main key. For each of these sub-keys (1 and 2), type key subkey-number (such as key 1) to toggle handling that key, and then use keytocard to move it to your YubiKey. (after handling key 1, you have to type key 1 again to unselect it before selecting key 2). Keys 1 and 2 will only have one choice where to put them. Afterwards, type key 0 and keytocard it to the signature slot.
card errors: If you get a card error, IO error, or anything like that, quit gpg, saving any changes, quit Kleopatra, quit YubiCo Authenticator (if you’re running it), and then open Task Manager and kill any gpg-agent or gpg-* processes. Run this:
If this comes back with data (and not an error), then run this again and continue:
gpg –expert –edit-key key-ID
Integration with Putty / Pagent: This is something I haven’t explored yet, but this walk-through seems to deal with the topic quite well.
This is a continuation of my previous post on YubiKey.
In order for the most painless “Quick Start” of YubiKey on Windows, you will need a few tools:
First, the YubiKey NEO Manager, available here, will enable you to toggle the various modes (OTP, CCID, U2F) of your YubiKey on and off. Since the YubiKey ships with only OTP mode enabled, you will need this to turn on CCID (SmartCard) and U2F (Fido) mode. This will also let you check and verify the installed apps on your NEO, once you’ve enabled CCID mode. (Important: Check the version of your OpenPGP app. If it is 1.0.9 or lower, read this security advisory and take appropriate action).
Second, the YubiKey Personalization Tool, available here, will enable you to personalize the various configuration slots of your YubiKey. There are two slots available, and slot 1 is programmed with the YubiCo OTP (or RSA key, depending). It is strongly advised not to overwrite slot 1 unless you really know what you are doing. You can program slot 2 for whatever other implementation you would like. Please note that these two slots are independent of the applets that run on the CCID side of the card. Although that may be slightly confusing, it will be clear as you use your key.
Third, the YubiKey NEO contains the YubiOATH applet for generating those familiar 6-digit OTP codes that various websites use as two-factor authentication. Your YubiKey NEO can store many of those 6 digit codes and secrets in the key itself, but it requires the YubiOATH-desktop helper app, available here. This helper app is required because OATH codes are time-based, and the YubiKey has no internal clock. Also, this requires that CCID mode is enabled.
If you have anything to contribute, please do so in the comments below, or contact me using the form.
First, a little background. I was on a Skype call a short time ago and noticed that Skype would randomly zoom in and zoom out during the call. It seemed to happen at random, and I couldn’t figure out why, nor could I find any way of controlling it.
My Asus T100’s camera does have a user-controllable zoom, but it is zoomed all the way out when this is happening. It does not have face-following, a feature commonly blamed for this issue in Skype.
Here’s a shot of the Video Settings dialog in Skype, for anyone interested.
After some digging around the web, I’ve found a logical chain of forum posts that seem to indicate what the issue is, and point to a potential fix.
First, this blog post from another user who had the same issue, and he worked around it by installing and using ManyCam. This did work to resolve the issue, but requires ManyCam be running and adds the extra resources that it requires. If you decide to go this route, I strongly recommend areful reading during the ManyCam installer. It’s full of add-ons.
Second, this thread on yCombinator suggests a few things: 1) That lack of bandwidth is causing Skype to switch the camera to a lower resolution, resulting in the zoom; and that 2) lack of movement in portions of the cameras image is causing it to zoom. Theory 1 seems more plausible.
Third, this post on the Skype forums suggests that Skype’s video resolution can be forced by editing an xml file. Quoted with edits:
It’s impossible to change either the capture or stream video resolution in the Skype GUI. But the capture resolution can be changed by adding for example this:<Video> <CaptureWidth>1280</CaptureWidth> <CaptureHeight>960</CaptureHeight> </Video>
directly under the
<Lib>tag in %AppData%\Skype\shared.xml. The other supported resolutions also work. Check that it works from Call -> Call Technical Info.
Of course, make sure that you are forcing a resolution that your camera supports, that your PC has enough processing power to support, and that you have sufficient bandwidth for. Otherwise, you will experience undesirable effects. 640×480 is a good choice for many. 1280×720 would require a webcam capable of 720p HD capture. A 1.2 MP camera could give a resolution of 1280×960.
I used 1280×960 above as my camera is 1.2 megapixel. However, in my Call Technical Info, my camera is capturing at 1280×720, and zoom is correct. In one instance the camera zoomed in, and the Call Technical Info showed that it was capturing at 240×360. The zoom is definitely connected to the capture resolution, but changing the xml settings does not guarantee that Skype will force the resolution under all (or any) circumstances.
I’m also going to add that this is directly targeted at Skype for Desktop, not the Windows 8 app. If you are able to try this, please let me know your results.
(I realize this is far from being a new thing, but I also know that some people don’t know how to do this, so I’m going to explain this for today’s lucky 10,000.)
I have a lot of very useful bookmarks, as I’m sure many of you readers do as well. I also tend to use more than one web browser. It’s a huge pain to constantly export/import bookmarks across browsers, back up favorites before re-installing an OS, etc. What if you could just have your favorites saved to disk, and use them however and whenever you wanted? That would be great.
Firefox and Chrome both have features where you can sync your bookmarks to their cloud services, but that only works with that one browser.
So, actually, you can save them to disk. And I’m not talking about saving the page to disk (via file > save). No. Not that. That saves the whole page and all of the content to your disk. No. I’m talking about saving just the link. Not in a text file, but in a simple file you can double-click to open in your web browser.
Sounds awesome, right? It is.
So here’s how you do it. In your favorite web browser, just locate the page favicon (that’s what that little icon next to the web address is called. It’s a favicon.) and drag it to your desktop, or other such folder. Screenshots below for Internet Explorer and Chrome:
Now you can save those files anywhere you want, even such places such as Dropbox, OneCloud, etc. Even a USB stick.
OneDrive users: If your link does something unexpected when you double-click on it (like trying to print), make sure it’s an Offline file. Right-click your link and select Make available offline. You can select multiple files and do this to many at once, or even an entire folder.
If you have an XBox 360 hooked up to your TV over HDMI, you very well may experience popping, crackling, or static sounds while playing games.
It took me a bit of Googling to find the solution to this problem. Most people think it’s bad HDMI ports, cables, interference, or other. When in fact, I found the simplest solution (and the correct one) was to go into the console settings, under sound, and notice that the XBox by default is configured for Dolby 5.1 surround sound. On a 2-speaker system, this is not correct and will result in distorted sound. Change this setting to digital stereo and that will solve the issue.
The Windows “Backup and Restore” utility that was present in the control panel in Windows 7 could easily do full-system bare-metal backup and restore. Unfortunately, this tool was removed from the control panel in Windows 8.
However, it looks like that tool is still present on the hard drive and can be used. Here’s how to find it.
Click Start, and in the search box, type SDCLT.EXE . Right-click the and click Run As Administrator.
As always, a test restore is good practice.
Comments are welcomed below!
I currently have a portion of my backups on S3, with a life-cycle policy that includes moving the objects to Glacier after a period of time. This makes the storage much cheaper ($0.01/GB/Mo from $0.03/GB/Mo – Source), but has the downside that objects require a 4-hour restore period before they can become available for download. I have had need for some objects quickly, and so the 4-hour restore time isn’t worth the savings. Unfortunately, once an object has had this life-cycle applied to it, it can only be temporarily restored. In order to make it a standard object again, you have to download it, delete the Glacier object, and then re-upload it. Unfortunately, doing it all wasn’t quite as straightforward as I thought it might be. But, (I think) I figured out a way to get it done rather painlessly.
I’m going to be using s3cmd and a few cron jobs to automate this.
First, get s3cmd version 1.5. This version supports initiating restores on the Glacier objects. You can recursively initiate a restore on every object in the bucket, but when it hits a non-Glacier object it will stop. You can also use s3cmd to initiate a download of all the objects in the bucket, but when it hits a Glacier object, the download will stop. And you will end up with a zero-byte file. (Hey s3cmd developers, would you mind fixing this behavior, or at least writing in something to force progression on a failure, so we can walk through the entire bucket in one go?)
The solution had to involve initiating restores, waiting at least 4 hours for the restore, then going back for the restored data and deleting it from the buckets, then deleting any zero-byte files, and then doing it all over again later.
Ain’t nobody got time for that. Except cron. Cron has plenty of time for that.
First of all, make sure you have s3cmd installed and configured (with
s3cmd --configure). Then you can configure the following script to run every 4 hours. I’m not going to go into much detail on this. If you’re familiar with s3cmd and Amazon S3/Glacier, you can probably figure out how it works. I wrote it as a short-term fix, but it’s worth sharing.
#!/bin/bash # This script should be fired every 4 hours from a cron job until all # data from the desired bucket is restored. # Requires s3cmd 1.5 or newer # Temp file TEMPFILE=~/.s3cmd.restore.tmp # Bucket to restore data from. Use trailing slash. BUCKET="s3://bucketname/" # Folder to restore data to. Use trailing slash. FOLDER="/destination_folder/" # Because of the way s3cmd handles errors, we have to run in a certain method # 1: download/delete files from bucket, # 2: run restore on the remaining objects # 3: Do housekeeping on the downloaded data if [ ! -f $TEMPFILE ] then touch $TEMPFILE echo === Starting Download Phase s3cmd -r --delete-after-fetch --rexclude "/$" sync $BUCKET $FOLDER echo === Starting Restore Phase s3cmd -r -D 30 restore $BUCKET echo === Starting cleanup # s3cmd doesn't delete empty folders, and can create empty files. Clean this up. find $FOLDER -empty -delete # but it might accidentially delete the target directory if the download didn't # happen, so we have to fix that now mkdir $FOLDER rm $TEMPFILE fi
Note that restore, download, and delete operations can incur extra costs. Be aware of that before proceeding.
So that’s it. I *should* have my entire S3 bucket downloaded completely within the next few days, and then I can migrate to what I hope is a more simplified archiving plan.
A reader got in touch with me regarding my previous post, Quick sh script cronjob to fix user homes permissions on Synology. That script was initially intended to fix user homes file ownership, but this reader shared a script that uses the synoacltool to fix the Access Control List on directories.
A few thoughts regarding this script:
First, it was mentioned that these issues may be fixed in the latest DSM release. If you’re still experiencing file ownership and permissions issues, please feel free to use the solution linked to above or posted below.
Second, the script linked to above and the script below take different approaches on the problem. You may find a solution in one, or you may elect to use both.
Third, it was mentioned that this was a “one and done” solution. Due to the changing nature of filesystem content, I don’t believe that to be the case. You may want to save this as a sh script and run it as a scheduled task, or you may want it to run on every boot up. If you decide you want to run it on every boot, edit (or create) the file /etc/rc.local, and paste the below. I can’t say for certain whether this script is preserved on an upgrade, though this page strongly suggests that it would be preserved.
I don’t have a Synology unit right now to test this on, so I can’t offer any insight other than what I’ve shared above.
Here’s the script:
synouser --enum all > user.list
sed -i 's/\\/\\\\/g' user.list
cat user.list | while read line
echo -n "$line: "
USERDIR=`synouser --get "$line" | grep "User Dir"`
if [ $? != 0 ]; then
echo "user: [$line] not found"
HOMEPATH=`echo "$USERDIR" | cut -d'[' -f2 | cut -d']' -f1`
synoacltool -get-archive "$HOMEPATH" | grep is_support_ACL > /dev/null 2>&1
if [ $? != 0 ]; then
echo "[$HOMEPATH] not support ACL or not exist"
synoacltool -get "$HOMEPATH" | grep -F "user:$line:allow:rwxpdDaARWcCo:fd--" > /dev/null 2>&1
if [ $? = 0 ]; then
echo "[$HOMEPATH] exist user's Full Control ACL"
synoacltool -add "$HOMEPATH" "user:$line:allow:rwxpdDaARWcCo:fd--"
Any feedback is welcome and appreciated. Thank you!
I’ve seen issues with the Asus T100 where the Wi-Fi will frequently not reconnect after coming out of standby, hibernate, or a power off. Toggling airplane mode or rebooting the device will fix it, but not always the first time.
I found a fix for this, after reviewing the fix for frequently disconnecting Bluetooth devices, and the issues appear related.
Again, go into device manager and right-click the wireless network adapter, and click Properties. Go to the Advanced tab and change Minimum Power Consumption to Disabled.
After doing this, no more Wi-Fi issues!