The gotchas I've encountered while using them on OSX:
- The pins for PIV and OpenPGP are separate as these are separate modules on the card.
- You can't use the PIV or NEO GUI managers and gpg at the same time. You might have to unplug and plug the token
back in when switching back and forth between GUI/cmdline Yubico tools and gpg.
- Forgetting to change my environment to use gpg-agent instead of ssh-agent.
- Typing in my local password instead of the PIV pin when logging into OSX while I have a token with PIV enabled
plugged in.
The "setup" instructions that are referenced in the packaging and on parts of the site are for basic use of OTP. Real documentation is here: https://www.yubico.com/support/knowledge-base/categories/gui...
For people asking about backing up material on OpenPGP modules: these are write only. Generate your material locally with gpg instead of generating them on the smart card itself and use the keytocard command to copy the keys to the card. You can backup your keyring prior to moving keys and restore it before copying keys to each card, or ctrl-c out of gpg without saving the keyring references for the material that was moved to the smart card.
I used bits and pieces from a few guides to get the setup I wanted as this was my first experience with smart cards and advanced use of pgp:
https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubike...
https://rnorth.org/gpg-and-ssh-with-yubikey-for-mac
http://suva.sh/posts/gpg-ssh-smartcard-yubikey-keybase/
https://www.jfry.me/articles/2015/gpg-smartcard/
https://spin.atomicobject.com/2013/11/24/secure-gpg-keys-gui...
https://alexcabal.com/creating-the-perfect-gpg-keypair/
Overview of my process (on an air gapped machine):
- Configure gpg.conf.
- Generate master, subkey, and revocation material on an encrypted USB drive for offline backup of material
along with revocation certificates.
- Backup original .gnupg directory to another folder on the encrypted USB drive.
- Copy .gnupg directory to second encrypted USB drive for offsite backup.
- For each smart card I wanted the same material on:
-- Change default user and admin pins.
-- keytocard subkeys for (S)ign, (E)ncrypt, (A)uthenticate (without saving keyring).
-- Require local touch for all material (Yubico specific: https://developers.yubico.com/PGP/Card_edit.html).
-- move on to next card.
-- save keyring after running keytocard on the last card so the subkey material no longer exists in the local keyring, only
references to it (this might not be necessary, I need to test).
- Generate a copy of the keyring without master key to use on daily machine(s). Might also only need to have the master
material minus the key in the keyring as noted above. I haven't tested how
- Copy new keyring to another USB drive for transferring to daily machine(s).
- Configure gpg-agent.conf and gpg.conf on daily machine.
Resetting the applet if you messed up or want to start fresh: https://developers.yubico.com/ykneo-openpgp/ResetApplet.html
https://www.yubico.com/support/knowledge-base/categories/art...
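As an added example (not from the post above), a POSIX shell script for the backup and daily-keyring steps of that process: snapshot and verify .gnupg before keytocard removes subkey secrets from the local keyring, then export the stub-only keyring for the daily machine. It assumes GnuPG 2.1+ (`--export-secret-subkeys`) and the USB mount paths shown are placeholders; keytocard itself stays interactive.

```shell
#!/bin/sh
# Added example, not the post's own code. Automates the offline backup steps
# around keytocard (which strips subkey secrets from the keyring) and builds the
# "daily" keyring that carries only card stubs plus the public key.
set -eu

# Portable sha256 wrapper (coreutils on Linux, shasum on macOS).
sha256() { if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi; }

# backup_keyring SRC_DIR DEST_DIR : archive the keyring and write a checksum manifest.
backup_keyring() {
    src=$1; dest=$2
    mkdir -p "$dest"
    tar -C "$(dirname "$src")" -czf "$dest/gnupg-backup.tgz" "$(basename "$src")"
    ( cd "$dest" && sha256 gnupg-backup.tgz > gnupg-backup.tgz.sha256 )
}

# verify_backup DEST_DIR : non-zero exit if the archive no longer matches its manifest.
# Run this before keytocard; the card is write-only, so the backup is the only copy left.
verify_backup() {
    ( cd "$1" && sha256 -c gnupg-backup.tgz.sha256 >/dev/null 2>&1 )
}

# daily_keyring FPR OUT_DIR : export the public key and secret-subkey stubs for the
# daily machine. After keytocard + save, the stub export holds no usable secret material
# and the master secret key is never exported.
daily_keyring() {
    fpr=$1; out=$2
    mkdir -p "$out"
    gpg --armor --export "$fpr" > "$out/public.asc"
    gpg --armor --export-secret-subkeys "$fpr" > "$out/subkey-stubs.asc"
}

# Typical flow on the air-gapped machine (FPR = master fingerprint, paths are placeholders):
#   backup_keyring "$HOME/.gnupg" /Volumes/ENCRYPTED_USB/backup-1
#   verify_backup /Volumes/ENCRYPTED_USB/backup-1 || exit 1
#   for each card:   gpg --card-edit        -> admin, passwd   (change user/admin PINs)
#                    gpg --edit-key "$FPR"  -> key 1, keytocard, ... then quit WITHOUT saving
#   after the last card: save, so only stubs remain in the local keyring
#   daily_keyring "$FPR" /Volumes/TRANSFER_USB/daily
```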