I’ve always been mindful of my online presence, privacy and security. I’ve tried to choose strong passwords, enable two factor authentication and always been hesitant of putting stuff in the “cloud”. Since a while back I’m trying to quit all Google services (getting my own domain and a FastMail account was the big step). I’ve avoided connecting my Facebook account with other services and in general always gone for security rather than usability. Whenever I have been forced to register an account for a one-off web service I’ve used a temporary email service.
At least that’s what I thought. Then GDPR came along and my inbox were flooded with notifications from companies holding my personal information. It was a wake up call. Apperently have not been so good at enforcing my own policies. I was using the same few passwords for many accounts that I had since long forgotten, passwords that had been leaked (Have I Been Pwned). For my key services I was using so many different passwords that it became a cognitive burden. It was clearly time to step up the game and start using a password manager.
In the spirit of avoiding cloud services and proprietary software I went for pass - the standard unix password manager. Pass stores each password (or whatever you want to store) as a gpg encrypted file. It’s integrated with git which makes it easy to sync up with a server (e.g. a VPS) and has a good-enough firefox add-on (passff) that simplifies your life. What about mobile, you ask? There are a bunch of apps for Android and iPhone listed on the homepage. I haven’t bothered about that.
Since I had to create my very first PGP key I decided to buy a YubiKey 4 to store my private keys (sub-keys that is - my master key is of course stored in a fire and water proof place, safe from robbery, law enforcement and alien invasion) and introduce an extra layer of security. As a bonus I’m also using the YubiKey for SSH authentication to my VPS and other services. YubiKey also supports U2F which is awesome. Read about why you should use in this great post.
You’ll find my public PGP key in the end of this post. What follows is a write-up of the essential steps needed to get it up and running.
Creating Open PGP keys
There are many step-by-step guides (Google it) for how to generate a key so I will not repeat it here in detail. I booted a Tails image from a USB drive on an air-gapped computer and created a master key using gpg. Then I went on to create three sub-keys for signing, encryption and authentication. I exported and backed up my secret keys to an encrypted USB drive. The master key was then deleted, and the sub-keys transferred to my YubiKey. The public key was also exported.
Setting up the YubiKey
I followed this guide to configure my YubiKey. The YubiKey was configured as a smartcard using gpg --card-edit. I changed the pin and added some information before transferring the sub-keys.
Using the key
Install required software:
$ sudo apt-get update
$ sudo apt-get install -y \
gnupg2, gnupg-agent \
scdaemon, pcscd, pass
Create a hardened GPG configuration (from the guide):
$ cat ~/.gnupg/gpg.conf
personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
charset utf-8
fixed-list-mode
no-comments
no-emit-version
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity
with-fingerprint
require-cross-certification
use-agent
$ chmod 600 ~/.gnupg/gpg.conf
Import the public key (exported when creating the keys) and trust the master key:
$ gpg --import /path/to/pubkey.txt
$ gpg --edit-key <KEYID>
gpg> trust
...
Your Decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
gpg> save
Plug-in the YubiKey again and verify that everything looks alright using gpg --card-status. Finally, set up the password store:
$ pass init "Password Storage Key"
Here, Password Storage Key is the ID of the GPG key. Now we are good to go!
Use the YubiKey for SSH Authentication
Setup configuration for the gpg-agent:
$ cat ~/.gnupg/gpg-agent.conf
enable-ssh-support
pinentry-program /usr/bin/pinentry-curses
default-cache-ttl 60
max-cache-ttl 120
To launch gpg-agent for use by SSH we need to add this to the shell rc file:
export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent
Extract the public ssh key:
ssh-add -L | grep "cardno:<Card number>" > ~/.ssh/id_rsa_yubikey.pub
The public key should also be copied to the server’s authorized_keys file. Finally set up some SSH configuration to explicitly associate this YubiKey-stored key with the host:
$ cat << EOF >> ~/.ssh/config
Host mydomain.com
Port <custom-port-number>
IdentitiesOnly yes
IdentityFile ~/.ssh/id_rsa_yubikey.pub
EOF
As you can tell from the configuration, I also took some extra steps to harden my SSH configuration at the server by using a cusom SSH port (not 22) and disable passwords (by editing /etc/ssh/sshd_config). I also set up a second YubiKey as backup. For my own future reference: to switch key we need to kill the gpg-agent, delete the secrete key stubs, do gpg –card-status to learn of the new smartcard and restart gpg-agent.
killall -9 ssh-agent gpg-agent
#Repeat for all three subkeys
rm ~/.gnupg/private-keys-v1.d/<KEYID>.key
#Insert the other YubiKey
gpg --card-status
#Relaunch gpg-agent, I do it by running my bashrc that contains the commands above
source ~/.bashrc
Here you find my public gpg key: mypublickey.asc
—— Eric