Skip to content

Instantly share code, notes, and snippets.

@smoser
Last active January 12, 2024 14:31
Show Gist options
  • Save smoser/5182522fa4769d4be6deaf87d5f9459f to your computer and use it in GitHub Desktop.
Save smoser/5182522fa4769d4be6deaf87d5f9459f to your computer and use it in GitHub Desktop.
yubikey / gpg

Yubikey and GPG setup

A change in process at work meant that internal IT would be managing my work-provided laptop. While I do not expect management to leak any personal sensitive data that was on the machine, it does represent an increase in the potential for such a thing to happen.

I bought a Yubikey (5c). The goal was to store "personal" GPG and SSH credentials on the yubikey so that they would not be available to a compromised system, or inadvertantly get backed up.

The setup seems to work pretty well. Here is what I did.

GPG

I follwed the the wonderful Yubikey Guide almost entirely. The only thing that was different for me was that I had an existing primary GPG key, so I used that rather than creating a new one.

Along the way I actually even used 'paperkey' and now have offline and paper backups of my primary key. So I am grateful to the doc for suggesting that.

The only sticking point was mentioned in the guide under "Multiple Yubikeys". I also have a work-provided yubikey that I have use for signing internal git commits (and hopefully at some point internal ssh credentials).

I didn't want to deal with 'gpg connect agent' comnmands as described there. The solution I am using is a simple gpg wrapper called 'mgpg' (see below). 'mgpg' just selects and sets GNUPGHOME based on the "personality".

Basically I have two .gnupg directories, one named '.gnupg' and one named '.gnupg-brickies'.

To tell git to use 'mgpg-brickies' like this:

git config --local gpg.openpgp.program mgpg-brickies
git config --local user.signingkey 0x1E4410A4024BC6F0

The result seems to work. When you attempt to sign something, you get a dialog that says "Insert the yubikey with serial XXXX". Then hit "OK", type in the PIN and it signs.

The end result is that:

  • All GPG key material lives on the yubikey.
  • Yubikey requires a pin before it will sign something
  • Removing the yubikey fully removes any ability for any attacker to use the key
  • I can trivially take the yubikey to another system to get the same!

SSH

Todo: I haven't set this up yet. There is seemingly good doc here on how to set up resident keys with or without pin verification.

#!/bin/sh
fail() { echo "$@" 1>&2; exit 1; }
Usage() {
cat <<EOF
${0##*/} [personality] args
set environment to use provided personality and call gpg with args.
EOF
}
pers="brickies"
me=${0##*/}
# you can 'ln -s mgpg ~/bin/mgpg-work' and then
# 'mgpg-work' behaves like 'mgpg work'
case "$me" in
mgpg-*) pers="${me#*-}";;
esac
# Use first argument as personality if present.
case "$1" in
work|brickies)
[ -d "$HOME/.gnupg-${1}" ] || fail "no $HOME/.gnupg-${1}"
pers="$1"
shift;;
esac
gdir="$HOME/.gnupg-${pers}"
[ -d "$gdir" ] || fail "pers=$pers: no $gdir"
GNUPGHOME="$gdir" exec gpg "$@"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment