So you want to be super secure and awesome with a GitHub "Verified" badge next to your commits? Read on!

The below has been tested and verified with a new Yubico YubiKey 5C NFC. Note that the FIPS versions don't seem to support SSH usage, and e.g. the YubiKey Bio is missing support for several of the standards used here.
The idea is that you end up with a YubiKey 5 holding:
- a signing key for commit signing
- an authentication key for SSH authentication
- both protected by a PIN that is cached for a set amount of time (so the device is useless to whoever steals it)
- both protected by a touch for each operation (to prevent unattended use)
- custom PINs set so the device can't be reset using the factory-default PINs

Steps:
- Create or export a GPG secret key (you can e.g. use your exported ProtonMail secret key 😎)
- Create YubiKey-only signing and authentication keys
- Set custom PINs and settings
- Test it :party:
Assuming you are on macOS, have brew installed and are running zsh:

```sh
# Use brew-managed openssh to be on the latest feature set
brew install openssh gpg-suite ykman
# Set up gpg-agent and shell integration properly
echo 'enable-ssh-support' >> ~/.gnupg/gpg-agent.conf
echo 'export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)' >> ~/.zshrc
echo 'gpgconf --launch gpg-agent' >> ~/.zshrc
echo 'gpg-connect-agent /bye' >> ~/.zshrc
echo 'export GPG_TTY=$(tty)' >> ~/.zshrc
```
Make sure you have your secret key, either created with `gpg --expert --full-generate-key` or downloaded securely from e.g. ProtonMail.
```sh
# Find your SOME_KEY_ID (the key id or fingerprint of your secret key)
gpg --list-secret-keys --with-keygrip
gpg --expert --edit-key SOME_KEY_ID
```

The following commands are typed at the `gpg>` prompt of the editor. Keep in mind that `keytocard` *moves* a secret key onto the device: once you `save`, only a stub pointing at the card remains in the local keyring, so make sure you have an offline backup of the secret key first.

```
# move the existing secret (primary) key to the card
keytocard
# select the existing encryption subkey and move it to the card as well
key 1
keytocard
# add a device-only signing key (choose 1 = Signature key)
addcardkey
1
# add a device-only authentication key (choose 3 = Authentication key)
addcardkey
3
# SAVE it! (save writes the changes and leaves the editor, so no separate quit is needed)
save
```
```sh
echo "test" | gpg -u YOUR_KEY_USER_ID --clearsign
```
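To go a little beyond the single clearsign above, here is an added check script (not part of the original guide) that tests the end state the guide aims for: all three card slots populated, gpg-agent configured to serve SSH, `SSH_AUTH_SOCK` pointing at gpg-agent, a card-backed key visible to `ssh-add -L`, and a sign/verify round trip. The text-parsing helpers take command output as an argument so they can be exercised without a YubiKey; the live checks run only when the script is invoked with `--live`. It assumes bash with `gpg`, `gpgconf` and `ssh-add` on PATH, and relies on gpg-agent's convention of tagging card keys in `ssh-add -L` output with a `cardno:<serial>` comment.

```shell
#!/usr/bin/env bash
# Added example: post-setup checks for a YubiKey used for GPG signing and SSH.
# Assumes gpg, gpgconf and ssh-add are installed; the YubiKey must be inserted
# for the --live checks.
set -u

# Number of populated OpenPGP slots (0..3) in `gpg --card-status` output.
# A filled slot line looks like "Signature key ....: 1234 5678 ...",
# an empty one like "Encryption key....: [none]".
populated_slots() {
  printf '%s\n' "$1" | grep -E '^(Signature|Encryption|Authentication) key' \
    | grep -vc '\[none\]' || true
}

# Whether `ssh-add -L` output lists at least one key served from a smart card.
# gpg-agent appends a "cardno:<serial>" comment to such keys.
has_card_ssh_key() {
  printf '%s\n' "$1" | grep -q 'cardno:'
}

# Whether a gpg-agent.conf body enables the SSH agent emulation the guide relies on
# (the option must be on a line of its own, not commented out).
ssh_support_enabled() {
  printf '%s\n' "$1" | grep -qx 'enable-ssh-support'
}

# Live checks against the real machine and device; returns non-zero on any failure.
live_checks() {
  local status rc=0
  status=$(gpg --card-status 2>/dev/null) || { echo "no card detected"; return 1; }
  [ "$(populated_slots "$status")" -eq 3 ] \
    || { echo "card: not all of sig/enc/auth slots are populated"; rc=1; }
  ssh_support_enabled "$(cat ~/.gnupg/gpg-agent.conf 2>/dev/null)" \
    || { echo "gpg-agent.conf: enable-ssh-support missing"; rc=1; }
  [ "${SSH_AUTH_SOCK:-}" = "$(gpgconf --list-dirs agent-ssh-socket)" ] \
    || { echo "SSH_AUTH_SOCK does not point at the gpg-agent socket"; rc=1; }
  has_card_ssh_key "$(ssh-add -L 2>/dev/null)" \
    || { echo "ssh-add -L: no card-backed key offered"; rc=1; }
  # Sign and verify a message with the default key; the PIN/touch prompt fires here.
  if echo test | gpg --clearsign 2>/dev/null | gpg --verify >/dev/null 2>&1; then
    echo "sign/verify: ok"
  else
    echo "sign/verify: failed"; rc=1
  fi
  return $rc
}

if [ "${1:-}" = "--live" ]; then
  live_checks
fi
```

Run it as `bash check-yubikey.sh --live` with the YubiKey inserted; a successful setup prints `sign/verify: ok` and exits 0, and each failed expectation is reported on its own line so you can see which part of the guide still needs attention.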