@andreicek
Created January 17, 2018 20:35
Markdown of my talk about GPG and Yubikey

Security with

[fit] Yubikey and GPG

--

@andreicek


about me

  • JavaScript Engineer @ Infinum
  • Open source fanatic and contributor
  • Strong believer in overdoing security

--

  • twitter: @andreicek
  • site: andrei.im

PGP vs. OpenPGP vs. GnuPG

  • PGP (1991), a commercial, closed product, later known as Symantec's suite of encryption tools
  • OpenPGP, a standard proposed to the IETF in 1997 and accepted
  • GnuPG, an implementation of the OpenPGP standard (the one we'll use today)

What is this talk about?

  1. Installing GnuPG
  2. Encrypting and decrypting
  3. Signing stuff - what and what not
  4. GPG keys (sig/enc/auth)
  5. Hardware (aka. spending a bunch of money)

What is this talk not about?

  1. Math behind the thing
  2. Commercial tools and implementations
  3. SmartCard standard :(

Installing GnuPG

Win/Linux/MacOS/*BSD

  • on most systems you might already have it
  • install version 2.x.x (a bit safer and easier to use)

```sh
sudo apt-get install gnupg2   # Debian/Ubuntu
brew install gnupg2           # macOS (Homebrew refuses to run under sudo)
sudo pkg install gnupg2       # *BSD
```

on Windows, use Linux on Windows if possible


❤️ Your first key ❤️

```sh
gpg --gen-key  # and follow the interactive setup
# GnuPG 2.1+ only asks for name/email here and uses its defaults; run
# `gpg --full-gen-key` instead to choose RSA and the 4096-bit size recommended below
```

tips 'n' tricks for a safer key:

  • use RSA (for now)
  • 4096-bit key size
  • set up a passphrase, DO NOT skip this
  • you can (and should) add all of your email addresses


Signing private stuff

  • don't. it's better to encrypt, always
  • bad guys who get hold of a signed message can both read its contents and verify it came from you, which makes you liable

What should you sign?

  • git commits
  • packages on package managers (apt-get, bundler, etc.)

Git commits

  • lets others verify that the code is yours

  • don't forget to upload your public key to the git hosting service of your choice

```sh
git config --global commit.gpgsign true
# git signs with the key whose uid matches your committer email;
# set user.signingkey <KEYID> to pick one explicitly
```

[fit] Why package managers should

[fit] always sign their packages?



Ok, so we know how to use this. GPG all the things!


Structure of a GPG key

  • Encryption and decryption key (the [E] subkey below)
  • Signing key ([S] on the primary key below; [C] means it can also certify subkeys and other people's keys)
  • Authentication key (the [A] subkey; think SSH!)

```text
pub   rsa4096 2016-10-02 [SC]
      11F34CE458A1481802115140F611EAEFA07D5401
uid           [ultimate] Andrei Zvonimir Crnkovic (My GPG key) <andrei@infinum.co>
uid           [ultimate] Andrei Zvonimir Crnkovic (My GPG key) <crnkovic.a.z@gmail.com>
uid           [ultimate] Andrei Zvonimir Crnkovic <hello@taco.services>
sub   rsa4096 2016-10-02 [E]
sub   rsa2112 2017-11-13 [A]
```

All of this is for nothing if you don't have friends

  • share your key via your website or a keyserver

    • pgp.mit.edu
    • Keybase.io (would not recommend)
  • upload your keys

  • fetch your friends' keys

  • sign them, and upload them



Selecting the right Yubikey

  • anything from the Yubikey 4 lineup, plus the Neo
  • prices start at $40 and go up to $60
  • you should really buy two (but don't)
  • other vendors are fine too, but Yubico's tooling is great

Moving keys to the device

  • back up all of the keys, both private and public, somewhere you trust
    • my method: export, gzip, encrypt with openssl, upload to S3 and Google Drive
    • second recommended option: store on an encrypted drive!
  • once on the device - always on the device
  • Change PINs! DO NOT FORGET THIS
  • https://github.com/drduh/YubiKey-Guide#configure-smartcard

[fit] A Yubikey should

[fit] never

[fit] leave your person


Taking physical security to a new level

  • once the device has been left unattended, don't trust it
  • once another person has touched the device, don't trust it
  • never let bad guys see the device or know that you have one

References
