Setting up YubiKeys Notes
To setup a YubiKey 4 and YubiKey 5 NFC to both authenticate myself for the following services:
- U2F for Google Advanced Protection, GitHub, etc.
- OpenPGP smart card (using same private key on both devices) for signing, encrypting, and auth (including SSH)
- Yubico OTP (for some legacy services, etc)
The YubiKey 5 NFC will be carried around with me on my keychain and will be my daily driver. The YubiKey 4 will be stored in a safe place.
The best manual I can find for securing things is the YubiKey FIPS manual: https://support.yubico.com/support/solutions/articles/15000012643-yubikey-manager-cli-ykman-user-manual
- Lock slot 1 on both cards with a 6 byte password that only I know. This will prevent the Yubico OTP credentials from being changed and should also disallow enabling/disabling of other operations that the card can do.
ykman otp --access-code=<access code> settings 1
- Configure Google Advanced Protection to use these two keys, then log in correctly on Chrome/Chromium and on my phone: https://landing.google.com/advancedprotection/
- Add both YubiKeys' Yubico OTP to Bitwarden.
- Setup U2F 2nd factor auth for all providers who support it that I use (ie: github, bitwarden, etc).
- On live CD running machine, gerenate a long living GnuPG private/public RSA4096 master signing key pair, use password and store in tmpfs.
- Print a copy of the private key and store somewhere safe.
- Burn master key pair to an archival CD/DVD and store somewhere safe.
- Transfer master key pair onto Yubikey 4 OpenPGP applet.
- Generate shorter living RSA4096 signing, encryption, and authentication sub keys. Have master key sign all of these as sub keys.
- Transfer new sub keys to Yubikey 5.
- Delete all keys from tmpfs. Power off laptop and remove battery for an hour.
- Now master private key only exists in safe place on paper and CD, and on Yubikey 4. Now subkey private keys only exist on Yubikey 5.
- Boot normal Linux machine.
- Push master public key to a keyserver. It will show that it has signed my subkeys.
- Output SSH key from Yubikey 5 auth subkey and upload to all services which I currently use key based SSH auth for (ie: github, gitlab, servers @work, etc).
- Store printed key, archive CD with key, and Yubikey 4 somewhere safe.
- Document this stuff!
I should then revoke my old Yubikey NEO public keys with the key server.
When I need to make new subkeys (every year or so) or to sign someone else's key for them, I will use the Yubikey 4. For everything else I'll use just the Yubikey 5.