@bramswenson
Last active September 19, 2023 17:34

Bootstrap Security - Encrypted USB Storage + Yubikey + GPG + SSH

The purpose of this guide is to provide step-by-step instructions to bootstrap a secure identity with GPG and SSH keys, keeping the GPG master key on an encrypted USB device rather than on the host disk.

  1. Format USB Storage Device with LUKS Encryption
  2. Create GPG master keypair and subkey
  3. Move GPG master keypair to Encrypted USB Storage
  4. Create SSH Keys and backup to Encrypted USB Storage

Setup Encrypted USB Storage Device

  1. Insert the USB device and identify its device node with dmesg or lsblk (the steps below assume /dev/sdb1; double-check it, because wipefs and luksFormat destroy whatever is on the device you name)
  2. Wipe existing filesystem signatures from the USB partition - sudo wipefs --all /dev/sdb1
  3. Set up the LUKS container on the usb partition (you are asked for the passphrase twice) - sudo cryptsetup -y -v luksFormat /dev/sdb1
  4. Create a standard device mapper name - sudo cryptsetup luksOpen /dev/sdb1 bram-swenson-secret-data
  5. Check new mapping was created - ls -l /dev/mapper/bram-swenson-secret-data
  6. Check the status of the new mapping - sudo cryptsetup -v status bram-swenson-secret-data
  7. Format the mapped device with ext4 - sudo mkfs.ext4 /dev/mapper/bram-swenson-secret-data
  8. Close the encrypted container on the usb device - sudo cryptsetup luksClose bram-swenson-secret-data
  9. Remove and reinsert the USB device; the Arch desktop should detect the LUKS container and prompt for the passphrase before mounting it
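The steps above as one script, added here as an example and not part of the gist. It wraps the same wipefs/cryptsetup/mkfs commands in a function that refuses to run unless the target is a partition on a disk that sysfs flags as removable, which is the check that protects you from the wrong-device typo in step 1. The device node /dev/sdb1 and the mapper name are the gist's; SYSFS is a parameter (an assumption of this example) so the safety check can be exercised against a constructed sysfs tree without real hardware.

```shell
#!/usr/bin/env bash
# Added example, not part of the gist: the LUKS steps as a script that only
# formats a partition on a removable disk. SYSFS is parameterised so the
# safety check can be tested on a constructed tree instead of /sys.
set -eu

SYSFS="${SYSFS:-/sys}"

# is_removable_partition /dev/sdb1 -> 0 if the parent disk is flagged
# removable in sysfs and the node really is one of its partitions, else 1.
# Catches the classic mistake of running wipefs/luksFormat against the
# system disk (or against a whole disk instead of the partition).
is_removable_partition() {
    part="${1##*/}"                                       # sdb1, nvme0n1p1, mmcblk0p1
    disk=$(printf '%s' "$part" | sed -E 's/p?[0-9]+$//')  # sdb, nvme0n1, mmcblk0
    flag="$SYSFS/block/$disk/removable"
    [ -d "$SYSFS/block/$disk/$part" ] || return 1         # not a partition of that disk
    [ -r "$flag" ] && [ "$(cat "$flag")" = 1 ]
}

# luks_usb_setup DEV NAME: steps 2-8 of the list above, in order, after the
# safety check. luksFormat prompts twice for the passphrase.
luks_usb_setup() {
    dev="$1" name="$2"
    is_removable_partition "$dev" || {
        echo "refusing: $dev is not a partition on a removable disk" >&2
        return 1
    }
    sudo wipefs --all "$dev"
    sudo cryptsetup -y -v luksFormat "$dev"
    sudo cryptsetup luksOpen "$dev" "$name"
    ls -l "/dev/mapper/$name"
    sudo cryptsetup -v status "$name"
    sudo mkfs.ext4 "/dev/mapper/$name"
    sudo cryptsetup luksClose "$name"
    # Confirm what was written: LUKS version, cipher and the single key slot.
    sudo cryptsetup luksDump "$dev" | head -n 20
}

# Only act when invoked as `./luks-usb.sh format /dev/sdb1 [NAME]` or
# `./luks-usb.sh list`; running with no arguments just defines the functions.
case "${1:-}" in
    format) luks_usb_setup "$2" "${3:-bram-swenson-secret-data}" ;;
    list)   lsblk -o NAME,SIZE,RM,TYPE,MOUNTPOINT ;;   # step 1: RM=1 marks removable disks
esac
```

`list` covers step 1 (lsblk's RM column is the same sysfs flag the check reads), and `format` runs steps 2 through 8; step 9 is still done by hand. The check is deliberately conservative: a whole-disk node such as /dev/sdb is rejected because the gist formats a partition, and an internal NVMe or SATA disk is rejected because its `removable` flag is 0.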

Create GPG master and subkeys

Follow this guide, with the exceptions listed below: https://github.com/drduh/YubiKey-Guide#creating-keys

  1. Set your GNUPGHOME to a directory on the mounted Encrypted USB Storage device, so the master key is never written to the host disk (the mount path below is this machine's; yours will differ). Create the directory first and restrict it, since gpg warns about unsafe home directory permissions - mkdir -p /run/media/bram/9e09a803-2c9d-4fcb-bf2f-3b5bcfaed225/gpg/GNUPGHOME ; chmod 700 /run/media/bram/9e09a803-2c9d-4fcb-bf2f-3b5bcfaed225/gpg/GNUPGHOME ; export GNUPGHOME=/run/media/bram/9e09a803-2c9d-4fcb-bf2f-3b5bcfaed225/gpg/GNUPGHOME ; echo $GNUPGHOME
  2. Use the full interactive generation so you are prompted for key type, size, expiry and user ID on master key creation: gpg --full-generate-key
  3. Select a 1 year expiration for your master key and set a calendar event for a few weeks before expiration
  4. Really SET A CALENDAR EVENT for a few weeks in advance!
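Added example, not part of the gist: a few shell helpers for steps 1 and 3 above. They verify that GNUPGHOME really sits on the mounted LUKS volume before gpg is run, read the master key's expiry out of `gpg --with-colons --list-keys`, and write the calendar event that step 4 insists on as an iCalendar file three weeks before expiry. The mount path is the gist's; the 21-day lead, the `.ics` output location and the sample colon-format listing are assumptions of this example (the listing is constructed, not a real key). gpg, findmnt and GNU `date -d` are only called in the guarded `run` path, so the parsing and date arithmetic can be checked offline.

```shell
#!/usr/bin/env bash
# Added example, not part of the gist: checks and reminder generation for a
# GPG home directory kept on the encrypted USB device.
set -eu

MOUNT="${MOUNT:-/run/media/bram/9e09a803-2c9d-4fcb-bf2f-3b5bcfaed225}"
GNUPGHOME="${GNUPGHOME:-$MOUNT/gpg/GNUPGHOME}"
LEAD_DAYS=21   # assumption: "a few weeks" before expiry

# path_under DIR ROOT -> 0 if DIR is ROOT or lies beneath it.
# Pure string check; does not resolve symlinks.
path_under() { case "$1" in "$2"|"$2"/*) return 0 ;; *) return 1 ;; esac; }

# Read `gpg --with-colons --list-keys` on stdin. In GnuPG 2.x the pub record
# carries creation (field 6) and expiry (field 7) as seconds since the epoch;
# field 5 is the key ID. Only the first primary key is reported.
expiry_epoch()   { awk -F: '$1=="pub" {print $7; exit}'; }
primary_keyid()  { awk -F: '$1=="pub" {print $5; exit}'; }

# reminder_epoch EXPIRY -> when the calendar event should fire.
reminder_epoch() { echo $(( $1 - LEAD_DAYS * 86400 )); }

# reminder_ics KEYID YYYYMMDD -> an all-day iCalendar event on stdout that any
# calendar client can import. CRLF line endings are required by RFC 5545.
reminder_ics() {
    keyid="$1" day="$2"
    printf 'BEGIN:VCALENDAR\r\nVERSION:2.0\r\nPRODID:-//gpg-expiry-reminder//EN\r\n'
    printf 'BEGIN:VEVENT\r\nUID:gpg-expiry-%s@local\r\nDTSTAMP:%s\r\n' \
        "$keyid" "$(date -u +%Y%m%dT%H%M%SZ)"
    printf 'DTSTART;VALUE=DATE:%s\r\nSUMMARY:Renew GPG master key %s (expires in %d days)\r\n' \
        "$day" "$keyid" "$LEAD_DAYS"
    printf 'END:VEVENT\r\nEND:VCALENDAR\r\n'
}

# Constructed sample listing (not a real key): a cert-only primary key created
# at 1700000000 that expires one year later, plus one signing subkey.
SAMPLE_COLONS='tru::1:1700000000:1731536000:3:1:5
pub:u:255:22:0123456789ABCDEF:1700000000:1731536000::u:::c::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1700000000::0000000000000000000000000000000000000000::Bram Swenson <bram@example.com>::::::::::0:
sub:u:255:22:FEDCBA9876543210:1700000000:1731536000:::::s::::::23::0:'

# `./gpg-usb.sh run` performs the live checks; no arguments only defines the helpers.
if [ "${1:-}" = "run" ]; then
    path_under "$GNUPGHOME" "$MOUNT" || { echo "GNUPGHOME must live under $MOUNT" >&2; exit 1; }
    # findmnt -T reports the device backing the mount; a LUKS volume shows up as /dev/mapper/...
    findmnt -T "$MOUNT" -n -o SOURCE | grep -q '^/dev/mapper/' \
        || { echo "$MOUNT is not a mounted device-mapper (LUKS) volume" >&2; exit 1; }
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    export GNUPGHOME
    listing=$(gpg --with-colons --list-keys)
    exp=$(printf '%s\n' "$listing" | expiry_epoch)
    [ -n "$exp" ] || { echo "no primary key with an expiry found in $GNUPGHOME" >&2; exit 1; }
    keyid=$(printf '%s\n' "$listing" | primary_keyid)
    day=$(date -u -d "@$(reminder_epoch "$exp")" +%Y%m%d)   # GNU date
    reminder_ics "$keyid" "$day" > "$MOUNT/gpg/renew-$keyid.ics"
    echo "key $keyid expires $(date -u -d "@$exp" +%F); reminder written for $day"
fi
```

The findmnt check is the one worth keeping even if you drop the rest: it fails if the USB device was auto-mounted unencrypted or if GNUPGHOME silently fell back to a directory on the host disk, either of which defeats the point of this section.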