(audience: Karmic Labs engineering team)
You're smart. You use full disk encryption. You have a passphrase on your ssh key, perhaps even pbkdf2+pkcs8 if you're really paranoid. Unfortunately, that shell command you pasted in from that site the other week had some hidden shellcode that you didn't notice... or was it that neat little utility that you downloaded after reading the Hacker News article? Doesn't matter, they got the private key files. Now they can get cracking on their own terms or phish away with fake keychain/ssh-askpass popups. You'll never know until your account logs in from halfway around the world and tries to snag a snapshot of our prod databases.
On the other hand, if you'd just use a Neo to manage your RSA keys, your ssh keys won't be on your laptop. This little thing signs ssh handshakes on its own doped-silicon turf instead of handing the keys over to some userland program. Hell, it'll eat your damn keys if you get your password wrong six times in a row. If this thing gets stolen then you'll either know about it or have a knot on your head when you wake up. (Disclaimer: a malicious program could still use your ssh keys from your computer while your Yubikey is plugged in and authenticated, or if your SSH agent is forwarded to a compromised host.)
The YubiKey NEO[-Nano] contains a JavaCard loaded with an OpenPGP applet. This will let you securely generate & store RSA keys for ssh + gpg (you do encrypt your secrets, right?).
- Install the Yubikey personalization tool: `brew install ykpers`
- Configure the Yubikey to enable CCID: `ykpersonalize -m82` (NOTE: DOUBLE CHECK IN `man ykpersonalize`)
- Install `gpg2` with `gpg-agent`. https://gpgtools.org/ should work.
- Use `gpg2 --card-edit` to generate keys. Note the key id values.
- Make sure you update both the PIN AND the admin PIN.
- Run `gpg2 --card-status` and pick out the "Authentication key" - the last 8 hex digits make the "key id".
- Extract the ssh public key with `gpgkey2ssh <8-hex-digit-key-id>`
- Start gpg-agent: `gpg-agent --daemon --enable-ssh-support --log-file ~/.gpg-agent.log --write-env-file "~/.gpg-agent-info"` (note, this may need
- When you're ready to use that ssh key: `source ~/.gpg-agent-info`
- List keys with `ssh-add -l` ... you should see one with a card id.
- Note: `source ~/.gpg-agent-info` takes over from ssh-agent in that shell; add it to ~/.(bash|zsh)_profile if you want gpg-agent to take over always.
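As an added example (not part of the original notes), here is a small POSIX sh helper that does the "pick out the Authentication key" step and the PIN-counter sanity check by hand: it reads `gpg2 --card-status` text on stdin and prints the 8-hex-digit key id that `gpgkey2ssh` wants, plus the user PIN retries left before the card locks. The card-status text below is a constructed sample with made-up fingerprints, not output from a real card.

```shell
#!/bin/sh
# Added helper: parse `gpg2 --card-status` output for the Authentication key's
# short key id and the user PIN retry count. Both functions read stdin, so the
# real invocation is:
#   gpg2 --card-status | auth_key_id
#   gpgkey2ssh "$(gpg2 --card-status | auth_key_id)"

# Constructed sample of `gpg2 --card-status` output; fingerprints are made up.
SAMPLE_CARD_STATUS='Application ID ...: D2760001240102000006000000010000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 00000001
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333
      created ....: 2014-01-01 00:00:00
Encryption key....: 4444 5555 6666 7777 8888  9999 AAAA BBBB CCCC DDDD
      created ....: 2014-01-01 00:00:00
Authentication key: 0123 4567 89AB CDEF 0123  4567 89AB CDEF DEAD BEEF
      created ....: 2014-01-01 00:00:00
General key info..: [none]'

# auth_key_id: print the 8-hex-digit "key id" of the Authentication key, i.e. the
# last 8 hex digits of its 40-digit fingerprint. Exits non-zero if the line is
# missing or the fingerprint is malformed.
auth_key_id() {
  awk -F': ' '
    /^Authentication key:/ {
      fp = $2
      gsub(/ /, "", fp)                      # drop the 4-digit grouping spaces
      if (length(fp) == 40 && fp ~ /^[0-9A-Fa-f]*$/) { print substr(fp, 33, 8); ok = 1 }
    }
    END { exit ok ? 0 : 1 }'
}

# pin_retries_left: print the user PIN retry counter (first of the three numbers).
# 0 means the user PIN is blocked and only the admin PIN can unblock it.
pin_retries_left() {
  awk -F': ' '
    /^PIN retry counter/ { split($2, c, " "); print c[1]; ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_CARD_STATUS" | auth_key_id        # prints DEADBEEF
printf '%s\n' "$SAMPLE_CARD_STATUS" | pin_retries_left   # prints 3
```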
(This section from Garrett)
`gpg2 --card-status` may error. Gnome keyring is in the way and will cause you to question your sanity. Here are a few notes to help guide the way. Do these before you follow the MacOS setup instructions for Yubikey.
- `sudo apt-get install gnupg2 gpgsm gnupg-agent`
- `cp /etc/xdg/autostart/gnome-keyring-gpg.desktop ~/.config/autostart`
- `cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart`
- Edit the ~/.config/autostart/gnome-keyring-*.desktop files and change NoDisplay from true to false: `NoDisplay=false`
- Search for 'Startup Applications' in Unity (windows key). Launch it, then uncheck 'GPG Password Agent' and 'SSH Key Agent', and close.
- Log out and then log back in to apply these changes.
`gpg2 --card-status` should function.