- Get the chromebook recovery app
- Download the latest xubuntu iso
- Zip the iso
- Use the chrome recovery app to create a bootable USB
- Put chromebook into dev mode (esc+refresh+power)
- Press Ctrl + D when the warning pops up
- Press Ctrl + D when asked about OS verification
- Get the chromeos firmware update instructions
- Ctrl+Alt+t to open a crosh shell, then type `shell` to get a real shell
- Paste commands
- Set RW_LEGACY
- Reboot, Ctrl+L -> 1 to get boot options, boot from your usb
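# Install the YubiKey manager CLI (ykman) and GnuPG's smartcard daemon.
# NOTE(review): nothing after this install appears to need the network;
# consider taking the machine offline before generating keys.
sudo apt update && sudo apt install yubikey-manager scdaemon
# Directory that will hold the exported key files. Created owner-only (0700)
# because secret-key exports are written into it further down.
mkdir -p -m 700 gpg && cd gpg
# Interactive key generation; the gpg> lines are the answers to its prompts.
gpg --expert --full-gen-key
gpg> 9 # ECC and ECC
gpg> 1 # Curve 25519
gpg> 0 # Does not expire
gpg> y # This is correct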
Fill out your info and enter a password
Make sure to note the key ID from the output line "key <keyid> marked as ultimately trusted"
# Save the key ID to a file for the later commands; replace <keyid> with the
# value gpg printed.
printf '%s\n' "<keyid>" > keyid
Next, add some subkeys
# Open the key for interactive editing; the key ID is read from the keyid
# file. The gpg> lines below are typed at gpg's prompt, not in the shell.
gpg --expert --edit-key $(cat keyid)
# First added subkey: signing only.
gpg> addkey
gpg> 11 # ECC (set your own capabilities)
gpg> Q # Only 'Sign' should be selected
gpg> 1 # Curve 25519
gpg> 0 # Does not expire
gpg> y # Yep
gpg> y # One more time
# Second added subkey: authentication only.
gpg> addkey
gpg> 11 # ECC (set your own capabilities)
gpg> A # toggle the Authenticate capability
gpg> S # toggle the Sign capability
gpg> Q # Only 'Authenticate' should be selected
gpg> 1 # Curve 25519
gpg> 0 # Does not expire
gpg> y # Yep
gpg> y # One more time
# Should have 3 subkeys for E, S, A
# (the E subkey presumably comes from the initial "ECC and ECC" generation)
gpg> save
Export your keys
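# Export the key material as ASCII-armored files in the current directory.
# The subshell keeps the tightened umask local to the two secret-key exports,
# so those files are created readable by the owner only.
(
  umask 077
  # Primary secret key together with the secret subkeys.
  gpg --armor --export-secret-keys "$(cat keyid)" > mastersub.key
  # Secret subkeys only.
  gpg --armor --export-secret-subkeys "$(cat keyid)" > sub.key
)
# Public key.
gpg --armor --export "$(cat keyid)" > public.key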
Make an encrypted backup of this folder
# Step out of gpg/ so the whole directory is archived.
cd ..
# Stream a gzip-compressed tar of gpg/ straight into gpg, which encrypts it
# symmetrically (passphrase-based) with AES256 and writes gpg.tar.gz.enc.
# The archive itself never touches disk unencrypted; the gpg/ directory
# still does.
# NOTE(review): confirm the backup decrypts before relying on it, e.g.
#   gpg --decrypt gpg.tar.gz.enc | tar tz
tar cz gpg | gpg --batch --cipher-algo AES256 --symmetric --output gpg.tar.gz.enc
Mount your usb drive and copy the encrypted backup from it into a temporary working directory, then decrypt it
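# Fresh private working directory for the restore. Assign first and check
# before use: if mktemp fails, an empty unquoted TEMPDIR would turn the cd
# into a plain "cd" to $HOME and the decrypted keys would be unpacked there.
TEMPDIR=$(mktemp -d) && export TEMPDIR
cd "${TEMPDIR:?mktemp failed}"
mkdir -p mount
# Replace </dev/sdb> with the device that holds the backup. Only reads are
# needed here, so a read-only mount (-o ro) is sufficient.
sudo mount </dev/sdb> mount
cp mount/gpg.tar.gz.enc .
# Decrypt the archive and unpack it; the tarball contains the gpg/ directory.
gpg --batch --cipher-algo AES256 --decrypt gpg.tar.gz.enc | tar xz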
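You'll want to work on a copy of your keys if you're gonna do this more than once: moving a subkey to the card normally leaves only a stub behind in the keyring you moved it from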
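# Throwaway GnuPG home so the card operations never touch the default
# keyring. Assign first and check before use: with GNUPGHOME empty, gpg
# would fall back to its default home directory.
GNUPGHOME=$(mktemp -d) && export GNUPGHOME
# Copy the restored key files next to the temporary keyring and work there.
cp -r gpg "${GNUPGHOME:?mktemp failed}"
cd "$GNUPGHOME/gpg"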
Now we can copy your keys to your yubikey
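# Load the exported secret keys into the current (temporary) keyring.
gpg --import mastersub.key
# The key ID is read from the keyid file in this directory.
gpg --edit-key "$(cat keyid)"
# For each subkey: select it, move it to the card with keytocard, answer the
# slot prompt, then deselect it again ("key N" toggles the selection) so the
# next move affects exactly one subkey.
gpg> key 1
gpg> keytocard
gpg> 2 # (2) Encryption key
gpg> key 1
gpg> key 2
gpg> keytocard
gpg> 1 # (1) Signature key
gpg> key 2
gpg> key 3
gpg> keytocard
gpg> 3 # (3) Authentication key
gpg> key 3
# Saving normally leaves only card stubs for these subkeys in this keyring,
# so run this against a copy of the keys, never the only backup.
gpg> save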
# Open gpg's interactive card menu and fill in the cardholder attributes.
# NOTE(review): gpg treats these attribute commands as admin commands; if it
# refuses them, enter `admin` at the gpg/card> prompt first.
gpg --edit-card
gpg/card> name
gpg/card> sex
gpg/card> url
gpg/card> login
gpg/card> lang
Default PINs: the user PIN is 123456 and the admin PIN is 12345678. Change both.
# Enable admin commands, then open the PIN menu and replace both factory PINs.
gpg/card> admin
gpg/card> passwd
Your selection? 3 # change Admin PIN
Your selection? 1 # change PIN
Your selection? q # leave the PIN menu
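# Require a physical touch for each use of the OpenPGP authentication,
# encryption and signature keys on the card.
ykman openpgp keys set-touch aut on
ykman openpgp keys set-touch enc on
ykman openpgp keys set-touch sig on
# Store a static password in OTP slot 2 (US keyboard layout, no trailing
# Enter).
# NOTE(review): the secret is passed as a command-line argument here, so it
# can end up in shell history and the process list. A static slot also types
# the secret out for whoever holds the key, without asking for a PIN.
ykman otp static -f --no-enter -k US 2 <1password secret key>
# Remove the configuration in OTP slot 1.
ykman otp delete -f 1
# Set the FIDO PIN. Without --new-pin, ykman prompts for it, which keeps the
# PIN out of shell history and the process list.
ykman fido access change-pin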
Mostly stolen from: