Documentation for PIV: https://github.com/Yubico/yubikey-piv-manager/tree/master/doc
To manage the certificates: https://www.yubico.com/support/knowledge-base/categories/articles/unpair-yubikey-piv-login-macos-sierra/
Personalization tool: https://itunes.apple.com/us/app/yubikey-personalization-tool/id638161122
You have to install GPG of course ;).
Very good guide here: https://github.com/drduh/YubiKey-Guide
Read the key info to be sure the card is connected:
$ gpg2 --card-status
Then import the public key from a file if it is not available online (if you use keybase.io, your key is available from the Keybase key server):
$ gpg2 --import < key.asc
Fetch the key from the smartcard. In the card editor, fetch downloads the public key from the URL stored on the card (if you don't already have it) and creates the private-key stubs that point at the card:
$ gpg2 --card-edit
gpg/card> fetch
Then run the GPG Agent:
killall ssh-agent gpg-agent
unset GPG_AGENT_INFO SSH_AGENT_PID SSH_AUTH_SOCK
eval $(gpg-agent --daemon --enable-ssh-support)
Check if the key is present:
ssh-add -l
If not, run gpg2 --card-status again; once the card is detected the key should be listed.
Listing the keys in the agent can take a moment when the agent is backed by GPG.
If the key was already in the agent before (you lost your card and are now using your backup card), remove the cached key stubs from the ~/.gnupg/private-keys-v1.d directory.
For a card-only setup the files in that directory are just stubs pointing at the card, so removing them is safe; gpg recreates them the next time you run fetch or --card-status.
If you also keep on-disk private keys, they live in the same directory, so delete only the stubs for the card's keys.
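Deleting everything in private-keys-v1.d is only safe when the card stubs are all that lives there. As an added example (my own script, not part of the original notes; the function names are mine), here is a POSIX shell script that tells stubs apart from real on-disk keys by the S-expression token each file starts with, lists the stubs, and removes only those. The key files it creates are constructed test data: only their leading tokens are realistic.

```shell
#!/bin/sh
# Added example, not part of the original notes: remove only the smartcard
# stubs from a private-keys-v1.d directory and leave real on-disk keys alone.
#
# GnuPG stores each secret key as <KEYGRIP>.key, a canonical S-expression.
# The leading token identifies what the file holds:
#   (20:shadowed-private-key   stub that points at a card  -> safe to delete
#   (21:protected-private-key  passphrase-protected key    -> keep
#   (11:private-key            unprotected on-disk key     -> keep
# gpg recreates the stubs the next time it sees the card (--card-status / fetch).

# classify_keyfile FILE: print stub | protected | unprotected | unknown
classify_keyfile() {
    # The first 25 bytes of every kind are printable text, so no NUL trouble.
    case "$(head -c 25 "$1")" in
        "(20:shadowed-private-key"*)  echo stub ;;
        "(21:protected-private-key"*) echo protected ;;
        "(11:private-key"*)           echo unprotected ;;
        *)                            echo unknown ;;
    esac
}

# list_card_stubs DIR: print the path of every card stub in DIR, one per line
list_card_stubs() {
    for f in "$1"/*.key; do
        [ -f "$f" ] || continue
        if [ "$(classify_keyfile "$f")" = stub ]; then
            printf '%s\n' "$f"
        fi
    done
}

# remove_card_stubs DIR: delete the stubs only; print how many were removed
remove_card_stubs() {
    n=0
    for f in "$1"/*.key; do
        [ -f "$f" ] || continue
        if [ "$(classify_keyfile "$f")" = stub ]; then
            rm -f "$f"
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# make_sample_dir: build a throwaway directory with three constructed files.
# Only the leading tokens are realistic; the rest is filler, not real key data.
make_sample_dir() {
    d=$(mktemp -d)
    printf '(20:shadowed-private-key(3:rsa(1:n4:FAKE)(1:e1:A)(8:shadowed5:t1-v1)))' > "$d/STUB0001.key"
    printf '(21:protected-private-key(3:rsa(1:n4:FAKE)(1:e1:A)(9:protected4:FAKE)))' > "$d/PROT0002.key"
    printf '(11:private-key(3:rsa(1:n4:FAKE)(1:e1:A)(1:d4:FAKE)))' > "$d/PLAIN003.key"
    printf '%s\n' "$d"
}

# Demo on the constructed directory. For a real run you would instead call
#   list_card_stubs "$HOME/.gnupg/private-keys-v1.d"
# first, inspect the output, and only then remove_card_stubs on that directory.
sample=$(make_sample_dir)
echo "stubs found:"; list_card_stubs "$sample"
echo "removed: $(remove_card_stubs "$sample")"
echo "left behind:"; ls "$sample"
rm -rf "$sample"
```

Run list_card_stubs against your real directory first and check that every path it prints belongs to the card's keys before calling remove_card_stubs; the protected and unprotected classes are never touched.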
Put this into your ~/.profile file (this is the GnuPG 2.0 style: --write-env-file was removed in GnuPG 2.1, where the agent is started on demand and the SSH socket path comes from gpgconf --list-dirs agent-ssh-socket):
#!/bin/bash
# Start gpg-agent with SSH support and record its environment in a file
gpg-agent --daemon --enable-ssh-support \
--write-env-file "${HOME}/.gpg-agent-info"
# Import the agent variables so ssh and gpg can find the running agent
if [ -f "${HOME}/.gpg-agent-info" ]; then
. "${HOME}/.gpg-agent-info"
export GPG_AGENT_INFO
export SSH_AUTH_SOCK
export SSH_AGENT_PID
fi
# Tell gpg which terminal to use for the pinentry prompt
GPG_TTY=$(tty)
export GPG_TTY
A good way to restart the agent is:
killall ssh-agent gpg-agent
unset GPG_AGENT_INFO SSH_AGENT_PID SSH_AUTH_SOCK
. ~/.profile
A few steps to follow:
- Remove your GPG key from your machine.
- Fetch the key using gpg --card-edit as shown above.
- Clear the GPG agent cache if you have to.
- You're all set.
See: https://developers.yubico.com/PGP/SSH_authentication/Windows.html