→ Great great documentation about all this (so much better): https://github.com/drduh/YubiKey-Guide
Documentation for PIV: https://github.com/Yubico/yubikey-piv-manager/tree/master/doc
To manage the certificates: https://www.yubico.com/support/knowledge-base/categories/articles/unpair-yubikey-piv-login-macos-sierra/
Personalization tool: https://itunes.apple.com/us/app/yubikey-personalization-tool/id638161122
You have to install GPG of course ;).
Very good guide here: https://github.com/drduh/YubiKey-Guide
Read the key info to be sure the card is connected:
$ gpg2 --card-status
Then load the public key if it is not available online. If you use keybase.io, your key is available online using the keybase keys server.
$ gpg2 --import < key.asc
Fetch the private key on the smartcard:
It will download the public key if you don't have it already.
$ gpg2 --card-edit
gpg/card> fetch
Then run the GPG Agent:
killall ssh-agent gpg-agent
unset GPG_AGENT_INFO SSH_AGENT_PID SSH_AUTH_SOCK
eval $(gpg-agent --daemon --enable-ssh-support)
Check if the key is present:
ssh-add -L
If not, try gpg2 --card-status again. If the card is present you should have the key listed.
It should take some time to list the keys in the agent if the system is using GPG.
If the key was in the agent before (you lost your card, and you are using your backup card), then you have to remove the cached private key in the ~/.gnupg/private-keys-v1.d directory.
DO NOT REMOVE ALL FILES because if you do, you'll lose all private keys that you have.
You can get the list of all keygrips you would like to remove by using: gpg2 --list-secret-keys --with-keygrip KEYID
Then you can reimport your public key, and only AFTER that insert your YubiKey and run gpg2 --card-status. If you keep your YubiKey inserted when you reimport the public key you'll have a "no secret key" issue. (see here)
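One way to do this cleanup without touching on-disk private keys, as an added example that is not part of the original notes: it reads the keygrips from gpg's colon-format output and moves only smartcard stub files (the ones containing the "shadowed-private-key" marker) into a backup directory. The function names, the backup path and KEYID are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original notes): move only the smartcard stub
# files of one key out of private-keys-v1.d, leaving real private keys alone.

# Print the keygrips found in `gpg --with-colons --with-keygrip` output (stdin).
# In colon format the keygrip is field 10 of each "grp" record.
keygrips_from_colons() {
    awk -F: '$1 == "grp" && length($10) == 40 && $10 !~ /[^0-9A-Fa-f]/ {
        print toupper($10)
    }'
}

# Read keygrips on stdin and move the matching card stubs from $1 to $2.
# Prints the name of every file moved. A file without the
# "shadowed-private-key" marker holds a real private key: it is reported
# on stderr and left in place.
stash_card_stubs() {
    keydir=$1
    backup=$2
    mkdir -p "$backup" || return 1
    while IFS= read -r grip; do
        f="$keydir/$grip.key"
        [ -f "$f" ] || continue
        if grep -aq 'shadowed-private-key' "$f"; then
            mv -- "$f" "$backup/" && printf '%s\n' "$grip.key"
        else
            printf 'kept (not a card stub): %s\n' "$grip.key" >&2
        fi
    done
}

# Usage (KEYID and the backup directory are placeholders):
#   gpg2 --list-secret-keys --with-keygrip --with-colons KEYID \
#     | keygrips_from_colons \
#     | stash_card_stubs "$HOME/.gnupg/private-keys-v1.d" "$HOME/gnupg-stub-backup"
```

Moving the stubs instead of deleting them means a mistake can be undone by copying the files back.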
Put this into your ~/.profile file:
#!/bin/bash
GPG_TTY=$(tty)
export GPG_TTY
if [ -S "${HOME}/.gnupg/S.gpg-agent.ssh" ]; then
    export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"
fi
A good way to restart the agent is:
killall ssh-agent gpg-agent
unset GPG_AGENT_INFO SSH_AGENT_PID SSH_AUTH_SOCK
eval $(gpg-agent --daemon --enable-ssh-support)
You can find the list of your keys' keygrips in ~/.gnupg/sshcontrol.
In this file you'll find all the keygrips.
If at some point you need to use a GPG key for SSH without a smartcard, you need to add the keygrip to this file.
To find the keygrip of your key (you need to have an authentication subkey A) use the following:
gpg2 --with-keygrip -k
Then you'll be able to find the keygrip of your A subkey.
Insert the backup key and run:
gpg-connect-agent "scd serialno" "learn --force" /bye
See: https://developers.yubico.com/PGP/SSH_authentication/Windows.html
Using fetch to import the private key somewhat implies that it is publicly available.