Overview

This section aims to get your Yubikey-neo set up and ready to load the GPG subkeys onto.

Now that we have a livecd with the Yubikey tools, we need to set up the Yubikey.
For our needs this has two parts:

  • Setting the mode for OTP/U2F/CCID
  • Personalising the card and setting the PINs

Requirements

  • Yubikey-neo(s)
  • Custom systemrescue cd from the post "Custom systemrescuecd to support pcsc/smartcards"
  • USB keys created in "Creating secure GPG keys with subkeys"

Steps

Booting the Live media

Using the media from the post "Custom systemrescuecd to support pcsc/smartcards", boot your off-line machine the same way as outlined in the post "Creating secure GPG keys with subkeys".

Ensure you have the USB stick mounted at /mnt/custom and GNUPGHOME exported to the correct path as stated in the "Creating secure GPG keys with subkeys" post.

Changing the Yubikey mode

By default the Yubikey-neo does not ship with the CCID mode enabled. CCID is the standard that allows GPG (and other apps) to talk to smart cards. At a minimum you must enable CCID, alone or in combination with the other modes, to be able to store GPG subkeys on the key.

I want to enable all the modes supported by the Yubikey-neo; after all, who knows what I will need later on. For this we use the "ykpersonalize" command line tool on the custom livecd.

Let's take a look at this section from the man page:

              -m mode
                     set  device  configuration  for  the  YubiKey.   It  is parsed in the form
                     mode:cr_timeout:autoeject_timeout
                     where mode is:
                     0    OTP device only.
                     1    CCID device only.
                     2    OTP/CCID composite device.
                     3    U2F device only.
                     4    OTP/U2F composite device.
                     5    U2F/CCID composite device.
                     6    OTP/U2F/CCID composite device.
                     Add 80 to set MODE_FLAG_EJECT, for example: 81
                     cr_timeout is the timeout in seconds for the YubiKey  to  wait  on  button
                     press for challenge response (default is 15)
                     autoeject_timeout  is  the timeout in seconds before the card is automatically
                     ejected in mode 81

I want to enable all functions, so that would be mode "6" from the above list. You also need to add the leading "8" (the "add 80" MODE_FLAG_EJECT flag from the man page) to allow touch eject/insert support; this flag is what drives the touch sensor on the top of the key. So the full mode becomes "86".

Let's see it in action:

% ykpersonalize -v -m 86
Firmware version 3.4.3 Touch level 1541 Program sequence 2
Serial number : 3646853

The USB mode will be set to: 0x86

Commit? (y/n) [n]: y
Attempting to write configuration to the yubikey... success
%

Now remove the Yubikey from the USB slot and re-insert it; this activates the new mode.

Starting PCSC and gpg-agent services

Two services need to be running for GPG to be able to access the card.
The first one is PCSC. The custom live CD already has this installed; you just need to start it.

/etc/init.d/pcscd start

Next you need to start the gpg-agent; this service sits between PCSC and GPG. Make sure you run the following command from the same shell in which you exported GNUPGHOME.

You want to run the command "gpg-agent --daemon":

% gpg-agent --daemon
gpg-agent[2622]: directory `/mnt/custom/gnupghome/private-keys-v1.d' created
GPG_AGENT_INFO=/tmp/gpg-hx0OYL/S.gpg-agent:2623:1; export GPG_AGENT_INFO;
gpg-agent[2623]: gpg-agent (GnuPG) 2.0.26 started
%

Next, try querying the Yubikey via GPG. The command you need to run is "gpg --card-status":

% gpg --card-status
Application ID ...: D2760001240102000006036475550000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 03647555
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
%

You can see from the above that GPG can read the Yubikey.

Personalising and securing the Yubikey

As you saw from the "card-status" output in the last section, there are a few fields that we should fill in.

Notes:

  • Default Yubikey "user PIN" is "123456"
  • Default Yubikey "admin PIN" is "12345678"
  • Aside from changing the PINs, the other fields are optional. You can add them later if you like.
  • To view the card's current config, hit enter at any blank "gpg/card>" prompt.

Run the command "gpg --card-edit" and follow along with the steps outlined below:

% gpg --card-edit

Application ID ...: D2760001240102000006036475550000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 03647555
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> admin
Admin commands are allowed

gpg/card> passwd
gpg: OpenPGP card no. D2760001240102000006036475550000 detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 1
PIN changed.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 3

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? q

gpg/card>

gpg/card> url
URL to retrieve public key: https://brendan.horan.hk/76E0A15A-pub-key.txt

gpg/card> sex
Sex ((M)ale, (F)emale or space): m

gpg/card> login
Login data (account name): brendan

gpg/card> name
Cardholder's surname: Horan
Cardholder's given name: Brendan

gpg/card>

Application ID ...: D2760001240102000006036475550000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 03647555
Name of cardholder: Brendan Horan
Language prefs ...: en
Sex ..............: male
URL of public key : https://brendan.horan.hk/76E0A15A-pub-key.txt
Login data .......: brendan
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card>
gpg/card> quit
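As an added example (not code from the original post), here is a small POSIX shell pre-flight check that parses the text "gpg --card-status" prints. It covers both checkpoints in this post: after the card-status step it confirms the card is a readable, empty Yubico card with all PIN retry counters still at 3, and after the card-edit session it confirms the cardholder name and public-key URL are filled in. The function names and the two embedded sample outputs are this example's own constructions; on the live CD you would feed it the real command output instead.

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-flight check over the
# text that `gpg --card-status` prints. Run it after the card-status step
# (card readable, empty, retry counters intact) and again after personalising
# the card, before any subkey is loaded. Everything below runs offline on
# constructed samples; the function names and sample values are this example's own.

# Constructed sample: a fresh card, in the shape of the output shown above.
SAMPLE_FRESH='Application ID ...: D2760001240102000006036475550000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 03647555
Name of cardholder: [not set]
URL of public key : [not set]
Signature PIN ....: forced
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]'

# Constructed sample: a personalised card that already holds a signature key
# and whose user PIN retry counter has been decremented by wrong PIN attempts.
SAMPLE_USED='Manufacturer .....: Yubico
Serial number ....: 03647555
Name of cardholder: Example User
URL of public key : https://example.invalid/pub-key.txt
PIN retry counter : 1 3 3
Signature key ....: 0000 0000 0000 0000 0000  0000 0000 0000 0000 0000
Encryption key....: [none]
Authentication key: [none]'

# card_field LABEL TEXT: print the value of the first line whose label starts
# with LABEL. Labels are padded with dots up to the colon, so match the prefix
# and strip everything through the first ": ".
card_field() {
    printf '%s\n' "$2" | awk -v label="$1" \
        'index($0, label) == 1 { sub(/^[^:]*: */, ""); print; exit }'
}

# check_card_empty TEXT: 0 if this is a Yubico card with all three PIN retry
# counters at 3 and no key in any slot; non-zero (reason on stderr) otherwise.
# A decremented counter means a PIN was typed wrong or is blocked, which is
# better found now than halfway through loading keys; an occupied slot means a
# key is already on the card and loading would overwrite it.
check_card_empty() {
    text="$1"
    [ "$(card_field 'Manufacturer' "$text")" = "Yubico" ] ||
        { echo "not a Yubico card" >&2; return 1; }
    [ "$(card_field 'PIN retry counter' "$text")" = "3 3 3" ] ||
        { echo "a PIN retry counter is below 3; check the PINs first" >&2; return 2; }
    for slot in 'Signature key' 'Encryption key' 'Authentication key'; do
        [ "$(card_field "$slot" "$text")" = "[none]" ] ||
            { echo "$slot slot already holds a key" >&2; return 3; }
    done
    return 0
}

# check_card_personalised TEXT: 0 once the cardholder name and public-key URL
# have been filled in with "gpg --card-edit"; 1 while either is still [not set].
check_card_personalised() {
    text="$1"
    for field in 'Name of cardholder' 'URL of public key'; do
        value="$(card_field "$field" "$text")"
        [ -n "$value" ] && [ "$value" != "[not set]" ] ||
            { echo "$field is not set" >&2; return 1; }
    done
    return 0
}

# On the live CD, with the card inserted and pcscd/gpg-agent running, you would
# pass the real output instead:  check_card_empty "$(gpg --card-status)"
if check_card_empty "$SAMPLE_FRESH"; then
    echo "sample card is empty and ready for subkeys"
fi
```

The check only reads the card; it never changes anything on it. The retry-counter test is the one worth keeping even if you drop the rest: a counter that is not 3 3 3 on a card you have just set up means one of the PINs is not what you think it is, and the card blocks after three wrong attempts.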

That is it for this post. The Yubikey is ready to use.
In the next post I will show you how to load the subkeys onto the Yubikey.
