Overview

Now that you have the Yubikey set up and the subkeys correctly created, it is time to move the subkeys to the Yubikey. This lets you use the Yubikey and your subkeys without ever needing to have your master key online. I will also show you a small trick to load the same subkeys onto many Yubikeys.

Requirements

  • Yubikey-neo(s)
  • Custom systemrescue cd from the post "Custom systemrescuecd to support pcsc/smartcards"
  • USB keys created in "Creating secure GPG keys with subkeys"
  • PCSC and gpg-agent services running on the livecd as detailed in the post "Configuring and securing the Yubikey neo"

Steps

Booting the Live media

Using the media from the post "Custom systemrescuecd to support pcsc/smartcards", boot your off-line machine the same way as outlined in the post "Creating secure GPG keys with subkeys".

Ensure you have the USB stick mounted at /mnt/custom and GNUPGHOME exported to the correct path as stated in the "Creating secure GPG keys with subkeys" post.

Checking the card status

Insert your Yubikey and make sure you can issue the command:

gpg --card-status

That should output something similar to this:

Application ID ...: D2760001240102000006036475550000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 03647555
Name of cardholder: Brendan Horan
Language prefs ...: en
Sex ..............: male
URL of public key : https://brendan.horan.hk/76E0A15A-pub-key.txt
Login data .......: brendan
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 2
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

Obviously you will have your own details set.

Moving the subkeys

Next up we will transfer the subkeys to the Yubikey. The transcript below is from a gpg --edit-key session on the master key (76E0A15A): "key N" toggles the selection of subkey N, so check that only the subkey you mean to move carries the "*" marker before you run "keytocard". Small tip: if you want to copy the same subkeys to multiple Yubikeys, do not type "save" after copying the keys; instead hit "Ctrl-C" to kill gpg. gpg only replaces the secret subkeys in your keyring with card stubs when you save, so quitting without saving leaves the on-disk subkeys intact and you can repeat the copy process as many times as you like. Once you are done, issue the "save" command inside gpg.

gpg> key 1

sec  4096R/76E0A15A  created: 2015-09-22  expires: never
ssb* 2048R/0B16AD9B  created: 2015-09-22  expires: never
ssb  2048R/1360580A  created: 2015-09-22  expires: never
ssb  2048R/0EECD0AE  created: 2015-09-22  expires: never
(1)  Brendan Horan <brendanhoran@basstech.net>
(2)  Brendan Horan <brendan@horan.hk>

gpg> keytocard
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

You need a passphrase to unlock the secret key for
user: "Brendan Horan <brendanhoran@basstech.net>"
2048-bit RSA key, ID 0B16AD9B, created 2015-09-22


sec  4096R/76E0A15A  created: 2015-09-22  expires: never
ssb* 2048R/0B16AD9B  created: 2015-09-22  expires: never
                     card-no: 0006 03646614
ssb  2048R/1360580A  created: 2015-09-22  expires: never
ssb  2048R/0EECD0AE  created: 2015-09-22  expires: never
(1)  Brendan Horan <brendanhoran@basstech.net>
(2)  Brendan Horan <brendan@horan.hk>

gpg>

gpg> key 1

sec  4096R/76E0A15A  created: 2015-09-22  expires: never
ssb  2048R/0B16AD9B  created: 2015-09-22  expires: never
                     card-no: 0006 03646614
ssb* 2048R/1360580A  created: 2015-09-22  expires: never
ssb  2048R/0EECD0AE  created: 2015-09-22  expires: never
(1)  Brendan Horan <brendanhoran@basstech.net>
(2)  Brendan Horan <brendan@horan.hk>

gpg> keytocard
Signature key ....: 1C9B 6940 B360 826A 51E3  A869 9C52 FFF7 0B16 AD9B
Encryption key....: [none]
Authentication key: [none]

Please select where to store the key:
   (2) Encryption key
Your selection? 2

You need a passphrase to unlock the secret key for
user: "Brendan Horan <brendanhoran@basstech.net>"
2048-bit RSA key, ID 1360580A, created 2015-09-22


sec  4096R/76E0A15A  created: 2015-09-22  expires: never
ssb  2048R/0B16AD9B  created: 2015-09-22  expires: never
                     card-no: 0006 03646614
ssb* 2048R/1360580A  created: 2015-09-22  expires: never
                     card-no: 0006 03646614
ssb  2048R/0EECD0AE  created: 2015-09-22  expires: never
(1)  Brendan Horan <brendanhoran@basstech.net>
(2)  Brendan Horan <brendan@horan.hk>

gpg> key 2

sec  4096R/76E0A15A  created: 2015-09-22  expires: never
ssb  2048R/0B16AD9B  created: 2015-09-22  expires: never
                     card-no: 0006 03646614
ssb  2048R/1360580A  created: 2015-09-22  expires: never
                     card-no: 0006 03646614
ssb  2048R/0EECD0AE  created: 2015-09-22  expires: never
(1)  Brendan Horan <brendanhoran@basstech.net>
(2)  Brendan Horan <brendan@horan.hk>

gpg> key 3

sec  4096R/76E0A15A  created: 2015-09-22  expires: never
ssb  2048R/0B16AD9B  created: 2015-09-22  expires: never
                     card-no: 0006 03646614
ssb  2048R/1360580A  created: 2015-09-22  expires: never
                     card-no: 0006 03646614
ssb* 2048R/0EECD0AE  created: 2015-09-22  expires: never
(1)  Brendan Horan <brendanhoran@basstech.net>
(2)  Brendan Horan <brendan@horan.hk>

gpg> keytocard
Signature key ....: 1C9B 6940 B360 826A 51E3  A869 9C52 FFF7 0B16 AD9B
Encryption key....: 0D85 5A98 E9D6 2E80 65D8  B0DB 0B4C F791 1360 580A
Authentication key: [none]

Please select where to store the key:
   (3) Authentication key
Your selection? 3

You need a passphrase to unlock the secret key for
user: "Brendan Horan <brendanhoran@basstech.net>"
2048-bit RSA key, ID 0EECD0AE, created 2015-09-22


sec  4096R/76E0A15A  created: 2015-09-22  expires: never
ssb  2048R/0B16AD9B  created: 2015-09-22  expires: never
                     card-no: 0006 03646614
ssb  2048R/1360580A  created: 2015-09-22  expires: never
                     card-no: 0006 03646614
ssb* 2048R/0EECD0AE  created: 2015-09-22  expires: never
                     card-no: 0006 03646614
(1)  Brendan Horan <brendanhoran@basstech.net>
(2)  Brendan Horan <brendan@horan.hk>

gpg>

At this point you can hit "Ctrl-C", remove the Yubikey, insert a new Yubikey and re-run the above steps. If you only have one card or are done, issue the following command to finish the process. Note that once you save, the secret subkeys in the keyring on your USB stick are replaced by stubs that point at the card, so make sure you still have a backup of the full keyring before saving:

gpg> save
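Once a card is provisioned, it is worth confirming that all three slots actually hold the expected subkeys before you depend on it. The following shell snippet is an added example, not code from the original post: it parses gpg --card-status output (a constructed sample is embedded so it runs offline) and checks the three slots against the subkey IDs the post shows.

```shell
# Added example (not from the original post): confirm a provisioned Yubikey
# carries all three subkeys by parsing "gpg --card-status" output. On a real
# machine feed it live output:  gpg --card-status | card_holds SIG ENC AUTH

# card_slots: read card-status text on stdin; print "<slot> <short-id|EMPTY>"
# for the signature, encryption and authentication slots. The short ID is the
# last 8 hex digits of the fingerprint, i.e. the ID shown next to ssb in
# the --edit-key listing.
card_slots() {
    awk -F': *' '
        /^(Signature|Encryption|Authentication) key/ {
            slot = $1; sub(/ key[ .]*$/, "", slot)   # "Signature key ...." -> "Signature"
            val = $2; gsub(/ /, "", val)             # drop fingerprint spacing
            if (val == "[none]") print slot, "EMPTY"
            else print slot, substr(val, length(val) - 7)
        }'
}

# card_holds SIG ENC AUTH: succeed only when all three slots hold exactly the
# expected short IDs, in the order signature, encryption, authentication.
card_holds() {
    want="Signature $1
Encryption $2
Authentication $3"
    got=$(card_slots)
    [ "$got" = "$want" ]
}

# Constructed sample of the card status after all three keytocard steps.
# Signature/encryption fingerprints are copied from the post's keytocard
# output; the authentication fingerprint is a placeholder ending in the
# post's auth subkey ID.
SAMPLE_STATUS='Signature key ....: 1C9B 6940 B360 826A 51E3  A869 9C52 FFF7 0B16 AD9B
Encryption key....: 0D85 5A98 E9D6 2E80 65D8  B0DB 0B4C F791 1360 580A
Authentication key: 0000 0000 0000 0000 0000  0000 0000 0000 0EEC D0AE
General key info..: [none]'

# Expected IDs are the three ssb IDs from the post.
if printf '%s\n' "$SAMPLE_STATUS" | card_holds 0B16AD9B 1360580A 0EECD0AE; then
    echo "card holds all three subkeys"
else
    echo "card is missing or has a wrong subkey; do not rely on it yet"
fi
```

A card that was only partially loaded (for example after a Ctrl-C before the third keytocard) fails the check, which is exactly the case you want to catch before handing a key out.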

That's it for this post. You can now use your Yubikeys on any machine.