Yubikeys and GPG clients
Overview
Now that you have your Yubikeys configured, you can make use of them on your daily machines.
Requirements
- Configured Yubikeys
- gpg software installed
- pcsc software installed
For my Gentoo machines I use the following packages:
sys-apps/pcsc-lite
app-crypt/gnupg (USE: smartcard)
Ensure your version of app-crypt/gnupg is 2.x or above.
Since I can't write steps for every distro, you're going to need to install the packages yourself.
Steps
The gpg-agent config
Create or edit the following file:
~/.gnupg/gpg-agent.conf
enable-ssh-support
write-env-file
use-standard-socket
default-cache-ttl 600
max-cache-ttl 7200
This file configures the gpg-agent; the gpg-agent in turn interacts with the pcsc application to reach the card.
Spawning the gpg-agent
You also need a way to start the gpg-agent; I use the following in my .bashrc file:
~/.bashrc
envfile="$HOME/.gnupg/gpg-agent.env"
# Reuse the running agent if the env file exists and the PID it records (second colon-separated field of GPG_AGENT_INFO) is still alive
if [[ -e "$envfile" ]] && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
    eval "$(cat "$envfile")"
else
    # Otherwise start a fresh agent with ssh support and have it write its variables to the env file
    eval "$(gpg-agent --daemon --enable-ssh-support --write-env-file "$envfile")"
fi
export GPG_AGENT_INFO # the env file does not contain the export statement
export SSH_AUTH_SOCK # enable gpg-agent for ssh
Checking access
With the above in place, when you spawn a new shell you will see the following:
$ export | grep gpg
declare -x GPG_AGENT_INFO="/home/brendan/.gnupg/S.gpg-agent:29109:1"
declare -x SSH_AUTH_SOCK="/home/brendan/.gnupg/S.gpg-agent.ssh"
$ ps -ef | grep gpg
brendan 4358 29098 0 16:16 pts/8 00:00:00 grep --colour=auto gpg
brendan 29109 1 0 16:10 ? 00:00:00 gpg-agent --daemon --enable-ssh-support --write-env-file /home/brendan/.gnupg/gpg-agent.env
Now test access to the Yubikey by running the "gpg --card-status" command:
$ gpg --card-status
Application ID ...: D2760001240102000006036475550000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 03647555
Name of cardholder: Brendan Horan
Language prefs ...: en
Sex ..............: male
URL of public key : https://brendan.horan.hk/76E0A15A-pub-key.txt
Login data .......: brendan
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 2
Signature key ....: 1C9B 6940 B360 826A 51E3 A869 9C52 FFF7 0B16 AD9B
created ....: 2015-09-22 06:52:32
Encryption key....: 0D85 5A98 E9D6 2E80 65D8 B0DB 0B4C F791 1360 580A
created ....: 2015-09-22 07:00:43
Authentication key: AB73 B37E 760C D6B3 5C9B 86D7 F2D5 C074 0EEC D0AE
created ....: 2015-09-22 07:02:24
General key info..: pub 2048R/0B16AD9B 2015-09-22 Brendan Horan <brendanhoran@basstech.net>
sec# 4096R/76E0A15A created: 2015-09-22 expires: never
ssb> 2048R/0B16AD9B created: 2015-09-22 expires: 2016-03-20
card-no: 0006 03647555
ssb> 2048R/1360580A created: 2015-09-22 expires: 2016-03-20
card-no: 0006 03647555
ssb> 2048R/0EECD0AE created: 2015-09-22 expires: 2016-03-20
card-no: 0006 03647555
You can now make use of the Yubikey to encrypt, decrypt, sign and authenticate on your machines.
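The checks above are done by eye; the following is an added example (not from the original post) that turns them into shell functions: the agent liveness test the .bashrc snippet performs on the env file, and a few sanity checks on "gpg --card-status" output (PIN retry counters not exhausted, all three key slots populated). It assumes the env file format written by --write-env-file shown above, and reads the status text from a file so it can run on a constructed sample.

```shell
# Added example (not from the original post): checks on the gpg-agent env file
# and on "gpg --card-status" output, both read from files so that captured
# samples can be tested; feed "$(gpg --card-status)" the same way on a live box.

# PID embedded in GPG_AGENT_INFO (socket:pid:protocol), as the .bashrc snippet reads it.
agent_pid() {            # agent_pid <env-file>
    grep GPG_AGENT_INFO "$1" | cut -d: -f2
}

# Return 0 when the agent recorded in the env file is still running.
agent_alive() {          # agent_alive <env-file>
    local pid
    pid=$(agent_pid "$1")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Value of one "Label ...: value" line of card-status output (first match).
card_field() {           # card_field <label> <status-file>
    sed -n "s/^$1[ .]*: *//p" "$2" | head -n1
}

# Return 0 while the user PIN and admin PIN retry counters are above zero.
# The middle value is the reset-code counter, which reads 0 when no reset code is set.
card_pins_ok() {         # card_pins_ok <status-file>
    local counters user admin
    counters=$(card_field 'PIN retry counter' "$1")
    user=${counters%% *}
    admin=${counters##* }
    [ -n "$user" ] && [ "$user" -gt 0 ] && [ "$admin" -gt 0 ]
}

# Return 0 when all three key slots are populated ("[none]" marks an empty slot).
card_keys_present() {    # card_keys_present <status-file>
    local label
    for label in 'Signature key' 'Encryption key' 'Authentication key'; do
        case "$(card_field "$label" "$1")" in
            ''|'[none]') return 1 ;;
        esac
    done
    return 0
}
# Constructed sample: the post's key fingerprints, one PIN try used, auth slot empty.
SAMPLE_STATUS=$(mktemp)
cat >"$SAMPLE_STATUS" <<'EOF'
PIN retry counter : 2 3 3
Signature key ....: 1C9B 6940 B360 826A 51E3 A869 9C52 FFF7 0B16 AD9B
Encryption key....: 0D85 5A98 E9D6 2E80 65D8 B0DB 0B4C F791 1360 580A
Authentication key: [none]
EOF
```

Against the constructed sample, card_pins_ok succeeds and card_keys_present fails because the authentication slot is empty.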