GPG with Yubikey 4

0. Prerequisites

Before you proceed, make sure you understand the following terms: OpenPGP, GPG master key and subkeys, and the YubiKey by Yubico.
Reference info can be found at:

http://cfig.github.io/2015/09/22/GPG-usage/ describes basic operations of GPG
Yubikey 4, which can be bought at Amazon.
Others: https://lmy441900.github.io/security/yubikey/2016/09/10/about-yubikey-4.html

This guide has been tested on Debian (Jessie).

1. Set up Yubikey4 env for Debian

First, please read https://wiki.debian.org/Smartcards/YubiKey4 carefully.

# apt-get install scdaemon gnupg2 dirmngr

We need to let a normal user (not only root!) use the YubiKey 4 on Debian by adding a udev rule file at /etc/udev/rules.d/99-yubikeys.rules (the user must be in the plugdev group, or be the locally logged-in user that the uaccess tag grants access to):

# YubiKey 4 OTP+U2F+CCID
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", GROUP="plugdev", TAG+="uaccess"

Then reboot (or reload the udev rules and re-plug the key) to let it take effect, and verify that gpg2 sees the card:

$ gpg2 --card-status

2. Move sign/encrypt/authenticate subkeys to smartcard

We only ever work with subkeys here; the master (certify) key stays on safe air-gapped media and never touches the Yubikey.
Assuming you have the sign/encrypt/authenticate private subkeys in the local keyring, move them to the card one at a time (GnuPG 2.1 does not need the toggle command of 2.0, and keytocard only accepts a single selected subkey):

$ gpg2 --edit-key $KEYID
gpg> key 1
gpg> keytocard
gpg> key 1
gpg> save

keytocard asks for the slot: put the signing subkey in (1) Signature. The second key 1 deselects the subkey; then select key 2, send it to (2) Encryption, deselect it, select key 3, send it to (3) Authentication, and finish with save. Back up the secret subkeys before the save: once saved, the local copies are replaced by stubs that point at the card, and a private key cannot be read back out of the card.

Finally, verify the smart card status:

$ gpg2 --card-status

The “Signature key”, “Encryption key” and “Authentication key” lines should now show the fingerprints of the three subkeys instead of [none].

3. Set up misc values for Yubikey4

After we push the public key to a keyserver like this (use the long key ID or the full fingerprint rather than the short 8-digit ID, which is easy to collide, and use gpg2 throughout so that the same keyring is used),

gpg2 --keyserver hkp://pgp.mit.edu --send-keys 0xD6F140FF1370401F

we can look our key up at:

http://pgp.mit.edu/pks/lookup?op=get&search=0xD6F140FF1370401F

Then store that URL on the Yubikey4, so that another machine can fetch the public key with nothing but the card:

$ gpg2 --card-edit
gpg/card> admin
gpg/card> url
http://pgp.mit.edu/pks/lookup?op=get&search=0xD6F140FF1370401F
gpg/card> quit

The URL is a convenience, not a trust anchor: it is fetched over plain HTTP, so always compare the fingerprints of the fetched key with the ones printed by gpg2 --card-status. While in admin mode, also change the factory PINs with the passwd command (the OpenPGP applet ships with user PIN 123456 and Admin PIN 12345678).

4. Try out Yubikey4 on another machine:

If you test on the same machine instead, delete the public and secret keys from the local keyring first, so that the test starts from an empty keyring.

Get the public key from the URL stored on the card (a plain-HTTP fetch, so treat the result as untrusted until its fingerprint has been checked against the card):

gpg2 --card-edit
gpg/card> fetch
gpg/card> quit

Let gpg-agent learn the card, which creates the secret key stubs that point at it:

gpg2 --card-status

Verify the key status; the three subkeys should be listed as ssb> (the > marks a stub whose private part lives on the card), and their fingerprints should match the “Signature key”, “Encryption key” and “Authentication key” lines of gpg2 --card-status:

gpg2 -K
gpg2 -k
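As an added example that is not part of the original guide, the following POSIX shell script does the fingerprint comparison of sections 2 and 4 automatically: it reads the colon-separated output of gpg2 --card-status --with-colons and gpg2 -K --with-colons and fails if any local secret subkey is not one of the three keys on the card. The record layouts it parses (a single fpr:SIG:ENC:AUTH: record for the card, and an fpr record whose tenth field is the fingerprint following each ssb record in the key listing) are my reading of what GnuPG 2.1 prints; the CARD_SAMPLE and LOCAL_SAMPLE strings are constructed test data with made-up key IDs and fingerprints, not real output.

```shell
#!/bin/sh
# Added example, not from the original guide: check that every local secret
# subkey is one of the keys held on the YubiKey, by comparing fingerprints.
#
#   gpg2 --card-status --with-colons   prints one "fpr:SIG:ENC:AUTH:" record
#                                      with the three card slots.
#   gpg2 -K --with-colons              prints an "ssb" record per secret subkey,
#                                      followed by an "fpr" record whose 10th
#                                      field is that subkey's fingerprint.
#
# CARD_SAMPLE and LOCAL_SAMPLE below are constructed test data with made-up
# key IDs and fingerprints.  On a real system run:
#   check_subkeys_on_card "$(gpg2 --card-status --with-colons)" "$(gpg2 -K --with-colons)"

# Print the fingerprints sitting in the card's three key slots, one per line.
# Empty slots are skipped, so an unprovisioned slot simply yields no line.
card_fprs() {
    awk -F: '$1 == "fpr" { for (i = 2; i <= 4; i++) if ($i != "") print $i }'
}

# Print the fingerprint of every secret subkey in a -K --with-colons listing.
# Only the fpr record directly after an ssb record belongs to a subkey; the
# fpr after the sec record (the master key) is deliberately ignored.
local_subkey_fprs() {
    awk -F: '
        $1 == "ssb"          { want = 1; next }
        $1 == "fpr" && want  { print $10; want = 0; next }
                             { want = 0 }'
}

# check_subkeys_on_card CARD_COLONS LOCAL_COLONS
# Returns 0 when every local subkey fingerprint is present on the card,
# 1 when at least one is not (the missing ones are reported on stderr).
check_subkeys_on_card() {
    on_card=" $(printf '%s\n' "$1" | card_fprs | tr '\n' ' ')"
    rc=0
    for fpr in $(printf '%s\n' "$2" | local_subkey_fprs); do
        case "$on_card" in
            *" $fpr "*) ;;
            *) echo "subkey $fpr is NOT on the card" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample of gpg2 --card-status --with-colons (made-up values).
CARD_SAMPLE='Reader:1050:0407:X:0:
version:0201:
vendor:0006:Yubico:
serial:00001234:
fpr:A1B2C3D4E5F60718293A4B5C6D7E8F9001122334:0123456789ABCDEF0123456789ABCDEF01234567:FEDCBA9876543210FEDCBA9876543210FEDCBA98:
fprtime:1473500000:1473500000:1473500000:'

# Constructed sample of gpg2 -K --with-colons for the matching key (made-up values).
LOCAL_SAMPLE='sec:u:2048:1:0011223344556677:1442880000:::u:::cSC:::+:
fpr:::::::::99887766554433221100FFEEDDCCBBAA99887766:
uid:u::::1442880000::0000000000000000000000000000000000000000::Example User <user@example.com>::::::::::0:
ssb:u:2048:1:1111222233334444:1442880000::::::s:::00001234:
fpr:::::::::A1B2C3D4E5F60718293A4B5C6D7E8F9001122334:
ssb:u:2048:1:5555666677778888:1442880000::::::e:::00001234:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
ssb:u:2048:1:9999AAAABBBBCCCC:1442880000::::::a:::00001234:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Demo on the constructed data: all three subkeys are on the card.
if check_subkeys_on_card "$CARD_SAMPLE" "$LOCAL_SAMPLE"; then
    echo "all local subkeys are on the card"
fi
```

Run it right after the fetch / --card-status steps on the new machine: a non-zero exit means the public key you fetched from the URL does not belong to the subkeys on the card, which is exactly the case a tampered keyserver response would produce.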

5. Using GPG for SSH login

I am using GnuPG 2.1.
Enable SSH support in gpg-agent (append, so that an existing gpg-agent.conf is not overwritten; the agent has to be restarted afterwards, which the logout below takes care of):

echo enable-ssh-support >> ~/.gnupg/gpg-agent.conf

Add this to ~/.bashrc so that ssh talks to gpg-agent instead of ssh-agent. Make sure nothing started later in the session (a desktop ssh-agent or keyring daemon) overwrites SSH_AUTH_SOCK again; on older 2.1 releases whose gpgconf does not know agent-ssh-socket, the socket is ~/.gnupg/S.gpg-agent.ssh:

#GPG
export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
gpg-connect-agent updatestartuptty /bye
#GPG - END

Log out and back in, then check (with the card plugged in) that the agent lists the authentication key:

ssh-add -l
ssh-add -L

Copy the ssh-add -L line into ~/.ssh/authorized_keys on the remote host.
Then try an ssh login; the YubiKey asks for its user PIN the first time the key is used.
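As an added example that is not part of the original guide, the following POSIX shell script checks that the key ssh will offer really comes from the YubiKey rather than from a key file picked up from the local machine. It relies on gpg-agent labelling a card-backed key in ssh-add -L output with a comment of the form cardno:<digits>, whose trailing 8 digits are the serial number that gpg2 --card-status --with-colons prints in its serial: record; that relation is my reading of how gpg-agent builds the comment (vendor id followed by serial) and is an assumption of the example. CARD_SAMPLE and AGENT_SAMPLE are constructed inputs with a made-up serial and truncated key blobs.

```shell
#!/bin/sh
# Added example, not from the original guide: confirm that the key ssh-agent
# offers really lives on the YubiKey.  gpg-agent lists a card-backed key to
# "ssh-add -L" with a comment "cardno:<vendor><serial>" (assumption: the last
# 8 digits equal the "serial:" record of gpg2 --card-status --with-colons).
# CARD_SAMPLE and AGENT_SAMPLE are constructed sample data, not real output.
# On a real system run:
#   check_ssh_key_from_card "$(gpg2 --card-status --with-colons)" "$(ssh-add -L)"

# Print the 8-digit serial from a --card-status --with-colons listing.
card_serial() {
    awk -F: '$1 == "serial" { print $2; exit }'
}

# keys_for_card SERIAL < ssh-add-L-listing
# Print, in authorized_keys form, only the keys whose cardno: comment ends in
# the given serial.  Keys from other cards or from on-disk files are dropped.
keys_for_card() {
    awk -v serial="$1" '
        NF >= 3 && $3 ~ /^cardno:/ {
            cardno = substr($3, 8)                      # strip "cardno:"
            if (substr(cardno, length(cardno) - 7) == serial) print $1, $2, $3
        }'
}

# check_ssh_key_from_card CARD_COLONS AGENT_LISTING
# Prints the authorized_keys line(s) backed by the card and returns 0;
# returns 1 when the agent offers no key from that card.
check_ssh_key_from_card() {
    serial=$(printf '%s\n' "$1" | card_serial)
    keys=$(printf '%s\n' "$2" | keys_for_card "$serial")
    [ -n "$keys" ] || { echo "no key from card $serial is offered to ssh" >&2; return 1; }
    printf '%s\n' "$keys"
}

# Constructed sample of gpg2 --card-status --with-colons (made-up serial).
CARD_SAMPLE='Reader:1050:0407:X:0:
version:0201:
vendor:0006:Yubico:
serial:00001234:'

# Constructed sample of ssh-add -L: one key from this card, one from a file,
# one from a different card.  The key blobs are truncated placeholders.
AGENT_SAMPLE='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexampleCardKey cardno:000600001234
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexampleDiskKey user@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOther cardno:000698765432'

# Demo on the constructed data: prints only the line to paste into
# the remote authorized_keys.
check_ssh_key_from_card "$CARD_SAMPLE" "$AGENT_SAMPLE"
```

The printed line is the one to paste into the remote authorized_keys; if the script exits non-zero, ssh would fall back to whatever other identities the agent holds, which is usually not what a hardware-key setup intends.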

6. misc references

https://demo.yubico.com/u2f.php