Steps to add a GPG key to  Yubikey4.

• Backup your keys.
• Create a new GPG key pair.
• Create subkeys for enctryption, signing and authorisation.
• Move the key to the card.
• Upload public keys to a server.

Create a new GPG key because using an existing will mean that once you move it to the key, you will no longer be able to access that proivate key again without the Yubikey.  This may be what you intend, but it's probably not.  Make a backup of your keys before doing anything though. You can use GPG to create the backup or, what I did, was to tar up the .gnupg directory and make it safe with appropriate permissions or encrypt it.  Of course un-encrypting it again without your keys may be an issue.

Don't generate the new key-pair on the key for two reasons, there is a security advisory (YSA-2017-01  – Infineon weak RSA key generation for early Yubikey 4) and it's easier to make a backup if off-key generation is used.  This of course has it's own security issues but...

• gpg --generate-key, then follow the prompts
• gpg -K, to find the ney key ID then
• gpg --expert --edit-key YOURNEWKEYID, to add new subkeys
• addkey Add three RSA keys for signing, encrypting and auth by selecting option 8 and toggling the capabilites.
• q and save when prompted.
• Make another backup!  Do this BEFORE you move keys to the card.
• gpg -expert --edit-key YOURNEWKEYID, again.
• key N.  Mark the key you want to move to the card.  This is the one you just created.
• keytocard.  Do this three times choosing the appropriate key type each time.
• q and save.

At this point the private key will be MOVED to the card and a "stub" created in your keyring that points to the card's private key.  You will NO LONGER be able to backup your private key!  Or to use it for signing and decryption without the Yubikey.  Hence all the backups.

Now to customise your card, and here is where it got interesting regarding keyservers.

In order to use the Yubikey on another computer you need to get a copy of the public key into that computer's GPG keyring.  I tried uploading the public key to several key servers and then setting that keyserver's URL, on the Yubikey. None of them worked. I suspect this is partly because I generated the key on a computer that did not have GPG2 installed and tried to download the key using another computer with only GPG2 installed.  No idea TBH.  What I did was to upload the public key to this server and set the URL in the Yubikey to point to it.  That seemed to work.  You could of course secure copy (scp) the public key to the other computers you wish to use the key on.  This all implies of course that the computers are internet connected.  If not then an additional USB stick will be required to transfer the public key.

I am somewhat dissillusioned by the need to separately move a software key around. I had assumed, before researching all this that once the Yubkey was programmed you were good-to-go.  Turn up anywhere, plug it in and start decrypting/signing, whatever.  I'm sure there are sound technical reasons why this is not possible but it just illustrates, yet again, why PGP is not suitable for every-day use.

https://www.millstream-computing.co.uk/media/yubi_public.txt is the address.  Since that's the public key, it's safe for me to publlsh it here.  Doubly so since the associated e-mail address doesn't exist.

I'd suggest following other online tutorials from concerning customising the key, it's quite straight forward.  It was the transfer of the key that screwed me up.  Other aspects of the key are also not covered here.

TBC...

Last changed: 23. August, 2020 at 12:31

Comments