The YubiKey is a small USB device which can be used as a simple HSM for GPG. Beyond this, it can also be used as a generator for OTPs, etc.
Basic Usage as HSM
Detection
To check whether the device is detected, run gpg --card-status. The result should look something like this:
Reader ...........: xxxx:xxxx:X:0
Application ID ...: Dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: xxxxxxxx
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
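As an added example (not part of the original notes), the following POSIX sh script parses a gpg --card-status report in the layout shown above and reports whether the card is ready to be used as an HSM: detected, no PIN blocked, all three key slots filled. The sample reports are constructed from the field layout above (placeholder serial and application ID; the fingerprints are the ones listed later on this page). The three values on the "PIN retry counter" line are the remaining tries for the user PIN, the Reset Code and the Admin PIN, in that order, which is why a "0" in the middle only means that no Reset Code has been set.

```shell
#!/bin/sh
# Added example (not from the original notes): sanity-check the output of
# `gpg --card-status` before relying on a YubiKey as an HSM. The sample
# reports below are constructed from the field layout shown above; the
# placeholder values are not from a real card.

CARD_STATUS_UNPROVISIONED='Reader ...........: xxxx:xxxx:X:0
Application ID ...: Dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: xxxxxxxx
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
PIN retry counter : 3 0 3
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]'

CARD_STATUS_PROVISIONED='Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: xxxxxxxx
Signature PIN ....: forced
PIN retry counter : 3 3 3
Signature key ....: 72CE C465 A553 A414 A2C4 B760 793D 4D29 29B2 CEC7
Encryption key....: 3D51 6E23 CFE5 45FB B7C6 EAD2 4D63 9B15 8768 F01B
Authentication key: 2768 B94E F631 B636 806F B98C C511 AD6A 09C2 6A66'

# card_field LABEL: read a card status report on stdin and print the value of
# the first line whose label starts with LABEL. gpg pads labels with dots, so
# the value is whatever follows the first ": ".
card_field() {
    awk -v key="$1" 'index($0, key) == 1 { sub(/^[^:]*: */, ""); print; exit }'
}

# check_card_status: read a report on stdin, print findings, return 0 only if
# the card is detected, no PIN is blocked and all three key slots are filled.
check_card_status() {
    report=$(cat)
    rc=0
    manufacturer=$(printf '%s\n' "$report" | card_field "Manufacturer")
    if [ -z "$manufacturer" ]; then
        echo "no card detected (is the key plugged in and scdaemon running?)"
        return 1
    fi
    serial=$(printf '%s\n' "$report" | card_field "Serial number")
    echo "card detected: $manufacturer, serial $serial"

    # The counter line holds three values: user PIN, Reset Code, Admin PIN.
    retries=$(printf '%s\n' "$report" | card_field "PIN retry counter")
    set -- $retries   # word-split on purpose: $1 $2 $3 = PIN, Reset Code, Admin PIN
    if [ $# -ne 3 ]; then
        echo "unexpected PIN retry counter line: '$retries'"
        return 1
    fi
    if [ "$1" -eq 0 ]; then echo "user PIN is blocked (unblock via passwd)"; rc=1; fi
    if [ "$3" -eq 0 ]; then echo "Admin PIN is blocked; only factory-reset remains"; rc=1; fi
    if [ "$2" -eq 0 ]; then echo "note: no Reset Code set (unblocking needs the Admin PIN)"; fi

    if [ "$(printf '%s\n' "$report" | card_field "Signature PIN")" = "not forced" ]; then
        echo "note: signature PIN not forced (forcesig off): PIN not required for every signature"
    fi

    for slot in "Signature key" "Encryption key" "Authentication key"; do
        fpr=$(printf '%s\n' "$report" | card_field "$slot")
        case $fpr in
            ""|"[none]") echo "$slot: not present"; rc=1 ;;
            *)           echo "$slot: $fpr" ;;
        esac
    done
    return $rc
}

# Real use: gpg --card-status | check_card_status
printf '%s\n' "$CARD_STATUS_UNPROVISIONED" | check_card_status || echo "card not ready"
```

On a live system the report is piped straight from gpg --card-status; the script only reads the text, so it never touches the PINs or keys on the card.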
Interactive Use via GPG
Then go into interactive mode to configure the card with gpg --card-edit. Type admin to activate the admin commands; ? will show the available commands:
quit quit this menu
admin show admin commands
help show this help
list list all available data
name change card holder's name
url change URL to retrieve key
fetch fetch the key specified in the card URL
login change the login name
lang change the language preferences
sex change card holder's sex
cafpr change a CA fingerprint
forcesig toggle the signature force PIN flag
generate generate new keys
passwd menu to change or unblock the PIN
verify verify the PIN and list all data
unblock unblock the PIN using a Reset Code
factory-reset destroy all keys and data
Signing a File
The command gpg --sign -u **keyID** **filename** can be used to create a signature for a file, for example:
gpg --sign -u 793D4D2929B2CEC7 test.txt
This will create a file called test.txt.gpg.
Change PIN
To set a PIN, use passwd:
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection?
The default PINs are the factory settings, which gpg itself reports:
Please note that the factory settings of the PINs are
PIN = '123456' Admin PIN = '12345678'
You will have to set both a user PIN and an Admin PIN.
Generating Keys
The generate command can be used to generate keys:
gpg/card> generate
Make off-card backup of encryption key? (Y/n) n
Please note that the factory settings of the PINs are
PIN = '123456' Admin PIN = '12345678'
You should change them using the command --change-pin
What keysize do you want for the Signature key? (2048)
What keysize do you want for the Encryption key? (2048)
What keysize do you want for the Authentication key? (2048)
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at So 07 Apr 2019 11:14:33 CEST
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Tester
E-mail address: tester@nope.nope
Comment: Only for testing
You selected this USER-ID:
"Tester (Only for testing) <tester@nope.nope>"
Change (N)ame, (C)omment, (E)-mail or (O)kay/(Q)uit? O
gpg: key 793D4D2929B2CEC7 marked as ultimately trusted
gpg: revocation certificate stored as '/home/Tester/.gnupg/openpgp-revocs.d/72CEC465A553A414A2C4B760793D4D2929B2CEC7.rev'
public and secret key created and signed.
Listing Keys
The list command will show all keys:
Signature key ....: 72CE C465 A553 A414 A2C4 B760 793D 4D29 29B2 CEC7
created ....: 2017-04-07 09:15:37
Encryption key....: 3D51 6E23 CFE5 45FB B7C6 EAD2 4D63 9B15 8768 F01B
created ....: 2017-04-07 09:15:37
Authentication key: 2768 B94E F631 B636 806F B98C C511 AD6A 09C2 6A66
created ....: 2017-04-07 09:15:37
General key info..: pub rsa2048/793D4D2929B2CEC7 2017-04-07 Tester (Only for testing) <tester@nope.nope>
sec> rsa2048/793D4D2929B2CEC7 created: 2017-04-07 expires: 2019-04-07
card-no: 0006 05029630
ssb> rsa2048/C511AD6A09C26A66 created: 2017-04-07 expires: 2019-04-07
card-no: 0006 05029630
ssb> rsa2048/4D639B158768F01B created: 2017-04-07 expires: 2019-04-07
card-no: 0006 05029630