| 1 | +# Setting up debian to work with your OpenPGP keys stored on a YubiKey Neo |
| 2 | +This guide assumes that you have already configured your yubikey with your private keys and a pin. By the end of this guide you will have configured the machine to be able to use the yubikey to decypt and sign documents on your machine. |
| 3 | + |
| 4 | +## Requirements |
| 5 | +* A linux box |
| 6 | +* Yubikey Neo configured as a smart card |
| 7 | +* Internet access (to install packages and download udev rules) |
| 8 | + |
| 9 | +## Ensure gpg2 and scdaemon is installed |
| 10 | +```` |
| 11 | +$ su -c "apt-get install gpg2 scdaemon" |
| 12 | +$ gpg2 --version |
| 13 | +gpg (GnuPG) 2.0.26 |
| 14 | +libgcrypt 1.6.3 |
| 15 | +Copyright (C) 2013 Free Software Foundation, Inc. |
| 16 | +License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> |
| 17 | +This is free software: you are free to change and redistribute it. |
| 18 | +There is NO WARRANTY, to the extent permitted by law. |
| 19 | +
|
| 20 | +Home: ~/.gnupg |
| 21 | +Supported algorithms: |
| 22 | +Pubkey: RSA, RSA, RSA, ELG, DSA |
| 23 | +Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, |
| 24 | + CAMELLIA128, CAMELLIA192, CAMELLIA256 |
| 25 | +Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 |
| 26 | +Compression: Uncompressed, ZIP, ZLIB, BZIP2 |
| 27 | +```` |
| 28 | + |
| 29 | +## Disable seahorse from intercepting gpg stuff |
| 30 | +Stuff which starts on boot is stored in ```/etc/xdg/autostart```. We don't want gnome-keyring to be responsible for our gpg authentication because it can't deal with smart cards (which our yubikey neo is). After doing this you will need to log out and in again. |
| 31 | + |
| 32 | +``` |
| 33 | +su -c "mv /etc/xdg/autostart/gnome-keyring-gpg.desktop /etc/xdg/autostart/gnome-keyring-gpg.desktop.disabled" |
| 34 | +``` |
| 35 | + |
| 36 | +## Ensure you have the udev rules for the yubikey |
| 37 | +Your card should now work as the root user, but in order to use your yubikey as your standard user you will need to ensure that you have the neccary udev rules added to your system. The rules you need can be obtained from the yubikey github account. You can also install the ```yubikey-personalization``` package on debian based distributions. |
| 38 | + |
| 39 | +``` |
| 40 | +# copy the udev rules to our downloads and then copy them (as root) to /etc/udev/rules.d to prevent wget being run as root |
| 41 | +wget https://raw.githubusercontent.com/Yubico/yubikey-personalization/master/69-yubikey.rules -P ~/Downloads/ && su -c "mv $HOME/Downloads/69-yubikey.rules /etc/udev/rules.d/" |
| 42 | +wget https://raw.githubusercontent.com/Yubico/yubikey-personalization/master/70-yubikey.rules -P ~/Downloads/ && su -c "mv $HOME/Downloads/70-yubikey.rules /etc/udev/rules.d/" |
| 43 | +``` |
| 44 | + |
| 45 | +## run gpg2 --card-status to check you can see your card |
| 46 | +I've removed most of the identifable infomation but the format should be the same. This should also create a key stub in your gpg keyring which tells gpg that in order to decrypt/sign documents using this key it will need to ask your yubikey. |
| 47 | + |
| 48 | +``` |
| 49 | +gpg2 --card-status |
| 50 | +webpigeon@desktop:~# gpg2 --card-status |
| 51 | +scdaemon[10004]: updating slot 0 status: 0x0000->0x0007 (0->1) |
| 52 | +Application ID ...: D2760001240102000006035077540000 |
| 53 | +Version ..........: 2.0 |
| 54 | +Manufacturer .....: Yubico |
| 55 | +Serial number ....: 00000000 |
| 56 | +Name of cardholder: Fred Bloggs |
| 57 | +Language prefs ...: en |
| 58 | +Sex ..............: male |
| 59 | +URL of public key : [not set] |
| 60 | +Login data .......: bloggsf |
| 61 | +Signature PIN ....: forced |
| 62 | +Key attributes ...: 2048R 2048R 2048R |
| 63 | +Max. PIN lengths .: 127 127 127 |
| 64 | +PIN retry counter : 3 3 3 |
| 65 | +Signature counter : 00 |
| 66 | +Signature key ....: FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF |
| 67 | + created ....: 0000-00-00 00:00:00 |
| 68 | +Encryption key....: FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF |
| 69 | + created ....: 0000-00-00 00:00:00 |
| 70 | +Authentication key: FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF |
| 71 | + created ....: 0000-00-00 00:00:00 |
| 72 | +General key info..: [none] |
| 73 | +``` |
| 74 | + |
| 75 | +## Check it worked |
| 76 | +In order to check that we can now use our smart card to decrypt things which have been encrypted for us, we can encrypt a test document then try to decrypt it. If everything worked as we expected you should be asked for your pin when you attempt to decrypt the file. Enter your pin when prompted. The encrypted text should now be decrypted and displayed on standard out. |
| 77 | + |
| 78 | +``` |
| 79 | +echo "this is a test" | gpg2 --output test.gpg --encrypt --recipient [email protected] |
| 80 | +gpg2 --decrypt test.gpg |
| 81 | +scdaemon[2119]: updating slot 0 status: 0x0000->0x0007 (0->1) |
| 82 | +scdaemon[2119]: DBG: asking for PIN '||Please enter the PIN' |
| 83 | +gpg: encrypted with 2048-bit RSA key, ID 033F1F3D, created 2015-05-14 |
| 84 | + "Joseph Walton-Rivers (WebPigeon) <[email protected]>" |
| 85 | +this is a test |
| 86 | +``` |
| 87 | + |
| 88 | +## Troubleshooting |
| 89 | +### selecting openpgp failed: Card error |
| 90 | +If you get an error when calling gpg2 --card-status you might need to reboot after adding the udev rules. |
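Review bot: the install command under "Ensure gpg2 and scdaemon is installed" names a package that does not exist in Debian, so `su -c "apt-get install gpg2 scdaemon"` fails with "Unable to locate package gpg2"; the `gpg2` binary comes from the `gnupg2` package, and the line should read `su -c "apt-get install gnupg2 scdaemon"` (the `gpg (GnuPG) 2.0.26` version banner that follows is what that package installs). Three smaller points in the same hunk: the `--card-status` block lists the command twice, once bare and once on a `webpigeon@desktop:~#` root prompt, which works against the stated goal of the udev section (using the card as the standard user), so drop the bare line and show a `$` prompt so that a reader who pastes the block is actually testing the udev rules rather than root access; the troubleshooting entry for "selecting openpgp failed: Card error" recommends a reboot after adding the udev rules, whereas `su -c "udevadm control --reload-rules && udevadm trigger"`, unplugging and reinserting the YubiKey, and killing the running `scdaemon` so gpg-agent starts a fresh one normally clears it without a reboot and is worth listing first; and the "Check it worked" test only exercises decryption even though the introduction promises signing, so a `gpg2 --clearsign` of the same test text would also confirm that the signature key and the "Signature PIN ....: forced" setting behave as expected. Typos to fix while you are in there: "decypt", "neccary", "identifable infomation", and "Stuff which starts on boot" (the `/etc/xdg/autostart` entries run at desktop session login, not at boot).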