Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 2:11 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 4 posts ] 
Author Message
PostPosted: Mon Jan 30, 2017 5:02 pm 
Offline

Joined: Sat Jan 28, 2017 4:02 pm
Posts: 6
Hi,

Have a few questions as a newbie on PGP and YubiKey.

1) gpg --gen-key
This installs by default both a Signature and Certify certificate in Key 0 and Encryption as sub in Key 1
By using add-key I add Authenticate as sub in Key 2.
[QUESTION 1]: I see in an article that somebody also add the Signature as a standalone as sub in Key 3. What is the purpose of this?

2) gpg --export
[QUESTION 2]: When I do an export of public, private and revoke, are these full backups of all 3 certificates?

3) gpg --key-edit
Here I MOVE keys from the local keyring to the Yubikey.
[QUESTION 3]: What are the advantages and disadvantages of moving all keys to the YubiKey? This is one of the questions I really have not found a good answer of.

4) What I want to achieve
[QUESTION 4]:
a) I want to use the YubiKey for Windows Logon - This is setup using Challenge-Response mode HMAC-SHA1
b) I want to use the YubiKey for signing, certifying, encrypt/decrypt and Autheticate (none will work without the YubiKey inserted). This relates to question 3. Should I also then completely delete the certificate from Kleopatra?
c) I want to move the same config to a PC number 2, how do I do this?

5) Finally, making a backup key
[QUESTION 5]: I need to make a backup YubiKey of the final result after question 4, how do I do this?

This is a lot of questions, but I hope somebody will offer me the minutes of their life to answer me.
As a note: I do know how to use gen-key, addkey and key-edit, this is not the info I want.

Kind regards from cold Norway :)


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Wed Feb 01, 2017 5:24 pm 
Offline

Joined: Sat Jan 28, 2017 4:02 pm
Posts: 6
I've actually managed to solve some of these myself.
If I've written something wrong, please correct me and I will update it for future readers...


TheStigh wrote:
1) gpg --gen-key
This installs by default both a Signature and Certify certificate in Key 0 and Encryption as sub in Key 1
By using add-key I add Authenticate as sub in Key 2.
[QUESTION 1]: I see in an article that somebody also add the Signature as a standalone as sub in Key 3. What is the purpose of this?

Just seems this is the way GPG work. All the different keys you need must be individually created as subs.

TheStigh wrote:
2) gpg --export
[QUESTION 2]: When I do an export of public, private and revoke, are these full backups of all 3 certificates?

gpg --armor --export-secret-keys $KEYID > mastersub.key
gpg --armor --export-secret-subkeys $KEYID > sub.key
gpg --armor --export $KEYID > pubkey.txt

The export of private must be done before moving the keys to the YubiKey.
When creating the revoke is actually not stored any other place than the file you made during the creation of revoke.

TheStigh wrote:
3) gpg --key-edit
Here I MOVE keys from the local keyring to the Yubikey.
[QUESTION 3]: What are the advantages and disadvantages of moving all keys to the YubiKey? This is one of the questions I really have not found a good answer of.

By moving all the keys to the YubiKey, there is nothing local on the computer except the Public key and stubs, no full keys on the computer to worry about.
It is also easy to have multiple computers using same certificate by moving the YubiKey with you to each computer and only fetch/import the Public key and trust it.

TheStigh wrote:
4) What I want to achieve
[QUESTION 4]:
a) I want to use the YubiKey for Windows Logon - This is setup using Challenge-Response mode HMAC-SHA1
b) I want to use the YubiKey for signing, certifying, encrypt/decrypt and Autheticate (none will work without the YubiKey inserted). This relates to question 3. Should I also then completely delete the certificate from Kleopatra?
c) I want to move the same config to a PC number 2, how do I do this?

This was more the tricky one.
a) Just follow the How To: https://www.yubico.com/wp-content/uploa ... ion_en.pdf
b) By moving with keytocard all keys, this is achieved
c) As explained in 3)

TheStigh wrote:
5) Finally, making a backup key
[QUESTION 5]: I need to make a backup YubiKey of the final result after question 4, how do I do this?

Still not solved!

Source document for most if the replies are: https://github.com/drduh/YubiKey-Guide/ ... public-key


Top
 Profile  
Reply with quote  
PostPosted: Thu Feb 16, 2017 7:27 am 
Offline

Joined: Sat Mar 21, 2015 9:44 am
Posts: 15
You might find this article and this one a little detailed and good at answering most of your questions.

If you still have question or concerns, I'd be glad to offer any suggestions or knowledge that I can!


Top
 Profile  
Reply with quote  
PostPosted: Sun Sep 10, 2017 10:36 am 
Offline

Joined: Thu Sep 07, 2017 5:16 pm
Posts: 9
question 1: the default key is a Signature and Certify (master key) and an Encryption subkey
some people, me included, prefer to not have the secret key of the master key on the pc because that is "your identity". if it get compromised is a big problem. while if a subkey is compromised you can simply revoke it and make a new one. that's why another signature key, because the master one in my pc has been deleted; and without a second one i couldn't sign anything.

question 2: i'm not sure as to export i use kleopatra (simple gui) but secret key is all what you need.
after importing the secret key on new pc you can export public key. and having access to secret key you can generate a revocation cert. anyway having a separate copy of revocation cert might be a good idea.

question 3: move there all keys you plan to use, but keep a backup offline somewhere because yubikeys can be maliciously blocked (guessing wrong pin three times). and this force you to reset the key.

question 4A: i don't care about win logon so i haven't read any documentation sorry. my reason is that windows login is useless, it doesn't protect anything you can boot linux or move the hdd in other pc and see every file.

question 4B: no, from what i understand the only thing left on the pc/kleopatra is a public key stub that sais that private key is on smartcard.
remember to enable (and lock in enabled mode) the use of phisical yubikey button before using any key otherwise a virus might use your keys to decrypt/sign anything while your key is inserted without you noticing. note that the pin is useless as it can be keylogged by the virus.

question 4C: copy there the public key (seems that you can't export/get it from the yubikey) than from terminal/cmd write "gpg --card-status" seems that this command let gpg understand that the private key side is on the card. after this in kleopatra you should see the smarcard icon as in the first pc. also set ultimate trust on your key.

question 5: follow the same procedure used to import keys on the first yubikey. you must make a backup before pushing private keys as they are deleted from pc when you ush them.

question: This is a lot of questions, but I hope somebody will offer me the minutes of their life to answer me.
someone helped me with a lot of answers and i think is correct to do the same ^_^

also:
"By moving all the keys to the YubiKey ... no full keys on the computer to worry about."
NOT sure about this as usual way computers delete files are mark them as garbage so that can be overwritten with new files when needed.
shred/sdelete might be a better option. also depnds on how paranoid (or better security aware) you are consider also:
-defragmentation process might leave copys
-journalled filesystems like ntfs or ext(3 and 4???) might leave copys
-solid state drives/usb can't be securely deleted due to wear leveling
-page file / swap might have on disk part of the keys that were on ram
take a look at truecrypt manual it has many more things


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: Google [Bot] and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group