Yubico Forum





PostPosted: Mon Jan 30, 2017 5:02 pm 

Joined: Sat Jan 28, 2017 4:02 pm
Posts: 6
Hi,

Have a few questions as a newbie on PGP and YubiKey.

1) gpg --gen-key
This installs by default both a Signature and Certify certificate in Key 0 and Encryption as sub in Key 1
By using addkey I add Authenticate as a sub in Key 2.
[QUESTION 1]: I see in an article that somebody also adds a standalone Signature key as a sub in Key 3. What is the purpose of this?

2) gpg --export
[QUESTION 2]: When I do an export of public, private and revoke, are these full backups of all 3 certificates?

3) gpg --edit-key
Here I MOVE keys from the local keyring to the YubiKey.
[QUESTION 3]: What are the advantages and disadvantages of moving all keys to the YubiKey? This is one of the questions I really have not found a good answer to.

4) What I want to achieve
[QUESTION 4]:
a) I want to use the YubiKey for Windows Logon - This is setup using Challenge-Response mode HMAC-SHA1
b) I want to use the YubiKey for signing, certifying, encrypt/decrypt and Authenticate (none will work without the YubiKey inserted). This relates to question 3. Should I also then completely delete the certificate from Kleopatra?
c) I want to move the same config to a PC number 2, how do I do this?

5) Finally, making a backup key
[QUESTION 5]: I need to make a backup YubiKey of the final result after question 4, how do I do this?

This is a lot of questions, but I hope somebody will offer me the minutes of their life to answer me.
As a note: I do know how to use gen-key, addkey and edit-key, this is not the info I want.

Kind regards from cold Norway :)



PostPosted: Wed Feb 01, 2017 5:24 pm 

Joined: Sat Jan 28, 2017 4:02 pm
Posts: 6
I've actually managed to solve some of these myself.
If I've written something wrong, please correct me and I will update it for future readers...


TheStigh wrote:
1) gpg --gen-key
This installs by default both a Signature and Certify certificate in Key 0 and Encryption as sub in Key 1
By using addkey I add Authenticate as a sub in Key 2.
[QUESTION 1]: I see in an article that somebody also adds a standalone Signature key as a sub in Key 3. What is the purpose of this?

It just seems this is the way GPG works. All the different keys you need must be individually created as subs.

TheStigh wrote:
2) gpg --export
[QUESTION 2]: When I do an export of public, private and revoke, are these full backups of all 3 certificates?

gpg --armor --export-secret-keys $KEYID > mastersub.key
gpg --armor --export-secret-subkeys $KEYID > sub.key
gpg --armor --export $KEYID > pubkey.txt

The export of the private keys must be done before moving the keys to the YubiKey.
The revocation certificate is actually not stored anywhere other than the file you made during its creation.

TheStigh wrote:
3) gpg --edit-key
Here I MOVE keys from the local keyring to the YubiKey.
[QUESTION 3]: What are the advantages and disadvantages of moving all keys to the YubiKey? This is one of the questions I really have not found a good answer to.

By moving all the keys to the YubiKey, there is nothing local on the computer except the Public key and stubs, no full keys on the computer to worry about.
It is also easy to have multiple computers using the same certificate by taking the YubiKey with you to each computer and only fetching/importing the public key and trusting it.

TheStigh wrote:
4) What I want to achieve
[QUESTION 4]:
a) I want to use the YubiKey for Windows Logon - This is setup using Challenge-Response mode HMAC-SHA1
b) I want to use the YubiKey for signing, certifying, encrypt/decrypt and Authenticate (none will work without the YubiKey inserted). This relates to question 3. Should I also then completely delete the certificate from Kleopatra?
c) I want to move the same config to a PC number 2, how do I do this?

This was the trickier one.
a) Just follow the How To: https://www.yubico.com/wp-content/uploa ... ion_en.pdf
b) By moving all keys with keytocard, this is achieved
c) As explained in 3)

TheStigh wrote:
5) Finally, making a backup key
[QUESTION 5]: I need to make a backup YubiKey of the final result after question 4, how do I do this?

Still not solved!

Source document for most of the replies is: https://github.com/drduh/YubiKey-Guide/ ... public-key


PostPosted: Thu Feb 16, 2017 7:27 am 

Joined: Sat Mar 21, 2015 9:44 am
Posts: 15
You might find this article and this one a little detailed and good at answering most of your questions.

If you still have question or concerns, I'd be glad to offer any suggestions or knowledge that I can!

PostPosted: Sun Sep 10, 2017 10:36 am 

Joined: Thu Sep 07, 2017 5:16 pm
Posts: 9
Question 1: the default key is a Signature and Certify key (master key) and an Encryption subkey.
Some people, me included, prefer not to have the secret key of the master key on the PC, because that is "your identity". If it gets compromised it is a big problem, while if a subkey is compromised you can simply revoke it and make a new one. That's why there is another signature key: because the master one on my PC has been deleted, and without a second one I couldn't sign anything.

Question 2: I'm not sure, as to export I use Kleopatra (simple GUI), but the secret key is all you need.
After importing the secret key on the new PC you can export the public key, and having access to the secret key you can generate a revocation cert. Anyway, having a separate copy of the revocation cert might be a good idea.

Question 3: move there all keys you plan to use, but keep a backup offline somewhere, because YubiKeys can be maliciously blocked (by guessing the wrong PIN three times), and this forces you to reset the key.

Question 4A: I don't care about Windows logon so I haven't read any documentation, sorry. My reason is that Windows login is useless: it doesn't protect anything, you can boot Linux or move the HDD into another PC and see every file.

Question 4B: no, from what I understand the only thing left on the PC/Kleopatra is a public key stub that says that the private key is on the smart card.
Remember to enable (and lock in enabled mode) the use of the physical YubiKey button before using any key, otherwise a virus might use your keys to decrypt/sign anything while your key is inserted without you noticing. Note that the PIN is useless here, as it can be keylogged by the virus.

Question 4C: copy the public key there (it seems that you can't export/get it from the YubiKey), then from a terminal/cmd write "gpg --card-status". It seems that this command lets gpg understand that the private key side is on the card. After this, in Kleopatra you should see the smart card icon as on the first PC. Also set ultimate trust on your key.

Question 5: follow the same procedure used to import keys on the first YubiKey. You must make a backup before pushing private keys, as they are deleted from the PC when you push them.

Question: This is a lot of questions, but I hope somebody will offer me the minutes of their life to answer me.
Someone helped me with a lot of answers and I think it is correct to do the same ^_^

Also:
"By moving all the keys to the YubiKey ... no full keys on the computer to worry about."
NOT sure about this, as the usual way computers delete files is to mark them as garbage so that they can be overwritten with new files when needed.
shred/sdelete might be a better option. Also, depending on how paranoid (or better, security aware) you are, consider also:
- the defragmentation process might leave copies
- journalled filesystems like NTFS or ext(3 and 4???) might leave copies
- solid state drives/USB can't be securely deleted due to wear leveling
- the page file / swap might have on disk part of the keys that were in RAM
Take a look at the TrueCrypt manual; it has many more things.
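As an added example for this thread (not code from any of the posters, from Yubico, or from the drduh guide), the script below runs the "export before keytocard" steps from the second post and the "second PC" steps from questions 2, 4C and 5 against a throwaway key in isolated keyrings, so it never touches a real ~/.gnupg or a YubiKey. It assumes GnuPG 2.1 or newer on PATH; the user id, directory names and the demo key's empty passphrase are made up for the demo, and since no card is attached, the keytocard and --card-status steps are described in comments rather than executed.

```shell
#!/bin/sh
# Added example for this thread, not code from the posters, Yubico or drduh.
# Walks "backup before keytocard" and "second PC" with a throwaway key in
# isolated keyrings. Assumptions: GnuPG >= 2.1 on PATH; user id, directory
# names and the empty passphrase are made up and only acceptable because the
# key is discarded at the end.
set -eu

# gpg pinned to one keyring directory, batch mode, pinentry bypassed.
g() {
  home=$1; shift
  gpg --homedir "$home" --batch --yes --pinentry-mode loopback --passphrase '' "$@"
}

new_home() {                        # isolated keyring dir with the permissions gpg expects
  mkdir -p "$1"; chmod 700 "$1"
}

# Question 1: primary key (sign+cert) plus encrypt subkey (GnuPG's default),
# then an added auth subkey. Prints the primary fingerprint.
make_demo_key() {                   # $1 = keyring dir
  new_home "$1"
  g "$1" --quick-generate-key 'Backup Demo <demo@example.invalid>' default default never 2>/dev/null
  fpr=$(g "$1" --list-secret-keys --with-colons | awk -F: '$1=="fpr"{print $10; exit}')
  g "$1" --quick-add-key "$fpr" rsa2048 auth never 2>/dev/null
  echo "$fpr"
}

# Questions 2 and 5: the three export files from the second post plus the
# revocation certificate GnuPG >= 2.1 writes at key generation, all taken
# BEFORE any keytocard (keytocard deletes the local secret part).
export_backups() {                  # $1 = keyring dir, $2 = fingerprint, $3 = backup dir
  new_home "$3"
  g "$1" --armor --export-secret-keys    "$2" > "$3/mastersub.key"  # primary + all subkeys
  g "$1" --armor --export-secret-subkeys "$2" > "$3/sub.key"        # subkeys only, primary stubbed
  g "$1" --armor --export                "$2" > "$3/pubkey.txt"     # public key for other PCs
  cp "$1/openpgp-revocs.d/$2.rev" "$3/revoke.asc"                   # lives outside the keyring
}

# Restore a backup into an empty keyring and report what it holds: "full" when
# the primary secret key is present, "stub" when only subkeys are (shown as
# sec# by gpg, the same thing you see after keytocard). In --with-colons
# output field 15 of a sec record is '#' for a stub.
restore_kind() {                    # $1 = empty keyring dir, $2 = key file
  new_home "$1"
  g "$1" --import "$2" 2>/dev/null
  flag=$(g "$1" --list-secret-keys --with-colons | awk -F: '$1=="sec"{print $15; exit}')
  [ "$flag" = '#' ] && echo stub || echo full
}

# Question 4C: the second PC gets only the public key; with the YubiKey
# plugged in, 'gpg --card-status' would then create the sec#/ssb> stubs (not
# run here). Ownertrust is set to ultimate (value 6) without the interactive
# trust menu. Prints the ownertrust letter from field 9 of the pub record.
setup_second_pc() {                 # $1 = empty keyring dir, $2 = pubkey file, $3 = fingerprint
  new_home "$1"
  g "$1" --import "$2" 2>/dev/null
  echo "$3:6:" | g "$1" --import-ownertrust 2>/dev/null
  g "$1" --check-trustdb 2>/dev/null
  g "$1" --list-keys --with-colons "$3" | awk -F: '$1=="pub"{print $9; exit}'
}

# Whole procedure in a temp dir; prints "<mastersub kind> <sub kind> <ownertrust>".
run_demo() {
  work=$(mktemp -d)
  fpr=$(make_demo_key "$work/pc1")
  export_backups "$work/pc1" "$fpr" "$work/backup"
  full=$(restore_kind "$work/restore-full" "$work/backup/mastersub.key")
  sub=$(restore_kind "$work/restore-sub" "$work/backup/sub.key")
  trust=$(setup_second_pc "$work/pc2" "$work/backup/pubkey.txt" "$fpr")
  for d in pc1 restore-full restore-sub pc2; do
    gpgconf --homedir "$work/$d" --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$work"
  echo "$full $sub $trust"
}

case "${1:-}" in run) run_demo ;; esac
```

Run it with `sh backup-demo.sh run`; it prints `full stub u`: restoring `mastersub.key` brings back the primary secret key, restoring `sub.key` gives a keyring where the primary shows as `sec#` (exactly what the poster describes after keytocard, so a subkeys-only export is not a full backup), and the second keyring holds the public key with ultimate ownertrust. The `.rev` file is copied because, as the second post notes, GnuPG keeps it nowhere else.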

