wiki:gpgOnYubiKey4

prepare Yubikey with GPG and SSH keys

This article is largely based on Eric Severance's blog entry, but updated for gpg2 and my own requirements.

Create .gnupg dir and set correct privileges:

mkdir ~/.gnupg
chmod 700 ~/.gnupg

Avoid an key generation error by:

mkdir -p ~/.gnupg/private-keys-v1.d
chmod 700 ~/.gnupg/private-keys-v1.d

Set GnuPG to prefer strong hash and encryption algorithms

echo "cert-digest-algo SHA512" >> ~/.gnupg/gpg.conf
echo "default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed" >> ~/.gnupg/gpg.conf

Install pinentry-tty and modify gpg-agent.conf to get rid of annoying Gnome Shell password prompt.

Disable annoying Gnome Shell password pop-up for gpg

echo "pinentry-program /usr/bin/pinentry-tty" >> ~/.gnupg/gpg-agent.conf

Generate key

gpg2 --full-gen-key --expert
gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keybox '/home/jorrit/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
Your selection? 8

Possible actions for a RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Sign Certify Encrypt 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Certify Encrypt 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Certify 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 3072
Requested keysize is 3072 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Jorrit Jorritsma
Email address: jsj@xs4all.nl
Comment: 
You selected this USER-ID:
    "Jorrit Jorritsma <jsj@xs4all.nl>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Please enter the passphrase to
protect your new key
Passphrase: 
Repeat: 
gpg: /home/jorrit/.gnupg/trustdb.gpg: trustdb created
gpg: key C2D3C98C511F9CF8 marked as ultimately trusted
gpg: revocation certificate stored as '/home/jorrit/.gnupg/openpgp-revocs.d/94D49EC738E0D9519BCDE7D9C2D3C98C511F9CF8.rev'
public and secret key created and signed.

pub   rsa3072 2017-07-24 [C] [expires: 2018-07-24]
      94D49EC738E0D9519BCDE7D9C2D3C98C511F9CF8
uid                      Jorrit Jorritsma <jsj@xs4all.nl>

Generating the encryption subkey

The next step is to create an encryption subkey. I chose to generate the encryption key using GnuPG, rather than with the Yubikey because private keys that are generated on the Yubikey cannot be removed from the Yubikey. This has a benefit that the private key is never physically on the computer, but it also has the disadvantage that access to all encrypted data is lost if the Yubikey is ever stolen or lost or a new key is generated.

gpg2 --edit-key 94D49EC738E0D9519BCDE7D9C2D3C98C511F9CF8
gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa3072/C2D3C98C511F9CF8
     created: 2017-07-24  expires: 2018-07-24  usage: C   
     trust: ultimate      validity: ultimate
[ultimate] (1). Jorrit Jorritsma <jsj@xs4all.nl>

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at di 24 jul 2018 23:15:08 CEST
Is this correct? (y/N) y
Really create? (y/N) y
Please enter the passphrase to unlock the OpenPGP secret key:
"Jorrit Jorritsma <jsj@xs4all.nl>"
3072-bit RSA key, ID C2D3C98C511F9CF8,
created 2017-07-24.

Passphrase: 
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa3072/C2D3C98C511F9CF8
     created: 2017-07-24  expires: 2018-07-24  usage: C   
     trust: ultimate      validity: ultimate
ssb  rsa2048/ED815E1D36A718D2
     created: 2017-07-24  expires: 2018-07-24  usage: E   
[ultimate] (1). Jorrit Jorritsma <jsj@xs4all.nl>

gpg> save

Make a backup of private master keys

mkdir /tmp/gpg
gpg2 -a --export-secret-key 94D49EC738E0D9519BCDE7D9C2D3C98C511F9CF8 > /tmp/gpg/jsj.asc

Make QR codes out of them, as the information is too big to put in one QR code I've decided to generate a QR code per 10 lines and combined in a pdf.

cd /tmp/gpg
split -l 10 jsj.asc
for i in xa*; do cat $i | qrencode -s 10 -t png -o $i.png ; done
convert xa*.png jsj@xs4all.nl.pdf

Print this doc and store it somewhere secure. Recovery can be done with the zbar tools, I zbarcam seems to work best.

Generate the signing and authentication subkeys

The subkeys for signing and authentication will be unique for each Yubikey. This allows the subkeys to be generated directly on the Yubikey, where the private key cannot be accessed from the computer.

Before using GnuPG with the Yubikey, download the ykpersonalize tool and make sure the eject flag is set to 82 for OTP and CCID compatibility.

sudo add-apt-repository ppa:yubico/stable
sudo apt-get update
sudo apt-get install yubikey-personalization yubikey-personalization-gui
sudo ykpersonalize -m82
Firmware version 4.3.5 Touch level 517 Program sequence 1

The USB mode will be set to: 0x82

Commit? (y/n) [n]: y

Create signing and authentication subkeys opn yubikey

install the required dependencies first

apt-get install scdaemon pcscd
gpg2 --edit-key BCA15A0BB95DC50BD20DF30E0ABF3A02F7869441
gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa3072/0ABF3A02F7869441
     created: 2017-07-28  expires: never       usage: C   
     trust: ultimate      validity: ultimate
ssb  rsa2048/DA2E2FE728D32A1C
     created: 2017-07-28  expires: 2018-07-28  usage: E   
[ultimate] (1). Bersih NL Administration <contact@bersih.nl>

gpg> addcardkey
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

Please select the type of key to generate:
   (1) Signature key
   (2) Encryption key
   (3) Authentication key
Your selection? 1
Please enter the PIN
PIN: 
What keysize do you want for the Signature key? (2048) 
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at zo 29 jul 2018 00:17:37 CEST
Is this correct? (y/N) y
Really create? (y/N) y
Please enter the Admin PIN
Admin PIN: 
Please enter the passphrase to unlock the OpenPGP secret key:
"Bersih NL Administration <contact@bersih.nl>"
3072-bit RSA key, ID 0ABF3A02F7869441,
created 2017-07-28.

Passphrase: 

sec  rsa3072/0ABF3A02F7869441
     created: 2017-07-28  expires: never       usage: C   
     trust: ultimate      validity: ultimate
ssb  rsa2048/DA2E2FE728D32A1C
     created: 2017-07-28  expires: 2018-07-28  usage: E   
ssb  rsa2048/A3DF39D25C12B3CE
     created: 2017-07-28  expires: 2018-07-28  usage: S   
     card-no: 0006 05668664
[ultimate] (1). Bersih NL Administration <contact@bersih.nl>

gpg> addcardkey
Signature key ....: 39C2 822E 41A1 2320 4388  6492 A3DF 39D2 5C12 B3CE
Encryption key....: [none]
Authentication key: [none]

Please select the type of key to generate:
   (1) Signature key
   (2) Encryption key
   (3) Authentication key
Your selection? 3
What keysize do you want for the Authentication key? (2048) 
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at zo 29 jul 2018 00:24:03 CEST
Is this correct? (y/N) y
Really create? (y/N) y

sec  rsa3072/0ABF3A02F7869441
     created: 2017-07-28  expires: never       usage: C   
     trust: ultimate      validity: ultimate
ssb  rsa2048/DA2E2FE728D32A1C
     created: 2017-07-28  expires: 2018-07-28  usage: E   
ssb  rsa2048/A3DF39D25C12B3CE
     created: 2017-07-28  expires: 2018-07-28  usage: S   
     card-no: 0006 05668664
ssb  rsa2048/197D4148DB406665
     created: 2017-07-28  expires: 2018-07-28  usage: A   
     card-no: 0006 05668664
[ultimate] (1). Bersih NL Administration <contact@bersih.nl>

gpg> toggle

sec  rsa3072/0ABF3A02F7869441
     created: 2017-07-28  expires: never       usage: C   
     trust: ultimate      validity: ultimate
ssb  rsa2048/DA2E2FE728D32A1C
     created: 2017-07-28  expires: 2018-07-28  usage: E   
ssb  rsa2048/A3DF39D25C12B3CE
     created: 2017-07-28  expires: 2018-07-28  usage: S   
     card-no: 0006 05668664
ssb  rsa2048/197D4148DB406665
     created: 2017-07-28  expires: 2018-07-28  usage: A   
     card-no: 0006 05668664
[ultimate] (1). Bersih NL Administration <contact@bersih.nl>

gpg> key 1

sec  rsa3072/0ABF3A02F7869441
     created: 2017-07-28  expires: never       usage: C   
     trust: ultimate      validity: ultimate
ssb* rsa2048/DA2E2FE728D32A1C
     created: 2017-07-28  expires: 2018-07-28  usage: E   
ssb  rsa2048/A3DF39D25C12B3CE
     created: 2017-07-28  expires: 2018-07-28  usage: S   
     card-no: 0006 05668664
ssb  rsa2048/197D4148DB406665
     created: 2017-07-28  expires: 2018-07-28  usage: A   
     card-no: 0006 05668664
[ultimate] (1). Bersih NL Administration <contact@bersih.nl>

gpg> keytocard
Please select where to store the key:
   (2) Encryption key
Your selection? 2
Please enter your passphrase, so that the secret key can be unlocked for this session
Passphrase: 
gpg: KEYTOCARD failed: No passphrase given

gpg> keytocard
Please select where to store the key:
   (2) Encryption key
Your selection? 2
Please enter your passphrase, so that the secret key can be unlocked for this session
Passphrase: 

sec  rsa3072/0ABF3A02F7869441
     created: 2017-07-28  expires: never       usage: C   
     trust: ultimate      validity: ultimate
ssb* rsa2048/DA2E2FE728D32A1C
     created: 2017-07-28  expires: 2018-07-28  usage: E   
ssb  rsa2048/A3DF39D25C12B3CE
     created: 2017-07-28  expires: 2018-07-28  usage: S   
     card-no: 0006 05668664
ssb  rsa2048/197D4148DB406665
     created: 2017-07-28  expires: 2018-07-28  usage: A   
     card-no: 0006 05668664
[ultimate] (1). Bersih NL Administration <contact@bersih.nl>

gpg> save

Distribute the public key

gpg2 --keyserver pgp.mit.edu --send-keys BCA15A0BB95DC50BD20DF30E0ABF3A02F7869441
gpg2 --card-edit

Reader ...........: Yubico Yubikey 4 OTP CCID 00 00
Application ID ...: D2760001240102010006056686640000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 05668664
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 1
Signature key ....: 39C2 822E 41A1 2320 4388  6492 A3DF 39D2 5C12 B3CE
      created ....: 2017-07-28 22:17:34
Encryption key....: 0494 8517 84D9 391A 9774  04F0 DA2E 2FE7 28D3 2A1C
      created ....: 2017-07-28 21:27:23
Authentication key: 62B4 B5DA E381 CDFB B382  9005 197D 4148 DB40 6665
      created ....: 2017-07-28 22:23:40
General key info..: sub  rsa2048/A3DF39D25C12B3CE 2017-07-28 Bersih NL Administration <contact@bersih.nl>
sec   rsa3072/0ABF3A02F7869441  created: 2017-07-28  expires: never     
ssb>  rsa2048/DA2E2FE728D32A1C  created: 2017-07-28  expires: 2018-07-28
                                card-no: 0006 05668664
ssb>  rsa2048/A3DF39D25C12B3CE  created: 2017-07-28  expires: 2018-07-28
                                card-no: 0006 05668664
ssb>  rsa2048/197D4148DB406665  created: 2017-07-28  expires: 2018-07-28
                                card-no: 0006 05668664

gpg/card> admin
Admin commands are allowed

gpg/card> passwd
gpg: OpenPGP card no. D2760001240102010006056686640000 detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 1
Please enter the PIN
PIN:                 # default is "123456"
New PIN
PIN: 
Repeat this PIN
PIN: 
PIN changed.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 3
Please enter the Admin PIN
Admin PIN:                 # default is "12345678"
New Admin PIN
Admin PIN: 
Repeat this PIN
Admin PIN: 
PIN changed.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? q

gpg/card> forcesig
Please enter the Admin PIN
Admin PIN: 
Last modified 7 years ago Last modified on 07/29/17 00:43:29