Creating Airgapped keys for Yubikey

Introduction

Before you begin, it would probably be a good idea to have three flash drives and a Yubikey.

1. Your first USB stick will be a Live USB that will boot the airgapped system.
2. The second will store the packages that you will need to install on the newly booted airgapped machine
3. The last USB stick will hold the newly generated master key. It would probably be a good idea to store this stick in a safe
4. Your Yubikey will hold a copy of your generated subkeys for use going forward

Purpose

The goal of this post is to document the process I used to add keys to my Yubikey, please do plenty of research before simply following this guide as best practices may have changed.

Booting up an airgapped machine

In this guide, as in the tutorial this is based on, we will be using an Ubuntu live USB.

When running on an Ubuntu machine, "Startup Disk Creator" can be used to make the live USB if you don't already have one created.

# add-apt-repository universe

# add-apt-repository ppa:yubico/stable

# apt update

# apt-get --download-only install \
    scdaemon yubikey-personalization \
    libccid pcscd rng-tools gnupg2 ykpersonalize

$ mkdir /media/usb/MyPackages
$ cp -a /var/cache/apt/archives/*.deb /media/usb/MyPackages

Installing the packages

Reboot your live system after ensuring the computer is no longer connected to the internet (i.e. unplug any Ethernet cables)

Install the packages copied to the USB earlier:

# dpkg -i /media/usb/MyPackages

Generating keys

First start rngd to ensure computed has plenty of random bits available:

# rngd -r /dev/urandom

The default GPG workspace for GPG is ~/.gnupg. We can set this to something easier to work with by setting $GNUPGHOME.

$ export GNUPGHOME="$HOME/workspace"
$ mkdir $GNUPGHOME

In this guide, we will generate one master key and three subkeys, each with a single responsibility:

• sign-only key
• encryption key
• authentication key

Generating master key

$ gpg2 --full-gen-key

Running this command will open a menu to configure options before creating the new key

• Select key type: Select (4) sign-only
• Choose the larger size (4096 bit.)
• Enter your personal information (name and email)
• Select an expiration date for the key

List public keys:

$ gpg2 --list-keys

List private keys:

$ gpg2 --list-secret-keys

Using the output from the above command, save the key id to a variable for use later, for example:

$ export KEYID=AD2A33A5833064D4065EF6D7AFC3D78A4CB7C59D

Generate a revocation certificate

Since we are going to kept the master key on a USB key in storage, it is a good idea to generate a revocation certificate while we have access to the master key.

$ gpg2 --output $GNUPGHOME/revocation-certificate.txt --gen-revoke $KEYID

Select option (1) "Key has been compromised" and add a comment when asked.

Creating subkeys

$ gpg2 --expert --edit-key $KEYID

$ gpg2 --expert --edit-key $KEYID

$ gpg2 --expert --edit-key $KEYID

$ gpg2 --edit-key $KEYID

Check the keyring

Listing keys should produce output like this now:

$ gpg2 --list-keys
pub   rsa4096 2018-06-23 [SC] [expires: 2023-06-22]
    68207CD9783F93ECBFF9653640D9D08813E47FC4
uid           [ultimate] Paul Schwendenman <schwendenman.paul@example.com>
uid           [ultimate] Paul Schwendenman <paul@example.org>
sub   rsa2048 2018-06-23 [S] [expires: 2023-06-22]
sub   rsa2048 2018-06-23 [E] [expires: 2023-06-22]
sub   rsa2048 2018-06-23 [A] [expires: 2023-06-22]

Export Public key

$ gpg2 -a --export $KEYID > public-key.asc

Copy your public key to a USB for later use, I'd recommend the one we used to store the air gapped packages.

Importing the public key on your machine later:

$ gpg2 --import < public-key.asc

Backing up master key to USB drive

Create a backup copy of your GNUPGHOME before adding subkeys to Yubikey:

$ cp -r $GNUPGHOME{,.bak}

Check connection to your Yubikey

Insert your Yubikey

Ensure that gpg is able to see your smart card:

$ gpg2 --card-status

Also check that the detected serial number matches the one on the key.

If your key is not present, you may need to restart pcscd:

$ sudo service pcscd restart

You may need to disable OTP on your Yubikey, I believe that newer Yubikeys are shipped configured to run all three modes (OTP, U2F and PGP) simultaneously. However, if you have issues perhaps look into enabling CCID or disabling OTP and deleting it from the configured slots using the yubikey-personalization tool.

Setting up your Yubikey

The Yubikey has two PINs. The admin pin is used to manage the user pin, and the user pin is used to manage access to the keys.

Change the admin pin (default: 123456678):

$ gpg --card-edit
gpg/card> admin
Admin commands are allowed
gpg/card> passwd

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 3

And then user pin (default: 123456):

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 1

You can now leave the passwd menu:

PIN changed.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? Q

Be sure to write both pins down to be stored with the USB with your backed-up GPG key, since the pin can't be used to open the backed up GPG key, it is fine to store them together. Otherwise you'll have to repeat the moving key steps after resetting the Yubikey if you ever forgot the pins.

After changing both pins, change the other registration fields: "Name", "Login", "URL", etc. After changing the desired values, you can exit with quit.

For example, changing the name:

gpg/card> name
Cardholder's surname: Schwendenman
Cardholder's given name: Paul

To list fields and check your settings use the list command:

gpg/card> list

Manufacturer .....: Yubico
Name of cardholder: Paul Schwendenman
Language prefs ...: en
URL of public key : https://whatsdoom.com/40D9D08813E47FC4.txt
Login data .......: paul

If you have a keybase account you can use it to host public keys, for example:

https://keybase.io/whatsdoom/key.asc

Obviously, you would have to add the newly created key to keybase using you public after you restart to your normal system at the end.

Enabling touch-only mode

If you have a Yubikey 4 (rather than a Neo), you can enable "touch-only" mode which requires a touch to return the result of crytographic operations.

Information can be found on Yubico's site.

Moving subkeys to Yubikey

Note moving keys is destructive ensure you have backed up the keys before proceeding.

Carefully add each key to the correct spot, the sequence should look something like:

$ gpg2 --edit-key $KEYID
> key 1
> keytocard
> 1
> key 1
> key 2
> keytocard
> 2
> key 2
> key 3
> keytocard
> 3
> save

Check that you have successfully moved you keys:

$ gpg2 --card-status

You should now see the key information in the output.

Next steps

You are now ready to use the Yubikey on you normal machine. Ensure that you have copied the backup directory (${GNUPGHOME}.bak) to your flash drive. After you have double checked that the backup directory was safely copied, you can restart you live system and boot the normal system.

On your normal machine, install the following packages to use your Yubikey:

sudo apt-get -y install scdaemon libccid gnupg2 pcsc-tools

Remember to use your yubikey, you'll need to import the public key in to the keyring.

$ gpg2 --import < public-key.asc

You can now use your key to sign git commits, send encrypted messages and ssh into remote machines!

Sources

• Configuring Yubikey for gpg and u2f
• Installing packages on Airgapped system
• GPG with Yubikey
• Adding additional email addresses to key
• Managing GPG keys across multiple systems
• PGP and SSH keys on Yubikey NEO