wiki:gpgOnYubiKey4

Version 3 (modified by jorrit, 7 years ago)

Prepare YubiKey with GPG and SSH keys

This article is largely based on Eric Severance's blog entry, but updated for gpg2 and my own requirements.

Create the .gnupg directory and set restrictive (owner-only) permissions:

mkdir ~/.gnupg
chmod 700 ~/.gnupg

Avoid a key generation error by creating the private-key directory in advance:

mkdir -p ~/.gnupg/private-keys-v1.d
chmod 700 ~/.gnupg/private-keys-v1.d

Set GnuPG to prefer strong hash and encryption algorithms:

echo "cert-digest-algo SHA512" >> ~/.gnupg/gpg.conf
echo "default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed" >> ~/.gnupg/gpg.conf

Install pinentry-tty and modify gpg-agent.conf to get rid of the annoying GNOME Shell password prompt.

Create ~/.gnupg/gpg-agent.conf with the following content:

pinentry-program /usr/bin/pinentry-tty

Generate key

gpg2 --full-gen-key --expert
gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keybox '/home/jorrit/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
Your selection? 8

Possible actions for a RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Sign Certify Encrypt 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Certify Encrypt 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Certify 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 3072
Requested keysize is 3072 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at di 24 jul 2018 22:49:09 CEST
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Jorrit Jorritsma
Email address: jsj@xs4all.nl
Comment: 
You selected this USER-ID:
    "Jorrit Jorritsma <jsj@xs4all.nl>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Please enter the passphrase to
protect your new key
Passphrase: 
Repeat: 
gpg: /home/jorrit/.gnupg/trustdb.gpg: trustdb created
gpg: key C2D3C98C511F9CF8 marked as ultimately trusted
gpg: revocation certificate stored as '/home/jorrit/.gnupg/openpgp-revocs.d/94D49EC738E0D9519BCDE7D9C2D3C98C511F9CF8.rev'
public and secret key created and signed.

pub   rsa3072 2017-07-24 [C] [expires: 2018-07-24]
      94D49EC738E0D9519BCDE7D9C2D3C98C511F9CF8
uid                      Jorrit Jorritsma <jsj@xs4all.nl>
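The preparation steps above (directory permissions, gpg.conf preferences, gpg-agent.conf) and the certify-only primary key created in the --expert session, as an added POSIX sh example that is not part of the original wiki page. It re-runs safely: the page appends to gpg.conf with ">>", which duplicates the lines on a second run, whereas this version adds a line only if it is not already present, and it refuses a home directory whose permissions are wider than 0700. The function names (setup_gnupg_home, check_gnupg_perms, gen_certify_key) are this example's own; the "cert" usage keyword for gpg2 --quick-gen-key is taken from the GnuPG manual and is an assumption here, so that function is not exercised by the stand-alone checks since it needs gpg2, a pinentry and a passphrase.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: idempotent version of
# the preparation steps, plus a permission check and the non-interactive
# equivalent of the --expert key generation session.
#
# The page appends to gpg.conf with ">>", so re-running the steps duplicates
# lines; append_once adds a line only when it is not already present.

# Create a directory if missing and force owner-only access (mode 0700).
make_private_dir() {
    mkdir -p "$1" && chmod 700 "$1"
}

# Append a line to a file unless an identical line is already in it.
append_once() {
    _file=$1
    _line=$2
    [ -f "$_file" ] || : > "$_file"
    grep -qxF -- "$_line" "$_file" || printf '%s\n' "$_line" >> "$_file"
}

# Apply the page's configuration to the given GnuPG home directory.
setup_gnupg_home() {
    _home=$1
    make_private_dir "$_home"
    # Pre-creating private-keys-v1.d avoids the key generation error the
    # page mentions.
    make_private_dir "$_home/private-keys-v1.d"
    append_once "$_home/gpg.conf" "cert-digest-algo SHA512"
    append_once "$_home/gpg.conf" \
        "default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed"
    # Same pinentry path as the page; adjust if your distribution differs.
    append_once "$_home/gpg-agent.conf" "pinentry-program /usr/bin/pinentry-tty"
    chmod 600 "$_home/gpg.conf" "$_home/gpg-agent.conf"
}

# Print the octal permission bits of a path (GNU stat first, BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 1 if the home or the private key store is accessible by anyone
# but the owner; gpg itself only prints a warning in that case.
check_gnupg_perms() {
    _status=0
    for _path in "$1" "$1/private-keys-v1.d"; do
        if [ "$(mode_of "$_path")" != "700" ]; then
            echo "insecure permissions on $_path" >&2
            _status=1
        fi
    done
    return $_status
}

# Count occurrences of an exact line in a file (shows setup is idempotent).
count_line() {
    grep -cxF -- "$2" "$1"
}

# Non-interactive equivalent of the --expert session on the page: RSA 3072,
# primary key with only the Certify capability, expiring in one year.
# Assumption: the "cert" usage keyword for --quick-gen-key is taken from the
# GnuPG manual. Not run by the checks below; it needs gpg2, a pinentry and
# a passphrase entered through the agent.
gen_certify_key() {
    _home=$1
    _uid=$2    # e.g. "Jorrit Jorritsma <jsj@xs4all.nl>"
    GNUPGHOME=$_home gpg2 --quick-gen-key "$_uid" rsa3072 cert 1y
}

# Usage: sh prepare-gnupg.sh setup [gnupg-home]   (defaults to ~/.gnupg)
case "${1:-}" in
    setup)
        _target=${2:-${GNUPGHOME:-$HOME/.gnupg}}
        setup_gnupg_home "$_target" && check_gnupg_perms "$_target" \
            && echo "GnuPG home $_target prepared"
        ;;
esac
```

Point the script at a scratch directory first (sh prepare-gnupg.sh setup /tmp/gnupg-test) and inspect the resulting files; once the subkeys are later moved to the YubiKey, the same check_gnupg_perms function is a cheap sanity check to keep in a login script, because a group- or world-readable private-keys-v1.d is exactly the directory the offline primary key lives in.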