I started out making a bootable Ubuntu USB drive with the intention of generating the master key on there while offline, putting the subkeys on the Yubikey, and only importing the public key of the master onto the laptops I would use for day-to-day sign/decrypt. This way the master secret key is never on an internet connected machine. This approach is described in more detail here.
I basically gave up on trying to make the YubiKey talk to GPG correctly on Linux and used a Mac (you can read the whole saga after this). So I followed Trammel's excellent instructions with the following modifications:
- Disconnect from the network.
- Follow Trammel's instructions. If you have the Yubikey 4 you can use 4096 bit keys. ykpersonalize didn't work ("no yubikey present"), so I had to install the Yubikey NEO Manager, which for some reason requires a reboot.
- Using the GUI export the key a second time into a file that is just the public key.
- Copy pub/private exported key and revocation cert onto USB key.
- Use "srm -sz" to remove the exported secret key and revocation cert, leaving only the exported public key. Caveat: on an SSD or a journaled filesystem an in-place overwrite is not guaranteed to destroy the old blocks, so treat the machine you generated on as one whose disk you are prepared to wipe (or do the generation from a live system in RAM).
- Delete the key (public and secret) from the GPG keychain using the GUI. The only copy of the master secret key is now on the USB.
- Import the public key using the GUI.
"gpg --card-status" should now show "sec#" for the master key, as described here, to indicate the master secret key isn't present (only the stub is). Now your key is ready to use. I seem to be having similar problems as described here:
I'll update this post when I know more.
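The "sec#" state that the steps above end in can be reproduced without a YubiKey, which is a useful way to check you understand what the card setup leaves behind on the laptop. The following script is an added example, not code from the original post or from Trammel's HOWTO: it generates a certify-only master with one signing subkey in a throwaway "offline" GNUPGHOME, exports the public key and the secret subkeys only (which writes a stub for the master, the same thing keytocard leaves behind), imports both into a second "laptop" GNUPGHOME, and then checks that the master shows as "sec#" while the subkey can still sign. The identity, directory names and 2048-bit sizes are made up for the demo (the real setup uses 4096-bit keys and sign/encrypt/auth subkeys); it needs a gpg or gpg2 binary and skips cleanly if neither is installed.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the "sec#" stub state
# of an offline master key without a YubiKey. Only assumption beyond the post:
# a gpg/gpg2 binary is on PATH (the demo skips if not).
set -eu

GPG=""
for c in gpg2 gpg; do
  if command -v "$c" >/dev/null 2>&1; then GPG="$c"; break; fi
done

# Batch parameters: RSA certify-only master plus one RSA signing subkey.
# Identity and sizes are constructed for the demo; 2048 keeps it fast.
gen_params() {
  cat <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: cert
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: sign
Name-Real: Offline Master Demo
Name-Email: demo@example.invalid
Expire-Date: 0
%commit
EOF
}

# Prints the "laptop" keyring's secret-key listing. Returns 0 when the master
# is a stub (sec#) and the signing subkey still produces a verifiable signature.
stub_keyring_demo() {
  if [ -z "$GPG" ]; then
    echo "skip: gpg not installed"
    return 0
  fi
  work=$(mktemp -d /tmp/gpgdemo.XXXXXX)
  offline="$work/offline"; laptop="$work/laptop"
  mkdir -m 700 "$offline" "$laptop"
  gen_params > "$work/params"

  # 1. "Offline" machine: generate master + subkey, export the public key and
  #    the secret SUBKEYS only. --export-secret-subkeys writes a stub in place
  #    of the master's secret material.
  GNUPGHOME="$offline" "$GPG" --batch --quiet --gen-key "$work/params" 2>/dev/null
  fpr=$(GNUPGHOME="$offline" "$GPG" --batch --with-colons --with-fingerprint --list-secret-keys \
        | awk -F: '$1=="fpr"{print $10; exit}')
  GNUPGHOME="$offline" "$GPG" --batch --export "$fpr" > "$work/public.gpg"
  GNUPGHOME="$offline" "$GPG" --batch --export-secret-subkeys "$fpr" > "$work/subkeys.gpg"

  # 2. "Laptop": import only the public key and the subkey export.
  GNUPGHOME="$laptop" "$GPG" --batch --quiet --import "$work/public.gpg" "$work/subkeys.gpg" 2>/dev/null
  listing=$(GNUPGHOME="$laptop" "$GPG" --batch --list-secret-keys 2>/dev/null)
  echo "$listing"

  # 3. Day-to-day use still works: sign with the subkey and verify it.
  echo "hello" > "$work/msg"
  GNUPGHOME="$laptop" "$GPG" --batch --quiet --yes --detach-sign \
      --output "$work/msg.sig" "$work/msg" 2>/dev/null
  GNUPGHOME="$laptop" "$GPG" --batch --quiet --verify "$work/msg.sig" "$work/msg" 2>/dev/null

  # Clean up agents (gpg 2.x) and the throwaway keyrings.
  GNUPGHOME="$offline" gpgconf --kill gpg-agent 2>/dev/null || true
  GNUPGHOME="$laptop" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"

  # The master line must read "sec#": secret material absent, stub present.
  echo "$listing" | grep -q 'sec#'
}

stub_keyring_demo || { echo "unexpected keyring state: master is not a stub" >&2; exit 1; }
```

On a real setup the subkeys end up on the card rather than in subkeys.gpg, so the subkey lines read "ssb>" instead of "ssb"; the "sec#" on the master line is the same in both cases, and it is the line to check after importing the public key on each laptop.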
The Linux GPG2 and Yubikey saga
Installing gpg2 (required for Yubikey "card" support) turned out to be really painful. Ubuntu ships with gpg 1.4, so I ended up downloading a ton of packages off the gpg ftp server, verifying the signature of each one and doing the configure, make, make install dance. It took ages. Update: I didn't think to look for a gpg2 package, turns out there is one (gnupg2), so this was a big waste of time :)
Then I still had to download and install the Yubico tools for interacting with the card. I got ykpersonalize installed, but all the tool ever gave me was this error:

    Yubikey core error: no yubikey present

This bug pointed me to the Yubikey NEO manager, which has a PPA! Hooray! Except I couldn't get it to work on trusty, my errors are below. However, I just re-tried in a clean trusty docker container and it seemed to succeed, so I'm not going to file a bug:

    ubuntu@ubuntu:~$ sudo apt-get install yubikey-neo-manager
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    Some packages could not be installed. This may mean that you have
    requested an impossible situation or if you are using the unstable
    distribution that some required packages have not yet been created
    or been moved out of Incoming.
    The following information may help to resolve the situation:

    The following packages have unmet dependencies:
     yubikey-neo-manager : Depends: libu2f-host0 (>= 0.0) but it is not going to be installed
                           Depends: python-pyside.qtwebkit but it is not installable
                           Recommends: pcscd but it is not installable
    E: Unable to correct problems, you have held broken packages.
    ubuntu@ubuntu:~$ sudo apt-get install python-pyside.qtwebkit
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    Package python-pyside.qtwebkit is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or
    is only available from another source

So at this point I gave up on Linux and used a Mac, which was waaay easier.
Once I had the keys on the card, to use them on Linux I had to do this dance to stop gnome-keyring from ruining everything. On trusty if you use gpg2 you get this error:

    $ gpg2 --card-status
    gpg: OpenPGP card not available: No SmartCard daemon

but gpg 1.4 works fine. This appears to be caused by differences in how gpg 1 and 2 are packaged: gpg 1.4 talks to the card itself, whereas gpg2 hands card access to a separate scdaemon process, and on Debian/Ubuntu scdaemon is its own package ("apt-get install scdaemon", plus pcscd for the reader) rather than part of gnupg2. "gpgconf --list-components" will tell you whether your gpg2 can see an scdaemon at all.
Links to other HOWTOs
Here's a big pile of useful links:
- Yubico Yubikey 4: PGP, U2F and other things
- PGP and SSH keys on a Yubikey NEO
- Yubico on importing keys generated off-device
- Yubikey NEO and PGP
- Why master key expiry is pointless
- Trammel's OS X HOWTO
- Offline GnuPG Master Key and Subkeys on YubiKey NEO Smartcard
- Yubikey NEO and GPG
- Using GPG with smart cards