Add encrypted USB backup instructions, grammar fixes
This commit is contained in:
parent
e86af76264
commit
1c16d968e9
133
README.md
133
README.md
|
@ -8,7 +8,7 @@ Instructions written on Debian GNU/Linux 8 (jessie) using YubiKey 4 in OTP+CCID
|
||||||
|
|
||||||
Debian live install images are available from [here](https://www.debian.org/CD/live/) and are suitable for writing to USB keys.
|
Debian live install images are available from [here](https://www.debian.org/CD/live/) and are suitable for writing to USB keys.
|
||||||
|
|
||||||
If you have a comment or suggestion, please open an issue on GitHub.
|
If you have a comment or suggestion, please open an [issue](https://github.com/drduh/YubiKey-Guide/issues) on GitHub.
|
||||||
|
|
||||||
- [Purchase YubiKey](#purchase-yubikey)
|
- [Purchase YubiKey](#purchase-yubikey)
|
||||||
- [Install required software](#install-required-software)
|
- [Install required software](#install-required-software)
|
||||||
|
@ -59,7 +59,7 @@ https://www.yubico.com/store/
|
||||||
|
|
||||||
https://www.amazon.com/Yubico/b/ref=bl_dp_s_web_10358012011?ie=UTF8&node=10358012011
|
https://www.amazon.com/Yubico/b/ref=bl_dp_s_web_10358012011?ie=UTF8&node=10358012011
|
||||||
|
|
||||||
Consider purchasing a pair and programming both in case of loss or damage.
|
Consider purchasing a pair and programming both in case of loss or damage to oneof them.
|
||||||
|
|
||||||
# Install required software
|
# Install required software
|
||||||
|
|
||||||
|
@ -94,9 +94,6 @@ Consider purchasing a pair and programming both in case of loss or damage.
|
||||||
## Create master key
|
## Create master key
|
||||||
|
|
||||||
$ gpg --gen-key
|
$ gpg --gen-key
|
||||||
gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
|
|
||||||
This is free software: you are free to change and redistribute it.
|
|
||||||
There is NO WARRANTY, to the extent permitted by law.
|
|
||||||
|
|
||||||
Please select what kind of key you want:
|
Please select what kind of key you want:
|
||||||
(1) RSA and RSA (default)
|
(1) RSA and RSA (default)
|
||||||
|
@ -191,10 +188,6 @@ Consider purchasing a pair and programming both in case of loss or damage.
|
||||||
|
|
||||||
$ gpg --expert --edit-key 0x47FE984F98EE7407
|
$ gpg --expert --edit-key 0x47FE984F98EE7407
|
||||||
|
|
||||||
gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
|
|
||||||
This is free software: you are free to change and redistribute it.
|
|
||||||
There is NO WARRANTY, to the extent permitted by law.
|
|
||||||
|
|
||||||
Secret key is available.
|
Secret key is available.
|
||||||
|
|
||||||
pub 4096R/0x47FE984F98EE7407 created: 2016-01-30 expires: never usage: SC
|
pub 4096R/0x47FE984F98EE7407 created: 2016-01-30 expires: never usage: SC
|
||||||
|
@ -404,9 +397,108 @@ Consider purchasing a pair and programming both in case of loss or damage.
|
||||||
|
|
||||||
## Back up everything
|
## Back up everything
|
||||||
|
|
||||||
Once keys are moved to hardware, they cannot be extracted again (otherwise, what would be the point?), so make sure you have made a backup before proceeding.
|
Once keys are moved to hardware, they cannot be extracted again (otherwise, what would be the point?), so make sure you have made an *encrypted* backup before proceeding.
|
||||||
|
|
||||||
$ cp -avi $GNUPGHOME /mnt/offline-encrypted-usb/backup/
|
To use a USB drive, attach it and check its label:
|
||||||
|
|
||||||
|
$ dmesg | tail
|
||||||
|
[ 7667.607011] scsi8 : usb-storage 2-1:1.0
|
||||||
|
[ 7667.608766] usbcore: registered new interface driver usb-storage
|
||||||
|
[ 7668.874016] scsi 8:0:0:0: USB 0: 0 ANSI: 6
|
||||||
|
[ 7668.874242] sd 8:0:0:0: Attached scsi generic sg4 type 0
|
||||||
|
[ 7668.874682] sd 8:0:0:0: [sde] 62980096 512-byte logical blocks: (32.2 GB/30.0 GiB)
|
||||||
|
[ 7668.875022] sd 8:0:0:0: [sde] Write Protect is off
|
||||||
|
[ 7668.875023] sd 8:0:0:0: [sde] Mode Sense: 43 00 00 00
|
||||||
|
[ 7668.877939] sde: sde1
|
||||||
|
[ 7668.879514] sd 8:0:0:0: [sde] Attached SCSI removable disk
|
||||||
|
|
||||||
|
Check the size to make sure it's the right drive:
|
||||||
|
|
||||||
|
$ sudo fdisk -l | grep /dev/sde
|
||||||
|
Disk /dev/sde: 30 GiB, 32245809152 bytes, 62980096 sectors
|
||||||
|
/dev/sde1 2048 62980095 62978048 30G 6 FAT16
|
||||||
|
|
||||||
|
Erase and create a new partition table:
|
||||||
|
|
||||||
|
$ sudo fdisk /dev/sde
|
||||||
|
|
||||||
|
Welcome to fdisk (util-linux 2.25.2).
|
||||||
|
Changes will remain in memory only, until you decide to write them.
|
||||||
|
Be careful before using the write command.
|
||||||
|
|
||||||
|
Command (m for help): o
|
||||||
|
Created a new DOS disklabel with disk identifier 0xeac7ee35.
|
||||||
|
|
||||||
|
Command (m for help): w
|
||||||
|
The partition table has been altered.
|
||||||
|
Calling ioctl() to re-read partition table.
|
||||||
|
Syncing disks.
|
||||||
|
|
||||||
|
Remove and reinsert the USB drive, then create a new partition:
|
||||||
|
|
||||||
|
$ sudo fdisk /dev/sde
|
||||||
|
|
||||||
|
Welcome to fdisk (util-linux 2.25.2).
|
||||||
|
Changes will remain in memory only, until you decide to write them.
|
||||||
|
Be careful before using the write command.
|
||||||
|
|
||||||
|
Command (m for help): n
|
||||||
|
Partition type
|
||||||
|
p primary (0 primary, 0 extended, 4 free)
|
||||||
|
e extended (container for logical partitions)
|
||||||
|
Select (default p): p
|
||||||
|
Partition number (1-4, default 1): 1
|
||||||
|
First sector (2048-62980095, default 2048):
|
||||||
|
Last sector, +sectors or +size{K,M,G,T,P} (2048-62980095, default 62980095):
|
||||||
|
|
||||||
|
Created a new partition 1 of type 'Linux' and of size 30 GiB.
|
||||||
|
Command (m for help): w
|
||||||
|
The partition table has been altered.
|
||||||
|
Calling ioctl() to re-read partition table.
|
||||||
|
Syncing disks.
|
||||||
|
|
||||||
|
Use LUKS to encrypt the new partition:
|
||||||
|
|
||||||
|
$ sudo cryptsetup luksFormat /dev/sde1
|
||||||
|
|
||||||
|
WARNING!
|
||||||
|
========
|
||||||
|
This will overwrite data on /dev/sde1 irrevocably.
|
||||||
|
|
||||||
|
Are you sure? (Type uppercase yes): YES
|
||||||
|
Enter passphrase:
|
||||||
|
Verify passphrase:
|
||||||
|
|
||||||
|
Mount the partition and create a filesystem:
|
||||||
|
|
||||||
|
$ sudo cryptsetup luksOpen /dev/sde1 encrypted-usb
|
||||||
|
Enter passphrase for /dev/sde1:
|
||||||
|
|
||||||
|
$ sudo mkfs.ext4 /dev/mapper/encrypted-usb -L encrypted-usb
|
||||||
|
mke2fs 1.42.12 (29-Aug-2014)
|
||||||
|
Creating filesystem with 7871744 4k blocks and 1970416 inodes
|
||||||
|
Superblock backups stored on blocks:
|
||||||
|
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
|
||||||
|
4096000
|
||||||
|
|
||||||
|
Allocating group tables: done
|
||||||
|
Writing inode tables: done
|
||||||
|
Creating journal (32768 blocks): done
|
||||||
|
Writing superblocks and filesystem accounting information: done
|
||||||
|
|
||||||
|
Mount the filesystem:
|
||||||
|
|
||||||
|
$ sudo mkdir /mnt/usb
|
||||||
|
$ sudo mount /dev/mapper/encrypted-usb /mnt/usb
|
||||||
|
|
||||||
|
Finally, copy files to it:
|
||||||
|
|
||||||
|
$ sudo cp -avi $GNUPGHOME /mnt/usb
|
||||||
|
|
||||||
|
Make sure the files were copied, then disconnected the USB drive:
|
||||||
|
|
||||||
|
$ sudo umount /mnt/usb
|
||||||
|
$ sudo cryptsetup luksClose encrypted-usb
|
||||||
|
|
||||||
## Configure YubiKey
|
## Configure YubiKey
|
||||||
|
|
||||||
|
@ -417,7 +509,7 @@ Once keys are moved to hardware, they cannot be extracted again (otherwise, what
|
||||||
|
|
||||||
Commit? (y/n) [n]: y
|
Commit? (y/n) [n]: y
|
||||||
|
|
||||||
>The -m option is the mode command. To see the different modes, enter ykpersonalize –help. Mode 82 (in hex) enables the YubiKey NEO as a composite USB device (HID + CCID) and allows OTPs to be emitted while in use as a smart card. Once you have changed the mode, you need to re-boot the YubiKey – so remove and re-insert it.
|
> The -m option is the mode command. To see the different modes, enter ykpersonalize –help. Mode 82 (in hex) enables the YubiKey NEO as a composite USB device (HID + CCID) and allows OTPs to be emitted while in use as a smart card. Once you have changed the mode, you need to re-boot the YubiKey – so remove and re-insert it.
|
||||||
|
|
||||||
https://www.yubico.com/2012/12/yubikey-neo-openpgp/
|
https://www.yubico.com/2012/12/yubikey-neo-openpgp/
|
||||||
|
|
||||||
|
@ -448,7 +540,7 @@ https://www.yubico.com/2012/12/yubikey-neo-openpgp/
|
||||||
|
|
||||||
### Change PINs
|
### Change PINs
|
||||||
|
|
||||||
The default PIN codes are `12345678` and `123456`.
|
The default PIN codes are `12345678` and `123456`
|
||||||
|
|
||||||
gpg/card> admin
|
gpg/card> admin
|
||||||
Admin commands are allowed
|
Admin commands are allowed
|
||||||
|
@ -526,12 +618,9 @@ The default PIN codes are `12345678` and `123456`.
|
||||||
|
|
||||||
## Transfer keys
|
## Transfer keys
|
||||||
|
|
||||||
This is a one-way operation only. Make sure you've made a backup before proceeding!
|
Transfering keys to YubiKey is a one-way operation only: make sure you've made a backup before proceeding!
|
||||||
|
|
||||||
$ gpg --edit-key 0x47FE984F98EE7407
|
$ gpg --edit-key 0x47FE984F98EE7407
|
||||||
gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
|
|
||||||
This is free software: you are free to change and redistribute it.
|
|
||||||
There is NO WARRANTY, to the extent permitted by law.
|
|
||||||
|
|
||||||
Secret key is available.
|
Secret key is available.
|
||||||
|
|
||||||
|
@ -588,7 +677,7 @@ This is a one-way operation only. Make sure you've made a backup before proceedi
|
||||||
|
|
||||||
### Encryption key
|
### Encryption key
|
||||||
|
|
||||||
Type `key 1` again to deselect and switch to the next key.
|
Type `key 1` again to deselect and `key 2` to switch to the next key.
|
||||||
|
|
||||||
gpg> key 1
|
gpg> key 1
|
||||||
|
|
||||||
|
@ -738,9 +827,6 @@ Type `key 1` again to deselect and switch to the next key.
|
||||||
## Trust master key
|
## Trust master key
|
||||||
|
|
||||||
$ gpg --edit-key 0x47FE984F98EE7407
|
$ gpg --edit-key 0x47FE984F98EE7407
|
||||||
gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
|
|
||||||
This is free software: you are free to change and redistribute it.
|
|
||||||
There is NO WARRANTY, to the extent permitted by law.
|
|
||||||
|
|
||||||
Secret key is available.
|
Secret key is available.
|
||||||
|
|
||||||
|
@ -818,7 +904,7 @@ Type `key 1` again to deselect and switch to the next key.
|
||||||
|
|
||||||
### Encryption/decryption
|
### Encryption/decryption
|
||||||
|
|
||||||
$ echo "$(uname -a)" | gpg --encrypt --armor -r 0x47FE984F98EE7407 | gpg --debug --decrypt --armor
|
$ echo "$(uname -a)" | gpg --encrypt --armor -r 0x47FE984F98EE7407 | gpg --decrypt --armor
|
||||||
|
|
||||||
Please enter the PIN
|
Please enter the PIN
|
||||||
gpg: encrypted with 4096-bit RSA key, ID 0x39988E0390CB4B0C, created 2016-01-30
|
gpg: encrypted with 4096-bit RSA key, ID 0x39988E0390CB4B0C, created 2016-01-30
|
||||||
|
@ -889,8 +975,9 @@ Type `key 1` again to deselect and switch to the next key.
|
||||||
|
|
||||||
- Don't write to drduh@users.noreply.github.com, open an issue on GitHub instead.
|
- Don't write to drduh@users.noreply.github.com, open an issue on GitHub instead.
|
||||||
- Programming YubiKey for GPG keys still lets you use its two slots - OTP and static password modes, for example.
|
- Programming YubiKey for GPG keys still lets you use its two slots - OTP and static password modes, for example.
|
||||||
|
- If you encounter problems, simply try unplugging and re-inserting your YubiKey, and restarting the `gpg-agent` process.
|
||||||
- ECC may be preferred to RSA 4096, but the 1.4.x branch of GnuPG does not support it.
|
- ECC may be preferred to RSA 4096, but the 1.4.x branch of GnuPG does not support it.
|
||||||
- If you encounter problems, try unplugging and re-inserting your YubiKey. Also try installing and using GnuPG 2.x (`sudo apt-get install gnupg2` and `gpg2`)
|
- Try installing and using the newer, more feature-rich [GnuPG 2.x](https://superuser.com/questions/655246/are-gnupg-1-and-gnupg-2-compatible-with-each-other) with `sudo apt-get install gnupg2`
|
||||||
|
|
||||||
# References
|
# References
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue