Bump debian version and fix some grammar.

This commit is contained in:
drduh 2019-07-07 19:45:22 -07:00
parent 2414ba2120
commit 6482036e17
1 changed files with 22 additions and 21 deletions

View File

@ -8,7 +8,7 @@ If you have a comment or suggestion, please open an [Issue](https://github.com/d
- [Purchase YubiKey](#purchase-yubikey) - [Purchase YubiKey](#purchase-yubikey)
- [Verify YubiKey](#verify-yubikey) - [Verify YubiKey](#verify-yubikey)
- [Live image](#live-image) - [Download OS image](#download-os-image)
- [Required software](#required-software) - [Required software](#required-software)
* [Entropy](#entropy) * [Entropy](#entropy)
- [Creating keys](#creating-keys) - [Creating keys](#creating-keys)
@ -58,7 +58,7 @@ If you have a comment or suggestion, please open an [Issue](https://github.com/d
All YubiKeys except the blue "security key" model are compatible with this guide. NEO models are limited to 2048-bit RSA keys. Compare YubiKeys [here](https://www.yubico.com/products/yubikey-hardware/compare-products-series/). All YubiKeys except the blue "security key" model are compatible with this guide. NEO models are limited to 2048-bit RSA keys. Compare YubiKeys [here](https://www.yubico.com/products/yubikey-hardware/compare-products-series/).
You will also need several small storage devices for booting a live image, creating backups of private and public keys. You will also need several small storage devices for booting a temporary operating system and creating backups of private/public keys.
# Verify YubiKey # Verify YubiKey
@ -66,14 +66,14 @@ To verify a YubiKey is genuine, open a [browser with U2F support](https://suppor
This website verifies the YubiKey's device attestation certificates signed by a set of Yubico CAs, and helps mitigate [supply chain attacks](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20r00killah-and-securelyfitz-Secure-Tokin-and-Doobiekeys.pdf). This website verifies the YubiKey's device attestation certificates signed by a set of Yubico CAs, and helps mitigate [supply chain attacks](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20r00killah-and-securelyfitz-Secure-Tokin-and-Doobiekeys.pdf).
# Live image # Download OS Image
It is recommended to generate cryptographic keys and configure YubiKey from a secure operating system and ephemeral environment, such as [Debian Live](https://www.debian.org/CD/live/), [Tails](https://tails.boum.org/index.en.html), or [OpenBSD](https://www.openbsd.org/). It is recommended to generate cryptographic keys and configure YubiKey from a secure operating system and using an ephemeral environment ("live image"), such as [Debian](https://www.debian.org/CD/live/), [Tails](https://tails.boum.org/index.en.html), or [OpenBSD](https://www.openbsd.org/) booted from a USB drive.
To use Debian, download the latest live image: To use Debian, download the latest image:
```console ```console
$ curl -LfO https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-9.9.0-amd64-xfce.iso $ curl -LfO https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-10.0.0-amd64-xfce.iso
$ curl -LfO https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/SHA512SUMS $ curl -LfO https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/SHA512SUMS
@ -84,7 +84,7 @@ Verify file integrity with GPG:
```console ```console
$ gpg --verify SHA512SUMS.sign SHA512SUMS $ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat Apr 27 11:46:08 2019 PDT gpg: Signature made Sat Jul 6 18:51:32 2019 PDT
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Can't check signature: No public key gpg: Can't check signature: No public key
@ -97,23 +97,25 @@ gpg: Total number processed: 1
gpg: imported: 1 gpg: imported: 1
$ gpg --verify SHA512SUMS.sign SHA512SUMS $ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat Apr 27 11:46:08 2019 PDT gpg: Signature made Sat Jul 6 18:51:32 2019 PDT
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown] gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature! gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner. gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
$ grep $(sha512sum debian-live-9.9.0-amd64-xfce.iso) SHA512SUMS $ grep $(sha512sum debian-live-10.0.0-amd64-xfce.iso) SHA512SUMS
SHA512SUMS:ae064cc399126214e4aa165fdbf9659047dd2af2d3b0ca57dd5f2686d1d3730019cfe3c56ac48db2af56eb856dbca75e642fadf56bc04c538b44d3d3a2982283 debian-live-9.9.0-amd64-xfce.iso SHA512SUMS:c230dc15705bbae07782185af7f933ed7821ec94fa4b9d08a61856b27cdf7d3a4e9f5b6ddb419b96714464ca76c2686083fc4534dc116cc9980b52c233331e03 debian-live-10.0.0-amd64-xfce.iso
``` ```
If the key cannot be received, try changing the DNS resolver and/or specific keyserver: If the key cannot be received, try changing the DNS resolver and/or use a specific keyserver:
```console ```console
$ gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv DF9B9C49EAA9298432589D76DA87E80D6294BE9B $ gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv DF9B9C49EAA9298432589D76DA87E80D6294BE9B
``` ```
See [Verifying authenticity of Debian CDs](https://www.debian.org/CD/verify) for more information.
Mount a storage device and copy the image to it: Mount a storage device and copy the image to it:
**Linux** **Linux**
@ -131,7 +133,7 @@ sd 2:0:0:0: [sdb] Write cache: disabled, read cache: enabled, doesn't support DP
sdb: sdb1 sdb2 sdb: sdb1 sdb2
sd 2:0:0:0: [sdb] Attached SCSI removable disk sd 2:0:0:0: [sdb] Attached SCSI removable disk
$ sudo dd if=debian-live-9.9.0-amd64-xfce.iso of=/dev/sdb bs=4M $ sudo dd if=debian-live-10.0.0-amd64-xfce.iso of=/dev/sdb bs=4M
465+1 records in 465+1 records in
465+1 records out 465+1 records out
1951432704 bytes (2.0 GB, 1.8 GiB) copied, 42.8543 s, 45.5 MB/s 1951432704 bytes (2.0 GB, 1.8 GiB) copied, 42.8543 s, 45.5 MB/s
@ -144,7 +146,7 @@ $ dmesg | tail -n2
sd2 at scsibus4 targ 1 lun 0: <TS-RDF5, SD Transcend, TS3A> SCSI4 0/direct removable serial.0000000000000 sd2 at scsibus4 targ 1 lun 0: <TS-RDF5, SD Transcend, TS3A> SCSI4 0/direct removable serial.0000000000000
sd2: 15193MB, 512 bytes/sector, 31116288 sectors sd2: 15193MB, 512 bytes/sector, 31116288 sectors
$ doas dd if=debian-live-9.9.0-amd64-xfce.iso of=/dev/rsd2c bs=4m $ doas dd if=debian-live-10.0.0-amd64-xfce.iso of=/dev/rsd2c bs=4m
465+1 records in 465+1 records in
465+1 records out 465+1 records out
1951432704 bytes transferred in 139.125 secs (14026448 bytes/sec) 1951432704 bytes transferred in 139.125 secs (14026448 bytes/sec)
@ -152,11 +154,11 @@ $ doas dd if=debian-live-9.9.0-amd64-xfce.iso of=/dev/rsd2c bs=4m
Shut down the computer and disconnect internal hard drives and all unnecessary peripheral devices. Shut down the computer and disconnect internal hard drives and all unnecessary peripheral devices.
Consider using secure hardware like a ThinkPad X230 running [Coreboot](https://www.coreboot.org/) and cleaned of [Intel ME](https://github.com/corna/me_cleaner). Consider using secure hardware like a ThinkPad X230 running [Coreboot](https://www.coreboot.org/) and [cleaned of Intel ME](https://github.com/corna/me_cleaner).
# Required software # Required software
Boot the live image and configure networking. Boot the OS image and configure networking.
**Note** If the screen locks, unlock with `user`/`live`. **Note** If the screen locks, unlock with `user`/`live`.
@ -165,7 +167,7 @@ Open the terminal and install several required packages:
**Debian/Ubuntu** **Debian/Ubuntu**
```console ```console
$ sudo apt-get update && sudo apt-get install -y \ $ sudo apt update && sudo apt install -y \
gnupg2 gnupg-agent dirmngr \ gnupg2 gnupg-agent dirmngr \
cryptsetup scdaemon pcscd \ cryptsetup scdaemon pcscd \
secure-delete hopenpgp-tools \ secure-delete hopenpgp-tools \
@ -244,14 +246,14 @@ $ sudo atd
$ sudo service rng-tools restart $ sudo service rng-tools restart
``` ```
Test by emptying `/dev/random` - the light on the device should dim briefly: Test by emptying `/dev/random` - the light on the device will dim briefly:
```console ```console
$ cat /dev/random >/dev/null $ cat /dev/random >/dev/null
[Press Control-C] [Press Control-C]
``` ```
Verify the available entropy pool is re-seeded: After a few seconds, verify the available entropy pool is quickly re-seeded:
```console ```console
$ cat /proc/sys/kernel/random/entropy_avail $ cat /proc/sys/kernel/random/entropy_avail
@ -1222,7 +1224,7 @@ $ sudo srm -r $GNUPGHOME || sudo rm -rf $GNUPGHOME
$ gpg --delete-secret-key $KEYID $ gpg --delete-secret-key $KEYID
``` ```
**Important** Make sure you have securely erased all generated keys and revocation certificates if a Live image was not used! **Important** Make sure you have securely erased all generated keys and revocation certificates if an ephemeral enviroment was not used!
# Using keys # Using keys
@ -1855,10 +1857,9 @@ $ ykman openpgp set-touch enc on
YubiKey will blink when it is waiting for a touch. YubiKey will blink when it is waiting for a touch.
# Email # Email
GPG keys on YubiKey can be used with ease to encrypt or sign email messages and attachments using [Thunderbird](https://www.thunderbird.net/) and [Enigmail](https://www.enigmail.net). Thunderbird supports OAuth 2 authentication and can be used with Gmail. See [this guide](https://ssd.eff.org/en/module/how-use-pgp-linux) from EFF for detailed instructions. GPG keys on YubiKey can be used with ease to encrypt and/or sign emails and attachments using [Thunderbird](https://www.thunderbird.net/) and [Enigmail](https://www.enigmail.net). Thunderbird supports OAuth 2 authentication and can be used with Gmail. See [this guide](https://ssd.eff.org/en/module/how-use-pgp-linux) from EFF for detailed instructions.
# Reset # Reset