This commit is contained in:
drduh 2025-06-15 22:08:46 +01:00 committed by GitHub
commit e8e2e9b0e2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 66 additions and 27 deletions


@ -367,7 +367,7 @@ Subkeys must be renewed or rotated using the Certify key - see [Updating keys](#
Set Subkeys to expire on a planned date: Set Subkeys to expire on a planned date:
```console ```console
export EXPIRATION=2027-05-01 export EXPIRATION=2027-07-01
``` ```
The expiration date may also be relative, for example set to two years from today: The expiration date may also be relative, for example set to two years from today:
@ -438,7 +438,7 @@ export KEYID=$(gpg -k --with-colons "$IDENTITY" | \
export KEYFP=$(gpg -k --with-colons "$IDENTITY" | \ export KEYFP=$(gpg -k --with-colons "$IDENTITY" | \
awk -F: '/^fpr:/ { print $10; exit }') awk -F: '/^fpr:/ { print $10; exit }')
printf "\nKey ID: %40s\nKey FP: %40s\n\n" "$KEYID" "$KEYFP" printf "\nKey ID/Fingerprint: %20s\n%s\n\n" "$KEYID" "$KEYFP"
``` ```
<details> <details>
@ -487,14 +487,27 @@ EOF
# Create Subkeys # Create Subkeys
Generate Signature, Encryption and Authentication Subkeys using the previously configured key type, passphrase and expiration: Generate Signature and Encryption Subkeys using the previously configured key type, passphrase and expiration:
```console ```console
for SUBKEY in sign encrypt auth ; do \ echo "$CERTIFY_PASS" | \
echo "$CERTIFY_PASS" | \
gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \ gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \
--quick-add-key "$KEYFP" "$KEY_TYPE" "$SUBKEY" "$EXPIRATION" --quick-add-key "$KEYFP" "$KEY_TYPE" sign "$EXPIRATION"
done
echo "$CERTIFY_PASS" | \
gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \
--quick-add-key "$KEYFP" "$KEY_TYPE" encrypt "$EXPIRATION"
```
Followed by the Authentication Subkey:
> [!NOTE]
> Some systems no longer accept RSA for SSH authentication; set the `KEY_TYPE` variable to `ed25519` before generating Authentication Subkey.
```
echo "$CERTIFY_PASS" | \
gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \
--quick-add-key "$KEYFP" "$KEY_TYPE" auth "$EXPIRATION"
``` ```
# Verify keys # Verify keys
@ -1793,7 +1806,7 @@ gpg-connect-agent "scd serialno" "learn --force" /bye
Alternatively, use a script to delete the GnuPG shadowed key, where the serial number is stored (see [GnuPG #T2291](https://dev.gnupg.org/T2291)): Alternatively, use a script to delete the GnuPG shadowed key, where the serial number is stored (see [GnuPG #T2291](https://dev.gnupg.org/T2291)):
```console ```console
cat >> ~/scripts/remove-keygrips.sh <<EOF mkdir -p ~/scripts && cat >> ~/scripts/remove-keygrips.sh <<EOF
#!/usr/bin/env bash #!/usr/bin/env bash
(( $# )) || { echo "Specify a key." >&2; exit 1; } (( $# )) || { echo "Specify a key." >&2; exit 1; }
KEYGRIPS=$(gpg --with-keygrip --list-secret-keys "$@" | awk '/Keygrip/ { print $3 }') KEYGRIPS=$(gpg --with-keygrip --list-secret-keys "$@" | awk '/Keygrip/ { print $3 }')


@ -11,14 +11,20 @@ umask 077
export LC_ALL="C" export LC_ALL="C"
fail() {
# Print an error string in red and exit.
tput setaf 1 ; printf "%s\n" "${1}" ; tput sgr0
exit 1
}
print_cred () { print_cred () {
# Print a credential string in red. # Print a credential string in red.
tput setaf 1 ; printf "%s\n" "${1}" ; tput sgr0 tput setaf 1 ; printf "%s\n" "${1}" ; tput sgr0
} }
print_id () { print_id () {
# Print an identity string in yellow. # Print an identity string in yellow.
tput setaf 3 ; printf "%s\n" "${1}" ; tput sgr0 tput setaf 3 ; printf "%s\n" "${1}" ; tput sgr0
} }
get_id_label () { get_id_label () {
@ -26,14 +32,28 @@ get_id_label () {
printf "YubiKey User <yubikey@example.domain>" printf "YubiKey User <yubikey@example.domain>"
} }
get_key_type () { get_key_type_sign () {
# Returns key type and size. # Returns key type for signature subkey.
#printf "default"
printf "rsa4096" printf "rsa4096"
} }
get_key_type_enc () {
# Returns key type for encryption subkey.
#printf "default"
printf "rsa4096"
}
get_key_type_auth () {
# Returns key type for authentication subkey.
#printf "default"
#printf "rsa4096"
printf "ed25519"
}
get_key_expiration () { get_key_expiration () {
# Returns key expiration date. # Returns key expiration date.
printf "2027-05-01" printf "2027-07-01"
} }
get_temp_dir () { get_temp_dir () {
@ -51,10 +71,12 @@ set_temp_dir () {
set_attrs () { set_attrs () {
# Sets identity and key attributes. # Sets identity and key attributes.
export IDENTITY="$(get_id_label)" export IDENTITY="$(get_id_label)"
export KEY_TYPE="$(get_key_type)" export KEY_TYPE_SIGN="$(get_key_type_sign)"
export KEY_TYPE_ENC="$(get_key_type_enc)"
export KEY_TYPE_AUTH="$(get_key_type_auth)"
export KEY_EXPIRATION="$(get_key_expiration)" export KEY_EXPIRATION="$(get_key_expiration)"
printf "set attributes (label='%s', type='%s', expire='%s')\n" \ printf "set attributes (label='%s', sign='%s', enc='%s', auth='%s', expire='%s')\n" \
"$IDENTITY" "$KEY_TYPE" "$KEY_EXPIRATION" "$IDENTITY" "$KEY_TYPE_SIGN" "$KEY_TYPE_ENC" "$KEY_TYPE_AUTH" "$KEY_EXPIRATION"
} }
get_pass () { get_pass () {
@ -78,8 +100,7 @@ gen_key_certify () {
# Generates Certify key with no expiration. # Generates Certify key with no expiration.
echo "$CERTIFY_PASS" | \ echo "$CERTIFY_PASS" | \
gpg --batch --passphrase-fd 0 \ gpg --batch --passphrase-fd 0 \
--quick-generate-key "$IDENTITY" \ --quick-generate-key "$IDENTITY" "$KEY_TYPE_SIGN" "cert" "never"
"$KEY_TYPE" "cert" "never"
} }
set_fingerprint () { set_fingerprint () {
@ -87,18 +108,23 @@ set_fingerprint () {
key_list=$(gpg --list-secret-keys --with-colons) key_list=$(gpg --list-secret-keys --with-colons)
export KEY_ID=$(printf "$key_list" | awk -F: '/^sec/ { print $5; exit }') export KEY_ID=$(printf "$key_list" | awk -F: '/^sec/ { print $5; exit }')
export KEY_FP=$(printf "$key_list" | awk -F: '/^fpr/ { print $10; exit }') export KEY_FP=$(printf "$key_list" | awk -F: '/^fpr/ { print $10; exit }')
if [[ -z "$KEY_FP" || -z "$KEY_ID" ]]; then
fail "could not set key fingerprint"
fi
printf "got identity (fp='%s', id='%s')\n" "$KEY_FP" "$KEY_ID" printf "got identity (fp='%s', id='%s')\n" "$KEY_FP" "$KEY_ID"
} }
gen_key_subs () { gen_key_subs () {
# Generates Subkeys with specified expiration. # Generates Subkeys with specified expiration.
for SUBKEY in sign encrypt auth ; do \ echo "$CERTIFY_PASS" | \
echo "$CERTIFY_PASS" | \ gpg --batch --passphrase-fd 0 --pinentry-mode=loopback \
gpg --batch --passphrase-fd 0 \ --quick-add-key "$KEY_FP" "$KEY_TYPE_SIGN" sign "$KEY_EXPIRATION"
--pinentry-mode=loopback \ echo "$CERTIFY_PASS" | \
--quick-add-key "$KEY_FP" \ gpg --batch --passphrase-fd 0 --pinentry-mode=loopback \
"$KEY_TYPE" "$SUBKEY" "$KEY_EXPIRATION" --quick-add-key "$KEY_FP" "$KEY_TYPE_ENC" encrypt "$KEY_EXPIRATION"
done echo "$CERTIFY_PASS" | \
gpg --batch --passphrase-fd 0 --pinentry-mode=loopback \
--quick-add-key "$KEY_FP" "$KEY_TYPE_AUTH" auth "$KEY_EXPIRATION"
} }
save_secrets () { save_secrets () {
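Review bot: The three `gpg --quick-add-key` pipelines in gen_key_subs run unconditionally, so if the first one fails (a rejected passphrase, or a gpg build that does not accept the `ed25519` type that get_key_type_auth now returns) the script presumably continues to the remaining subkeys and on to save_secrets with an incomplete keyset, unless a `set -e` in the header outside this hunk stops it. The replaced loop had the same gap, but now that `fail` exists in the same file the natural fix is to terminate each pipeline with it: `--quick-add-key "$KEY_FP" "$KEY_TYPE_SIGN" sign "$KEY_EXPIRATION" || fail "could not generate sign subkey"`, and likewise for the encrypt and auth calls. Separately, the new comment on get_key_type_sign in the earlier hunk reads `# Returns key type for signature subkey.`, but gen_key_certify now also passes `$KEY_TYPE_SIGN` to `--quick-generate-key` for the Certify key, so the comment should say `# Returns key type for the Certify key and signature subkey.` to make that coupling visible.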