If anyone wants to follow along on their laptops, here are the steps I'll be going through:
Combined from:
  https://github.com/drduh/YubiKey-Guide#notes
  https://gist.github.com/ageis/14adc308087859e199912b4c79c4aaa4

Leaving out the parts about installing on a live USB and exporting to smartcard/YubiKey. Smartcard export can be done later for those interested.

  $ mkdir ~/Documents/GPG/
  $ cd ~/Documents/GPG/

Create a hardened configuration in the temporary directory with the following options:

  $ wget https://raw.githubusercontent.com/drduh/config/master/gpg.conf

  $ gpg --expert --full-gen-key

Select 8: RSA (set your own capabilities).
Select E to toggle off the Encrypt capability, which will leave you with only Sign + Certify.
Set a 4096 bit key size.
Set the expiration date.
Set up a UID.
Set up a passphrase.

The primary key is generated. Note your new key ID, as you'll be needing it henceforth.

Export the key ID as a variable (KEYID) for use later:
<https://stackoverflow.com/questions/1158091/defining-a-variable-with-or-without-export/1158231#1158231>

  $ export KEYID=

Add UIDs

  $ gpg --expert --edit-key $KEYID

Use gpg> adduid to add as many UIDs or e-mail addresses as you need. Once you're done, toggle to gpg> uid <#> and use the gpg> primary command to set the primary UID.

Now we will generate subkeys for each additional capability to be transferred to the main smartcard designated for daily use.

Create the Encrypt key

  gpg> addkey

Select 6: RSA (encrypt only).
Set a 4096 bit key size.
Set the expiration date.

The first subkey is generated.

Create the Authenticate key

  gpg> addkey

Select 8: RSA (set your own capabilities).
Select S and E to toggle off the Sign and Encrypt capabilities.
Select A to toggle on the Authenticate capability and press Q.
Set a 4096 bit key size.
Set the expiration date.

The second subkey is generated.

Set trust level

By the way, you should probably set the public key to the ultimate trust level.

  gpg> trust

Select 5 = I trust ultimately.

  gpg> save

Save the key(s) you've been creating.
Add signatures

If you want to sign your new master key with a previous key that you're transitioning from, then the time is now. How else will people know you're not an impostor?

  $ gpg -u <your_old_keyid> --sign-key $KEYID

Generate revocation certificate

It's a good idea to create a revocation certificate, in case the YubiKey is lost or your private key is somehow compromised.

  $ gpg --output revoke.asc --gen-revoke $KEYID

Backup everything

  $ gpg --armor --output privkey.sec --export-secret-key $KEYID
  $ gpg --armor --output subkeys.sec --export-secret-subkeys $KEYID
  $ gpg --armor --output pubkey.asc --export $KEYID

You can move these private keys plus the revocation certificate someplace safe, like an encrypted partition or offline storage media.

On Tuesday, June 4, 2019 at 2:04:00 PM UTC-5, Vincent Brown wrote:
>
> Just updated the June 11th meeting on Meetup.
> Let's explore GPG encryption. Feel free to bring a laptop and we'll have a
> key-signing party if there are enough people with keys to exchange. If you
> don't have keys, bring a laptop and we can help you create keys.
> As a reminder, *we will be in an awesome new location*. Vaco's new
> building is beautiful. There is even more cool AV equipment, and even a bar.
> If you are going, *please register on Meetup*. *Vaco uses those
> registration numbers so they know how much food to buy.*
> New address is only a block away from the old building and it's posted on
> Meetup.
> https://www.meetup.com/Nashville-Linux-Users-Group/events/ntbfbqyzjbpb/
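As an added example (not code from this post, nor from the drduh guide or the gist it draws on), here is the same key layout built without the interactive gpg> prompts: an RSA-4096 Sign + Certify primary, an Encrypt subkey, an Authenticate subkey, ultimate ownertrust, a copy of the revocation certificate and the three armored backups. It assumes GnuPG 2.1 or later; the name, e-mail address and 1y expiry are placeholders, and GNUPGHOME defaults to the ~/Documents/GPG directory used above.

```shell
#!/bin/sh
# Added example: the key layout from the steps above, built unattended.
# Assumes GnuPG >= 2.1; name, e-mail and expiry are placeholders.
# Not code from the original post or from the drduh guide.
set -eu

# GnuPG "unattended key generation" parameters for the primary key.
# Key-Usage lists only "sign": OpenPGP primaries always carry Certify,
# and leaving "encrypt" out gives the Sign + Certify key described above.
gen_params() {   # $1 real name, $2 e-mail, $3 expiry such as 1y
    printf 'Key-Type: RSA\nKey-Length: 4096\nKey-Usage: sign\n'
    printf 'Name-Real: %s\nName-Email: %s\nExpire-Date: %s\n%%commit\n' "$1" "$2" "$3"
}

# Fingerprint of the secret key for an e-mail, from machine-readable output.
fpr_for() {
    gpg --batch --with-colons --list-secret-keys "$1" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Run gpg in batch mode, feeding the passphrase on stdin (loopback pinentry).
gpg_pw() { printf '%s\n' "$PASS" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 "$@"; }

make_keys() {
    export GNUPGHOME="${GNUPGHOME:-$HOME/Documents/GPG}"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    name="Alice Example"; email="alice@example.com"; expiry=1y   # placeholders
    printf 'Passphrase for the new key: '; stty -echo; read -r PASS; stty echo; echo
    gen_params "$name" "$email" "$expiry" > "$GNUPGHOME/params.txt"
    gpg_pw --gen-key "$GNUPGHOME/params.txt"                  # RSA-4096 [SC] primary
    rm -f "$GNUPGHOME/params.txt"
    KEYID=$(fpr_for "$email")
    gpg_pw --quick-add-key "$KEYID" rsa4096 encr "$expiry"   # Encrypt subkey [E]
    gpg_pw --quick-add-key "$KEYID" rsa4096 auth "$expiry"   # Authenticate subkey [A]
    echo "$KEYID:6:" | gpg --batch --import-ownertrust        # 6 = ultimate trust
    # GnuPG 2.1+ writes a revocation certificate at key creation; keep a copy.
    cp "$GNUPGHOME/openpgp-revocs.d/$KEYID.rev" revoke.asc
    gpg_pw --armor --output privkey.sec --export-secret-key "$KEYID"
    gpg_pw --armor --output subkeys.sec --export-secret-subkeys "$KEYID"
    gpg --armor --output pubkey.asc --export "$KEYID"
    gpg --list-keys "$KEYID"                                   # expect [SC], [E], [A]
}

case "${1:-}" in run) make_keys ;; esac
```

Run it as `sh make-keys.sh run`; the copied .rev file keeps GnuPG's leading colon guard on the BEGIN line, which you remove only when you actually need to import the revocation.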
