As you know, based on a few of the tutorials that I've published recently, I have a YubiKey that I've been learning how to take full advantage of. In previous tutorials I demonstrated how to implement U2F in your web application, but most YubiKey devices do so much more than just U2F authentication. For example, the YubiKey NEO and YubiKey 5 have support for U2F, FIDO2, OpenPGP, OTP, and a bunch of other crazy technologies. In this tutorial, we're going to explore using the YubiKey as a smart card for storing our PGP signing, encryption, and authentication subkeys.

Before we get too invested in this tutorial, I want to point out that I'm using a Mac. While a Mac is not a requirement, if you're using Windows, the steps will likely be different. If you're using Linux, you can probably follow along with little to no problems. Also note that you should be making and maintaining a backup of everything we do in case you end up wiping out your keys. Finally, note that I am not an expert with PGP. I've followed several guides and made plenty of mistakes which I'm hoping to clear up in this tutorial. If you think something should be changed to make it better, let me know your thoughts in the comments.

Generating a Primary PGP Key with Signing, Encryption, and Authentication Subkeys

Before we can start using the YubiKey for any PGP related task we need to create our primary key and related subkeys. There are technically two ways to do this:

1. Generate the keys directly on the YubiKey device.
2. Generate the keys locally and then import (move) them onto the YubiKey device.

Which route you choose is totally up to you, but hear me out on why I think the second approach is the better one. Once a secret key is on the YubiKey it cannot be exported from the device. If the keys were generated on the device and you lose the YubiKey, there is nothing to restore from. If you create your keys locally, you can back them up before moving them onto the device. However, once you move your keys onto the device, you're in the same scenario as the first option: the secret material is gone from your local keyring and exists only on the card. This is why making a backup first is a critical step.

Knowing what you know now, we need to create our keys. I'm using MacGPG, also known as GPG Suite or GPG Tools for Mac. However, you could easily use Homebrew to install gnupg, which would be more comparable to what you'd find on Linux. If you're using MacGPG, choose to create a new key. When creating a new key, make sure to provide your name as well as the email that you wish to associate your key with. While a passphrase is optional, I strongly advise you to set a strong one. For added security, increase the key length to 4096 and give the key an expiration date. If you're not using MacGPG, you can create your new key by executing the following:

The above command should present you with a few questions similar to what is found in MacGPG. Answer them the same as what I had mentioned previously.

At this time you should have a primary key with certify and sign capability (the default "RSA and RSA" choice also creates an encryption subkey alongside it), unless you specified differently. The certify capability is what lets the primary key create and revoke subkeys, which is exactly what we want: if our YubiKey is ever lost or stolen we can revoke the subkeys stored on it without touching the primary key. If you're using MacGPG, view the details of your key and choose SubKeys. The YubiKey's OpenPGP applet has three key slots: a signing key, an encryption key, and an authentication key. You can store your primary key on the YubiKey, but I would advise against that. Remember, anything you move onto your YubiKey only exists on the YubiKey, unless you made a backup. Even if you made a backup, remember your primary key is like a master key. The primary key should be stored offline in a safe place and probably not in your pocket.

Even though MacGPG can add new subkeys, you may consider using strictly the command line instead. From what I've found MacGPG won't create authentication subkeys, only signing and encryption. From the command line, you can execute the following:

For the first two subkeys, we can choose option 4 (RSA, sign only) and option 6 (RSA, encrypt only). To create your authentication key you'll need to choose option 8 (RSA, set your own capabilities) and then toggle the capabilities by hand so that only Authenticate remains enabled. Run the addkey command once per subkey, so that each subkey is added separately. When creating each of your subkeys, make sure to choose an expiration time as well as a subkey length of 4096.
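The steps above leave you checking the result by eye in MacGPG or in the output of gpg -K. The following is an added example, not code from this tutorial or from GPG Suite: a small checker that reads the machine-readable output of gpg --list-secret-keys --with-colons and verifies the layout the tutorial aims for once the subkeys have been moved to the card and the primary secret key has been taken offline. It relies on two documented facts about the colon format: field 12 of a sec/ssb record lists that key's own capabilities in lowercase, and field 15 carries the card serial number for a subkey that lives on a card, or "#" when the secret key is unavailable (an offline primary key stub). The two listings embedded in the block are constructed sample data; the key IDs, fingerprints, timestamps and card serial are made up and do not come from a real key.

```python
"""Audit a GnuPG secret keyring listing against the tutorial's recommended layout:
an offline, certify-capable primary key and three RSA 4096 subkeys (sign, encrypt,
authenticate), each with an expiration date and each living on the card.

Feed it the output of: gpg --list-secret-keys --with-colons
"""
from dataclasses import dataclass

RSA_ALGO = "1"  # public-key algorithm id that GnuPG prints for RSA in the colon format


@dataclass
class SecretKey:
    record: str   # "sec" (primary) or "ssb" (subkey)
    bits: int     # field 3: key length
    algo: str     # field 4: public-key algorithm id
    keyid: str    # field 5
    expires: str  # field 7: expiration timestamp, empty when the key never expires
    caps: set     # field 12: this key's own capabilities (lowercase letters only)
    token: str    # field 15: card serial, "#" for an unavailable (offline) secret key, "" when on disk


def parse_secret_listing(text):
    """Keep only the sec/ssb records; fpr, uid and grp records are not needed for this check."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb"):
            continue
        f += [""] * (16 - len(f))  # pad short records so field lookups cannot raise IndexError
        keys.append(SecretKey(
            record=f[0], bits=int(f[2]), algo=f[3], keyid=f[4], expires=f[6],
            caps={c for c in f[11] if c.islower()}, token=f[14]))
    return keys


def audit(text, min_rsa_bits=4096):
    """Return a list of findings; an empty list means the keyring matches the recommended layout."""
    keys = parse_secret_listing(text)
    primaries = [k for k in keys if k.record == "sec"]
    subkeys = [k for k in keys if k.record == "ssb"]
    if len(primaries) != 1:
        return [f"expected one primary key in the listing, found {len(primaries)}"]
    primary = primaries[0]
    findings = []

    if "c" not in primary.caps:
        findings.append("primary key lacks certify capability, so it cannot add or revoke subkeys")
    if primary.token != "#":
        findings.append("primary secret key is still in this keyring; it should be an offline stub (#)")

    for k in [primary] + subkeys:
        label = f"{k.record} {k.keyid}"
        if k.algo == RSA_ALGO and k.bits < min_rsa_bits:
            findings.append(f"{label}: RSA {k.bits} is below {min_rsa_bits} bits")
        if not k.expires:
            findings.append(f"{label}: no expiration date set")

    for k in subkeys:
        label = f"ssb {k.keyid}"
        if len(k.caps) != 1:
            findings.append(f"{label}: has capabilities {sorted(k.caps)}, expected exactly one")
        if k.token in ("", "#"):
            findings.append(f"{label}: secret key is not on a card")

    present = set().union(*(k.caps for k in subkeys))
    for cap, name in (("s", "signing"), ("e", "encryption"), ("a", "authentication")):
        if cap not in present:
            findings.append(f"no {name} subkey")
    return findings


# Constructed sample: a keyring after the three subkeys were moved to the card and the
# primary secret key was removed. Key IDs, fingerprint, hash and serial are made up.
CARD_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1700000000:1763072000::u:::scESCA:::#:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example User <user@example.com>::::::::::0:
ssb:u:4096:1:1111111111111111:1700000000:1763072000:::::s:::D2760001240100000006000000010000:::23:
ssb:u:4096:1:2222222222222222:1700000000:1763072000:::::e:::D2760001240100000006000000010000:::23:
ssb:u:4096:1:3333333333333333:1700000000:1763072000:::::a:::D2760001240100000006000000010000:::23:
"""

# Constructed sample of the common mistakes: every secret key still on disk, a 2048-bit
# encryption subkey that never expires, and no authentication subkey at all.
DISK_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1700000000:1763072000::u:::scESC::::::23::0:
ssb:u:4096:1:1111111111111111:1700000000:1763072000:::::s::::::23:
ssb:u:2048:1:2222222222222222:1700000000::::::e::::::23:
"""

if __name__ == "__main__":
    import sys
    # Usage: gpg --list-secret-keys --with-colons | python3 audit_keyring.py
    problems = audit(sys.stdin.read())
    print("\n".join(problems) if problems else "keyring matches the recommended layout")
    sys.exit(1 if problems else 0)
```

Run it against the real keyring on the machine you generated the keys on after the move to the card, and again on any machine where you only imported the public key and the subkey stubs; the second run is the one that should come back clean, since the primary secret key should not be present there at all.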