Advice on a presentation about Yubikey and GnuPG

I’m doing a presentation on using GPG, particularly with Yubikey. It’s in about two weeks and the audience is security-oriented.

The main asks here:

  • can people provide some general advice?
  • and some direction on places where GnuPG can be integrated into a developer, administrator or security-centric person’s workflow. There are some examples below.

There’s a lot of content in my general outline, but I think it would be valuable to give people some direction here, even if I’m only able to mention them.

Main Topics:

  • connecting people to resources to bootstrap GnuPG
  • the structure of sockets/services required to use GnuPG with Yubikey
  • covering the complexities of Yubikey configuration (PIV vs GPG, Yubikey applications)

Diagrams and a Cheatsheet

I have a lot of notes on GnuPG that I need to revisit. I would like to couple the presentation with some handouts, either exported from LaTeX or just HTML-to-SavePDF (lol)

So this would include things like:

  • Service dependency diagram for things like gpg-agent -> scdaemon -> pcscd
  • Socket forwarding diagram
  • Table of crypto algorithms
  • Diagram showing how to set up GPG Certify keys and subkeys

Most of this stuff should be fairly straightforward for me to compile … but I’m not really an expert here.

GnuPG Applications

But particularly, I would like to give people some direction about how they can integrate GnuPG into their workflows or applications.

Ranging from simple:

  • transparent encryption/decryption with emacs
  • some equivalent probably for vim
  • Thunderbird configuration for signing emails
  • public key signing
  • HKPS servers
  • signing commits
  • SSH Agent via GnuPG agent

To beginner/intermediate:

  • regpg (to quickly make X509 certificates)
  • a script to use it with ansible vault
  • using GPG with SOPS (like regpg, but with more structure and configuration options)
  • SSH Agent forwarding with gpg-agent

To intermediate/advanced:

  • Udev scripts to lock computer when removing the yubikey
  • LUKS encryption keys (and dumping headers, etc)

Thanks!

3 Likes

One more thing. If anyone has figured this out, it would help a lot.

One major source of confusion & frustration for me resulted from transitioning from ssh-agent to gpg-agent while juggling the Yubikey’s PIV and OpenPGP apps.

  • Since I had CCID device exclusivity enabled (and perhaps even without it) only one process could access the Yubikey OpenPGP udev at a time.
  • The Yubikey FIDO2 is accessed in a different manner, so CCID doesn’t cause problems
  • One way to handle it was to allow the gpg-agent’s SSH functionality to eat the PIV keys, but at the time it didn’t have the ability to handle Yubikey PIV SSH keys. I do see files in $GNUPGHOME/private-keys-v1.d with format below, so I did get it to import, but I never used it for some reason.
  • However, any way I went around resolving that was either hacky/brittle or didn’t work. To circumvent it, I needed to constantly restart the gpg-agent.

Now that I know a bit more, it looks like this s-expression specifies retrieval of a PKCS11 token from the PIV.

Token: D276000123456780000 PIV.9A - 12+345+678
Key: (shadowed-private-key (ecc (curve "1.3.132.0.34")(q #1234....4321#) (shadowed
  t1-v1 (#D276000123456780000# PIV.9A))))

I believe there’s a solution to the problem described above, via recent changes in GnuPG 2.3, scdaemon and pcsc-lite.

… but I haven’t seen many references to this yet. The last time I looked, I saw indirect indications of a resolution in the GnuPG/scdaemon docs somewhere.
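Added example (not part of the original posts, and not GnuPG's own code): a small Python reader for key files in the text layout quoted above, reporting whether a file is a card stub and which card application and slot it points at. It assumes the `Token:`/`Key:` layout and the `(shadowed t1-v1 (#SERIAL# KEYREF))` form exactly as they appear in the post; `describe_key` and `scan` are names made up for this example.

```python
import re
from pathlib import Path

# Sample in the layout quoted in the post above; the values are the post's
# own redacted placeholders, not a real key.
SAMPLE = '''Token: D276000123456780000 PIV.9A - 12+345+678
Key: (shadowed-private-key (ecc (curve "1.3.132.0.34")(q #1234....4321#) (shadowed
  t1-v1 (#D276000123456780000# PIV.9A))))
'''

# Assumption: the card stub looks like the sample, "(shadowed t1-v1 (#SERIAL# KEYREF))".
STUB_RE = re.compile(r"\(shadowed\s+t1-v1\s+\(#([0-9A-Fa-f]+)#\s+([A-Za-z0-9.]+)\s*\)")

def parse_fields(text):
    """Split 'Name: value' lines; indented lines continue the previous value."""
    fields = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields

def describe_key(text):
    """Report whether a key file is a card stub and which app/slot it names."""
    fields = parse_fields(text)
    key = " ".join(v for n, v in fields if n == "Key")
    info = {"on_card": False, "serial": None, "app": None, "slot": None,
            "token_agrees": None}
    m = STUB_RE.search(key)
    if not m:
        return info  # key material lives on disk, or the layout is not the one assumed
    serial, keyref = m.group(1).upper(), m.group(2)
    app, _, slot = keyref.partition(".")
    # Only the first two Token fields are interpreted; the rest is left opaque.
    tokens = [v.split()[:2] for n, v in fields if n == "Token" and len(v.split()) >= 2]
    agrees = None  # None means the file has no Token line to compare against
    if tokens:
        agrees = any(s.upper() == serial and k == keyref for s, k in tokens)
    info.update(on_card=True, serial=serial, app=app, slot=slot, token_agrees=agrees)
    return info

def scan(keydir):
    """Describe every *.key file in a directory such as $GNUPGHOME/private-keys-v1.d."""
    return {p.name: describe_key(p.read_text(errors="replace"))
            for p in sorted(Path(keydir).glob("*.key"))}
```

Run against a copy of the key directory, the `app` column shows at a glance which stubs point at the PIV application and which at OpenPGP.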

I’ve seen a Yubikey used to get a throwaway, time-limited SSH key signed and added to the ssh-agent.

1 Like

If someone is interested, there is a very good post about how to configure the different YubiKey options here: An Opinionated YubiKey Set-Up Guide | Pro Custodibus

2 Likes

@aionfork this is fantastic, I’m a very basic yubikey user (FIDO in browser) but would like to do more with it. I can’t help with content but I could go through the material you’re putting together and ask questions about things that are not clear, if that would be helpful to you. Either way, good luck and please keep us posted.

1 Like

To add more details, it isn’t the key that’s time-limited, but the certificate signing the key has a limited validity and also states which user@host pairs it’s valid for. The YubiKey is used to authenticate you, and a directory is used to authorize you, so the system knows which user@host pairs need to be in the certificate.

@aionfork how did the presentation go? Is it available somewhere online for us to read/watch?

2 Likes

@aionfork were you able to do that presentation? Is it public?

This is the guide I follow to get my yk configured: GitHub - drduh/YubiKey-Guide: Guide to using YubiKey for GnuPG and SSH

No, I had postponed it for a while. I really wanted to work out some of the usability issues, but I couldn’t. That slowed down my development of the presentation.

I did find some good graphics that explain interaction between PIV, pcscd, CCID, GnuPG, etc. Having that laid out was going to make explaining some of the exceptions much easier for me.

The key user story that should be made simpler is “users can use multiple keys simultaneously, specifically to migrate secrets to a new subkey.” It is not hard, but it’s difficult to explain to new users. For me, it basically required two computers to avoid decrypting to plain text (because one subject key was expired).

I’m just not sure that GnuPG 2.2 is the way to go for Yubikey. GnuPG 2.4 has much better smart card tools. However, the timeline for that migration is unclear to me, which is a lot of caveats to explain to new users. Also, I think the migration is a bit sensitive, since a lot of package managers rely on the stability of GnuPG.

Just chiming in to say I really love the ideas behind this thread and presentation. I’ve been debating grabbing a Yubikey for a while now, so seeing real world examples is a great motivator.

So my issue with yubikey is that I need multiple keys to both:

  • use multiple apps (OpenPGP and PIV)
  • with CCID (where only a single app can access the smartcard)

Ultimately, you need a backup key anyways, but it gets pricey to have two.

I use OpenPGP (with GnuPG) and FIDO2. I would like to use PIV simultaneously. Looking at some of the newer docs and blogs from GnuPG, the ability to do so may be coming, but most content on the web describing YK setup doesn’t account for GnuPG 2.4 features.

PIV is nice because you may involve it in X509 signing workflows, though figuring out how to do so is complicated.

I think it may be possible to get cryptographic secret keys in GnuPG to sign X509 certs (technically! … but idk how). GnuPG doesn’t validate X509 ASN.1 objects, but some of the related software does… I think? 🤔 Yeh, everything is a blur at this point because basically only YouTube Videos could help me whatsoever.

And I guess that’s not fair to say. I did receive some critical assistance from time to time, but everyone from my hometown area mainly uses Windows afaik. Or Mac.

So if you don’t know already, Desktop Linux is completely different than Server/VM/Container Linux. Yubikey is a “desktop Linux” problem until you get to more sophisticated signing or HSM problems.

I rarely get IRL facetime with someone who has similar tech passion AND interests, who also has free time. So learning takes 20x longer than it should.