Advice on a presentation about Yubikey and GnuPG

i’m doing a presentation on using GPG, particularly with Yubikey. it’s in about two weeks and the audience is security-oriented.

The main asks here:

  • can people provide some general advice?
  • and some direction on places where GnuPG can be integrated into a developer, administrator or security-centric person’s workflow. There are some examples below.

There’s a lot of content in my general outline, but I think it would be valuable to give people some direction here, even if I’m only able to mention them.

Main Topics:

  • connecting people to resources to bootstrap GnuPG
  • the structure of sockets/services required to use GnuPG with Yubikey
  • covering the complexities of Yubikey configuration (PIV vs GPG, Yubikey applications)

Diagrams and a Cheatsheet

I have a lot of notes on GnuPG that I need to revisit. I would like to couple the presentation with some handouts, either exported from LaTeX or just HTML-to-SavePDF (lol)

So this would include things like:

  • Service dependency diagram for things like gpg-agent -> scdaemon -> pcscd
  • Socket forwarding diagram
  • Table of crypto algorithms
  • Diagram showing how to setup GPG Certify keys and subkeys

Most of this stuff should be fairly straightforward for me to compile … but I’m not really an expert here.

GnuPG Applications

but particularly, i would like to give people some direction about how they can integrate GnuPG into their workflows or applications.

Ranging from simple:

  • transparent encryption/decryption with emacs
  • some equivalent probably for vim
  • Thunderbird configuration for signing emails
  • public key signing
  • HKPS servers
  • signing commits
  • SSH Agent via GnuPG agent

To beginner/intermediate:

  • regpg (to quickly make X509 certificates)
  • a script to use it with ansible vault
  • using GPG with SOPS (like regpg, but with more structure and configuration options)
  • SSH Agent forwarding with gpg-agent

To intermediate/advanced:

  • Udev scripts to lock computer when removing the yubikey
  • LUKS encryption keys (and dumping headers, etc)

Thanks!

2 Likes

One more thing. If anyone has figured this out, it would help a lot.

One major source of confusion & frustration for me resulted from transitioning from ssh-agent to gpg-agent while juggling the Yubikey’s PIV and OpenPGP apps.

  • Since I had CCID device exclusivity enabled (and perhaps even without it) only one process could access the Yubikey OpenPGP udev at a time.
  • The Yubikey FIDO2 is accessed in a different manner, so CCID doesn’t cause problems
  • One way to handle it was to allow the gpg-agent’s SSH functionality to eat the PIV keys, but at the time it didn’t have the ability to handle Yubikey PIV SSH keys. I do see files in $GNUPGHOME/private-keys-v1.d with format below, so I did get it to import, but I never used it for some reason.
  • However, any way i went around resolving that was either hacky/brittle or didn’t work. To circumvent it, I needed to constantly restart the gpg-agent.

Now that I know a bit more, it looks like this s-expression specifies retrieval of a PKCS11 token from the PIV.

Token: D276000123456780000 PIV.9A - 12+345+678
Key: (shadowed-private-key (ecc (curve "1.3.132.0.34")(q #1234....4321#) (shadowed
  t1-v1 (#D276000123456780000# PIV.9A))))

I believe there’s a solution to the problem described above, via recent changes in GnuPG 2.3, scdaemon and pcsc-lite.

… but i haven’t seen many references to this yet. The last time I looked, I saw indirect indications of a resolution in the GnuPG/scdaemon docs somewhere.

I’ve seen a Yubikey used to get a throw away and time limited ssh-key signed and added to the ssh-agent.

1 Like

If someone is interested, there is a very good post about how to configure the different yubi key options here: An Opinionated YubiKey Set-Up Guide | Pro Custodibus

2 Likes

@aionfork this is fantastic, I’m a very basic yubikey user (FIDO in browser) but would like to do more with it. I can’t help with content but I could go through the material you’re putting together and ask questions about things that are not clear, if that would be helpful to you. Either way, good luck and please keep us posted.

1 Like

To add more details, it isn’t the key that’s time-limited, but the certificate signing the key has a limited validity and also states, which user@host pairs it’s valid for. The YubiKey is used to authenticate you, and a directory is used to authorize you, so the system knows which user@host pairs need to be in the certificate.

@aionfork how did the presentation go? Is it available somewhere online for us to read/watch?

1 Like