gpg cards


gpg cards

Philipp Schmidt
Hello Everybody!

I have tried to find something in the docs about this, but without success. For quite a while now, I have been using a yubikey as gpg card and that is working really well. Since it is risky to have only one key, I just purchased another one to create a clone of the first. So I went ahead and copied the very same keys from the backup to the second. But trying to actually use it does not work, I get an error like: 'please insert card: […]' So.

What can I do to make gpg use the card as well (if possible) ?

Another thing I would really love to know is: Is it possible to use the gpg card as smartcard for the system login as well? Right now I am using the PIV functionality of the yubikey, but would really prefer to use one system.

Does anybody know if that is possible?

Last but not least I am still on a quest for a setup to use Full Disk Encryption and Security Token to actually decrypt the Disk on boot.

Does anybody know if that is possible with a gpg card?

Thanks ahead for any kind of help.

Best philipp

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: gpg cards

GnuPG - User mailing list
On 12021/00/27 02:03.62, Philipp Schmidt <[hidden email]> wrote:

> Hello Everybody!
>
> I have tried to find something in the docs about this, but without success. For
> quite a while now, I have been using a yubikey as gpg card and that is working really
> well. Since it is risky to have only one key, I just purchased another one to
> create a clone of the first. So I went ahead and copied the very same keys from
> the backup to the second. But trying to actually use it does not work, I get an
> error like: 'please insert card: […]' So.
>
> What can I do to make gpg use the card as well (if possible) ?
Sorry, I don't know the answer to this one, since I've never tried it. One option is simply creating a separate key and encrypting to two distinct (sub)keys, which is what I would do. You don't want to have to get rid of _both_ keys if one is compromised in some way, and having two copies of the key makes it more likely that it will be compromised or lost or whatever.

> Another thing I would really love to know is: Is it possible to use the gpg
> card as smartcard for the system login as well? Right now I am using the PIV
> functionality of the yubikey, but would really prefer to use one system.
> Does anybody know if that is possible?

What I do is use my Yubikey for U2F so it functions as a secondary form of authorization. I do this for both login and screen unlocking using the libpam-u2f module. It looks like you can use libpam-poldi (http://www.g10code.com/p-poldi.html) if you want to use your Yubikey GPG key for primary authentication, but YMMV.

> Last but not least I am still on a quest for a setup to use Full Disk
> Encryption and Security Token to actually decrypt the Disk on boot.
>
> Does anybody know if that is possible with a gpg card?

Possibly, but I haven't really looked into it.

> Thanks ahead for any kind of help.

Here's a bit of (unsolicited) advice: don't put all your eggs in one basket. I wouldn't use my GPG key to unlock my hard drive, log in, and decrypt _everything_ without having a foolproof way to get back in. In my case, for example, I use my Yubikey for everything as follows:

1. To unlock my LUKS-encrypted hard drives, I enter part of the passphrase from memory and use the yubikey for the rest. The data hard drive has a backup passphrase I never use since it's primarily unlocked by a keyfile stored in /root. The system hard drive has a backup passphrase that I don't ever use, but I also don't care since I can easily re-install the system.
2. To login, I use my Yubikey as U2F. Assuming I can get into my system HDD, I can always de-activate the U2F module to be able to get back in if my Yubikey fails.
3. I use my Yubikey as the primary key for pass, my password manager. I encrypt to a backup key that never leaves my laptop so I can still access the passwords should my Yubikey fail.

At *minimum*, you should have backup options for each thing you use the Yubikey for (assuming you don't want data loss). It's like with OTP codes - *always* save the backup codes :)

Sincerely,

Chiraag
--
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his


Re: gpg cards

jman
In reply to this post by Philipp Schmidt

Hi!

Philipp Schmidt <[hidden email]> writes:

> I have tried to find something in the docs about this, but without
> success. For quite a while now, I have been using a yubikey as gpg card and
> that is working really well. Since it is risky to have only one key, I
> just purchased another one to create a clone of the first. So I went
> ahead and copied the very same keys from the backup to the second. But
> trying to actually use it does not work, I get an error like: 'please
> insert card: […]' So.

This is a known issue; have a look here [0].

> What can I do to make gpg use the card as well (if possible) ?

You can follow the guide in that repository and move your private key to
the Yubikey (be careful: once there, the key *cannot* be moved anywhere
else) and configure gpg to retrieve the key from there (I think by adding
`use-agent` to the gpg.conf file). Feel free to have a look here [1].

> Another thing I would really love to know is: Is it possible to use
> the gpg card as smartcard for the system login as well? Right now I am
> using the PIV functionality of the yubikey, but would really prefer to
> use one system.

AFAIK it is possible using the Yubikey PAM module [2], but I have never tested
it and I don't know if it works for all use cases.

> Last but not least I am still on a quest for a setup to use Full Disk
> Encryption and Security Token to actually decrypt the Disk on boot.

Off the top of my head I can think of a setup using LUKS volumes, but I don't have
specific advice on the matter.

cheers,


[0] https://github.com/drduh/YubiKey-Guide/issues/19#issuecomment-458663857
[1] https://git.sr.ht/~jman/dotfiles/tree/master/item/gnupg/.gnupg
[2] https://developers.yubico.com/yubico-pam/


Re: gpg cards

GnuPG - User mailing list
In reply to this post by Philipp Schmidt

> ahead and copied the very same keys from the backup to the second. But
> trying to actually use it does not work, I get an error like: 'please
> insert card: […]' So.
>
> What can I do to make gpg use the card as well (if possible) ?

You see the prompt because gpg knows that you already used the first card
and asks for that card.  The alternative would be to check whether the
currently inserted card can be used, even though its serial number does
not match.  IIRC, we have implemented this in 2.3, to be released in the
next few weeks.

What you can do with 2.2 is to delete the stub file which stores the
serial number:

  gpg --with-keygrip -K

shows you the keygrip of the respective file.  Now check whether the
file ~/.gnupg/private-keys-v1.d/<KEYGRIP>.key has the string
"shadowed-private-key".  If so, delete this file and run
"gpg --card-status".

Such a file might look like this:

--8<---------------cut here---------------start------------->8---
Token: 276000124010200FFFE372F7910000 OPENPGP.1
Label: My signing yellow signing token
Key: (shadowed-private-key (ecc (curve Ed25519)(flags eddsa)(q
  #40CFBE4795E91CD7A26185F23430A7445712DD93185C3023B4646E963010263697#)
 (shadowed t1-v1 (#D276000124010200FFFE372F7910000# OPENPGP.1))))
--8<---------------cut here---------------end--------------->8---

which can be edited, or it might be some binary gibberish.  In any case
you should be able to check for the "shadowed-private-key" string.  Note
that such a file exists for each key.

> Another thing I would really love to know is: Is it possible to use
> the gpg card as smartcard for the system login as well? Right now I am

You can use the poldi PAM module but it is somewhat limited.  For proper
support we would need to modify the screen locker and the display
manager.

> Last but not least I am still on a quest for a setup to use Full Disk
> Encryption and Security Token to actually decrypt the Disk on boot.

I have used my card for many years for an encrypted partition.  The tool is
called g13 but it is not very polished and not easy to install.  When
building gnupg, add --enable-g13 to configure.  We have an open task to
write a bit of documentation: https://dev.gnupg.org/T3423 .  What's also
missing are features to replace or add OpenPGP keys to a partition so
that you can use several cards or a symmetric key for decryption (of
the actual dm-crypt key).


Salam-Shalom,

   Werner

--
Thoughts are free.  Exceptions are governed by a federal law.

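The stub-reset procedure Werner describes, written out as a POSIX shell script. This is an added example for this page, not code from Werner, the thread, or the GnuPG project. It assumes the default GNUPGHOME layout (private-keys-v1.d/<KEYGRIP>.key under ~/.gnupg), that `gpg --with-colons --with-keygrip -K` emits `grp` records whose tenth colon-separated field is the keygrip, and that the second card is the one inserted when `gpg --card-status` runs; the function names and the backup directory are my own choices. Stubs are moved aside rather than deleted so the old serial number can still be inspected.

```shell
#!/bin/sh
# Added example, not from the thread: rebind the OpenPGP key stubs of KEYID
# to whichever card is currently inserted, for GnuPG 2.2 (2.3 is said to
# handle a mismatched serial number on its own).
set -u

# Print the keygrips of all private (sub)keys of KEYID, one per line.
# In --with-colons output the "grp" record carries the keygrip in field 10.
keygrips_for() {
    keyid=$1
    gpg --batch --with-colons --with-keygrip -K "$keyid" 2>/dev/null \
        | awk -F: '$1 == "grp" { print $10 }'
}

# Return 0 if FILE is a card stub (contains "shadowed-private-key"), 1 if it
# is a real private key or does not exist.  -a treats the possibly binary
# S-expression as text, as Werner notes the file may be "binary gibberish".
is_shadowed_stub() {
    [ -f "$1" ] && grep -qa 'shadowed-private-key' "$1"
}

# List every stub file in DIR (a private-keys-v1.d directory), one per line.
list_shadowed_stubs() {
    dir=$1
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue
        if is_shadowed_stub "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Move the stubs of KEYID into a fresh backup directory (never delete outright;
# the copy lets you diff the old Token line against the new card) and let gpg
# write new stubs from the inserted card.  Real private keys are left alone.
rebind_stubs_to_inserted_card() {
    keyid=$1
    pkdir=${GNUPGHOME:-$HOME/.gnupg}/private-keys-v1.d
    backup=$(mktemp -d "${TMPDIR:-/tmp}/gpg-stubs.XXXXXX")
    for grip in $(keygrips_for "$keyid"); do
        stub=$pkdir/$grip.key
        if is_shadowed_stub "$stub"; then
            mv "$stub" "$backup/"
            echo "moved stub $grip.key to $backup"
        else
            echo "skipping $grip.key: not a shadowed stub (real key or missing)"
        fi
    done
    # Learn the inserted card; gpg recreates the stubs with its serial number.
    gpg --card-status >/dev/null
}

# Usage: sh rebind-card.sh <KEYID>   (with the second card inserted)
if [ "${1:-}" != "" ]; then
    rebind_stubs_to_inserted_card "$1"
fi
```

Because a 2.2 stub records exactly one card serial number, this binds the key to the second card; switching back to the first card brings back the same "please insert card" prompt until the stubs are reset again, so with 2.2 the two cards are interchangeable only with a reset in between.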