GPG & YubiKey & Git

Well, that is quite the title. Let me start from the beginning.

For a while now I've wanted to get into the world of GPG signing, encryption, etc., plus all this YubiKey/U2F/OTP stuff, plus signing my work so no one can impersonate me, but I never had the time or the will to do it (I can hear you say "yeah well, who does?") until now.

I joined a new company a couple of months back, where... let's say that they just have to take their security quite seriously, and people ain't used to that, bro. So I had to work alongside my boss and another DevOps to get things more or less okayish. What we're going to do here is:

  • Generate our own GPG key and subkeys for encryption, signature and authentication
  • SSH login through GPG SMC (YubiKey) + SSH Key
  • Sign all our work with the YubiKey (GPG) on git

Let me tell you now: this guide is based on Arch Linux, so the package names will surely vary if you use another distribution.

Installing the necessary packages

$ sudo pacman -S pinentry

Generating your GPG key

If you don't know how a GPG key works, let me explain it in layman's terms (for those who do know, excuse the rather simple explanation). A GPG key is a cryptographic key that you will use for different things, and it proves your identity. It's composed of a master key (which you have to keep safe at all times, and for years), a certain number of subkeys (keys derived from your master key, with the property that if you lose them or they get compromised, the master key is not compromised) and a series of identities (usually one per email address).

Now, we will generate the master GPG key. For compatibility reasons we will go with a 3072-bit key instead of a 4096-bit one, since some programs still don't support 4096-bit keys. That will guarantee that our key is supported everywhere.

BIG NOTE: People who take GPG seriously put a lot of thought into the security of the generation and storage process: for example, disconnecting the computer from the internet, moving the previous .gnupg directory away to start clean, and mounting an encrypted USB drive on the new .gnupg directory so nothing gets stored on the computer. This is not necessary for everyone, but take into consideration that people who use GPG keys every day take it VERY seriously; it's more important than their ID or driving license, because it proves who they are.

Generate the master GPG key
$ gpg --expert --full-gen-key
gpg (GnuPG) 2.1.13; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
    (1) RSA and RSA (default)
    (2) DSA and Elgamal
    (3) DSA (sign only)
    (4) RSA (sign only)
    (7) DSA (set your own capabilities)
    (8) RSA (set your own capabilities)
    (9) ECC and ECC
    (10) ECC (sign only)
    (11) ECC (set your own capabilities)
Your selection? 8

This will generate an RSA key for which you can activate whichever capabilities you want. In our case we want all of them (signature, encryption, authentication and certification).

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt 

    (S) Toggle the sign capability
    (E) Toggle the encrypt capability
    (A) Toggle the authenticate capability
    (Q) Finished

Your selection? A

As you can see, Sign, Certify and Encrypt are activated by default, so we just need to activate Authenticate. After toggling A, we finish and continue with the generation.

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 3072
Requested keysize is 3072 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) 

We will generate a master key that does not expire. If you take this GPG stuff more seriously, generate one that expires when you want. Now, since we are starting from scratch, GPG doesn't know anything about us, so it will ask us to create an identity.

GnuPG needs to construct a user ID to identify your key.

Real name: I Am Myself
Email address: myself@home.net
Comment: 
You selected this USER-ID:
    "I Am Myself <myself@home.net>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: agent_genkey failed: No pinentry
Key generation failed: No pinentry
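
Once the key has been generated, the choices made in the session above (RSA, 3072 bits, all four capabilities, no expiry) can be checked from gpg's machine-readable listing. This is an added example, not part of the original post; the function name `audit_primary_key` and the sample records are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit a primary key against the choices made in the session above.
# Real use:  gpg --list-keys --with-colons myself@home.net | audit_primary_key

# Constructed, trimmed "pub" records in --with-colons format (not real keys).
# Fields used: 3 = key length, 4 = algorithm (1 = RSA), 7 = expiry, 12 = capabilities.
SAMPLE_OK='pub:u:3072:1:0123456789ABCDEF:1470000000:::u:::escaESCA:'
SAMPLE_DEFAULT_CAPS='pub:u:3072:1:0123456789ABCDEF:1470000000:::u:::escESC:'
SAMPLE_WEAK='pub:u:2048:1:FEDCBA9876543210:1470000000:1501536000::u:::escaESCA:'

# Reads a colon listing on stdin and prints "ok" or a space-separated list of
# deviations from: RSA, at least 3072 bits, no expiry, Sign+Certify+Encrypt+Authenticate.
audit_primary_key() {
  awk -F: '
    $1 == "pub" {
      seen = 1
      if ($4 + 0 != 1)   problems = problems " not-rsa"
      if ($3 + 0 < 3072) problems = problems " short-key"
      if ($7 != "")      problems = problems " expires"
      # Lowercase letters in field 12 are the capabilities of the primary key itself;
      # uppercase letters describe the key as a whole, subkeys included.
      n = split("s c e a", want, " ")
      for (i = 1; i <= n; i++)
        if (index($12, want[i]) == 0) problems = problems " missing-" want[i]
      exit   # only the first primary key is audited; END still runs
    }
    END {
      if (!seen)               print "no-primary-key"
      else if (problems == "") print "ok"
      else                     print substr(problems, 2)
    }'
}

# Demonstration on the constructed samples.
for sample in "$SAMPLE_OK" "$SAMPLE_DEFAULT_CAPS" "$SAMPLE_WEAK"; do
  printf '%s -> %s\n' "$sample" "$(printf '%s\n' "$sample" | audit_primary_key)"
done
```

A result of `missing-a` means the Authenticate capability was never toggled on, which is the default state shown in the capability menu above.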
Generate the revocation key and export the public key
Generate the subkeys (encryption, signature, authentication)
Move your subkeys to the YubiKey
Signing your work on git with GPG
Accessing to SSH through GPG/YubiKey