How to: Security Keys
Today I was again setting up the OpenPGP application on a new Yubikey. After over two years I had already forgotten how tedious that can be… I’m writing this blog post to leave a clear trace of what I needed to do today, so that, hopefully, when the time comes to set up another key, it’ll be as easy as opening up a blog entry.
In general
I started to learn about security keys a few years back. I read the “Security Keys: Practical Cryptographic Second Factors for the Modern Web” research paper by Google, which explains how they work and how they were made “fool-proof”. The paper is very detailed and yet written in an easy-to-follow way. If you’re interested in security, give it a try!
The rest of this article is a walkthrough of configuring a new key. If you don’t have one, or aren’t having issues with one at the moment, you can give it a miss.
Setting up a new key
Yubico offers great software for managing your keys. If you’re planning on using yours as a 2FA method or for FIDO2, then you are a happier person.
Yubikey & macOS
To start with, I could not make the key detectable by GnuPG. I was getting an “Operation not supported by device” error:
gpg --card-status
gpg: selecting card failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device
Then I found DataDog’s Yubikey troubleshooting guide. It fixed my problem – a config file was missing in my GnuPG home.
Yubikey & OpenPGP
Working with gpg sucks.
The tool is very advanced and offers a lot of features, so naturally its CLI is complex, to say the least. As before, I was saved by this marvelous guide on how to prepare PGP keys for a Yubikey.
It covers everything from generating keys to rotating them. It also offers different solutions depending on how much you care about security. I highly encourage you to configure your key with this guide.
It got me through most of the OpenPGP stuff pretty smoothly. Again, I was lost on making the key work with gpg-agent.
Yubikey & SSH
Once all three keys (Signing, Encryption, Authentication) are correctly set up, it’s time for the agent. I always miss two parts: configuring gpg-agent and enabling SSH support in gpg-agent.
The first one requires these few lines at the end of your rc file. I use Z shell, so it’s .zshrc for me.
Enabling SSH for gpg-agent can be done by adding a gpg-agent.conf file to your GnuPG home.
You’ll probably need to update the path pointing to pinentry-program. Just run:
which pinentry-mac
If you don’t have pinentry-mac installed, then:
brew install pinentry-mac
Cool. The last and yet very important step is to relaunch the agent:
gpgconf --kill gpg-agent
It should hopefully work.
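As an added example that is not part of the original post, here is a small POSIX shell script that applies the three steps above idempotently: it writes gpg-agent.conf with enable-ssh-support and the pinentry-program path, appends the rc lines once, and restarts the agent. The exact rc lines (GPG_TTY and SSH_AUTH_SOCK via gpgconf --list-dirs agent-ssh-socket) and the fallback Homebrew path for pinentry-mac are my assumptions, since the post’s own snippet is not reproduced here.

```shell
#!/bin/sh
# Added example, not the post's own snippet. Assumes GnuPG home is ~/.gnupg,
# Z shell, and the Homebrew pinentry-mac (the fallback path is an assumption).
set -eu
# Write gpg-agent.conf with SSH support and the pinentry path, keeping any
# other lines already there. $1 = GnuPG home, $2 = pinentry-mac path.
write_agent_conf() {
    home="$1"; pinentry="$2"; conf="$home/gpg-agent.conf"
    mkdir -p "$home" && chmod 700 "$home"
    touch "$conf"
    # keep everything except the two keys this script manages
    grep -v -e '^enable-ssh-support' -e '^pinentry-program' "$conf" \
        > "$conf.tmp" || true
    {
        cat "$conf.tmp"
        echo "enable-ssh-support"
        echo "pinentry-program $pinentry"
    } > "$conf"
    rm -f "$conf.tmp" && chmod 600 "$conf"
}

# Append the rc lines once. Returns 0 if written, 1 if already present.
append_rc_snippet() {
    rc="$1"; touch "$rc"
    grep -q 'agent-ssh-socket' "$rc" && return 1
    cat >> "$rc" <<'EOF'
# gpg-agent as SSH agent (Yubikey setup)
export GPG_TTY=$(tty)
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent >/dev/null 2>&1
EOF
}

# Resolve pinentry-mac; the fallback is where Homebrew puts it on Apple Silicon.
find_pinentry() {
    command -v pinentry-mac 2>/dev/null || echo "/opt/homebrew/bin/pinentry-mac"
}

# Full flow: config files first, then relaunch the agent so it rereads them.
setup_yubikey_agent() {
    write_agent_conf "$1" "$(find_pinentry)"
    append_rc_snippet "$2" || echo "rc snippet already present in $2"
    command -v gpgconf >/dev/null 2>&1 && gpgconf --kill gpg-agent
    echo "done; open a new shell and run: ssh-add -L"
}
# Only apply when asked, so sourcing this file (or testing it) changes nothing.
if [ "${APPLY:-0}" = 1 ]; then
    setup_yubikey_agent "${GNUPGHOME:-$HOME/.gnupg}" "$HOME/.zshrc"
fi
```

Run it as `APPLY=1 sh setup-agent.sh`; re-running it is safe because both config writers check for what is already there.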
Tips
- To get your public SSH key, run: ssh-add -L
It was around that time that I tried to fetch my remote repo from GitHub… and it wasn’t working. I lost a significant amount of time looking for some configuration issue, but there wasn’t any. I redid everything, to no avail.
Then I saw that some of my GitHub Actions were not being triggered. :thinking_face: I dug a bit more and it turned out GitHub was having issues.
GitHub Status is a great site to keep in your RSS feed. When issues arise, they cascade.