How to: Security Keys

3 min Kamil Rusin

Today I was again setting up OpenPGP application on a new Yubikey. After over two years I already forgot how tedious that can be… I’m writing this blog post to create a clear trace of what I needed to do today and hopefully, when the time comes to set up an another key, it’ll be as easy as opening up a blog entry.

# In general

I started to learn about security keys a few years back. I read “Security Keys: Practical Cryptographic Second Factors for the Modern Web” research paper by Google, explaining how they work and how they made them “fool-proof”. The article is very detailed and yet written in a easy-to-follow way. If you’re interested in security, then give it a try!

The rest of this article is a ramp about configuring a new key. If you don’t have one/not having issues with one at the moment, you can give it amiss.

# Setting up a new key

Yubico offers great software for managing your keys. If you’re planning on using yours as a 2FA method or FIDO2, then you are a happier person.

# Yubikey & macOS

To start with, I could not make the key detectable by GnuPG. I was getting “Operation not supported by device” error.

1gpg --card-status
2gpg: selecting card failed: Operation not supported by device
3gpg: OpenPGP card not available: Operation not supported by device

Then I found DataDog’s Yubikey troubleshooting guide. It fixed my problem – a config file was missing in my GnuPG home.

# Yubikey & OpenPGP

Working with gpg sucks.

The tool is very advanced and offering a lot of features, so naturally its CLI is complex, to say the least. As it was before, so it was now, I was saved by this marvelous guide on how to prepare PGP keys for a Yubikey.

It encompasses everything: from generating keys, to rotating keys. It also offers different solutions depending on how much you care about security. I highly encourage you to configure your key with this guide.

It got me through most of the OpenPGP stuff pretty smoothly. Again, I was lost on making the key work with gpg-agent.

# Yubikey & SSH

Once all three keys (Signing, Encryption, Authentication) are correctly set up, it’s the moment for the agent. I always miss two parts: configuring gpg-agent and enabling SSH for gpg-agent.

The first one requires these few lines at the end of your rc file. I use Z shell, so it’s .zshrc for me.

Enabling SSH for gpg-agent can be done by adding gpg-agent.conf file to your GnuPG home.

You’ll probably need to update the path pointing to pinentry-program. Just run

1which pinentry-mac

If you don’t have pinentry-mac installed, then

1brew install pinentry

Cool. The last and yet very important step is to relaunch the agent:

1gpgconf --kill gpg-agent

It should hopefully work.

# Tips

  1. To get public SSH key run: ssh-add -L.

It was around that time, when I tried to fetch my remote repo from GitHub… and it wasn’t working. I lost a significant amount of time looking for some configuration issue, but there wasn’t any. I redid everything again to no avail.

Then I saw that some of my GitHub Actions are not being triggered. :thinking_face: I dig a bit more and it turned out GitHub was having issues.

GitHub Status is a great site to keep in your RSS feed. When issues arise, they cascade.

Interested in my work?

Consider subscribing to the RSS Feed or joining my mailing list: madebyme-notifications on Google Groups .

Disclaimer: Only group owner (i.e. me) can view e-mail addresses of group members. I will not share your e-mail with any third-parties — it will be used exclusively to notify you about new blog posts.