How to: Security Keys

3 min Kamil Rusin

Today I was again setting up OpenPGP application on a new Yubikey. After over two years I already forgot how tedious that can be… I’m writing this blog post to create a clear trace of what I needed to do today and hopefully, when the time comes to set up an another key, it’ll be as easy as opening up a blog entry.

#In general

I started to learn about security keys a few years back. I read “Security Keys: Practical Cryptographic Second Factors for the Modern Web” research paper by Google, explaining how they work and how they made them “fool-proof”. The article is very detailed and yet written in a easy-to-follow way. If you’re interested in security, then give it a try!

The rest of this article is a ramp about configuring a new key. If you don’t have one/not having issues with one at the moment, you can give it amiss.

#Setting up a new key

Yubico offers great software for managing your keys. If you’re planning on using yours as a 2FA method or FIDO2, then you are a happier person.

#Yubikey & macOS

To start with, I could not make the key detectable by GnuPG. I was getting “Operation not supported by device” error.

1gpg --card-status
2gpg: selecting card failed: Operation not supported by device
3gpg: OpenPGP card not available: Operation not supported by device

Then I found DataDog’s Yubikey troubleshooting guide. It fixed my problem – a config file was missing in my GnuPG home.

#Yubikey & OpenPGP

Working with gpg sucks.

The tool is very advanced and offering a lot of features, so naturally its CLI is complex, to say the least. As it was before, so it was now, I was saved by this marvelous guide on how to prepare PGP keys for a Yubikey.

It encompasses everything: from generating keys, to rotating keys. It also offers different solutions depending on how much you care about security. I highly encourage you to configure your key with this guide.

It got me through most of the OpenPGP stuff pretty smoothly. Again, I was lost on making the key work with gpg-agent.

#Yubikey & SSH

Once all three keys (Signing, Encryption, Authentication) are correctly set up, it’s the moment for the agent. I always miss two parts: configuring gpg-agent and enabling SSH for gpg-agent.

The first one requires these few lines at the end of your rc file. I use Z shell, so it’s .zshrc for me.

Enabling SSH for gpg-agent can be done by adding gpg-agent.conf file to your GnuPG home.

You’ll probably need to update the path pointing to pinentry-program. Just run

1which pinentry-mac

If you don’t have pinentry-mac installed, then

1brew install pinentry

Cool. The last and yet very important step is to relaunch the agent:

1gpgconf --kill gpg-agent

It should hopefully work.

#Tips

  1. To get public SSH key run: ssh-add -L.

It was around that time, when I tried to fetch my remote repo from GitHub… and it wasn’t working. I lost a significant amount of time looking for some configuration issue, but there wasn’t any. I redid everything again to no avail.

Then I saw that some of my GitHub Actions are not being triggered. :thinking_face: I dig a bit more and it turned out GitHub was having issues.

GitHub Status is a great site to keep in your RSS feed. When issues arise, they cascade.

How-To Yubikey
Interested in my work?

Consider subscribing to the RSS Feed or joining my mailing list: madebyme-notifications on Google Groups .

Disclaimer: Only group owner (i.e. me) can view e-mail addresses of group members. I will not share your e-mail with any third-parties — it will be used exclusively to notify you about new blog posts.

Cookies 🍪

This website uses Google Analytics 4 to gather data about page views and Giscus to support article comments.

This website respects the Do Not Track header field. If you do not wish to be tracked by Google Analytics, then please enable Do Not Track for this domain.

If you wish to know more about data gathered on this website, read About Tracking & Data Collection.