Introduction

This "book" contains information about how I use a YubiKey (actually several YubiKeys) to store my PGP and SSH secret keys.

I've written several different pages over the past few years which document various parts of this; however, this is an attempt to bring all of that information together in a single place.

🚧 UNDER CONSTRUCTION 🚧

This "book" is "in progress", but I am not finished writing it yet. If you find this site useful in its current state, uhhhh... great, I'm glad I can help?

Otherwise ... please be patient. This is one of several things I'm working on in my spare time.

Overall Process

There are two major steps in the process.

Load keys onto a YubiKey

The first part of the process is getting the secret parts of a PGP key onto a YubiKey. This may include creating a PGP key.

This will generally only need to be done once for each YubiKey. Because the YubiKeys only contain the secret key material, changes to a key's expiration date or identities (which live in the public key's self-signatures) will not require any updates to the YubiKeys.

⚠️ If you already have a PGP key

One of the biggest reasons for putting your secret keys on a YubiKey is to avoid having your PGP or SSH secret keys on the disks of your workstations. Even if you delete them, remember that there are ways to "un-delete" files.

If your current secret keys are already on your workstations' disks, you may want to consider generating new keys from scratch, and doing it under Tails so that the secret keys are never written to a non-encrypted disk.

The safest way I've found to avoid having your PGP secret keys ever exist on a computer's disk is to use Tails. This is a "Live" Linux environment which runs from a USB stick. Its persistent storage feature provides a way to store the actual secret key files somewhere (so you have a backup in case a YubiKey is lost or broken), and because the persistent storage is encrypted, anybody who finds your Tails stick(s) won't be able to access the key files.

I use Tails to manage my own PGP keys. The directions on this site will explain (hopefully clearly) how I do this.

Configuring Workstations

The second part of this will be configuring each workstation where you (or others) plan to use YubiKeys for PGP and SSH.

This is something you may end up needing to do multiple times, depending on how many machines you use on a regular basis.

About this book

Operating Systems

Most of my personal computers are running macOS, with one laptop and a few servers running Linux. As such, the directions in this book will primarily focus on macOS and Linux.

I only own one machine running Windows, specifically for programming a few older ham radios for which non-Windows programming software is not available. This computer has never been connected to any network (at least not since the last time I re-formatted the disk to install the OS), and ... now that I think about it, I haven't even powered that machine on in over two years.

So this book isn't going to cover Windows.

Created with mdbook

This "book" is being created using a program called mdbook, which allows me to write the content using Markdown and have it converted to an HTML format that I think looks nice, especially with a few minor customizations.

And rather than making the same customizations every time I start a new "book" (I have several, both at work and for non-work), I created a template containing a newly created book with my customizations already in place.

https://github.com/kg4zow/mdbook-template/

Feedback

I would appreciate any feedback you may have to offer about this book.

  • Email: jms1@jms1.net

License

This book is licensed under a Creative Commons Attribution 4.0 International License.

Short version, you're free to use or copy the information, so long as you tell people that I originally wrote it.

legal mumbo jumbo