YubiKey Notes
These are my notes on configuring my various YubiKeys for U2F and Git commit signing.
# Disable OTP mode
ykman mode -f FIDO+CCID
# Reset any existing PIV configuration
ykman piv reset -f
# Change PIN and PUK, and protect the management key with the PIN.
echo -n "Enter PIN: "; read PIN; echo "PIN=$PIN"
# 8 random bytes printed as unsigned decimals give at least 8 digits (6 bytes could give fewer); keep the first 8.
PUK=$(dd if=/dev/random bs=1 count=8 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-8)
echo "PUK=$PUK"
ykman piv change-pin --pin 123456 --new-pin $PIN
ykman piv change-puk --puk 12345678 --new-puk $PUK
# Generate random management key stored on Yubikey, protected by PIN
ykman piv change-management-key --protect --touch --pin $PIN --management-key 010203040506070801020304050607080102030405060708
# Reset any existing OpenPGP configuration
ykman openpgp reset -f
# Require touch to authorize OpenPGP authentication, encryption and signature operations
ykman openpgp set-touch aut on -f --admin-pin 12345678
ykman openpgp set-touch enc on -f --admin-pin 12345678
ykman openpgp set-touch sig on -f --admin-pin 12345678
################################################################
# Configure card metadata and security (4096-bit keys)
gpg --card-edit
gpg/card> admin
Admin commands are allowed
gpg/card> key-attr
Changing card key attribute for: Signature key
Please select what kind of key you want:
(1) RSA
(2) ECC
Your selection? 1
What keysize do you want? (2048) 4096
The card will now be re-configured to generate a key of 4096 bits
Changing card key attribute for: Encryption key
Please select what kind of key you want:
(1) RSA
(2) ECC
Your selection? 1
What keysize do you want? (2048) 4096
The card will now be re-configured to generate a key of 4096 bits
Changing card key attribute for: Authentication key
Please select what kind of key you want:
(1) RSA
(2) ECC
Your selection? 1
What keysize do you want? (2048) 4096
The card will now be re-configured to generate a key of 4096 bits
> passwd # change GPG PINs
>> 1 # change PIN; default PIN is 123456
>> 3 # change Admin PIN; default Admin PIN is 12345678
>> Q
> name # Set surname/given name; confirm with new Admin PIN
> sex # "M"
> lang # "en"
> url # "https://keybase.io/breathe/pgp_keys.asc"
> quit
################################################################
gpg --edit-key 0xE7DCE706E78B96B8
gpg> addcardkey
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
Please select the type of key to generate:
(1) Signature key
(2) Encryption key
(3) Authentication key
Your selection? 1
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 5y
Key expires at Mon 12 Aug 14:12:34 2025 CEST
Is this correct? (y/N) y
Really create? (y/N) y
gpg> save
################################################################
# Export public key for GitHub, etc.
gpg --armor --export 0xE7DCE706E78B96B8
################################################################
# Enable Git commit signing with the YubiKey card key
# The "!" suffix tells gpg to use exactly this key ID (note: $7 assumes the two spaces gpg prints after "pub")
CARD_KEY=$(gpg --card-status | awk -F'[ /]' '/^General key info/ {print $7 "!"}')
git config user.signingkey ${CARD_KEY}
git config commit.gpgsign true
git config gpg.program /usr/local/bin/gpg
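An added check, not part of the original notes: it extracts the key ID from `gpg --card-status` by matching the `algo/KEYID` token rather than a fixed field position, and compares it with the value configured as `user.signingkey`. The card-status text below is a constructed sample; the function names `card_key` and `check_signing_key` are my own.

```sh
#!/bin/sh
# Constructed sample of gpg --card-status output (only the lines that matter here).
SAMPLE_CARD_STATUS='Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240102010006012345670000
General key info..: pub  rsa4096/E7DCE706E78B96B8 2020-08-12 Example User <user@example.com>
sec#  rsa4096/E7DCE706E78B96B8  created: 2020-08-12  expires: 2025-08-12
ssb>  rsa4096/0123456789ABCDEF  created: 2020-08-12  expires: 2025-08-12
                                card-no: 0006 01234567'

# card_key: read card-status text on stdin and print the key ID from the
# "General key info" line with the "!" suffix that makes gpg use exactly that
# key. Matching "/KEYID" avoids depending on how many spaces gpg prints;
# an optional 0x prefix (keyid-format 0xlong) is stripped. Prints nothing
# when the line shows "[none]".
card_key() {
  awk '/^General key info/ && match($0, /\/(0x)?[0-9A-Fa-f]+/) {
        id = substr($0, RSTART + 1, RLENGTH - 1)
        sub(/^0x/, "", id)
        print id "!"
      }'
}

# check_signing_key CONFIGURED CARD_STATUS_TEXT
# Returns 0 when the configured git signing key (with or without "!")
# matches the key the card reports, 1 otherwise.
check_signing_key() {
  configured=$(printf '%s' "$1" | sed 's/!$//')
  from_card=$(printf '%s\n' "$2" | card_key | sed 's/!$//')
  [ -n "$from_card" ] && [ "$configured" = "$from_card" ]
}

# Usage against a real card and repo:
#   check_signing_key "$(git config user.signingkey)" "$(gpg --card-status)" \
#     && echo "git signing key matches the card" || echo "MISMATCH"
```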