YubiKey Notes

These are my notes on configuring my various YubiKeys for U2F and Git commit signing.

# Disable OTP mode
ykman mode -f FIDO+CCID

# Reset any existing PIV configuration
ykman piv reset -f

# Change PIN and PUK, and protect the management key with the PIN
echo -n "Enter PIN: "; read -r PIN; echo "PIN=$PIN"
# PUK must be exactly 8 digits: draw uniformly random digits from /dev/urandom
PUK=$(LC_ALL=C tr -dc '0-9' < /dev/urandom | head -c 8)
echo "PUK=$PUK"

ykman piv change-pin --pin 123456 --new-pin $PIN
ykman piv change-puk --puk 12345678 --new-puk $PUK

# Generate a random management key, store it on the YubiKey protected by the PIN and require touch
# (the key passed with --management-key is the factory default being replaced)
ykman piv change-management-key --protect --touch --pin $PIN --management-key 010203040506070801020304050607080102030405060708
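The PIN/PUK step above has two sharp edges: ykman rejects a PIN outside 6-8 characters or a PUK that is not exactly 8 digits, and three wrong PUK entries block the PUK for good. The following script is an added example, not part of the original notes: it generates the PUK, checks both values before any ykman call, and prints the ykman commands as a dry run unless YK_APPLY=1 is set. The PIN value, the YK_APPLY switch and the function names are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original notes): generate and sanity-check PIV
# PIN/PUK values before handing them to ykman. Assumes POSIX sh, /dev/urandom,
# and the YubiKey PIV limits (PIN 6-8 chars, PUK exactly 8 digits, 3 retries).

# gen_puk: 8 uniformly random decimal digits. tr filters /dev/urandom down to
# digit bytes, so every digit is equally likely (printing raw byte values is not).
gen_puk() {
    LC_ALL=C tr -dc '0-9' < /dev/urandom | head -c 8
    echo
}

# valid_pin: 6 to 8 characters, and never the factory default 123456.
valid_pin() {
    case "$1" in
        123456) return 1 ;;
        ??????|???????|????????) return 0 ;;
        *) return 1 ;;
    esac
}

# valid_puk: exactly 8 digits, and never the factory default 12345678.
valid_puk() {
    case "$1" in
        12345678) return 1 ;;
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# configure_piv: the ykman sequence from the notes, run only after both values
# pass. Dry run (commands are echoed) unless YK_APPLY=1, so the script can be
# executed without a key plugged in.
configure_piv() {
    pin=$1; puk=$2
    valid_pin "$pin" || { echo "bad PIN (6-8 chars, not the default)" >&2; return 1; }
    valid_puk "$puk" || { echo "bad PUK (8 digits, not the default)" >&2; return 1; }
    run="echo DRY-RUN:"
    [ "${YK_APPLY:-0}" = 1 ] && run=""
    $run ykman piv change-pin --pin 123456 --new-pin "$pin" &&
    $run ykman piv change-puk --puk 12345678 --new-puk "$puk" &&
    $run ykman piv change-management-key --protect --touch --pin "$pin" \
        --management-key 010203040506070801020304050607080102030405060708
}

# Stand-alone demo with a constructed PIN ("s3cr3t!" is a placeholder value).
if [ "${1:-}" = "demo" ]; then
    PUK=$(gen_puk)
    echo "PUK=$PUK"
    configure_piv "s3cr3t!" "$PUK"
fi
```

Run `sh piv-setup.sh demo` to see the commands it would issue; only with `YK_APPLY=1` does it touch the YubiKey. The validators deliberately reject the factory defaults so a typo in the read step cannot leave the key on 123456/12345678.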

# Reset any existing OpenPGP configuration
ykman openpgp reset -f

# Require a touch to authorize each OpenPGP signature, decryption and authentication operation
# (the admin PIN is back to the default 12345678 after the reset above)
ykman openpgp set-touch aut on -f --admin-pin 12345678
ykman openpgp set-touch enc on -f --admin-pin 12345678
ykman openpgp set-touch sig on -f --admin-pin 12345678

################################################################

# Configure card metadata and security (4096-bit keys)
gpg --card-edit
gpg/card> admin
Admin commands are allowed

gpg/card> key-attr
Changing card key attribute for: Signature key
Please select what kind of key you want:
   (1) RSA
   (2) ECC
Your selection? 1
What keysize do you want? (2048) 4096
The card will now be re-configured to generate a key of 4096 bits
Changing card key attribute for: Encryption key
Please select what kind of key you want:
   (1) RSA
   (2) ECC
Your selection? 1
What keysize do you want? (2048) 4096
The card will now be re-configured to generate a key of 4096 bits
Changing card key attribute for: Authentication key
Please select what kind of key you want:
   (1) RSA
   (2) ECC
Your selection? 1
What keysize do you want? (2048) 4096
The card will now be re-configured to generate a key of 4096 bits

> passwd # change GPG PINs
>> 1     # change PIN; default PIN is 123456
>> 3     # change Admin PIN; default Admin PIN is 12345678
>> Q
> name   # Set surname/given name; confirm with new Admin PIN
> sex    # "M"
> lang   # "en"
> url    # "https://keybase.io/breathe/pgp_keys.asc"
> quit

################################################################

gpg --edit-key 0xE7DCE706E78B96B8
gpg> addcardkey
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

Please select the type of key to generate:
   (1) Signature key
   (2) Encryption key
   (3) Authentication key
Your selection? 1
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 5y
Key expires at Mon 12 Aug 14:12:34 2025 CEST
Is this correct? (y/N) y
Really create? (y/N) y
gpg> save

################################################################

# Export public key for GitHub, etc.
gpg --armor --export 0xE7DCE706E78B96B8

################################################################

# Enable Git commit signing with the YubiKey card key
# Append "!" so gpg uses exactly this key id instead of choosing a subkey itself
CARD_KEY=$(gpg --card-status | awk -F'[ /]' '/^General key info/ {print $7 "!"}')
git config user.signingkey ${CARD_KEY}
git config commit.gpgsign true
git config gpg.program /usr/local/bin/gpg