Skip to main content

Alpha This is a new website theme. Help me improve it and give your feedback (opens in a new tab).

YubiKey NEO as an OpenPGP token

Published:

Tags:

Security Planet Debian Planet FSFE
This blog post is more than two years old. It is preserved here in the hope that it is useful to someone, but please be aware that links may be broken and that opinions expressed here may not reflect my current views. If this is a technical article, it may no longer reflect current best practice.

I was first interested in the idea of using a smartcard to store OpenPGP subkeys when I joined the Free Software Foundation Europe as a Fellow and recieved my FSFE Fellowship Card. By performing all cryptographic operations on the smartcard it would remove almost all the routes by which the secret key material could be compromised as the host operating system never has access to that secret material.

I decided that this was something I wanted to try out and I purchased two Cherry G83-6644 keyboards. One of the nice things I noticed about this product was that it was both FIPS 201 approved and GOST R approved. If both the Americans and the Russians could agree it was a good keyboard, it had a good chance of being a good keyboard.

A little udev magic to handle permissions and the card worked great, but there was a problem. This was not the most friendly form-factor and a USB keyboard was a bit big to be carrying around to use the smartcard with my laptop. I intended to get a smaller reader for my laptop but never did and the Fellowship card fell into disuse.

Later, I came across the YubiKey NEO. The YubiKey NEO is capable of emulating an OpenPGP smartcard, just like the Fellowship card, but in the form-factor of a USB stick. This improved form factor was enough to make me give it a go.

Since August 2015 I’ve been using a YubiKey NEO to store my OpenPGP subkeys and, excluding some occasional udev mishaps, it’s been working great.

When you first get the YubiKey NEO, it does not have the OpenPGP applet enabled. You’ll need to enable it yourself using the ykpersonalize tool:

sudo apt install yubikey-personalization
sudo ykpersonalize -m 82

Once you’ve enabled the OpenPGP module, the USB product ID will change, and you can now add a udev rule that will allow you to interact with the device when it’s plugged in as your normal user.

/etc/udev/rules.d/99-yubikeys.rules:
------------------------------------
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050",ATTRS{idProduct}=="0111", OWNER="irl"

This is not the correct way to do this. I’ve set it so that any YubiKey with the OpenPGP module inserted is set to be owned by my username (irl) when the correct way to do this would be to have it set to the current console user. I do not know enough udev magic to know how to do that.

UPDATE: I recieved a lot of good feedback on this, which you can find here.

Of course, for my key 0xE9846C49, this key started life as an ordinary key just stored on my laptop, so seperating subkeys onto the YubiKey has not massively increased security as an attacker that has stolen the secret key material can generate new subkeys.

I would hopefully notice these new rogue subkeys (I do monitor keyservers for changes to my key regularly), but I would prefer to make the possibility of the key being compromised as low as possible.

For this reason I am performing a key transition to a new key, F540ABCD, where the master key is stored offline. In my next post, hopefully within a day or so, I’ll explain how I used Tails to generate a key offline and load the subkeys into the YubiKey.

Contact