Yubikey Deployment Hiccups

So last week I deployed a Yubikey and everything is great. I am now in the process of setting up a backup key. Everything on it is configured except the pgp key. Every time I try to import my key, it, for lack of a better term, seems to corrupt the pgp application on the yubikey and I then have to factory reset it.



Here is where things go sideways.


I am having a really hard time with this and have spent pretty much the whole day troubleshooting it. Any help is appreciated. I am on a fresh install of Fedora 36.

@PhaseLockedLoop Any insight? I have 2 more keys on the way so I can test if it is a hardware failure.

Could you output your terminal history via history and provide all the commands you have used to troubleshoot? It might lead to something.

Hopefully it’s not too much to sort through.

We can also try to reset the openpgp storage area on the card

ykman openpgp reset

If that doesn’t work, the manual directions are as follows:

1. Insert the YubiKey into a USB port.

2. Open Command Prompt (Windows users) or Terminal (Mac / Linux).

3. To check the PIN/Admin PIN reset status, enter the GPG command: gpg --card-status. If gpg --card-status fails, terminate the gpg-agent and gpg-connect-agent processes, then try again, or reboot.

4. Run gpg-connect-agent --hex

5. If the PIN retry counter from step 3 is greater than 0, enter the command: scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
   Repeat the above command until the YubiKey 4/5 Series device reports “D[0000] 69 83”.

6. If the Admin PIN retry counter is greater than 0, enter the GPG command: scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
   Repeat the above command until the YubiKey 4/5 Series device reports “D[0000] 69 83”.

7. To terminate the card, run the GPG command: scd apdu 00 e6 00 00
   You should see “D[0000] 90 00” (if already terminated, you should receive “D[0000] 69 85”).

8. To reactivate the card, run the GPG command: scd apdu 00 44 00 00
   You should see “D[0000] 90 00” (if the card hasn’t been terminated, you should receive “D[0000] 69 85”).

9. Close or exit the command prompt or terminal window, then remove and re-insert the YubiKey device.

10. Terminate the gpg-agent and gpg-connect-agent processes (or restart), then run the GPG command: gpg --card-status

11. Confirm the PIN retry counter is as follows: “3 0 3” on a YubiKey 4/5 Series device.

Once we are in that spot, kill the gpg agents again or reboot, unplug/replug the key, and you should be able to write to it again.
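An added example, not from this thread or from Yubico's documentation, that drives the reset steps above through gpg-connect-agent --hex and checks each status word before moving on, refusing to terminate the card if a PIN never reports blocked. The SimulatedCard stand-in is constructed so the flow can be exercised without hardware; the 63 CX and 6D 00 responses it emits, and the assumption that scd apdu always prints the status word on a D[....] line, are mine, not the page's.

```python
import re
import subprocess

# APDUs from the reset procedure quoted above (CLA INS P1 P2 Lc data); 40*8 is a deliberately wrong PIN
VERIFY_USER_PIN = "00 20 00 81 08 40 40 40 40 40 40 40 40"
VERIFY_ADMIN_PIN = "00 20 00 83 08 40 40 40 40 40 40 40 40"
TERMINATE_DF = "00 e6 00 00"
ACTIVATE_FILE = "00 44 00 00"
MAX_ATTEMPTS = 8  # a card whose retry counter starts at 3 must report 69 83 long before this

def status_word(agent_output):
    # Bytes in a 'D[....]' dump line are 1-2 spaces apart; the ASCII column follows 3+ spaces, so it is skipped
    data = []
    for m in re.finditer(r"^D\[[0-9A-F]{4}\]((?:\s{1,2}[0-9A-F]{2})+)", agent_output, re.M):
        data += m.group(1).split()
    if len(data) < 2:
        raise ValueError("no status word in agent output: %r" % agent_output)
    return "".join(data[-2:])  # ISO 7816 SW1 SW2, e.g. "9000"

def send_apdu(apdu):  # real transport: hand one APDU to scdaemon through gpg-connect-agent
    return subprocess.check_output(["gpg-connect-agent", "--hex", "scd apdu " + apdu, "/bye"], text=True)

def reset_openpgp(transport=send_apdu):
    """Block user PIN, block admin PIN, terminate, activate; returns every status word seen, in order."""
    seen = []
    for apdu in (VERIFY_USER_PIN, VERIFY_ADMIN_PIN):
        for _ in range(MAX_ATTEMPTS):  # repeat the wrong PIN until the card answers 69 83 (blocked)
            sw = status_word(transport(apdu)); seen.append(sw)
            if sw == "6983": break
        else:
            raise RuntimeError("PIN never reported blocked; not terminating the card")
    sw = status_word(transport(TERMINATE_DF)); seen.append(sw)
    if sw not in ("9000", "6985"): raise RuntimeError("TERMINATE DF failed with SW " + sw)  # 6985: already terminated
    sw = status_word(transport(ACTIVATE_FILE)); seen.append(sw)
    if sw != "9000": raise RuntimeError("ACTIVATE FILE failed with SW " + sw)
    return seen

class SimulatedCard:
    """Constructed stand-in for a card: PIN retry counters 3/3, wrong PIN answers 63 CX (X left), 69 83 once blocked."""
    def __init__(self): self.tries, self.terminated = {"81": 3, "83": 3}, False
    def __call__(self, apdu):
        ins, p2 = apdu.split()[1:4:2]
        sw = "6D 00"  # default: INS not supported (assumed response)
        if ins == "20":
            blocked, self.tries[p2] = self.tries[p2] == 0, max(self.tries[p2] - 1, 0)
            sw = "69 83" if blocked else "63 C%d" % self.tries[p2]
        elif ins in ("e6", "44"):  # TERMINATE needs a live card, ACTIVATE a terminated one, else 69 85
            sw = "90 00" if self.terminated == (ins == "44") else "69 85"
            self.terminated = ins == "e6"
        return "D[0000]  %s%s..\nOK\n" % (sw, " " * 46)  # mimic gpg-connect-agent's hex dump layout
```

Run reset_openpgp(SimulatedCard()) to see the expected sequence of status words; calling reset_openpgp() with no argument talks to a real card through gpg-connect-agent.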

Idk if any of this is helpful, but it’s the process I use:

Unfortunately, the caching behavior for the admin PUK seems to be somewhat random and my scripts rely on it getting cached (--pinentry-mode 'loopback' doesn’t support multiple PINs). But it’s still a decent reference for what commands to use.

I have 3 yubis that share gpg keys.


Looking at your output, ssb says cv25519 instead of ed25519. Is that a typo?

Mine is RSA, otherwise I’d check.

1 Like

Yeah, going to be frank: as much as I love the keys, they really have a lot of problems with this and ease of setup. Sorry @ucav117, I know it's a bitch, but we will get there.

When I made my GPG keys I made them all ed25519 FYI so I can use them on my SSH servers

You can do the same with RSA. I went with RSA4096 for better compatibility. Older yubis would only support up to 2048 but that hasn’t been the case for a long time.

This might not be an issue if you temporarily change the admin puk to be the same as the pin (does it let you do that?).

I believe it requires them to be different? Don't quote me.

Yeah, I know, that was a rough time. I'm trying to stay bleeding edge. Quantum is really, really starting to heat up. Trying to stay up to date as crypto changes at a much more rapid pace. It's brain melting.

1 Like

Afaik, breaking something like RSA4096 is still really theoretical, and I’m not sure how much stronger ed is? I thought a lot of the selling point of ed was performance but I could be remembering that wrong.

Anyway, do you know why GPG would show the encryption subkey as cv25519?

Also, I’m not sure if it’s best practice to combine SC? It’s separate on mine at least (I have 3 subkeys).

Sorry I haven’t responded. Work picked up unexpectedly and I haven’t had time to get back to it. 2 more yubikeys showed up today for my cold spares. Going to try and get back to this early next week when I get done with this job.
