Yubikey 1 - Securely Generating PGP Keys

Captions
Hi there. In this series I'll show you how to store your GPG private keys in a YubiKey. There are three main reasons why you would want to do this. First, your secret keys will never leave the YubiKey, so all the cryptographic operations that we perform will happen on the YubiKey itself and not in your OS memory. Second, once in a YubiKey, your private keys are non-exportable, so unlike with a PC, no one with physical access to your device can steal your keys. And third, you don't have to remember strong passphrases nor deal with multiple files or data directories to use your keys on any computer that you like. YubiKeys will brick themselves by default after just three failed password attempts. In other words, a YubiKey is basically a hardware wallet for PGP keys.

So today I'm going to show you how to create a PGP master key. This key is supposed to be used for certification purposes only and should never touch the internet. Once created, it will issue subkeys for signing, encryption and authentication. These are the keys that we will eventually burn into a YubiKey.

You'll need the following items to complete this guide. First, three or four brand new USB drives that have never been used before. Second, a computer with an internet connection to download some software and create a bootable USB drive. And third, a computer with no Wi-Fi card, no Bluetooth card and no hard drive, a computer that will never, ever be connected to the internet again. A cheap old laptop will do nicely. Such a machine is an invaluable tool for dealing with private keys offline, but beware: dealing with air-gapped devices requires constant vigilance and a paranoid stance at literally every step.

So today we're not dealing with YubiKeys yet, but when we do, everything will depend on how thoroughly you follow today's instructions. We're generating the master private key, the most important key of all, and if you want to sleep well at night after you encrypt some of your secrets into a file or access a remote personal server through SSH, you need to know that you did everything right. So take this first video very seriously. I'll be doing everything myself and guiding you throughout the whole process; you just have to follow along. I won't skip any step, but I won't stop. One more thing: I'll be using Linux, of course. Let's go.

First we will download the Linux Tails operating system. Follow these links to get the image file, its digital signature and the signing key. I will verify the digital signature of the image file by importing the signing key and then verifying the signature file. If I get a good signature, I will delete both files and move the Tails image file to my home. We now have a Linux Tails image. You should do some basic research about what Tails is and what Tails does. Basically, it is a security- and privacy-focused Linux distribution. It's designed to be booted from a USB drive and to reside temporarily in the host machine's memory.

To create a bootable Tails USB drive we'll use balenaEtcher. You can go ahead and download the software by clicking the button below, or alternatively you can go to their GitHub and add their package repository to your sources. That way you will stay up to date by just updating your system. Now I will run balenaEtcher. There are just two steps. First, select the Tails image we downloaded a while ago. Second, insert a brand new USB drive into your computer and select it as the target. Congratulations, you have completed the first part of this guide.

Now we move on to generate our PGP keys. This will happen on an air-gapped computer running Linux Tails booted from a USB drive. To do this you might have to tweak your BIOS boot settings; do your own research. You might not have an air-gapped machine yet, and that's okay. You don't have to commit right away to create a definitive set of PGP keys, and you can play and practice all you want running a regular OS on a regular computer. But remember, when generating your long-term personal keys you will want to do this right.

We are offline in a computer with no Wi-Fi, no Bluetooth and no hard drive. This machine will never go online again. Linux Tails will live in our PC's memory for as long as we keep this session going; on shutdown everything will be forgotten. Let me start by opening a terminal window and making it pretty. I will also delete those items from the desktop, as well as the default GPG data directory, which is situated at home. Now I will create a directory in the desktop called "my keys" where I will store important files regarding my PGP keys. The first of these files is the password for the master key, which I have to generate. I will make it a long, strong passphrase. Note that I would never dream of doing this in a setting different than that which I've discussed: air-gapped computer, minimal hardware, perpetually offline Linux Tails. Remember to copy the password into your clipboard.

Now the following command will allow me to create a PGP master key with certifying capabilities only. Notice that I will go for an RSA key and that I will get rid of signing and encrypting capabilities, so I will be left with certify as my only allowed action. Next, go for maximum key size and make sure that this key never expires, since it is your master certifying key. Regarding its identification, whether or not to add a real name and email, I would recommend that you learn about the PGP web of trust before going further and then decide. It is a subtle issue which will be clarified somewhat when you learn about subkeys. For the purpose of this tutorial I will name my master key after my mentor, the penguin. Adding an email, real or fake, will be useful to ID your key, so I would recommend you do so. Paste your password. Great, I have a master certifying key. That long string of hexadecimal characters is its fingerprint. It has one identity associated with it, or UID. When referring to a key we can use either its fingerprint, the email attached to any of its UIDs, the last eight hexadecimal characters of its fingerprint, also known as short ID, or the last 16 hexadecimal characters of its fingerprint, also known as long ID. This is the key that we will always keep safely away from any computer connected to the internet. Every time we interact with our master key it should be in this way: offline, with a permanently air-gapped computer, in Linux Tails.

Now we will use our master key to derive three keys that we can later burn into a YubiKey and do cool stuff with. These are called subkeys. I will go through the same process three times, editing our master key for issuing a key for signing, a key for encryption and a key for authentication. These keys will have a shelf date of, say, three years. This is considered good practice because it minimizes the risk of keys getting compromised at some point in the future and forces you to reissue new ones periodically. The keys would still work but would be flagged as expired. In our case they are going to be pretty safe, always inside a YubiKey, but we will stick to best practices. Back to the terminal. Remember that the master key password is still in our clipboard, and note how I use the email to identify the master key and the following command to generate a signing subkey. Notice how the list of our keys has updated. We now hold two keys: the first one is a master key with its usage marked as C, or certify; the second one a subkey with usage S, or sign. I will now generate a subkey with encryption capabilities. We own a new subkey with usage for encryption. Let's issue one last subkey with authenticating capabilities. Later in the series we will use this key for SSH authentication. You'll notice that when I try to add an authenticating subkey there is no option for it. We will have to do the toggle trick that we did when we created the master key, by selecting an option that allows us to set our own capabilities. Just get rid of sign and encrypt and make the subkey A only. We are finished. To save and exit, type save. Please make sure that you understand all the information above: type of keys, fingerprints, dates, usages, UIDs and trust, which for our keys is ultimate. Do some research about it.

Our GPG keyring holds all the keys that we set out to generate. Now we are going to export everything that we have done, and more, into a few convenient files. I will save all these files next to my password in the directory that I created at the beginning of this guide, "my keys". First I will export the master private key, for which I will have to provide the password. Next I will create a revocation certificate for the master key. Imagine that you lose control of your keys or they get compromised in any way. If you have a revocation certificate you can at least advertise the fact that those keys should not be trusted and create a new PGP identity. But beware, anyone in possession of a revocation certificate for your keys can render them useless. It is a double-edged sword. Now we get our public key; no need for passwords, obviously. Next we export the secret key for the subkeys; password is needed. And finally, it is useful to know the fingerprints of all your keys. With the following command you can print them all to screen, so let's put them into a file. We are done exporting files. Let's put them into the GPG data directory situated at home. Let's take a final look at what we've got before backing everything up: a master certifying key and three subkeys for signing, encryption and authentication, good for three years. Everything is correct, so I will save the GPG data directory into a tar file and leave it on the desktop.

Finally, you will want to copy this backup into multiple reliable storage devices such as industrial-grade micro SDs and high-quality USB drives. I will do this once, but you should have multiple backups. I will use LUKS to encrypt a partition in a brand new USB drive, and I will use a strong passphrase. This passphrase I will not memorize; rather, I will write it down on a piece of paper and store it safely away from the backups themselves. If you created an encrypted partition, try it before shutting down Tails. I will do this myself: eject the USB drive and mount it right back in. I will also provide a wrong password to unlock the volume before trying the correct one. All good. I can now shut down Tails.

Well, you did it. Now you have in your possession securely generated personal, unbreakable PGP keys. There are few things that I can think of that are sexier than that. Next time we will make a YubiKey work in Linux, learn how to set it up and flash our subkeys into it. See you then.
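The video ends with a "final look" at the keyring before backing it up: one certify-only master key that never expires, and signing, encryption and authentication subkeys good for three years. As an added example (not code from the video or its channel), here is a small Python checker that reads the machine-readable form of that listing, `gpg --with-colons --list-keys`, and reports anything that departs from that design, including the short and long ID derivation from the fingerprint that the video describes. The sample listing is constructed for this example (made-up key IDs, fingerprints and timestamps), and the file name `check_keyring.py` is an assumption.

```python
"""Check a GnuPG keyring layout from `gpg --with-colons --list-keys` output.

Added example, not the video's own code.  Verifies: one RSA 4096 primary key
that can only certify and never expires, plus one signing (s), one encryption
(e) and one authentication (a) subkey, each expiring within three years.
Against a real keyring:  gpg --with-colons --list-keys | python3 check_keyring.py
"""
import sys

YEAR = 365 * 24 * 3600
MAX_SUBKEY_LIFETIME = 3 * YEAR + 2 * 24 * 3600   # three years plus leap-day slack
RSA = "1"                                        # OpenPGP public-key algorithm id for RSA
MIN_BITS = 4096

# Constructed sample listing (key ids, fingerprints, dates are made up).
# Field 12 of a pub/sub record holds capabilities: lower case = this key's own,
# upper case = usable across the whole key (primary plus subkeys).
SAMPLE_LISTING = """\
pub:u:4096:1:5F9D2C1B3A4E6D70:1645747200:::u:::cESCA::::::23::0:
fpr:::::::::A1B2C3D4E5F60718293A4B5C5F9D2C1B3A4E6D70:
uid:u::::1645747200::0123456789ABCDEF0123456789ABCDEF01234567::The Penguin <penguin@example.org>::::::::::0:
sub:u:4096:1:1122334455667788:1645747200:1740441600:::::s::::::23:
fpr:::::::::1111222233334444555566661122334455667788:
sub:u:4096:1:99AABBCCDDEEFF00:1645747200:1740441600:::::e::::::23:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF99AABBCCDDEEFF00:
sub:u:4096:1:0F1E2D3C4B5A6978:1645747200:1740441600:::::a::::::23:
fpr:::::::::0F1E2D3C4B5A69780F1E2D3C0F1E2D3C4B5A6978:
"""


def key_ids(fingerprint):
    """Full fingerprint, long id (last 16 hex) and short id (last 8 hex)."""
    fingerprint = fingerprint.replace(" ", "").upper()
    return {"fingerprint": fingerprint, "long": fingerprint[-16:], "short": fingerprint[-8:]}


def parse_listing(text):
    """Group each pub/sub record with the fpr and uid records that follow it."""
    primary, subkeys, current = None, [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            current = {
                "type": f[0], "bits": int(f[2]), "algo": f[3], "keyid": f[4],
                "created": int(f[5]),
                "expires": int(f[6]) if f[6] else None,     # empty = never expires
                "caps": {c for c in f[11] if c.islower()},  # this key's own capabilities
                "fingerprint": None, "uids": [],
            }
            if f[0] == "pub":
                primary = current
            else:
                subkeys.append(current)
        elif f[0] == "fpr" and current is not None:
            current["fingerprint"] = f[9]
        elif f[0] == "uid" and primary is not None:
            primary["uids"].append(f[9])
    return {"primary": primary, "subkeys": subkeys}


def check_layout(keyring, now=None):
    """Return a list of problems; an empty list means the keyring matches the design."""
    problems = []
    p = keyring["primary"]
    if p is None:
        return ["no primary key in listing"]
    if p["caps"] != {"c"}:
        problems.append(f"primary key capabilities {sorted(p['caps'])}, expected certify only")
    if p["expires"] is not None:
        problems.append("primary key expires; the master certifying key should never expire")
    if p["algo"] != RSA or p["bits"] < MIN_BITS:
        problems.append(f"primary key is algo {p['algo']}/{p['bits']} bits, expected RSA {MIN_BITS}")
    if not p["uids"]:
        problems.append("primary key has no user id")
    for k in [p] + keyring["subkeys"]:       # key id must be the tail of the fingerprint
        ids = key_ids(k["fingerprint"] or "")
        if k["keyid"] != ids["long"]:
            problems.append(f"key id {k['keyid']} does not match fingerprint {ids['fingerprint']}")
    seen = {}
    for s in keyring["subkeys"]:
        if len(s["caps"]) != 1:
            problems.append(f"subkey {s['keyid']} mixes capabilities {sorted(s['caps'])}")
            continue
        cap = next(iter(s["caps"]))
        seen[cap] = s
        if s["expires"] is None:
            problems.append(f"subkey {s['keyid']} ({cap}) never expires")
        elif s["expires"] - s["created"] > MAX_SUBKEY_LIFETIME:
            problems.append(f"subkey {s['keyid']} ({cap}) lives longer than three years")
        elif now is not None and s["expires"] < now:
            problems.append(f"subkey {s['keyid']} ({cap}) is already expired; reissue it")
    for cap, name in (("s", "signing"), ("e", "encryption"), ("a", "authentication")):
        if cap not in seen:
            problems.append(f"no {name} subkey")
    return problems


if __name__ == "__main__":
    listing = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    issues = check_layout(parse_listing(listing))
    print("keyring layout OK" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

Run without input and it checks the constructed sample; pipe real `gpg --with-colons --list-keys` output into it on the air-gapped machine (before the tar backup, as the video does) and the exit status tells you whether the keyring matches the intended design. Passing `now=` lets the same check flag subkeys that have already passed their three-year date when you come back to the offline keyring later.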
Info
Channel: 402 Payment Required
Views: 15,080
Keywords: yubikey, pgp, gpg, linux, ubuntu, bitcoin
Id: rGZtlgNhAVU
Length: 21min 1sec (1261 seconds)
Published: Fri Feb 25 2022