- Configure another computer to use a configured YubiKey
- Signing for different git repositories with different keys
- Keybase
- VMware Fusion
- Docker Content Trust
You don't need to do anything extra if you have not set up GPG and SSH to use your YubiKey.
Otherwise, you need to:
On your previous computer:
- Get the YubiKey GPG key ID by running `gpg --list-keys`; in the following example the key ID is `4E09860E71D948019BD426D5D099A306DBECDF1B`.
- Get a copy of your YubiKey GPG public key (this might have been backed up in your password manager) by running `gpg --export --armor key_id > /path/to/pubkey.asc`, so in our example it will be `gpg --export --armor 4E09860E71D948019BD426D5D099A306DBECDF1B > pubkey.asc`.
- (Optional) Write your copy of your GPG public key stored in your password manager to disk if not already there (e.g., to `/path/to/pubkey.asc`).
On the new computer:
- Get the `pubkey.asc` file onto the disk by downloading it.
- Run `./import.sh -p /path/to/pubkey.asc -i key_id`. In our example: `./import.sh -p ~/pubkey.asc -i 4E09860E71D948019BD426D5D099A306DBECDF1B`
- You will be prompted several times:
  - To install dependencies (required), type yes, and press enter
  - To configure the YubiKey GPG key for commit signing (or not), type yes or no, and press enter
  - To use the YubiKey GPG key for SSH connections (or not), type yes or no, and press enter
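As an added example (not part of this page or its `import.sh`), the following shell script parses a constructed `gpg --list-keys` listing to find the full fingerprint for a given user ID, rejects short key IDs, and assembles the `./import.sh` command line described above; the sample keys and user IDs are made up.

```shell
#!/bin/sh
# Added example (not this page's import.sh): pick the full GPG fingerprint out of
# `gpg --list-keys` output and build the import.sh command line shown above.
# SAMPLE_LISTING is constructed in the GnuPG 2.1+ layout; the second key is made up.
SAMPLE_LISTING='/home/user/.gnupg/pubring.kbx
-----------------------------
pub   rsa4096 2018-01-01 [SC]
      4E09860E71D948019BD426D5D099A306DBECDF1B
uid           [ultimate] Example User <user@example.com>
sub   rsa4096 2018-01-01 [E]
sub   rsa4096 2018-01-01 [A]

pub   ed25519 2019-06-01 [SC]
      0123456789ABCDEF0123456789ABCDEF01234567
uid           [ultimate] Example User (personal) <me@example.org>
sub   cv25519 2019-06-01 [E]
'
# Listing on stdin -> "FINGERPRINT<TAB>UID" per primary key (the 40-hex line after "pub").
list_fingerprints() {
    awk '
        /^pub / { want_fpr = 1; next }
        want_fpr && NF == 1 && length($1) == 40 && $1 ~ /^[0-9A-Fa-f]+$/ {
            fpr = $1; want_fpr = 0; next
        }
        /^uid / && fpr != "" {
            sub(/^uid[ \t]+\[[^]]*\][ \t]*/, "")
            print fpr "\t" $0
            fpr = ""
        }'
}
# Fingerprint of the key whose UID contains $1 (listing on stdin); fails unless exactly
# one key matches, so an ambiguous pattern can never silently select the wrong key.
fingerprint_for_uid() {
    matches=$(list_fingerprints | grep -F -- "$1" | cut -f1)
    [ "$(printf '%s\n' "$matches" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$matches"
}
# Accept only a full 40-hex-digit fingerprint; short 8/16-digit key IDs are collidable.
is_full_fingerprint() {
    case "$1" in ""|*[!0-9A-Fa-f]*) return 1 ;; esac
    [ "${#1}" -eq 40 ]
}
# The import.sh invocation from this page, for a validated key ID.
import_command() {
    is_full_fingerprint "$2" || return 1
    printf './import.sh -p %s -i %s\n' "$1" "$2"
}
KEY_ID=$(printf '%s' "$SAMPLE_LISTING" | fingerprint_for_uid user@example.com) \
    && import_command ~/pubkey.asc "$KEY_ID"
```

Pipe the real `gpg --list-keys` output into `fingerprint_for_uid` instead of the sample to get the value for `-i`.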
The script can set up your Git installation so that all your commits and tags will be signed by default with the key contained in the YubiKey. We strongly recommend that you turn on this option. If you have done so, please stop reading here.
Otherwise, one reason for declining this option may be that you wish to sign for different repositories with different keys. There are a few ways to handle this. Perhaps the simplest is to let the script assign the YubiKey to all git repositories, and then use `git config --local` to override `user.signingkey` for individual repositories.
Alternatively, let us say you use your personal key for open source projects, and the one in the YubiKey for Datadog proprietary code. One possible solution is to set up git aliases. First, make sure signing is turned on globally:

```sh
git config --global commit.gpgsign true
git config --global tag.forceSignAnnotated true
```

Then tell git which key to use by default, depending on which one you use the most:

```sh
git config --global user.signingkey <id_of_the_key_you_want_to_use_by_default>
```

You can alias the `commit` and `tag` commands to override the default key and use another one to sign that specific commit or tag:

```sh
git config --global alias.dd-commit '-c user.signingkey=<id_of_the_yubikey_key> commit'
git config --global alias.dd-tag '-c user.signingkey=<id_of_the_yubikey_key> tag'
```

With this setup, every time you do `git commit` or `git tag`, the default key will be used, while `git dd-commit` and `git dd-tag` will use the one in the YubiKey.
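Added example, not code from this page: a throwaway-HOME shell script showing how git resolves `user.signingkey` across a global default, a `--local` override and the per-invocation `-c` override that the `dd-*` aliases rely on; the two key IDs are constructed placeholders and `git` must be installed.

```shell
#!/bin/sh
# Added example, not from this page: show which key git resolves when a global default,
# a --local override and a per-invocation -c override (what the dd-* aliases do) compete.
# Both key IDs are constructed placeholders. Runs in a throwaway HOME, so ~/.gitconfig is untouched.
set -e
command -v git >/dev/null 2>&1 || { echo "git not found; nothing to demonstrate" >&2; exit 0; }
DEFAULT_KEY=1111111111111111111111111111111111111111   # constructed: personal key
YUBIKEY_KEY=2222222222222222222222222222222222222222   # constructed: key on the YubiKey

SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
export HOME="$SANDBOX" GIT_CONFIG_NOSYSTEM=1

# Global defaults, as on this page.
git config --global commit.gpgsign true
git config --global tag.forceSignAnnotated true
git config --global user.signingkey "$DEFAULT_KEY"

# Two repos: "oss" keeps the default, "proprietary" overrides it with --local.
git init -q "$SANDBOX/oss"
git init -q "$SANDBOX/proprietary"
git -C "$SANDBOX/proprietary" config --local user.signingkey "$YUBIKEY_KEY"

# The key git would sign with inside a repo: local config wins over global.
effective_signing_key() {
    git -C "$1" config --get user.signingkey
}

# The alias trick: -c user.signingkey=... wins over both global and local for one command,
# so dd-commit picks the YubiKey key even in a repo that has its own --local setting.
signing_key_via_alias() {
    git -C "$1" -c user.signingkey="$YUBIKEY_KEY" config --get user.signingkey
}

printf 'oss:                %s\n' "$(effective_signing_key "$SANDBOX/oss")"
printf 'proprietary:        %s\n' "$(effective_signing_key "$SANDBOX/proprietary")"
printf 'oss via dd-* alias: %s\n' "$(signing_key_via_alias "$SANDBOX/oss")"
```

Run `effective_signing_key .` in a real repository to confirm which key a plain `git commit` would use there.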
Optional: verify public key on Keybase. You can now do this using the command-line option, with only `curl` and `gpg`, and without installing any Keybase app, or uploading an encrypted copy of your private key. For example, see this profile.
If you have the Keybase application installed, you can import your YubiKey public key like this:

```sh
$ keybase pgp select
# If you already have a primary Keybase public key, use the --multi flag to import another
$ keybase pgp select --multi
```

See `keybase pgp help select` for more detail.
Optional: using YubiKey inside GNU/Linux running on VMware Fusion.
- Shut down your VM, find its `.vmx` file, edit the file to add the following line, and then reboot it: `usb.generic.allowHID = "TRUE"`
- Connect your YubiKey to the VM once you have booted and logged in.
- Install libraries for smart card:
  - Ubuntu 17.10: `apt install scdaemon`
  - Fedora 27: `dnf install pcsc-lite pcsc-lite-ccid`
- Import your public key (see Step 13).
- Set ultimate trust for your key (see Step 20).
- Configure GPG (see Step 22).
- Test the keys (see Step 23). On Fedora, make sure to replace `gpg` with `gpg2`.
- Use the absolutely terrible kludge in Table 1 to make SSH work.
- Spawn a new shell, and test GitHub SSH (see Step 26).
- Test Git signing (see Step 28). On Fedora, make sure to replace `gpg` with `gpg2`: `git config --global gpg.program gpg2`

```sh
# gpg-ssh hack
gpg-connect-agent killagent /bye
eval $(gpg-agent --daemon --enable-ssh-support --sh)
ssh-add -l
```

Table 1: Add these lines to `~/.bashrc`.
Optional: using YubiKey to store the root role key for Docker Notary.
- Assumption: you are running all of the following under Fedora 27.
- Install prerequisites: `dnf install golang yubico-piv-tool`
- Set GOPATH (make sure to update PATH too), and spawn a new `bash` shell.
- Check out the Notary source code: `go get github.com/theupdateframework/notary`
- Patch the source code to point to the correct location of the shared library on Fedora:
  - `cd ~/go/src/github.com/theupdateframework/notary`
  - `git pull https://github.com/trishankatdatadog/notary.git trishank_kuppusamy/fedora-pkcs11`
- Build and install the Notary client: `go install -tags pkcs11 github.com/theupdateframework/notary/cmd/notary`
- Add the lines in Table 2 to your `bash` profile, and spawn a new shell.
- Try listing keys (there should be no signing keys as yet):
  - `dockernotary key list -D`
  - If you see the line `DEBU[0000] Initialized PKCS11 library /usr/lib64/libykcs11.so.1 and started HSM session`, then we are in business.
  - Otherwise, if you see the line `DEBU[0000] No yubikey found, using alternative key storage: found library /usr/lib64/libykcs11.so.1, but initialize error pkcs11: 0x6: CKR_FUNCTION_FAILED`, then you probably need to run `gpgconf --kill scdaemon` (see this issue), and try again.
- Generate the root role key (it can be reused across multiple Docker repositories); notary exports it to the YubiKey and keeps a copy on disk:
  - Choose a strong passphrase.
  - `dockernotary key generate -D`
  - Commit the passphrase to memory and/or offline storage.
  - Try listing keys again; you should now see a copy of the same private key in two places (disk, and YubiKey).
  - Back up the private key in `~/.docker/trust/private/KEYID.key` to offline, encrypted, long-term storage.
  - Securely delete this private key on disk.
  - Now if you list the keys again, you should see the private key only on the YubiKey.
- Link the YubiKey library so that the prebuilt Docker client can find it: `sudo ln -s /usr/lib64/libykcs11.so.1 /usr/local/lib/libykcs11.so`
- Later, when you want Docker to use the root role key on your YubiKey:
  - When you push an image, you may have to kill `scdaemon` (in a separate shell) right after Docker pushes, but right before Docker uses the root role key on your YubiKey and generates a new targets key for the repository.
  - Use `docker -D` to find out exactly when to do this.
  - This is annoying, but it works.

```sh
# docker notary stuff
alias dockernotary="notary -s https://notary.docker.io -d ~/.docker/trust"
# always be using content trust
export DOCKER_CONTENT_TRUST=1
```

Table 2: Add these lines to `~/.bashrc`.