keyssuper.blogg.se

Gpg email for mac

I’ve been using USB security keys for SSH keys since 2015. I have switched from a generic brand to Yubikey about two years ago, mostly as part of gaining additional flexibility - both with types of keys (first USB keys only supported 1024, later 2048 byte sized RSA keys, I wanted 4096 and eventually decided I really like ed25519 ones) and available technologies.

I have recently upgraded my Yubikey 5 Nano key to a newer version. Actually, the key model (device itself) is exactly the same, but firmware version is newer and now supports ed25519 keys.

Here are a few important bits, they’re not necessarily representing best practices so please DO YOUR OWN RESEARCH if you’re not sure you want to configure keys the same way I do.

Keys in GnuPG assume expiration dates and even revocation - this means if you lost a key (or just lost access to the key), there’s a way to revoke it from use - meaning it’s not going to be trusted anymore.

Because I’m using Yubikey just for SSH access AND because I’m managing authorized_keys via Ansible for all my infrastructure, I tend not to use any certificates or revocation functionality. Instead, I simply revoke access myself - by making sure I remove old keys from authorized_keys on all my servers.

IMPORTANT: be sure to order Yubikey 5 Nano from Yubikey’s official webstore, otherwise you might end up buying a device with older firmware that you can’t upgrade yourself - meaning it will support RSA keys, but not ECC (ed25519) ones.

The firmware you need is 5.2.3 or later - my key has 5.2.7:

YubiKey 5 Nano - You Need Firmware 5.2.3+ to support ed25519

Install relevant tools in macOS

Let’s install GnuPG with SmartCard support for interfacing with the Yubikey:

brew install gnupg pinentry-mac

Setting card defaults

We should be able to set card defaults now:

$ gpg --card-edit
: Yubico YubiKey FIDO CCID
Application ID.

Let’s enter the admin mode:

gpg/card> admin

And now reset the key to factory defaults, just in case:

gpg/card> factory-reset
gpg: Note: This command destroys all keys stored on the card!
Really do a factory reset? (enter "yes") yes

Changing Default PINs in Yubikey

Before we forget: let’s change the default PIN numbers for the Yubikey. Factory ones are: 123456 is the user PIN, and 12345678 is the admin PIN. First it’s option 3 (change admin PIN), then option 1 (change user PIN):

gpg/card> passwd
gpg-agent: DBG: handle_pincache_put: flushing cache '0/openpgp/1'
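Revoking access by removing old keys from authorized_keys, as described on this page, only works if no stale entry survives on any server, so it is worth auditing each file against the fingerprints of the keys still in use. The script below is an added example, not code from the original post; the function names, the sample keys and the cardno comments are constructed for illustration.

```python
import base64
import hashlib
import struct

def embedded_type(blob_b64):
    """Key type named inside the blob, or None if this is not a key blob."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        return raw[4:4 + n].decode("ascii")
    except (ValueError, struct.error):
        return None

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_entry(line):
    """Return (keytype, blob, comment); None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    # Match the declared type to the type inside the blob; skips leading options.
    for i in range(len(fields) - 1):
        if embedded_type(fields[i + 1]) == fields[i]:
            return fields[i], fields[i + 1], " ".join(fields[i + 2:])
    raise ValueError("no public key found in line")

def stale_entries(text, approved):
    """(line number, fingerprint, comment) for every key not in `approved`."""
    stale = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry and fingerprint(entry[1]) not in approved:
            stale.append((lineno, fingerprint(entry[1]), entry[2]))
    return stale

def make_sample_key(seed):
    """Constructed ssh-ed25519 blob for this demo; not a real key."""
    body = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32)
    return base64.b64encode(body + bytes([seed]) * 32).decode()

OLD_KEY, NEW_KEY = make_sample_key(1), make_sample_key(2)
SAMPLE = (  # constructed authorized_keys content
    f'from="10.0.0.0/8",no-pty ssh-ed25519 {OLD_KEY} cardno:000000000001\n'
    f"ssh-ed25519 {NEW_KEY} cardno:000000000002\n")
print(stale_entries(SAMPLE, {fingerprint(NEW_KEY)}))
```

Run it against each server's authorized_keys with the fingerprints of the keys on the current Yubikey as the approved set; any line it reports is an old key that still grants access.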














