Benoit J - My mostly tech blog

Need to Extend My GnuPG Keys Again

Published on 2024-08-11
Edited on 2024-08-12

Categories: tech
Tags: security

This post describes how I use GnuPG and YubiKeys, and the subkey renewal process I go through every 2 years.

I did not know what to post next.

What to do in this case?

Delegate: I asked a friend to pick the next post ;-).

Thanks @shom for this pick!

The Context

My GnuPG Usage

I use GnuPG for many things:

Hardware keys / YubiKey

Before I get into how I created my keys, I need to describe an important part of my GnuPG setup.

Since I don't fully trust my systems, I use YubiKeys as HSMs instead of storing my keys on my systems.

For people not familiar with HSMs or YubiKeys: they are small computers packed into a USB stick, or something even smaller.

I’ve got two Yubikeys:

  1. YubiKey 5 Nano: The Nano is always plugged into my laptop. It’s so small that it only protrudes 1-2 mm (about 1/8").

  2. YubiKey 5 NFC: The YK 5 NFC is intended for use with my phone. It’s still a work in progress.

The idea is that even if my systems are compromised, they can never read the keys. In the worst case, I can replace the subkeys using the locked-down certify key.

There are cheaper alternatives to the YK5 NFC, but I haven’t found any for the nano form factor.

A couple of particularities of YubiKeys and similar HSMs:

How I created my keys

My key workflow is quite similar to the one described in this Debian post:

Here is the high level process:

  1. I boot into a live distro.
  2. I create a main certify key on a locked-down box (the live USB distro) with no internet access. That key is assumed to be valid until I no longer trust it.
  3. I then create encrypt, authenticate, and sign subkeys from that certify key. The subkeys are only valid for 2 years.
  4. I back up all my keys to encrypted flash drives, which I store both in my house and in my parents’ house.
  5. I copy the public keys to a readable flash drive.
  6. I only transfer the subkeys to the YubiKeys. The certify key only resides on the encrypted flash drives, which I never mount on my regular systems. I extend the subkeys when they expire, if I still trust them.

The Problem

With all that said, my sub keys expired on August 8th… I discovered the issue when I tried to push my dotfiles changes to git.sr.ht over ssh.

I have reminders, but somehow I did not notice :).

The solution?

The process is not super simple, as there are so many ways to do this.

When I started using my Yubikeys, I discovered this amazing guide: DrDuh YubiKey Guide

Yes, there is a lot of reading, but the process is quite well described there.

In the case of a renewal, it’s much simpler though:

  1. Boot a live distro: this time I used the live image built from the DrDuh NixOS flake
  2. Mount the encrypted backup of my keys (including the certify key)
  3. Load the keys into GPG
  4. Edit each subkey and set a new expiration date
  5. Create a new encrypted backup of the keys
  6. Back up the updated public keys
  7. Update the keys on the YubiKey (not necessary when only extending)
  8. Boot into my regular system
  9. Import my updated public key
  10. Publish my updated public key to my web directory and to the default key server.
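As an added example (not the author's own script): a small POSIX sh helper that covers the reminder check the author says he missed, parsing `gpg --with-colons --list-keys` output for subkeys close to expiry, plus steps 3 to 6 of the renewal above using `gpg --quick-set-expire`. The sample listing, its fingerprints and the function names are constructed for this post and are not real keys.

```shell
#!/bin/sh
# Added example: subkey expiry reminder and renewal helpers for GnuPG.
# The listing below is constructed: a certify-only primary with no expiry and
# three subkeys (sign, encrypt, auth) that all expire on 2024-08-08.
SAMPLE_LISTING='pub:u:255:22:0123456789ABCDEF:1690000000:::u:::c::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1690000000::0000000000000000000000000000000000000000::Alice (constructed) <alice@example.org>::::::::::0:
sub:u:255:22:1111111111111111:1690000000:1723075200:::::s::::::23:
fpr:::::::::1111111111111111111111111111111111111111:
sub:u:255:22:2222222222222222:1690000000:1723075200:::::e::::::23:
fpr:::::::::2222222222222222222222222222222222222222:
sub:u:255:22:3333333333333333:1690000000:1723075200:::::a::::::23:
fpr:::::::::3333333333333333333333333333333333333333:'

# Print "FINGERPRINT CAPABILITY EXPIRY" for every subkey expiring within DAYS
# of NOW (epoch seconds). In a sub record field 7 is the expiry and field 12
# the capabilities; the fpr record that follows carries the fingerprint.
subkeys_expiring_within() {
    days=$1; now=$2
    awk -F: -v limit="$((now + days * 86400))" '
        $1 == "pub" || $1 == "uid" { pending = 0 }
        $1 == "sub" { expiry = $7; cap = $12
                      pending = (expiry != "" && expiry + 0 <= limit) }
        $1 == "fpr" && pending   { print $10, cap, expiry; pending = 0 }'
}

# Fingerprint of the primary (certify) key: the first fpr record after pub.
primary_fpr() {
    awk -F: '$1 == "pub" { want = 1 } $1 == "fpr" && want { print $10; exit }'
}

# Fingerprints of all subkeys, one per line.
all_subkey_fprs() {
    awk -F: '$1 == "sub" { pending = 1 } $1 == "fpr" && pending { print $10; pending = 0 }'
}

# Steps 3 to 6 of the renewal, run on the offline live system with the backup
# keyring imported (the certify secret key must be present to re-sign). The
# expiry lives in the self-signature on the public key, which is why the
# YubiKey itself needs no update. NEW_EXPIRY uses gpg's format, e.g. "2y".
renew_subkeys() {
    primary=$1; new_expiry=$2; out_dir=$3
    # shellcheck disable=SC2046  # one argument per subkey fingerprint is intended
    set -- $(gpg --with-colons --list-keys "$primary" | all_subkey_fprs)
    gpg --quick-set-expire "$primary" "$new_expiry" "$@"
    gpg --armor --export-secret-keys "$primary" > "$out_dir/secret-backup.asc"
    gpg --armor --export "$primary" > "$out_dir/public.asc"
}

# Reminder check over the constructed listing as of 2024-06-01, 90-day horizon.
printf '%s\n' "$SAMPLE_LISTING" | subkeys_expiring_within 90 1717200000
```

Replace the constructed listing with a real `gpg --with-colons --list-keys` run (and `date +%s` for NOW) to turn the check into a cron or shell-login reminder.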

You can discuss this post on mastodon: https://fosstodon.org/@benoitj/112947067988523554
