![\"\"](\"https:\/\/jdzhao.com\/wp-content\/uploads\/2024\/05\/IMG_9441-791x1024.jpg?v=1715094848\"){kind=spacer}
<\/figure>\n\n\n\nBefore I proceed with the text, I need to mention a pitfall I encountered. Although the YubiKey 5 supports DSA public keys, it does not support DSA private keys. Initially, I chose a DSA signing key to keep the signature size smaller, but I couldn't import it into the YubiKey, which forced me to generate a new RSA subkey for signing and subsequently update the private keys on GitHub and key.jdzhao.com. For those starting fresh, you might want to avoid this issue.<\/p>\n\n\n\n
The complete process is well-documented online; here, my purpose is twofold: to keep a record and to share key points with the audience.<\/p>\n\n\n\n
1.YubiKey\u2019s PIN and PUK<\/p>\n\n\n\n
It's important to note that the PIN used for GPG and the PIN\/PUK used in the YubiKey Manager software for PIV are different concepts; they are independent of each other and should not be confused.<\/p>\n\n\n\n
When preparing to use the YubiKey for GPG, we need to modify the USERPIN (used for daily signing and encryption), ADMINPIN (used for importing private keys), and PUK (used for resetting the PIN after it's locked) through command-line tools.<\/p>\n\n\n\n
In command-line mode, we enter the YubiKey operation interface by using gpg \u2013edit-key, and here is a screenshot of the help section.<\/p>\n\n\n\n By entering \"admin\", you can access the admin interface, where you'll see the following operational commands.<\/p>\n\n\n\n \u5efa\u8bae\u8f93\u5165passwd\uff0c\u4fee\u6539PIN\u3001ADMIN PIN\uff0c\u4ee5\u4fbf\u79c1\u94a5\u7684\u4fee\u6539\u548c\u7b7e\u540d\u7684\u5b89\u5168\u3002<\/p>\n\n\n\n 2.. About Generating GPG\/PGP Keys<\/p>\n\n\n\n To allow for backups, we opt to generate private keys using third-party software and then import them. On macOS, you can use GPG Suite, and on Windows, it's recommended to use GPG4Win. Start by generating a primary key, and then it's advisable to create three subkeys for signing (S), encryption (E), and authentication (A). Managing subkeys later\u2014such as adding, revoking, or deleting\u2014can affect our public key, leading to the hassle of redistributing it multiple times.<\/p>\n\n\n\n 3. Backing Up Private Keys<\/p>\n\n\n\n After generating them, first back up your public keys, subkeys, and revocation certificates. For GUI, you can directly use the software for backup. If using the command line, you can back up like this:<\/p>\n\n\n\n gpg –armor –export-secret-keys your-key-id > privkey.asc<\/p>\n\n\n\n After exporting, it's recommended to package or compress and encrypt the data for storage in a secure location.<\/p>\n\n\n\n 4. Importing to YubiKey<\/p>\n\n\n\n Operations for importing to YubiKey must use the command line tool, and typically, only the subkeys are imported, not the primary key.<\/p>\n\n\n\n enter the following to see the overall situation of the key:\ngpg \u2013expert \u2013edit-key USERID (usually an email or fingerprint)\nThis procedure helps manage the keys effectively and ensure their security when using with YubiKey.<\/p>\n\n\n\n In the GPG key management interface, sec denotes your primary key, and ssb refers to your subkeys. Generally, you cannot select multiple keys at once; you need to import them one by one.<\/p>\n\n\n\n y default, the first key is labeled as Key 0. You should skip the primary key and enter key 1 to select the first subkey by default. Once selected, an asterisk (*) will appear next to it, indicating that it has been selected.<\/p>\n\n\n\n Next, type keytocard, which will prompt you to choose a slot. Typically, these slots correspond to the different functions of the subkeys:Signing (S slot)\nAuthentication (A slot)\nEncryption (E slot)\nEach slot on the YubiKey is designed to hold a specific type of subkey, ensuring that each function\u2014signing, authentication, and encryption\u2014is properly isolated and managed. This setup enhances the security and functionality of the keys stored on the device.<\/p>\n\n\n\n 5. YUBIKEY Status<\/p>\n\n\n\n You can check the status of your YubiKey by using the following command:gpg --edit-card.This command will provide you with an interface that displays various information about your YubiKey, such as the card version, serial number, and the user data stored on the card. It also allows you to perform other card management functions directly from the command line.<\/p>\n\n\n\n You can view the overall condition of your YubiKey, such as the settings for PIV (typically used for system logins), and the various subkeys that have been imported. The subkey used for AUTH is primarily for logging into and accessing remote servers, which is a topic I plan to discuss in detail in a separate article when time permits.<\/p>\n\n\n\n \u516d\u3001\u65e5\u5e38\u4f7f\u7528<\/p>\n\n\n\n \u8bf7\u6ce8\u610f\uff0c\u5bfc\u5165\u79c1\u94a5\u7684\u65f6\u5019\uff0c\u4f1a\u8f93\u5165\u4f60\u7684\u79c1\u94a5\u5bc6\u7801\u3001ADMIN PIN\uff08\u8bf7\u6ce8\u610f\u662fADMIN PIN\uff09<\/p>\n\n\n\n \u65e5\u5e38\u4f7f\u7528\uff0c\u662f\u8f93\u5165USER PIN\uff08\u666e\u901a\u7684PIN\uff09\uff0c\u4e0b\u56fe\u662f\u65e5\u5e38\u52a0\u5bc6\u3001\u7b7e\u540d\u7684PIN\u7a97\u53e3\uff08\u5982\u679c\u4f60\u8bbe\u7f6e\u4e86\u5fc5\u987b\u63a5\u89e6YUBIKEY ,\u90a3\u4e48\u8f93\u5165PIN\u540e\uff0c\u8fd8\u9700\u8981\u63a5\u89e6YUBIKEY\u624d\u80fd\u5b8c\u6210\uff0cYUBIKEY\u5904\u4e8e\u7b49\u5f85\u6a21\u5f0f\u65f6\uff0cKEY\u4e0a\u7684\u6307\u793a\u706f\u4f1a\u5e38\u95ea\uff09<\/p>\n\n\n\n These are the key points concerning the use of YubiKey for GPG\/PGP applications. If I think of anything else, I'll add it later. I welcome further discussion and exchange of ideas on this topic.<\/p>\n\n\n\n \u6700\u5f00\u59cb\uff0c\u5176\u5b9e\u4e0d\u60f3\u5c1d\u8bd5yubikey\u7684\uff0c\u56e0\u4e3ayubikey\u5bf9GPG\/PGP\u79c1\u94a5\u5c5e\u4e8e\u53ea\u80fd\u5199\u5165\u4e0d\u80fd\u5bfc\u51fa\u7684\u8bbe\u7f6e\uff0c\u51b5\u4e14\u81ea […]<\/p>","protected":false},"author":1,"featured_media":440,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[5],"tags":[20],"class_list":["post-431","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-5","tag-20"],"yoast_head":"\n![\"\"](\"https:\/\/jdzhao.com\/wp-content\/uploads\/2024\/05\/\u622a\u5c4f2024-05-07-22.53.35.png?v=1715093620\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jdzhao.com\/wp-content\/uploads\/2024\/05\/\u622a\u5c4f2024-05-07-22.54.20.png?v=1715093670\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jdzhao.com\/wp-content\/uploads\/2024\/05\/\u622a\u5c4f2024-05-07-22.55.21.png?v=1715093728\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jdzhao.com\/wp-content\/uploads\/2024\/05\/\u622a\u5c4f2024-05-07-23.02.28.png?v=1715094154\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jdzhao.com\/wp-content\/uploads\/2024\/05\/\u622a\u5c4f2024-05-07-23.04.50.png?v=1715094297\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jdzhao.com\/wp-content\/uploads\/2024\/05\/\u622a\u5c4f2024-05-07-23.05.26.png?v=1715094332\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jdzhao.com\/wp-content\/uploads\/2024\/05\/\u622a\u5c4f2024-05-07-23.07.03.png?v=1715094431\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jdzhao.com\/wp-content\/uploads\/2024\/05\/\u622a\u5c4f2024-05-07-23.38.42-1024x234.png?v=1715096330\")
<\/figure>\n\n\n\n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n\u672c\u5904\u7b7e\u540d\uff0c\u901a\u8fc7YUBIKEY\u7684RSA\u5b50\u94a5\u7b7e\u53d1\n\u4f60\u53ef\u4ee5\u901a\u8fc7key.jdzhao.com\u4e0b\u8f7d\u6211\u7684\u516c\u94a5\n\u5e76\u9a8c\u8bc1\u672c\u7b7e\u540d\u7684\u6709\u6548\u6027\u3002\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCAAdFiEE6pG3rRqQ57EQTPmw6kx\/\/Ye6jBYFAmY6RIgACgkQ6kx\/\/Ye6\njBZdFQ\/\/ckGWmCOk82r3dQa8GN3Bg8BLiuzX1i7rHs1fdqreBZwRJ5JcXtPOQ2aK\nJY1VTpK6P7rJA0j3E5fa3fJ\/fQ9+NSLIxD4UHJukIMQMqhN6FbAwf3EUXFS5QRg0\nurJ1z4ZkfqpSpMCVABj6cs5P6XaXWa6IU7U3qzv278pN46JuvbWPynFYO+MmbZHK\nMM2c4z+hi88MMWa6tSp31gclB7DwmEN2ekP8TggQKck5moO+C2F1KDy+L\/31Y+LO\nSxOq5EuWk9MObLWzzd8lz5MbBTJswfPc\/+wIwNwtHVmi0Qxi80UabXb1dIpGqliZ\nbo5e5RQgiULYNv8Kf582suXV8nnTZkRwknB9N\/jOp4HecbMInkMGoNj418b1JXS+\nUt+\/PT\/DXQMrUrrt1OEACe5+ocbHFs9Y6pjXF7QhaANX8Cfrpf+XjnCA28PmXJT3\n4mtegbTzyVybcB+6kBKpjd8f56dFoiEZ4qGsSM1k7y25KbL944TijXUDwBLrc3Cx\nB3BcfDWvJVYg78nw57zzrmZtRk4lNQsg+Mr+OrhOjhRWWPzxnLVq7yioKOwN4Z\/1\nMVi0MlxfnDCJ2FXxmaU3aD4dMLQhYRoqkNt7i4ajLeAJ7LIraELkEajpOE\/VooWv\nSo9xR+UbLqCa4w7lMaTUmKlRzegjyZsSbE3CI2uTeilfvZYa9pI=\n=FmbH\n-----END PGP SIGNATURE-----<\/code><\/pre>","protected":false},"excerpt":{"rendered":"