
Setup OpenPGP Card on the Yubikey Neo

08 Jun 2015

Setting Up The Yubico Yubikey Neo

First, make sure the system sees the NEO at all: check dmesg or lsusb for a device with Yubico's USB vendor ID 1050. The product string reported by the kernel (here "Yubikey NEO OTP+U2F+CCID") tells you which interfaces the key's current USB mode exposes, so this is also the quickest way to confirm a mode change took effect.

sample dmesg output:

[14822.497558] usb 1-1.1: new full-speed USB device number 5 using ehci-pci
[14822.592727] usb 1-1.1: New USB device found, idVendor=1050, idProduct=0116
[14822.592735] usb 1-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[14822.592740] usb 1-1.1: Product: Yubikey NEO OTP+U2F+CCID
[14822.592744] usb 1-1.1: Manufacturer: Yubico
[14822.592749] usb 1-1.1: SerialNumber: 0003021096
[14822.594601] input: Yubico Yubikey NEO OTP+U2F+CCID as /devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.1/1-1.1:1.0/0003:1050:0116.0005/input/input16
[14822.594940] hid-generic 0003:1050:0116.0005: input,hidraw0: USB HID v1.10 Keyboard [Yubico Yubikey NEO OTP+U2F+CCID] on usb-0000:00:1a.0-1.1/input0
[14822.596658] hid-generic 0003:1050:0116.0006: hiddev0,hidraw1: USB HID v1.10 Device [Yubico Yubikey NEO OTP+U2F+CCID] on usb-0000:00:1a.0-1.1/input1

sample lsusb output:

Bus 002 Device 003: ID 04f2:b249 Chicony Electronics Co., Ltd
Bus 002 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 005: ID 1050:0116 Yubico.com
Bus 001 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

The kernel detects the key with no extra configuration. What the udev rule below does is let the console user open the USB device node, which ykpersonalize and challenge-response need when run as an unprivileged user; if the key appears in lsusb but those tools cannot open it, this is the fix. The rule is the one shipped with yubikey-personalization and lists the product IDs whose modes include the OTP (HID keyboard) interface; CCID-only modes do not need it, because gpg reaches the card through pcscd. Install it as /etc/udev/rules.d/70-yubikey.rules, reload udev with udevadm control --reload-rules, and reinsert the key. The ENV{ID_SECURITY_TOKEN} setting relies on systemd's uaccess tagging to grant the logged-in user access, and the backslash is required because a udev rule must be one logical line.

ACTION!="add|change", GOTO="yubico_end"
# Udev rules for letting the console user access the Yubikey USB
# device node, needed for challenge/response to work correctly.
# Yubico Yubikey II
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", \
  ENV{ID_SECURITY_TOKEN}="1"
LABEL="yubico_end"

Once the key is detected you need to enable CCID mode, using one of neoman (the GUI), ykpersonalize or ykneomgr. For example:

ykpersonalize -m82

The mode is a hex value: the low digit picks the interface combination and the 0x80 flag adds CCID touch-eject, so 82 gives OTP+CCID. If you also want U2F, use -m86 (OTP+U2F+CCID, which is the mode shown in the dmesg output above). The key has to be unplugged and reinserted before a mode change takes effect. The full list of modes is in the man pages for ykpersonalize and ykneomgr.
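The two checks a practitioner wants at this step are "is a Yubico device present, and does its current mode include CCID?" and "what does the mode number I am about to pass to ykpersonalize actually enable?". The script below is an added example, not part of the original post or of Yubico's tools. It decodes a ykpersonalize mode value according to the table in the ykpersonalize/ykneomgr man pages (stated here from memory; confirm against your installed version) and maps NEO USB product IDs to interface sets as Yubico documents them (also an assumption to verify with lsusb -v). The sample lsusb text is constructed from the output quoted in the post.

```shell
#!/bin/sh
# Added example: verify a YubiKey NEO is on USB with CCID exposed, and decode
# ykpersonalize -m mode values. Not from the original post or from Yubico.

# Map a NEO USB product ID (hex, as lsusb prints it) to its interfaces.
# Assumption: Yubico's published NEO product-ID table; check with `lsusb -v`.
neo_interfaces() {
    case "$1" in
        0110) echo "OTP" ;;
        0111) echo "OTP+CCID" ;;
        0112) echo "CCID" ;;
        0113) echo "U2F" ;;
        0114) echo "OTP+U2F" ;;
        0115) echo "U2F+CCID" ;;
        0116) echo "OTP+U2F+CCID" ;;
        *)    echo "unknown"; return 1 ;;
    esac
}

# Decode a `ykpersonalize -m MODE` hex value: low bits select the interface
# combination, 0x80 is the CCID touch-eject flag (man-page table, from memory).
decode_mode() {
    mode=$((0x$1))
    eject=""
    if [ $((mode & 128)) -ne 0 ]; then
        eject=" (touch-eject flag)"
    fi
    case $((mode & 127)) in
        0) base="OTP" ;;
        1) base="CCID" ;;
        2) base="OTP+CCID" ;;
        3) base="U2F" ;;
        4) base="OTP+U2F" ;;
        5) base="U2F+CCID" ;;
        6) base="OTP+U2F+CCID" ;;
        *) echo "invalid mode $1" >&2; return 1 ;;
    esac
    echo "${base}${eject}"
}

# Read lsusb-style lines on stdin, print "<product-id> <interfaces>" for every
# Yubico (vendor 1050) device, and return 0 only if at least one exposes CCID.
find_neo() {
    found_ccid=1
    while IFS= read -r line; do
        case "$line" in
            *"ID 1050:"*) ;;
            *) continue ;;
        esac
        pid=$(printf '%s\n' "$line" | sed -n 's/.*ID 1050:\([0-9a-fA-F]\{4\}\).*/\1/p')
        ifaces=$(neo_interfaces "$pid") || true
        echo "$pid $ifaces"
        case "$ifaces" in *CCID*) found_ccid=0 ;; esac
    done
    return $found_ccid
}

# Constructed sample, modelled on the lsusb output quoted in the post.
SAMPLE_LSUSB='Bus 002 Device 003: ID 04f2:b249 Chicony Electronics Co., Ltd
Bus 001 Device 005: ID 1050:0116 Yubico.com
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub'

if [ "${1:-}" = "--live" ]; then
    # Real check against the machine; advise the mode change if CCID is absent.
    lsusb | find_neo ||
        echo "no YubiKey with CCID found: run ykpersonalize -m82 (or -m86) and reinsert" >&2
else
    printf '%s\n' "$SAMPLE_LSUSB" | find_neo
    decode_mode 82
fi
```

Run it with --live on the real machine after changing the mode and reinserting the key; without arguments it runs against the constructed sample and decodes mode 82.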

Once CCID mode is enabled, reinsert the key and run gpg --card-edit; at the gpg/card> prompt enter admin to unlock the administrative commands, then generate:

gpg --card-edit
admin
generate

Two things to do before you trust the result. The card ships with the well-known default PINs (user PIN 123456, admin PIN 12345678); change both with the passwd command in admin mode, because anyone holding the key can otherwise use it. And keys generated on the card never leave it: generate offers an off-card backup of the encryption key only, while the signature and authentication keys cannot be backed up at all, so losing or resetting the card means losing them. gpg talks to the card through scdaemon (and normally pcscd); if card-edit reports no card, check that those are running before suspecting the key.

Example gpg output:

gpg: detected reader `Yubico Yubikey NEO OTP+U2F+CCID (0000000000) 00 00'
Application ID ...: D00000000000000000000000000000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 00000001
Name of cardholder: Michael Jones
Language prefs ...: en
Sex ..............: unspecified
URL of public key : http://pgp.mj2.uk/pks/lookup?op=get&search=0x1EDEABF83D5702E2
Login data .......: LOGIN
Signature PIN ....: forced
Key attributes ...: AAAAA AAAAA AAAAA
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 33
Signature key ....: AAAA AAAA AAAA AAAA AAAA  AAAA AAAA AAAA AAAA AAAA
      created ....: 2015-04-17 00:15:41
Encryption key....: AAAA AAAA AAAA AAAA AAAA  AAAA AAAA AAAA AAAA AAAA
      created ....: 2015-04-17 00:15:41
Authentication key: AAAA AAAA AAAA AAAA AAAA  AAAA AAAA AAAA AAAA AAAA
      created ....: 2015-04-17 00:15:41
General key info..:
pub  AAAAA/AAAAAAAA 2015-04-17 Michael Jones (mikejonesey)
sec>  AAAAA/AAAAAAAA  created: 2015-04-17  expires: never     
                      card-no: 0006 03021096
ssb>  AAAAA/AAAAAAAA  created: 2015-04-17  expires: never     
                      card-no: 0006 03021096
ssb>  AAAAA/AAAAAAAA  created: 2015-04-17  expires: never     
                      card-no: 0006 03021096

Example: signing a file with the card's signature key (-a ASCII armor, -b detached signature, -s sign). Because the signature PIN is "forced" in the output above, gpg asks for the user PIN on every signature, and each signature increments the card's signature counter:

gpg -o example.tar.gz.sig -abs example.tar.gz

The output is ASCII-armoured despite the .sig name (gpg's own default name for an armoured detached signature is .asc). Check it with gpg's --verify option, giving the signature file first and the signed file second.
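A signature that verifies proves the key is valid but not that it was produced on the card; the card's signature counter does, since it only advances when the card itself signs. The helper below, an added example that is not part of the original post, wraps the signing command above, verifies the detached signature, and checks that the counter from gpg --card-status went up by exactly one. The sign_and_check function needs gpg and the card; the counter parser runs offline against a sample constructed from the --card-status lines quoted in the post. Running it against a real card, the user PIN prompt appears during the signing step.

```shell
#!/bin/sh
# Added example: sign with the OpenPGP card, verify, and confirm the card's
# signature counter advanced. Not from the original post or from GnuPG.

# Extract N from the "Signature counter : N" line of `gpg --card-status`.
signature_counter() {
    sed -n 's/^Signature counter *: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Detached-signature file name used in the post: <file>.sig (ASCII-armoured).
sig_path() {
    printf '%s.sig\n' "$1"
}

# Sign FILE on the card, verify the detached signature, and require the
# signature counter to have increased by one. Returns 0 only if all three hold.
sign_and_check() {
    file=$1
    sig=$(sig_path "$file")
    before=$(gpg --card-status | signature_counter)
    [ -n "$before" ] || { echo "card not reachable" >&2; return 1; }
    gpg -o "$sig" -abs "$file" || return 1
    # Signature file first, data file second.
    gpg --verify "$sig" "$file" || return 1
    after=$(gpg --card-status | signature_counter)
    [ -n "$after" ] || return 1
    if [ "$after" -ne $((before + 1)) ]; then
        echo "signature counter went $before -> $after, expected $((before + 1))" >&2
        return 1
    fi
    return 0
}

# Constructed sample of the relevant --card-status lines, as quoted in the post.
SAMPLE_STATUS='Signature PIN ....: forced
Signature counter : 33
Signature key ....: AAAA AAAA AAAA AAAA AAAA  AAAA AAAA AAAA AAAA AAAA'

if [ $# -gt 0 ]; then
    sign_and_check "$1" && echo "signed, verified, counter advanced"
else
    printf '%s\n' "$SAMPLE_STATUS" | signature_counter
fi
```

Usage: ./sign_check.sh example.tar.gz with the card inserted; with no argument it only parses the sample and prints 33.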
