The Wonderful World of Yubikey: GPG

To recap this series so far, we've covered:

In this installment we'll be covering combining your Yubikey with GPG. This post will be mostly a summary of this amazing guide:

GitHub - drduh/YubiKey-Guide: Guide to using YubiKey for GPG and SSH
Guide to using YubiKey for GPG and SSH. Contribute to drduh/YubiKey-Guide development by creating an account on GitHub.

I primarily use GPG to sign commits in Git. Some advantages to migrating your private sub-keys over to Yubikey:

  • Security - Similar to our SSH use case, your private keys are now no longer just a file stored on your computer. Instead, there is a stub on your machine saying "Go ask Yubikey!".
  • Portability - Unlike the SSH example, moving your gpg keys to Yubikey actaully does make them more portable. For example, all you need to derive the private key "stub files" is your public key (likely stored in on a keyserver(s) somewhere) and your physical Yubikey. So theoretically, you could sit down at a machine you've never used before, import your public key from a keyserver and run a simple gpg --card-status to generate you private ¬†key stubs in the keychain and you're all set to use your Yubikey with GPG on that new machine without your actual private keys ever touching the new computer.
  • Duplicatable - Unlike U2F and SSH, the GPG example actually does allow you to add the exact same private GPG keys to multiple Yubikeys.
  • Physical interaction required - In the linked guide above, you will find instructions on requiring a Yubikey touch everytime you need to interact with your private keys.

Some other highlights from the linked guide above:

  • Subkeys are your friend. Keep your main key tucked away somewhere safe and let your subkeys handle signing, decryption and authentication.
  • You can't spell Yubikey without "redundancy"! If you have multiple Yubikeys, go ahead and load them up with your GPG keys.
  • Initial interaction with GPG on your Yubikey is still password protected. If someone stole your physical Yubikey, they would need your alpha-numeric pin to actually use the keys stored on it.