In computer security, adopting 4096-bit SSH keys is essential because of their increased resistance to brute-force attacks, which gives more robust authentication. Such keys, aligned with security best practices, are crucial for protecting digital identities. It is equally vital to take care of the associated private key, since its compromise grants total access to the digital identity and raises the risk of identity theft. A recommended way to secure the private key is to use a physical security device such as a YubiKey, which adds a further layer of protection by storing the critical material securely and preventing unauthorized access.
Step 0: Initial setup
We will start by configuring the security key to use 4096-bit RSA keys. To do this, first enter the card editing mode:
gpg --card-edit
Now enter the card administrator mode:
admin
Then use the following command to enter the configuration of the key attributes:
key-attr
The next step must be repeated three times, once for each key attribute (the signature, encryption and authentication slots):
Select option (1) RSA, and when asked for the key size enter 4096. This changes the configuration from the first line below to the second:
Key attributes ...: rsa2048 rsa2048 rsa2048 (Before)
...
Key attributes ...: rsa4096 rsa4096 rsa4096 (After)
(Optional) You can configure the key so that a physical touch on the YubiKey is required for each use of the SSH key. To do this, install the YubiKey Manager CLI (ykman) and run the following:
$ ykman openpgp keys set-touch aut on
$ ykman openpgp keys set-touch enc on
$ ykman openpgp keys set-touch sig on
Step 1: Generate the key directly on the card
Once again we enter the card editing mode:
gpg --card-edit
And again we enter the card admin mode:
admin
Now to generate the certificate directly on the card, we simply use:
generate
A series of questions will follow, which we answer according to our needs:
- Please specify how long the key should be valid:
- Real name:
- Email address:
- Comment:
Step 2: Export the public key
Once the key has been generated on the card, the private key lives there permanently and never leaves it; only the public key can be exported, which is done as follows:
gpg --export-ssh-key [KEY_ID] > YubiKey.pub
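As an added check that is not part of the original guide: a POSIX shell parser for the exported YubiKey.pub that decodes the ssh-rsa wire format (three length-prefixed fields: the type string, the exponent e and the modulus n) and reports the modulus bit length, so you can confirm the card really produced a 4096-bit key rather than the rsa2048 default. The sample blob built by sample_key_hex is constructed to exercise the parser and is not a real key; the function names are my own.

```shell
#!/bin/sh
# Added check (not part of the original guide): decode an OpenSSH "ssh-rsa"
# public key and report its modulus size. Wire format: three length-prefixed
# fields (4-byte big-endian length, then bytes): "ssh-rsa", e, n (mpints).

# Read one field from the hex dump in $HEX at 1-based hex offset $POS;
# sets FIELD (hex) and advances POS past it.
read_field() {
  len=$((0x$(printf '%s' "$HEX" | cut -c"$POS"-$((POS + 7)))))
  POS=$((POS + 8))
  if [ "$len" -eq 0 ]; then FIELD=""; else
    FIELD=$(printf '%s' "$HEX" | cut -c"$POS"-$((POS + len * 2 - 1)))
  fi
  POS=$((POS + len * 2))
}

# Modulus bit length of an ssh-rsa key blob given as a hex string.
rsa_modulus_bits_hex() {
  HEX=$1; POS=1
  read_field; [ "$FIELD" = "7373682d727361" ] || return 1   # "ssh-rsa"
  read_field                                                 # exponent e (unused)
  read_field; n=$FIELD                                       # modulus n
  # mpint rule: a leading 0x00 byte is present when the top bit of n is set
  while [ "$(printf '%.2s' "$n")" = "00" ]; do n=$(printf '%s' "$n" | cut -c3-); done
  [ -n "$n" ] || return 1
  top=$((0x$(printf '%.2s' "$n"))); topbits=0
  while [ "$top" -gt 0 ]; do top=$((top >> 1)); topbits=$((topbits + 1)); done
  echo $(( (${#n} / 2 - 1) * 8 + topbits ))
}

# Same check on a public-key line as written to YubiKey.pub by
# gpg --export-ssh-key ("ssh-rsa <base64> comment").
ssh_rsa_bits() {
  set -- $1
  [ "$1" = "ssh-rsa" ] || { echo "not an ssh-rsa key" >&2; return 1; }
  rsa_modulus_bits_hex "$(printf '%s' "$2" | base64 -d | od -An -v -tx1 | tr -d ' \n')"
}

# Constructed test blob (not a real key): e = 65537 and a modulus of $1
# bytes whose top byte is 0xc3, encoded with the leading 0x00 mpint byte.
sample_key_hex() {
  filler=$(printf "%$(( ($1 - 1) * 2 ))s" '' | tr ' ' 'a')
  printf '%s%s%s%s%08x%s%s' 00000007 7373682d727361 00000003 010001 \
    $(($1 + 1)) 00c3 "$filler"
}

# Usage on the exported key:  ssh_rsa_bits "$(cat YubiKey.pub)"
```

The same figure is printed by `ssh-keygen -l -f YubiKey.pub`; the parser above shows where in the key blob that number comes from.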