YubiKey SSH Configuration

YubiKeys

An SSH private key is the whole of your identity to every server that trusts the matching public key: whoever holds it logs in as you, with no password and no trace beyond an ordinary login. Two things follow. First, the key should be RSA 4096 rather than the 2048-bit default; the gain is a wider margin against factoring attacks (brute force is hopeless at either size), and it costs nothing once the card supports it. Second, the private key should never exist as a file at all. Generating it on a YubiKey means it is created inside the device and cannot be read back out; every signature is computed on the card, so malware on the host can use the key only while the YubiKey is plugged in and, with a touch policy set, only when someone physically touches it.

Step 0: Initial setup

We start by setting the three OpenPGP key slots on the card to RSA with a 4096-bit modulus. This needs a YubiKey 4 or newer (the YubiKey NEO tops out at RSA 2048) and GnuPG 2.1 or newer. With the YubiKey plugged in, open the card in edit mode:

gpg --card-edit

Then switch to admin mode, which unlocks the commands that change the card (GnuPG prompts for the Admin PIN when one of them needs it):

admin

and open the key-attribute settings:

key-attr

key-attr asks about each of the three key slots in turn (Signature, Encryption, Authentication), so the next step is repeated three times:

Choose option (1) RSA, and when asked for the keysize enter 4096. Afterwards gpg --card-status should show every slot changed from rsa2048 to rsa4096:

Key attributes ...: rsa2048 rsa2048 rsa2048 (Before)
...
Key attributes ...: rsa4096 rsa4096 rsa4096 (After)

(Optional, but recommended) Require a physical touch on the YubiKey for every operation, so that a compromised host can only use the key while someone is present to touch it. Install the YubiKey Manager CLI (ykman) and set the policy for the authentication, encryption and signature slots:

$ ykman openpgp keys set-touch aut on
$ ykman openpgp keys set-touch enc on
$ ykman openpgp keys set-touch sig on

Step 1: Generate the key directly on the card

Once again we enter the card editing mode:

gpg --card-edit

And again we enter the card admin mode:

admin

Generating the key directly on the card means the private key never touches the host's disk. If the card still has its factory PINs (123456 for the user PIN, 12345678 for the Admin PIN), change them first with the passwd command in this same admin mode; then run:

generate

GnuPG then asks a series of questions. Answer n to "Make off-card backup of encryption key?" if the key is to live only on the card (answering yes writes an encrypted copy of the encryption subkey to disk), and fill in the rest as needed:

- Please specify how long the key should be valid:
- Real name:
- Email address:
- Comment:

Step 2: Export the public key

Because the key was generated on the card, the private half cannot be exported, backed up or copied; if the YubiKey is lost, the key is lost with it, so keep the authorized_keys entry easy to revoke and consider enrolling a second key. What can be exported is the public half. The --export-ssh-key option writes the authentication subkey in OpenSSH authorized_keys format (the key ID is shown by gpg --card-status or gpg -K):

gpg --export-ssh-key [KEY_ID] > YubiKey.pub
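The steps above as a script, added here as an example and not taken from the original page. Besides wrapping the ykman and gpg commands, it adds the three checks worth running before relying on the key: that all three slots really are rsa4096, that gpg-agent is serving SSH, and that ssh can see the key. It assumes GnuPG 2.1 or newer (gpg, gpgconf, gpg-connect-agent), OpenSSH (ssh-add, ssh-keygen) and ykman on PATH; the card-status text embedded in it is constructed, not captured from a card, and the subcommand names are my own.

```shell
#!/bin/sh
# Added example, not code from the original page: the card setup above wrapped
# in shell functions, plus the checks a practitioner wants before trusting the
# key. Assumptions (not stated on the page): GnuPG 2.1+ (gpg, gpgconf,
# gpg-connect-agent), OpenSSH (ssh-add, ssh-keygen) and ykman are on PATH, and
# exactly one YubiKey is plugged in for the functions that touch hardware.
set -eu

# Constructed sample of `gpg --card-status` output after Step 0 (not captured
# from a real card), used by the selftest subcommand below.
SAMPLE_CARD_STATUS='Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Key attributes ...: rsa4096 rsa4096 rsa4096
Signature PIN ....: not forced'

# Succeed only if every slot in `gpg --card-status` output (read on stdin) is
# rsa4096. A stock card reports rsa2048 and a YubiKey NEO cannot go higher.
card_attrs_are_rsa4096() {
    attrs=$(sed -n 's/^Key attributes[ .]*: *//p')
    [ -n "$attrs" ] || return 1
    for a in $attrs; do
        [ "$a" = "rsa4096" ] || return 1
    done
}

# Require a touch for all three slots (sig, enc, aut); ykman asks for the
# Admin PIN. Hardware required, so the selftest does not call this.
set_touch_policies() {
    for slot in sig enc aut; do
        ykman openpgp keys set-touch "$slot" on
    done
}

# Make gpg-agent act as the SSH agent: add enable-ssh-support to
# gpg-agent.conf exactly once, creating the directory with safe permissions.
enable_gpg_agent_ssh_support() {
    home=$1
    conf="$home/gpg-agent.conf"
    mkdir -p "$home"
    chmod 700 "$home"
    touch "$conf"
    grep -qx 'enable-ssh-support' "$conf" || echo 'enable-ssh-support' >>"$conf"
}

# Export the authentication subkey in authorized_keys format and print its
# bit length and fingerprint so the 4096 can be confirmed. Hardware required.
export_ssh_pubkey() {
    keyid=$1
    out=${2:-YubiKey.pub}
    gpg --export-ssh-key "$keyid" >"$out"
    ssh-keygen -l -f "$out"
}

# Point ssh at gpg-agent's socket and list the keys it offers; the YubiKey's
# authentication key must appear here or ssh will never use it. Hardware required.
verify_key_in_agent() {
    SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
    export SSH_AUTH_SOCK
    gpg-connect-agent updatestartuptty /bye >/dev/null
    ssh-add -L
}

# Hypothetical command-line front end for the functions above; no subcommand
# means no action, so the file can also be sourced for its functions.
case "${1:-}" in
    selftest) printf '%s\n' "$SAMPLE_CARD_STATUS" | card_attrs_are_rsa4096 && echo "parser ok" ;;
    check)    gpg --card-status | card_attrs_are_rsa4096 && echo "all three slots are rsa4096" ;;
    touch)    set_touch_policies ;;
    agent)    enable_gpg_agent_ssh_support "${GNUPGHOME:-$HOME/.gnupg}" && verify_key_in_agent ;;
    export)   export_ssh_pubkey "$2" "${3:-YubiKey.pub}" ;;
esac
```

Run it with check after Step 0, touch for the optional touch policy, export KEY_ID after Step 1, and agent to wire gpg-agent into ssh; the line that ssh-add -L prints is what goes into authorized_keys on the server, and ssh-keygen -l should report 4096 for the exported file.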