YubiKey NEO and OpenPGP

Yubico Team

December 18, 2012  |  Yubico Team  |  15 Comments

YubiKey NEO production launch

In this post, we will take you through the steps to enable the YubiKey NEO’s OpenPGP applet on a production YubiKey NEO. YubiKey NEOs are currently shipped with an OpenPGP applet already installed but disabled. You will need to enable the Applet functionality of the YubiKey NEO before you can use the OpenPGP applet.

To do this, you will need to use the command line interface (CLI) version of the YubiKey Personalization Tool. If you are not familiar with using command line tools, this applet is probably not for you. To download ykpersonalize, please click here.

Once you have installed the ykpersonalize software, insert your YubiKey NEO. You can check the firmware version with the ykinfo -v command, which shows version: 3.0.1 for our YubiKey NEO. To enable your YubiKey NEO's smart card interface (CCID), enter the command ykpersonalize -m82 as:

The -m option is the mode command. To see the different modes, enter ykpersonalize --help. Mode 82 (in hex) enables the YubiKey NEO as a composite USB device (HID + CCID) and allows OTPs to be emitted while in use as a smart card. Once you have changed the mode, you need to reboot the YubiKey, so remove and re-insert it.

Now that our NEO App: OpenPGP is visible, we can use the gpg program to set up a new smart card: run gpg --card-edit and then enter the admin command to enable admin commands. The command to create a new set of public/private key pairs is generate. You should see something like:

Note the default PINs, as you will need to enter them into the pop-ups, e.g.:

Once you enter the Admin and User PINs, gpg will ask you for various settings. Once you select Okay, the YubiKey NEO will work for between 1 minute and 3 minutes to generate 3 key pairs. It took our YubiKey NEO 1 minute 40 seconds.

WARNING: You cannot back up the secret keys, so if you lose the YubiKey NEO, regenerate another key pair, or otherwise lose the key pair, there is no way to retrieve it! When you encrypt a file, make sure you have a plain text backup.

It is recommended to back up the public key; we often use the Export Certificates to Server function in Kleopatra to do this. This is our screen:

The public keys and private key stubs are automatically loaded into the gpg database. We are running Kleopatra, so before completing, Kleopatra showed our soft keys:
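The enablement and generation steps above are interactive; the following script, added here and not part of the original post, checks the two things a practitioner wants to confirm afterwards: from the USB product ID whether the NEO is already exposing its CCID interface, and from gpg --card-status output which of the three key slots are now filled. The product IDs 0110 (OTP only) and 0112 (CCID only) are assumptions; the page itself only shows 0111 (OTP+CCID), and the sample inputs are constructed, not captured from a device.

```shell
#!/bin/sh
# Added example, not from the original post: check from the USB product ID
# whether the NEO already exposes its CCID (smart card) interface, and read
# from `gpg --card-status` output which of the three key slots are filled.
# Assumed NEO product IDs (the page only shows 0111): 0110 = OTP only,
# 0111 = OTP+CCID (mode 82), 0112 = CCID only.

# Constructed sample inputs (not captured from a real device):
SAMPLE_LSUSB='Bus 001 Device 005: ID 1050:0111 Yubico.com Yubikey NEO(-N) OTP+CCID'
SAMPLE_STATUS='Application ID ...: D2760001240102000006000000000000
PIN retry counter : 3 3 3
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]'

# Usage: neo_ccid_state "<lsusb output>" -> prints ccid | otp-only | none
neo_ccid_state() {
    pid=$(printf '%s\n' "$1" | sed -n 's/.*ID 1050:\([0-9a-fA-F]\{4\}\).*/\1/p' | head -n 1)
    case "$pid" in
        0111|0112) echo ccid ;;
        0110)      echo otp-only ;;
        *)         echo none ;;
    esac
}

# Usage: card_key_slots "<gpg --card-status output>" -> prints how many of
# the Signature/Encryption/Authentication slots hold a key (0..3); returns 1
# when the output does not come from an OpenPGP application at all.
card_key_slots() {
    printf '%s\n' "$1" | grep -q '^Application ID' || return 1
    printf '%s\n' "$1" | grep -E '^(Signature|Encryption|Authentication) key' \
        | grep -vc '\[none\]' || true
}

# Live driver (needs lsusb, ykpersonalize and gpg): enable CCID mode if the
# key is still OTP-only, otherwise report the applet's key slots.
if [ "${1:-}" = "--run" ]; then
    case "$(neo_ccid_state "$(lsusb)")" in
        ccid)     ;;
        otp-only) ykpersonalize -m82 -y && echo "mode 82 set; remove and re-insert the NEO"; exit ;;
        none)     echo "no YubiKey NEO found" >&2; exit 1 ;;
    esac
    status=$(gpg --card-status 2>/dev/null) || { echo "OpenPGP applet not answering" >&2; exit 1; }
    echo "key slots filled: $(card_key_slots "$status") of 3"
else
    echo "sample: $(neo_ccid_state "$SAMPLE_LSUSB"), $(card_key_slots "$SAMPLE_STATUS") of 3 slots filled"
fi
```

Run it with --run on a machine with the NEO inserted; without arguments it only evaluates the constructed samples.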

And afterwards Kleopatra shows the YubiKey NEO with the SmartCard icon:

With details:

We can now select our YubiKey NEO to sign and encrypt files, e.g.:

The source code for the YubiKey NEO OpenPGP app is available here.

15 Responses to “YubiKey NEO and OpenPGP”

  1. bob says:

    ‘Lose’ is spelled with one ‘o’, not ‘loose’.

  2. Matt says:

    This looks great!

    Two questions:
    1) Is this compatible with a PKCS#11 library?

    2) How many certificates/key pairs can be stored on the device?

    Really looking forward to see what Yubico can do with the smartcard side of authentication!

    • Matt says:

      In regards to the PKCS#11 library…

      Would something like Scute do the trick?

      http://www.scute.org

    • Yubico Team says:

      Hi Matt,
The first release of the OpenPGP app supports one instance of a GPG identity consisting of 3 subkeys. This version does not support the PKCS11 Library. Scute is a pkcs11 module for NSS; it might work with the YubiKey NEO, but it has not been tested by Yubico.

      • Matt says:

        Ok, thanks for the info.

        I understand Yubikey firmware is not user upgradable.

        Does that also mean that the “Apps” portion of the device is also not upgradable?

        When a new version of the OpenPGP app is released (or other NEO apps become available) – will the user be able to install/update? Or are you stuck with whatever version/type of app that came with the device?

        • David Maples says:

          Hello Matt!

The YubiKey NEO will not have specific apps tied to specific hardware/firmware versions. Everyone who already purchased a YubiKey NEO production version will not be locked out of future apps. More details will be released with the next apps.

          -David Maples
          Yubico Technical Support

  3. Erik says:

    Hi,
    This really looks interesting!
    I would also like to know if there is a PKCS11 interface available?
    Also is it possible to import keys that have been generated outside the NEO (I know this is not as secure as having the keys generated by the onboard chip but it would be useful for older keys that I still need).

    Thanks,

    /E

    • Yubico Team says:

      Hi Erik,
      This version does not support the PKCS11 Library, and it’s not possible to import keys, only generate on chip.

      • Sebastian says:

Hello Yubico Guys,

In regards to that “it is not possible” to import keys comment: Is that going to change in future versions, because off-card master keys with subkeys on card is basically a standard today. I would never use on-card generated keys personally.

Is there even a possibility for you guys to change that in future versions? Meaning, is it TECHNICALLY possible and just not supported at the moment, or is the missing ability to import a technical limitation?

  4. GW Habraken says:

    OpenSC provides a multi platform PKCS11 library, and does support an openPGP Applet, (the older jopenpgpcard project applet). More information here: https://www.opensc-project.org/opensc/wiki/OpenPGP

  5. Joe says:

    I was determined to get my yubikey neo gpg smartcard working for ssh authentication on my Ubuntu 12.04 machine. I struggled a little bit because of Unity and the gnome-keyring but I managed to get a working solution and I thought I’d share. This guide assumes that you have a functioning yubikey neo gpg smartcard with an authentication key on it and that you know how to configure an ssh server for public key authentication.

    1 – Disable the gnome-keyring gpg and ssh agents (thanks – https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/884856). Actually, we need to disable all of the keyring components. I found that just disabling the ssh and gpg components was not enough and the gnome keyring was still not playing nice with the full gpg-agent.

    Allow the relevant components to be viewable in “Startup Applications” so you can easily turn them on/off:

    /etc/xdg/autostart/gnome-keyring-pkcs11.desktop
    /etc/xdg/autostart/gnome-keyring-secrets.desktop
    /etc/xdg/autostart/gnome-keyring-gpg.desktop
    /etc/xdg/autostart/gnome-keyring-ssh.desktop

    and change “NoDisplay” to false in all of them. Running the following one-liner will take care of the edits:

sudo sed -i "s/NoDisplay=true/NoDisplay=false/g" /etc/xdg/autostart/gnome-keyring-*

    Run Startup Applications and disable them all. Note that this may break your gnome-keyring for other applications.

    2 – Create a udev rule to change the owner of the yubikey so we don’t have to sudo to use it:

    Place the following two lines:

# Hand the NEO (vendor 1050, product 0111 = OTP+CCID) to your user on insertion
SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0111", OWNER="YOUR_ID_HERE"
# Kill scdaemon when the key is removed ("==" is a match; a single "=" would be an assignment)
ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{SUBSYSTEM}=="usb", RUN+="/usr/bin/pkill scdaemon"

    …in something like /etc/udev/rules.d/yubikey.rules

    Note that we change the owner when the yubikey is plugged in and we kill the scdaemon process upon removal as this gets around the bug where we can’t talk to the card again ( https://bugs.g10code.com/gnupg/issue1238 )

    3 – Ensure the proper gpg-agent is installed.

    sudo apt-get install gnupg-agent

    4 – Modify the gpg-agent start up command run by X:

    sudo nano /etc/X11/Xsession.d/90gpg-agent

…to include --enable-ssh-support and make a note of (or modify) where the environment variable values are saved to with the --write-env-file option.

    5 – Disable the proper ssh-agent in /etc/X11/Xsession.options by commenting out the ssh line. In our case, gpg-agent will now act as ssh-agent from our modifications in step 4.

    6 – Add the following to your .profile:
    if [ -f "${HOME}/.gpg-agent-info" ]; then
. "${HOME}/.gpg-agent-info"
    export GPG_AGENT_INFO
    export SSH_AUTH_SOCK
    export SSH_AGENT_PID
    fi

    …and the following to .bashrc:

    GPG_TTY=$(tty)
    export GPG_TTY

…Make sure the file you source in .profile has the same name as the file in the --write-env-file parameter in step 4.

    7 – Generate your public ssh key from your smartcard authentication key and place the key in the authorized_keys file of the server you wish to connect to:

    gpgkey2ssh YOURKEYID > ~/ssh_rsa.pub

    That’s it. You should now be prompted by the pinentry program (make sure your yubikey is inserted) after ssh’ing to the server. The pinentry program is installed by default when you install the gpg-agent.
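The failure mode behind steps 1 and 6 of the guide above is a login shell whose SSH_AUTH_SOCK still points at gnome-keyring instead of at gpg-agent's SSH socket. The following script, added here and not part of Joe's post, sources a --write-env-file style file and checks exactly that; it assumes the gpg-agent 2.0 file format (KEY=value lines, SSH socket named S.gpg-agent.ssh beside S.gpg-agent), and the sample env file it writes is constructed, not produced by a real agent.

```shell
#!/bin/sh
# Added example, not part of Joe's post: verify that the login shell hands
# SSH to gpg-agent's socket rather than to gnome-keyring's, the conflict that
# step 1 of the guide disables the keyring to avoid.  Assumes gpg-agent 2.0's
# --write-env-file format (KEY=value lines, with the SSH socket named
# S.gpg-agent.ssh next to the S.gpg-agent socket).

# Usage: load_agent_env FILE -> sources FILE and exports the three variables
load_agent_env() {
    [ -f "$1" ] || return 1
    . "$1"
    export GPG_AGENT_INFO SSH_AUTH_SOCK SSH_AGENT_PID
}

# Usage: agent_env_ok -> 0 if SSH_AUTH_SOCK is gpg-agent's SSH socket,
# 1 if another agent (e.g. gnome-keyring) owns it, 2 if the variables are unset
agent_env_ok() {
    [ -n "${GPG_AGENT_INFO:-}" ] && [ -n "${SSH_AUTH_SOCK:-}" ] || return 2
    gpg_sock=${GPG_AGENT_INFO%%:*}      # drop the ":pid:protocol" suffix
    case "$SSH_AUTH_SOCK" in
        */keyring*/ssh) return 1 ;;     # gnome-keyring's ssh socket path
    esac
    [ "$SSH_AUTH_SOCK" = "$gpg_sock.ssh" ] || return 1
}

# Usage: explain_agent_env -> prints a verdict and returns agent_env_ok's code
explain_agent_env() {
    rc=0; agent_env_ok || rc=$?
    case $rc in
        0) echo "ok: ssh will use gpg-agent socket $SSH_AUTH_SOCK" ;;
        1) echo "conflict: SSH_AUTH_SOCK=$SSH_AUTH_SOCK is not gpg-agent's (step 1)" ;;
        2) echo "unset: .profile did not source ~/.gpg-agent-info (step 6)" ;;
    esac
    return $rc
}

# Self-check on a constructed env file (not written by a real gpg-agent).
demo_agent_env() {
    f=$(mktemp)
    printf '%s\n' 'GPG_AGENT_INFO=/tmp/gpg-Ab12Cd/S.gpg-agent:4242:1' \
        'SSH_AUTH_SOCK=/tmp/gpg-Ab12Cd/S.gpg-agent.ssh' 'SSH_AGENT_PID=4242' > "$f"
    load_agent_env "$f" && explain_agent_env
    rm -f "$f"
}

# For the real login shell: load_agent_env "$HOME/.gpg-agent-info"; explain_agent_env
demo_agent_env
```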

  6. William Ahern says:

    I’ve put together a complete HOWTO for OS X, using only GnuPG and the Yubico command-line utilities, including simple OpenSSH integration:

    http://25thandclement.com/~william/YubiKey_NEO.html

    The instructions should carry over to Linux and other *BSDs, except that pin entry might be different. It also details how to import/export the public key for multi-machine usage, which is a caveat with GnuPG that is not often discussed.
