Klagarge/PIS
1
0
Fork 0
Code Actions Releases 2 Activity

chores(gpg): fix typo

Browse Source
This commit is contained in:
Rémi Heredero
2026-02-14 00:13:46 +01:00
parent a4a6b9ab3c
commit 28a2a47c89
1 changed files with 35 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
README.md
View File

@@ -1,12 +1,18 @@
# Policy for Internal Security # Policy for Internal Security
This repo describe my P.I.S. (Policiy for Internal Security). This repo describes my P.I.S. (**P**oliciy for **I**nternal **S**ecurity).
You'll find my personnal guideline for SSH / GPG on Yubikey and how to configure and create key / certificate. You'll find my personal guidelines for SSH / GPG on YubiKey and how to configure and create a key / certificate.
I have a several Yubikey, each with different purpose. I have several YubiKey, each with different purpose.
- **Master Yubikey:** A Yubikey 5C that keep Master GPG, SSH CA and root CA for my server. This Yubikey stay in secure place and will be use only to sign sub-key, new SSH Key or new IC. - **Master YubiKey:** A YubiKey 5C that keeps Master GPG, SSH CA and root CA for my server. These YubiKey stay in a
- **Keyring Yubikey:** A Yubikey 5C NFC on my keyring. This Yubikey is used to keep some passkeys and TOTP for some app. This also contain GPG subkey and ssh key signed by SSH CA on Master Yubikey. secure place and will be used only to sign subkey, new SSH Key or new IC.
- **Laptop Yubikey:** A small Yubikey 5 Nano in my laptop that contain GPG sub-key and a ssh key like Keyring Yubikey. This Yubikey Nano stay mostly on my laptop. It slightly increse the security compare to have gpg and ssh directly on my laptop. - **Keyring YubiKey:** A YubiKey 5C NFC on my keyring. This YubiKey is used to keep some passkeys and TOTP for some
- **Backup Yubikey:** A Yubikey 5C, keep in secure place that contains the same passkey and TOTP that the Keyring Yubikey. As security depend of the weekest security measure, some of my apps have passkey enforced or TOTP on Yubikey only. This backup key prevents from loosing acces in case of lose the Keyring Yubikey. app. This also contains a GPG subkey and ssh key signed by SSH CA on Master YubiKey.
- **Laptop YubiKey:** A small YubiKey 5 Nano in my laptop that contains a GPG subkey and an ssh key like Keyring
YubiKey. This YubiKey Nano stays mostly on my laptop. It slightly increases the security compared to having gpg
and ssh directly on my laptop.
- **Backup YubiKey:** A YubiKey 5C, keep in secure place that contains the same passkey and TOTP that the Keyring
YubiKey. As security depends on the weakest security measure, some of my apps have passkey enforced or TOTP on
YubiKey only. This backup key prevents from losing access in case of losing the Keyring YubiKey.
## Install dependencies ## Install dependencies
@@ -18,13 +24,13 @@ sudo systemctl enable pcscd
# GPG # GPG
Different type of GPG key exist: Different types of a GPG key exist:
- [C]ertification key (1): Used to sign other keys, this is the Master Key that we want to keep in secure place. - [C]ertification key (1): Used to sign other keys, this is the Master Key that we want to keep in a secure place.
- [S]igning key (10): Used to sign documents, emails, etc. - [S]igning key (10): Used to sign documents, emails, etc.
- [E]ncryption key (12): Used to encrypt documents, emails, etc. - [E]ncryption key (12): Used to encrypt documents, emails, etc.
- [A]uthentication key (11): Used for authentication, for example for SSH. - [A]uthentication key (11): Used for authentication, for example, for SSH.
I have the strategy bellow: I have the strategy below:
| **Type of key** | **Validity** | **Master YK** | **Keyring YK** | **Laptop YK** | | **Type of key** | **Validity** | **Master YK** | **Keyring YK** | **Laptop YK** |
|-----------------|--------------|-----------------|----------------|---------------| |-----------------|--------------|-----------------|----------------|---------------|
@@ -33,9 +39,9 @@ I have the strategy bellow:
| Encrypt [E] | 10 Years | Generate | clone | clone | | Encrypt [E] | 10 Years | Generate | clone | clone |
| Auth [A] | 1Y (renew) | - | unique | unique | | Auth [A] | 1Y (renew) | - | unique | unique |
## Master Yubikey ## Master YubiKey
### Run GPG on Yubikey, change PIN/Admin/Reset and change default key ### Run GPG on YubiKey, change PIN/Admin/Reset and change a default key
```bash ```bash
gpg --card-edit gpg --card-edit
admin admin
@@ -49,24 +55,24 @@ generate
``` ```
Keep aside the revocation file created on your computer Keep aside the revocation file created on your computer
## Keyring Yubikey ## Keyring YubiKey
### Create sub-keys ### Create sub-keys
We have to create the sub-keys on RAM and move it on the right Yubikey after. We have to create the subkeys on RAM and move it on the right YubiKey after.
First, connect Master Yubikey on laptop and edit key First, connect Master YubiKey on a laptop and edit the key
```bash ```bash
gpg --expert --edit-key [master_key_id] gpg --expert --edit-key [master_key_id]
``` ```
Create a 1 year sub key for [S]igning (10) and [A]uthentication (11). Create a 1-year subkey for [S]igning (10) and [A]uthentication (11).
```bash ```bash
addkey addkey
``` ```
Save and disconnect Yubikey Master. Save and disconnect YubiKey Master.
### Move sub-keys ### Move sub-keys
Connect Yubikey Keyring or Yubikey Laptop. Connect YubiKey Keyring or YubiKey Laptop.
```bash ```bash
gpg --edit-key [master_key_id] gpg --edit-key [master_key_id]
``` ```
@@ -78,25 +84,26 @@ Repeat the operation for Signature and Authentication key
`save` when everything done `save` when everything done
### Encryption key ### Encryption key
As the encryption key is cloned on several Yubikey, this key need to be created locally, backuped and then copy in all Yubikey. As the encryption key is cloned on several YubiKey, this key needs to be created locally, backup and then copied in
all YubiKey.
Create a 10 year sub key for [E]ncrpytion (12) Create a 10-year subkey for [E]ncryption (12)
```bash ```bash
addkey addkey
save save
``` ```
Don't forget to save Remember to save
Now, export the encryption key Now, export the encryption key
```bash ```bash
gpg --armor --export-secret-subkeys [master_key_id]> /tmp/backup_keys.asc gpg --armor --export-secret-subkeys [master_key_id]> /tmp/backup_keys.asc
``` ```
Now move the encryption key to the Master Yubikey with `keytocard`. Now move the encryption key to the Master YubiKey with `keytocard`.
Once done and `save` the key is deleted of the local environnement. Once done and `save` the key is deleted of the local environnement.
Now for each other Yubikey, import the backuped key and move it to the Yubikey Now for each other YubiKey, import the backup key and move it to the YubiKey
```bash ```bash
gpg --import /tmp/backup_keys.asc gpg --import /tmp/backup_keys.asc
gpg --edit-key [master_key_id] gpg --edit-key [master_key_id]
@@ -105,17 +112,18 @@ keytocard
save save
``` ```
Don't forget to securely delete the backup file after. Remember to securely delete the backup file after.
```bash ```bash
shred -u /tmp/backup_keys.asc shred -u /tmp/backup_keys.asc
``` ```
## Export public key ## Export public key
When all sub-keys are on the right Yubikey, we can export the public key to share it. When all subkeys are on the right YubiKey, we can export the public key to share it.
```bash ```bash
gpg --armor --export [master_key_id] > master-public.asc gpg --armor --export [master_key_id] > master-public.asc
``` ```
This operation have to be done on each renewal of the signing and authentication key, as they are unique on each Yubikey. This operation has to be done on each renewal of the signing and authentication key, as they are unique on each
YubiKey.
--- ---