# Policy for Internal Security This repo describe my P.I.S. (Policiy for Internal Security). You'll find my personnal guideline for SSH / GPG on Yubikey and how to configure and create key / certificate. I have a several Yubikey, each with different purpose. - **Master Yubikey:** A Yubikey 5C that keep Master GPG, SSH CA and root CA for my server. This Yubikey stay in secure place and will be use only to sign sub-key, new SSH Key or new IC. - **Keyring Yubikey:** A Yubikey 5C NFC on my keyring. This Yubikey is used to keep some passkeys and TOTP for some app. This also contain GPG subkey and ssh key signed by SSH CA on Master Yubikey. - **Laptop Yubikey:** A small Yubikey 5 Nano in my laptop that contain GPG sub-key and a ssh key like Keyring Yubikey. This Yubikey Nano stay mostly on my laptop. It slightly increse the security compare to have gpg and ssh directly on my laptop. - **Backup Yubikey:** A Yubikey 5C, keep in secure place that contains the same passkey and TOTP that the Keyring Yubikey. As security depend of the weekest security measure, some of my apps have passkey enforced or TOTP on Yubikey only. This backup key prevents from loosing acces in case of lose the Keyring Yubikey. ## Install dependencies ```bash sudo dnf install yubikey-manager gnupg pcsc-lite pcsc-tools sudo systemctl start pcscd sudo systemctl enable pcscd ``` # GPG Different type of GPG key exist: - [C]ertification key (1): Used to sign other keys, this is the Master Key that we want to keep in secure place. - [S]igning key (10): Used to sign documents, emails, etc. - [E]ncryption key (12): Used to encrypt documents, emails, etc. - [A]uthentication key (11): Used for authentication, for example for SSH. I have the strategy bellow: | **Type of key** | **Validity** | **Master YK** | **Keyring YK** | **Laptop YK** | |-----------------|--------------|-----------------|----------------|---------------| | Master [C] | 10 Years | Generate in key | - | - | | Sign [S] | 1Y (renew) | - | unique | unique | | Encrypt [E] | 10 Years | Generate | clone | clone | | Auth [A] | 1Y (renew) | - | unique | unique | ## Master Yubikey ### Run GPG on Yubikey, change PIN/Admin/Reset and change default key ```bash gpg --card-edit admin passwd # To change PIN (default: 123456) / Admin code (default: 12345678) / Reset code key-attr # Change type of key (select ECC 25519 for all keys) ``` ### Generate key ```bash generate ``` Keep aside the revocation file created on your computer ## Keyring Yubikey ### Create sub-keys We have to create the sub-keys on RAM and move it on the right Yubikey after. First, connect Master Yubikey on laptop and edit key ```bash gpg --expert --edit-key [master_key_id] ``` Create a 1 year sub key for [S]igning (10) and [A]uthentication (11). ```bash addkey ``` Save and disconnect Yubikey Master. ### Move sub-keys Connect Yubikey Keyring or Yubikey Laptop. ```bash gpg --edit-key [master_key_id] ``` 1. Use `key N` to select the key number _N_ 2. `keytocard` 3. Use `key N` to deselect the key number _N_ Repeat the operation for Signature and Authentication key `save` when everything done ### Encryption key As the encryption key is cloned on several Yubikey, this key need to be created locally, backuped and then copy in all Yubikey. Create a 10 year sub key for [E]ncrpytion (12) ```bash addkey save ``` Don't forget to save Now, export the encryption key ```bash gpg --armor --export-secret-subkeys [master_key_id]> /tmp/backup_keys.asc ``` Now move the encryption key to the Master Yubikey with `keytocard`. Once done and `save` the key is deleted of the local environnement. Now for each other Yubikey, import the backuped key and move it to the Yubikey ```bash gpg --import /tmp/backup_keys.asc gpg --edit-key [master_key_id] key N # Select the encryption key keytocard save ``` Don't forget to securely delete the backup file after. ```bash shred -u /tmp/backup_keys.asc ``` ## Export public key When all sub-keys are on the right Yubikey, we can export the public key to share it. ```bash gpg --armor --export [master_key_id] > master-public.asc ``` This operation have to be done on each renewal of the signing and authentication key, as they are unique on each Yubikey. --- # SSH ## Master Yubikey I use Yubico authentificator 7.3.0 to change PIN / PUK and Management Key. I also create certificate in slot 9c of the PIV function with ECCP384 for 10 years (like GPG). --- # x509 ## Master Yubikey I create a certificate in PIV slot 9a with Yubico authentificator. This CA would be use as a Root CA for my server. TODO fix with XCA