Tag Archives: openpgp

YubiKey NEO and Ubuntu

My Christmas gift to myself this year turned out to be a YubiKey NEO.

The new feature I myself find most interesting is that the NEO can act as an OpenPGP smartcard. While there is a pretty good introduction in the Yubico blog post YubiKey NEO and OpenPGP I ran into some obstacles getting things running under Ubuntu.

First of all it doesn’t seem like the version of the yubikey-personalization  (1.7.0) included in Ubuntu 12.10 recognizes the YubiKey NEO. Without spending to much time on debugging that issue was solved by upgrading to the current yubikey-personalization version, using the Yubico PPA.

Then there was the matter of getting the device permissions right, allowing my non-root user to use/modify the NEO more actively than just having it act as a keyboard (HID), spitting out one time passwords. Turns out that the /lib/udev/rules.d/70-yubikey.rules provided by the current yubikey-personalization (1.11.1) only matches the ATTRS{idProduct} “0010”, which doesn’t apply to the NEO. I solved that by copying the 70-yubikey.rules to /etc/udev/rules.d/, modifying it to instead match ATTRS{idProduct} against “0010|0111”. According to the add udev rules for YubiKey NEO bug report it probably doesn’t hurt to also through the 0110 id into the mix.

Finally I had the fun experience of running into a limitation in the gnome-keyring’s capacity to act as gnupg-agent (Launchpad bug #884856). Any attempt to have GnuPG interact with the NEO smartcard, while using the gnome-keyring gnupg-agent, resulted in a “selecting openpgp failed: unknown command” error. Not finding any cleaner configuration option I resorted to simply removing /etc/xdg/autostart/gnome-keyring-gpg.desktop, resulting in gnome-keyring no longer hijacking the GPG_AGENT_INFO environment variable, instead letting the real gnupg-agent do its thing.

Now I only need to decide to what extent to actually use the OpenPGP smartcard feature. Yet, that’s a whole different blog post.

OpenPGP key transition

I’ve recently set up a stronger (4096R) OpenPGP key, and will be transitioning away from my old (1024D) one. To a large extent this is about being able to use the SHA-2 family for signatures.

The old key will continue to be valid for some time, but I prefer all future correspondence to come to the new one. I would also like this new key to be re-integrated into the web of trust. Please see this statement signed with both keys, certifying the transition.

The old key was:

pub   1024D/FAF2463A 2006-11-20
      Key fingerprint = 4947 BB72 9192 8645 CC8B  F142 8AF2 8D1C FAF2 463A

The new key is:

pub   4096R/13CD4F59 2010-07-11
      Key fingerprint = AFEB 2D24 4715 3F0D 9250  8A8B 5882 A0DC 13CD 4F59
uid                  Andreas Olsson
uid                  Andreas Olsson
uid                  Andreas Olsson
uid                  Andreas Olsson
sub   4096R/9A943D4A 2010-07-11

To fetch my new key from a public key server, you can simply do:

  $ gpg --keyserver pool.sks-keyservers.net --recv-key 0x13CD4F59

If you already know my old key, you can now verify that the new key is signed by the old one:

  $ gpg --check-sigs 0x13CD4F59

If you are satisfied that you’ve got the right key, and the UIDs match what you expect, I’d appreciate it if you would sign my key:

  $ gpg --sign-key 0x13CD4F59

Lastly, if you could upload these signatures, I would appreciate it:

  $ gpg --keyserver pool.sks-keyservers.net --send-key 0x13CD4F59

Please let me know if there is any trouble, and sorry for the inconvenience.