To get GnuPG gpg-agent to work on the Yubikey 4, we need to put the keys on the device. We can either generate them off of the device, and then copy them up, or we can generate them directly on the device. We will do both versions of this before we are through, but today is “generate directly on the device.”
As I was getting set up to work on this again this weekend, I gave this a try on the new Beaglebone Black Wireless, on a whim. The last time I had tried this on the BBBW, it didn’t go so well. There were library issues that prevented GnuPG from accessing the card correctly, and the whole thing was an exercise in frustration. Then I “did the dumb” and managed to brick the device while working on a project. I already wrote up the procedure I used to unbrick it, which worked fine. Apparently something in the unbrick firmware is different from what I had before, because when I tried this “on a whim” I had no issues.
Here are the steps I used, and I’ll link the articles I followed myself at the bottom.
In order to use the Yubikey with GnuPG, we first need to generate the keys on the device, (or import them.) Unfortunately, when I was following this, the largest key I could actually generate for all three sections was 3072 bits, not 4096, even though GnuPG supports 4096, and the specs for the Yubikey 4 state it can handle 4096 bit keys. Still, 3072 is larger than the 2048 limit imposed by the PIV SmartCard standard. I believe this may be because the GnuPG that is being used might be GPG not GPG2. I’ll research version more in a later update.
The top section of this article is what I followed for this.
Of course, when I was finished, I found that the Debian Jessie image didn’t include gpg-agent. I had to configure the wireless with connmanctl, turn off “wifi tether” because it was on by default in the unbrick firmware, and was preventing wifi scan from working, and then do an apt-get update to make things happy so I could apt-get install gnupg-agent.
Then I ran into the issue of actually loading gpg-agent. I got assertion errors when trying to load gpgkey2ssh. I double checked the card, and it was missing the “Encrypt” key, but had the “Sign” and “Authenticate” keys listed. I tried re-generating and got an assert error during the generation. Things went downhill from there.
After reading several posts, including seemingly ignored bug reports, regarding these assertions, I am beyond frustrated with this side of the SmartCard options. I will of course continue to attempt to make this work, but at this time the only recommendation I can make is to use the PIV SmartCard solution when possible. It was beyond painless.
While every document I can find from Yubico says that this can “generate the keys on the device,” everything I am reading about actually getting the public key off of it for SSH use seems to want to “fetch” (which pulls from one of the public servers such as used for the Web Of Trust.) This makes me think that there is some pre-setup that needs to happen with GnuPG, first, so I will work on that (I have the book) before I make another attempt at this. Also, I can’t seem to ssh back into the BBBW since my last attempt. It may be unrelated, but I think another unbrick event is due, which will give me a clean slate to work from, anyway.
I just wanted to share what has been done thus far, what speed bumps have been encountered, and what questions those have garnered. I’ve been banging on this all weekend, so I’ll leave it until another week.