Now that we have all our cards set up with keys, we need to change a few settings that matter for security:
- PIN (every card ships with the well-known default 123456)
- Admin PIN (default 12345678; this is the OpenPGP applet's counterpart of the PUK on the Yubikey's PIV applet)
- Force PIN for signatures (otherwise one PIN entry leaves the card unlocked for any number of signatures until it is unplugged)
And a few other settings just for convenience:
- Name
- Language
- URL
- Sex
- Login name
$ gpg2 --edit-card
Reader ...........: Yubico Yubikey 4 OTP U2F CCID 00 00
Application ID ...: D2760001240102010006070201320000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 07020132
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: C9BB 2749 B901 6A9F 55BD A603 9353 64AE 6E80 71BD
      created ....: 2017-12-04 02:30:03
Encryption key....: 749F AF05 0AAA 6199 CF87 198E 1F9F 9EEF A71F F33A
      created ....: 2017-12-04 02:28:44
Authentication key: 94DD 7989 D549 778B B78C B235 8167 6743 C733 D672
      created ....: 2018-10-30 03:37:17
General key info..: sub  rsa2048/935364AE6E8071BD 2017-12-04 Benjamin Gordon <ben@bxg.org>
sec#  rsa3072/24770C40DF746792  created: 2017-12-04  expires: 2027-12-02
ssb>  rsa2048/1F9F9EEFA71FF33A  created: 2017-12-04  expires: 2019-12-04
                                card-no: 0006 04882587
ssb>  rsa2048/935364AE6E8071BD  created: 2017-12-04  expires: 2019-12-04
                                card-no: 0006 04882587
ssb>  rsa2048/9F7CA19A0F5E9800  created: 2017-12-04  expires: 2019-12-04
                                card-no: 0006 04882587
gpg/card> admin
Admin commands are allowed
gpg/card> passwd
gpg: OpenPGP card no. D2760001240102010006070201320000 detected
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 3
PIN changed.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 1
PIN changed.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? q
gpg/card> name
Cardholder's surname: Gordon
Cardholder's given name: Benjamin
gpg/card> lang
Language preferences: en
gpg/card> url
URL to retrieve public key: https://www.bxg.org/pgpkey.txt
gpg/card> sex
Sex ((M)ale, (F)emale or space): m
gpg/card> login
Login data (account name): ben
gpg/card> forcesig
gpg/card> quit
$ gpg2 --card-status
Reader ...........: Yubico Yubikey 4 OTP U2F CCID 00 00
Application ID ...: D2760001240102010006070201320000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 07020132
Name of cardholder: Benjamin Gordon
Language prefs ...: en
Sex ..............: male
URL of public key : https://www.bxg.org/pgpkey.txt
Login data .......: ben
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: C9BB 2749 B901 6A9F 55BD A603 9353 64AE 6E80 71BD
      created ....: 2017-12-04 02:30:03
Encryption key....: 749F AF05 0AAA 6199 CF87 198E 1F9F 9EEF A71F F33A
      created ....: 2017-12-04 02:28:44
Authentication key: 94DD 7989 D549 778B B78C B235 8167 6743 C733 D672
      created ....: 2018-10-30 03:37:17
General key info..: [none]
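Once the card is configured, it is worth checking the result mechanically rather than eyeballing the status screen, particularly the signature-PIN flag and the retry counters. The shell script below is an added example, not code from the original post or from GnuPG: it reads the machine-readable form of the same command, gpg2 --card-status --with-colons (field names as documented in GnuPG's doc/DETAILS), and fails if anything security-relevant is off. The two sample status dumps embedded in it are constructed from the output shown above (the serial number and fingerprints are the ones on this page; the percent-escaped URL value is illustrative, and only its non-emptiness is checked).

```shell
#!/bin/sh
# Added example (not part of the original post): audit the OpenPGP-card settings
# this section configures, from the output of
#     gpg2 --card-status --with-colons
# Fields used (per GnuPG doc/DETAILS):
#     forcepin:<0|1>:::           1 = PIN required for every signature
#     pinretry:<PIN>:<Reset>:<Admin>:  remaining attempts; 0 = blocked (or no Reset Code)
#     url:<url>:                  public key URL
#     fpr:<sig>:<enc>:<auth>:     fingerprints of the three key slots

# audit_card_status: read colon-format card status on stdin, print one line per
# check, return 0 when every check passes and 1 otherwise.
audit_card_status() {
    awk -F: '
        function ok(msg)   { print "ok:   " msg }
        function fail(msg) { print "FAIL: " msg; bad++ }
        { rec[$1] = $0 }
        END {
            # forcesig toggled on: the card asks for the PIN before every signature
            split(rec["forcepin"], f, ":")
            if (f[2] == "1") ok("signature PIN is forced")
            else fail("signature PIN is not forced; run forcesig in gpg2 --edit-card")

            # retry counters: user PIN, Reset Code, Admin PIN
            split(rec["pinretry"], r, ":")
            if (r[2] + 0 > 0) ok("user PIN has " r[2] " attempts left")
            else fail("user PIN is blocked; unblock it with the Admin PIN (passwd, option 2)")
            if (r[4] + 0 > 0) ok("Admin PIN has " r[4] " attempts left")
            else fail("Admin PIN is blocked; only a factory reset will recover the card")
            if (r[3] + 0 == 0) ok("no Reset Code set, so the Admin PIN is the only unblock path")
            else ok("Reset Code set with " r[3] " attempts left")

            # a public key URL lets the fetch command pull the public key on a new machine
            split(rec["url"], u, ":")
            if (u[2] != "") ok("public key URL is set")
            else fail("no public key URL; set it with url in gpg2 --edit-card")

            # all three slots should hold a key (fingerprint present)
            split(rec["fpr"], p, ":")
            empty = 0
            for (i = 2; i <= 4; i++) if (p[i] == "") empty++
            if (empty == 0) ok("signature, encryption and authentication slots are all populated")
            else fail(empty " key slot(s) on the card are empty")

            exit (bad ? 1 : 0)
        }'
}

# Constructed sample modelled on the --card-status output above, in --with-colons form.
GOOD_CARD_STATUS='version:0201:
vendor:0006:Yubico:
serial:07020132:
name:Gordon:Benjamin:
lang:en:
url:https%3A%2F%2Fwww.bxg.org%2Fpgpkey.txt:
login:ben:
forcepin:1:::
maxpinlen:127:127:127:
pinretry:3:0:3:
sigcount:0:::
fpr:C9BB2749B9016A9F55BDA603935364AE6E8071BD:749FAF050AAA6199CF87198E1F9F9EEFA71FF33A:94DD7989D549778BB78CB23581676743C733D672:'

# Constructed "before" state: forcesig off, user PIN blocked, no URL, only a signature key.
BAD_CARD_STATUS='serial:07020132:
forcepin:0:::
pinretry:0:0:3:
url::
fpr:C9BB2749B9016A9F55BDA603935364AE6E8071BD:::'

# Usage: ./audit-card.sh          runs against the constructed samples
#        ./audit-card.sh --live   runs against the card that is plugged in
if [ "${1:-}" = "--live" ]; then
    gpg2 --card-status --with-colons | audit_card_status
else
    echo "== configured card =="
    printf '%s\n' "$GOOD_CARD_STATUS" | audit_card_status
    echo "== factory-state card =="
    printf '%s\n' "$BAD_CARD_STATUS" | audit_card_status || echo "(fails, as intended)"
fi
```

The checks are deliberately read-only: verifying a PIN to see whether it is still the default would burn one of the three retries, so the script only looks at what the card reports. Drop it into a dotfiles repo and run it with --live after every card change.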
Make sure you don't lose those PINs, especially the Admin PIN. A forgotten or blocked user PIN can be unblocked with the Admin PIN (option 2 in the passwd menu above), but the Admin PIN has no recovery path of its own: after three wrong attempts (the "3" at the end of the PIN retry counter line) it is blocked for good, and the only way forward is a factory reset of the OpenPGP applet, which wipes the keys, so you'll have to start over with fresh keys. Option 4, the Reset Code, is an optional separate secret that can unblock the user PIN without typing the Admin PIN; the 0 in the middle of the retry counter line means none is set. If you saved the master key like I did, this isn't as bad as it could be, but you'll still have to re-copy your new authentication key all over the place.
Optionally, if you have a Yubikey 4 or later, you can make it require a physical touch in addition to the PIN for operations that use a stored private key. This matters because gpg-agent caches the PIN, so anything running on the host could otherwise drive the card to sign, decrypt or authenticate for as long as it stays plugged in; with touch required, every such operation needs a person at the keyboard, which is real protection against somebody tricking your key into signing something. Besides on and off, the Yubikey also supports a fixed touch policy that cannot be turned back off without resetting the OpenPGP applet, so use that one only once you are sure. Changing the policy requires the Admin PIN. To set this up, get yubitouch.sh and run one or more of these commands:
bash ./yubitouch.sh sig on
bash ./yubitouch.sh dec on
bash ./yubitouch.sh aut on
Next time, we’ll start talking about how to actually hook your new keys up so that you can use them for something besides viewing the status of your card.