#+TITLE: Securing NixOS with Yubikey
#+AUTHOR: yoctocell
#+DATE: 2020-12-14

In this blog post I will go over some things I have configured with NixOS and a yubikey to improve the security of my system. I will not go into detail on how to set up a GPG keypair; there are already plenty of great tutorials. [fn:1]

[fn:1] See [[https://wiki.debian.org/Subkeys][here]], [[https://blog.tinned-software.net/create-gnupg-key-with-sub-keys-to-sign-encrypt-authenticate/][here]] and [[https://sanctum.geek.nz/arabesque/series/gnu-linux-crypto/][here]].

** GnuPG
To use GPG with a yubikey we first need to install some packages; put the following in your =configuration.nix=

#+begin_src nix
{
  services.pcscd.enable = true;

  environment.systemPackages = with pkgs; [
    yubikey-personalization
  ];

  services.udev.packages = with pkgs; [
    yubikey-personalization
  ];
}
#+end_src

We will export the subkeys to our yubikey so we can use it when signing and decrypting mail. First plug in the yubikey and run

#+begin_src sh
$ gpg --card-status
#+end_src

Then run =gpg --card-edit= and you should see a prompt like this.

#+begin_src sh
gpg/card> 
#+end_src

Type =admin= and then =passwd= to change the user and the admin pin. The user pin will be used for day-to-day things like signing and decrypting files; the admin pin will only be used for operations concerning the configuration of the yubikey, e.g. adding subkeys. The default user pin is =123456= and the default admin pin is =12345678=.

Now it's time to export the keys. Beware that this process will remove the keys from your computer, so make sure your keys are backed up on an external drive first.

#+begin_src sh
gpg --edit-key <keyid>

Secret subkeys are available.

pub  rsa4096/33947BA1AA8847FF
     created: 2020-12-13  expires: never       usage: C   
     trust: ultimate      validity: ultimate
ssb  rsa4096/D1B318ACDABCAEE6
     created: 2020-12-13  expires: 2021-12-13  usage: S   
     card-no: 0006 14257444
ssb  rsa4096/38E09A208656B970
     created: 2020-12-13  expires: 2021-12-13  usage: E   
     card-no: 0006 14257444
ssb  rsa4096/18ED52D1A730A8CA
     created: 2020-12-13  expires: 2021-12-13  usage: A   
     card-no: 0006 14257444
[ultimate] (1). yoctocell <public@yoctocell.xyz>

gpg>
#+end_src

Mark the signing subkey with =key 1= and run =keytocard= to export it to your yubikey. Once it has been exported, unmark the signing key by running =key 1= again; you will see that the =*= next to the key disappears. Repeat the same process for =key 2= and =key 3=, then type =quit= to exit.

Run =gpg -K= and you should see something like this

#+begin_src sh
sec#  rsa4096/33947BA1AA8847FF 2020-12-13 [C]
      Key fingerprint = 4217 475C B91A 4C94 3FCE  C870 3394 7BA1 AA88 47FF
uid                 [ultimate] yoctocell <public@yoctocell.xyz>
ssb>  rsa4096/D1B318ACDABCAEE6 2020-12-13 [S] [expires: 2021-12-13]
ssb>  rsa4096/38E09A208656B970 2020-12-13 [E] [expires: 2021-12-13]
ssb>  rsa4096/18ED52D1A730A8CA 2020-12-13 [A] [expires: 2021-12-13]
#+end_src

The =>= next to =ssb= means that the entry is only a stub pointing to the subkey on your yubikey; the secret part itself is no longer in the keyring on disk. Likewise, the =#= next to =sec= means the secret primary key is not available in this keyring.
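An added check (not part of the original post) that parses a =gpg -K= listing like the one above and warns about any secret key still stored on the machine: a =sec= line without =#= or an =ssb= line without =>=. The first sample is the listing shown above; the second is a constructed variant in which one subkey was never moved to the card.

```python
import re

# Constructed sample: the `gpg -K` listing shown above, after keytocard.
LISTING_OK = """\
sec#  rsa4096/33947BA1AA8847FF 2020-12-13 [C]
      Key fingerprint = 4217 475C B91A 4C94 3FCE  C870 3394 7BA1 AA88 47FF
uid                 [ultimate] yoctocell <public@yoctocell.xyz>
ssb>  rsa4096/D1B318ACDABCAEE6 2020-12-13 [S] [expires: 2021-12-13]
ssb>  rsa4096/38E09A208656B970 2020-12-13 [E] [expires: 2021-12-13]
ssb>  rsa4096/18ED52D1A730A8CA 2020-12-13 [A] [expires: 2021-12-13]
"""

# Constructed variant: the encryption subkey was never moved, so its
# secret part is still in the on-disk keyring (no `>` marker).
LISTING_LEFTOVER = LISTING_OK.replace(
    "ssb>  rsa4096/38E09A208656B970", "ssb   rsa4096/38E09A208656B970")

# `sec`/`ssb` followed by an optional marker: `#` = secret part not present,
# `>` = stub pointing at a smartcard, nothing = secret key is on disk.
KEY_LINE = re.compile(r"^(sec|ssb)([#>]?)\s+\S+/(\w+)")


def audit_listing(listing: str) -> list:
    """Return one warning per secret key that is still stored on this machine."""
    warnings = []
    for line in listing.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue  # uid, fingerprint and blank lines carry no secret-key marker
        kind, marker, keyid = m.groups()
        if kind == "sec" and marker != "#":
            warnings.append(f"primary key {keyid} is on disk (expected sec#)")
        elif kind == "ssb" and marker != ">":
            warnings.append(f"subkey {keyid} is on disk (expected ssb>)")
    return warnings


if __name__ == "__main__":
    # Against a real keyring, pipe `gpg -K` output into audit_listing instead.
    for w in audit_listing(LISTING_LEFTOVER):
        print("WARNING:", w)
```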

If you are currently running a live OS like Tails, you have to export your subkeys to an external drive.

#+begin_src sh
gpg --armor --output=/path/to/external/drive --export-secret-subkeys <keyid>
#+end_src

You can import the subkeys on your main computer by running

#+begin_src sh
gpg --import /path/to/external/drive
#+end_src

To test if everything is working, encrypt a file and then decrypt it with your private key

#+begin_src sh
echo 'test' > test.txt
gpg -o test.gpg -e -r <keyid> test.txt
gpg --decrypt test.gpg
#+end_src

This should prompt you for the user pin you created for your yubikey.

** PAM
There is a PAM module that allows us to use the yubikey to authenticate when logging in.

#+begin_src nix
security.pam.yubico = {
  enable = true;
  debug = true;
  mode = "challenge-response";
  control = "required";
};
#+end_src

You then need to run the following commands.

#+begin_src sh
nix-shell -p yubico-pam -p yubikey-personalization
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
ykpamcfg -2 -v
#+end_src

You now need both your yubikey and your password to log in to your machine; if you don't want to enter the password, just remove the =control = "required";= line.
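As an added illustration (not yubico-pam's code, and not its state-file format), this Python model of the challenge-response mode programmed above shows why the key has to be present at every login: the module stores a challenge and the HMAC-SHA1 response it expects, and replaces both after each success, so a response observed once cannot be reused. The key secrets and challenges are constructed with =os.urandom=.

```python
import hashlib
import hmac
import os


class YubikeySlot:
    """Slot 2 after `ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64`:
    answers any challenge with HMAC-SHA1 under a secret that never leaves the key."""

    def __init__(self, secret: bytes):
        self._secret = secret  # constructed 20-byte secret for the demo

    def respond(self, challenge: bytes) -> bytes:
        if not 0 < len(challenge) < 64:  # -ohmac-lt64: variable length, under 64 bytes
            raise ValueError("challenge must be 1..63 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


class PamChallengeState:
    """What `ykpamcfg -2` initialises for a user: the next challenge and the
    response the module expects for it (simplified; not yubico-pam's file format)."""

    def __init__(self, responder):
        self._rotate(responder)

    def _rotate(self, responder) -> None:
        self.challenge = os.urandom(63)
        self.expected = responder(self.challenge)

    def authenticate(self, responder) -> bool:
        """responder(challenge) -> response models asking whatever is plugged in.
        A success immediately stores a fresh challenge, so a response is single-use."""
        if not hmac.compare_digest(self.expected, responder(self.challenge)):
            return False
        self._rotate(responder)
        return True


def demo() -> dict:
    """Run one login sequence and return which attempts succeeded."""
    key = YubikeySlot(os.urandom(20))       # the user's programmed yubikey
    other = YubikeySlot(os.urandom(20))     # a different key with a different secret
    state = PamChallengeState(key.respond)  # the ykpamcfg step
    seen_response = key.respond(state.challenge)  # response to the current challenge, observed once
    return {
        "genuine key": state.authenticate(key.respond),                    # True, then rotates
        "replayed response": state.authenticate(lambda c: seen_response),  # False: challenge changed
        "other key": state.authenticate(other.respond),                    # False: wrong secret
        "genuine key again": state.authenticate(key.respond),              # True
    }
```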