#+TITLE: Securing NixOS with Yubikey
#+AUTHOR: yoctocell
#+DATE: 2020-12-14

In this blog post I will go over some things I have configured with
NixOS and a yubikey to improve the security of my system. I will not
go into detail on how to set up a GPG keypair; there are already plenty
of great tutorials. [fn:1]

[fn:1] See [[https://wiki.debian.org/Subkeys][here]], [[https://blog.tinned-software.net/create-gnupg-key-with-sub-keys-to-sign-encrypt-authenticate/][here]] and [[https://sanctum.geek.nz/arabesque/series/gnu-linux-crypto/][here]].

** GnuPG
To use GPG with a yubikey, we first need to install some packages. Put
the following in your =configuration.nix=:

#+begin_src nix
{
  # pcscd is the smart card daemon that gpg's scdaemon talks to
  services.pcscd.enable = true;

  environment.systemPackages = with pkgs; [
    yubikey-personalization
  ];

  # ships the udev rules that let a regular user access the yubikey
  services.udev.packages = with pkgs; [
    yubikey-personalization
  ];
}
#+end_src

We will export the subkeys to our yubikey so we can use it when
signing and decrypting mail, but first plug in the yubikey and run

#+begin_src sh
$ gpg --card-status
#+end_src

Then run =gpg --card-edit= and you should see a prompt like this.

#+begin_src sh
gpg/card> 
#+end_src

Type =admin= and then =passwd= to change the user and the admin pin. The
user pin will be used for day-to-day things like signing and
decrypting files; the admin pin will only be used for operations
concerning the configuration of the yubikey, e.g. adding subkeys. The
default user pin is =123456= and the default admin pin is =12345678=.

Now it's time to export the keys. Beware that this process will remove
the keys from your computer, so make sure your keys are backed up on
an external drive first.

#+begin_src sh
gpg --edit-key <keyid>

Secret subkeys are available.

pub  rsa4096/33947BA1AA8847FF
     created: 2020-12-13  expires: never       usage: C   
     trust: ultimate      validity: ultimate
ssb  rsa4096/D1B318ACDABCAEE6
     created: 2020-12-13  expires: 2021-12-13  usage: S   
     card-no: 0006 14257444
ssb  rsa4096/38E09A208656B970
     created: 2020-12-13  expires: 2021-12-13  usage: E   
     card-no: 0006 14257444
ssb  rsa4096/18ED52D1A730A8CA
     created: 2020-12-13  expires: 2021-12-13  usage: A   
     card-no: 0006 14257444
[ultimate] (1). yoctocell <public@yoctocell.xyz>

gpg>
#+end_src

Select the signing subkey with =key 1= and run =keytocard= to export it to your yubikey. Once it has been exported, deselect the signing key by running =key 1= again; you will see that the =*= next to the key disappears. Repeat the same process for =key 2= and =key 3=, then type =quit= to exit.

Run =gpg -K= and you should see something like this

#+begin_src sh
sec#  rsa4096/33947BA1AA8847FF 2020-12-13 [C]
      Key fingerprint = 4217 475C B91A 4C94 3FCE  C870 3394 7BA1 AA88 47FF
uid                 [ultimate] yoctocell <public@yoctocell.xyz>
ssb>  rsa4096/D1B318ACDABCAEE6 2020-12-13 [S] [expires: 2021-12-13]
ssb>  rsa4096/38E09A208656B970 2020-12-13 [E] [expires: 2021-12-13]
ssb>  rsa4096/18ED52D1A730A8CA 2020-12-13 [A] [expires: 2021-12-13]
#+end_src

The =>= next to =ssb= means that it is a stub pointing to the subkey on
your yubikey, and the =#= next to =sec= means that the secret part of the
primary key is not in this keyring at all.
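As an added check (my own example, not code from the original post), the script below inspects =gpg -K= output and fails if any secret key material is still on disk: a bare =sec= or =ssb= means the private key is in the local keyring rather than on the card or offline. The =check_keys_on_card= function and both sample listings are constructed for this example.

```shell
#!/bin/sh
# Added example: verify that "gpg -K" shows no secret key material on disk.
# "sec#" = primary secret key absent (kept offline), "ssb>" = subkey is a
# stub pointing at the card; a bare "sec"/"ssb" = secret key still in keyring.
# Real usage: gpg -K | check_keys_on_card

check_keys_on_card() {
    awk '
        /^sec/ { total++; if ($1 == "sec") { print "primary secret key still on disk: " $2; bad++ } }
        /^ssb/ { total++; if ($1 == "ssb") { print "subkey not on card: " $2; bad++ } }
        END {
            if (total == 0) { print "no secret keys found"; exit 1 }
            exit (bad > 0)
        }'
}

# Constructed sample listings standing in for "gpg -K" output. Key ids are
# the ones from the post; the second listing is a made-up "before keytocard" state.
sample_after_keytocard() {
    cat <<'EOF'
sec#  rsa4096/33947BA1AA8847FF 2020-12-13 [C]
uid                 [ultimate] yoctocell <public@yoctocell.xyz>
ssb>  rsa4096/D1B318ACDABCAEE6 2020-12-13 [S] [expires: 2021-12-13]
ssb>  rsa4096/38E09A208656B970 2020-12-13 [E] [expires: 2021-12-13]
ssb>  rsa4096/18ED52D1A730A8CA 2020-12-13 [A] [expires: 2021-12-13]
EOF
}

sample_before_keytocard() {
    cat <<'EOF'
sec   rsa4096/33947BA1AA8847FF 2020-12-13 [C]
uid                 [ultimate] yoctocell <public@yoctocell.xyz>
ssb   rsa4096/D1B318ACDABCAEE6 2020-12-13 [S] [expires: 2021-12-13]
ssb>  rsa4096/38E09A208656B970 2020-12-13 [E] [expires: 2021-12-13]
EOF
}

# Demo run over both samples; only the second one should be flagged.
for sample in sample_after_keytocard sample_before_keytocard; do
    if "$sample" | check_keys_on_card; then
        echo "$sample: OK, every secret key is on the card or offline"
    else
        echo "$sample: FAIL, secret key material is still in the keyring"
    fi
done
```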

If you are currently running a live OS like Tails, you have to export
your subkeys to an external drive.

#+begin_src sh
gpg --armor --output=/path/to/external/drive --export-secret-subkeys <keyid>
#+end_src

You can import the subkeys on your main computer by running

#+begin_src sh
gpg --import /path/to/external/drive
#+end_src

To test if everything is working, encrypt a file and then decrypt it
with your private key

#+begin_src sh
echo 'test' > test.txt
# encrypt test.txt to your own key, then decrypt it with the subkey on the yubikey
gpg -o test.gpg -e -r <keyid> test.txt
gpg --decrypt test.gpg
#+end_src

This should prompt you for the user pin you created for your yubikey.

** PAM
There is a PAM module that allows us to use the yubikey to
authenticate when logging in.

#+begin_src nix
{
  security.pam.yubico = {
    enable = true;
    debug = true;
    # HMAC-SHA1 challenge-response against slot 2, works offline
    mode = "challenge-response";
    # the yubikey is required in addition to the password
    control = "required";
  };
}
#+end_src

You then need to run the following commands. =ykpersonalize= programs
slot 2 of the yubikey for HMAC-SHA1 challenge-response, and =ykpamcfg=
stores the initial challenge and expected response for your user under
=~/.yubico=, so run it as the user that will be logging in.

#+begin_src sh
nix-shell -p yubico-pam -p yubikey-personalization
# program slot 2 for HMAC-SHA1 challenge-response and expose the serial number to the PAM module
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
# write the initial challenge/response state for the current user
ykpamcfg -2 -v
#+end_src

You now need your yubikey and your password to log in to your machine.
If you don't want to enter the password, just remove the =control =
"required";= line.