GnuPG Installation, Key Generation, & Decryption© 2014 Yubico. All rights reserved. Page 1 of 21
GnuPG Installation, Key Generation, & Decryption
Creating a Public/Private Key Pair for YubiKey Secrets
Ver 1.1
March 27, 2014
Introduction
Yubico is the leading provider of simple, open online identity protection. The company’s flagship
product, the YubiKey®, uniquely combines driverless USB hardware with open source software.
More than a million users in 100 countries rely on YubiKey strong two-factor authentication for
securing access to computers, mobile devices, networks and online services. Customers range
from individual Internet users to e-governments and Fortune 500 companies. Founded in 2007,
Yubico is privately held with offices in California, Sweden and the UK.
Disclaimer
The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. Yubico shall have no liability for any error or damages of any kind resulting from the use of this document. The Yubico Software referenced in this document is licensed to you under the terms and conditions accompanying the software or as otherwise agreed between you or the company that you are representing.
Trademarks
Yubico and YubiKey are trademarks of Yubico Inc.
Contact Information
Yubico Inc
228 Hamilton Avenue, 3rd Floor
Palo Alto, CA 94301
USA
info@yubico.com
Contents
Introduction (page 3)
Disclaimer (page 3)
Trademarks (page 3)
Contact Information (page 3)
1 Windows Installation (page 6)
2 Creating a Public/Private Key Pair (page 8)
3 Importing Yubico Keys for Validation (page 15)
4 Decrypting Files Encrypted with a Public Key (page 18)
1 Windows Installation
For the secure transfer of YubiKey secrets, Yubico employs a PGP Public/Private Key Pair scheme, using
Public Encryption Keys provided by customers to encrypt secret data before sending it. This document
outlines the process of installing the software needed to generate a PGP Public/Private Key Pair, the
creation of the Key Pair itself, and the decryption of files received from Yubico that were encrypted with
the provided Public Key.
1) First, download the open source Windows application Gpg4win from:
http://gpg4win.org/download.html
It is highly recommended that this application be installed on a secure computer which is regularly
backed up, to ensure the created PGP Public/Private Key Pairs are not lost.
2) Install Gpg4win selecting the default options, making sure the following components are installed:
GnuPG
Kleopatra
GpgOL
GpgEX
Gpg4win Compendium
3) At the “Define Trustable Root Certificates” step, select the option “Root certificate defined or skip
configuration”.
4) Finish the default installation of the gpg4win application.
2 Creating a Public/Private Key Pair
To ensure YubiKey secrets can only be accessed by the customer who purchased the corresponding
YubiKeys, Yubico requests that customers provide a Public Key which can be used to encrypt files
containing secret information. Using the provided Public Key ensures that the customer who created the
Public/Private Key Pair is the only entity able to decrypt files encrypted in this manner.
To generate a Public/Private Key pair and provide the Public Key to Yubico, follow the steps below:
1) Launch Kleopatra (Start > All Programs > Gpg4win > Kleopatra)
2) In Kleopatra, start the process to generate a new Public/Private key pair by selecting “File > New
Certificate”. Public/Private Key Pairs are also referred to as “Certificates”.
3) In the opening page of the Certificate Creation Wizard, select the option “Create a personal
OpenPGP key pair”.
4) In the provided fields, enter your name and email address. In the field labeled comment, enter the
name of the business or entity you represent. Once the requested information has been entered,
click “Next”. A full first and last name as well as a complete email address is required.
5) On the next page, confirm the provided Certificate Parameters and click the “Create Key” button.
6) Enter and confirm a passphrase of at least 8 characters, containing at least 1 letter, 1 number and
1 symbol. Record this passphrase in a safe location: files encrypted with this Public/Private Key
Pair cannot be decrypted without this passphrase.
7) After successfully creating the Key Pair, click the button labelled “Finish”.
Once the Public/Private Key Pair has been created, you will need to export the Public Key and
send it to Yubico.
8) In the main menu, right-click the newly created Certificate and select “Export Certificate”. This
creates a Public Key file which can be used to encrypt a file, but not to decrypt it. Files encrypted with
this Public Key can only be decrypted with the Private Key stored on the originating computer.
9) When Exporting the Public Key, name it with the Business or Company Name followed by the
Contact Name and Date.
10) Send the generated file to the email address provided by Yubico.
DO NOT remove or delete the certificate in Kleopatra without first backing up the certificate in a safe
location. This can be done by right-clicking the certificate and selecting the “Export Secret Keys”
option. The file exported is your private key; do NOT compromise it by sending it over an insecure
line of communication, such as email or an unsecured network. Note that the passphrase will also
need to be recorded, as the private key will not work without it.
If the certificate or secret key is lost or deleted, encrypted files sent from Yubico cannot be
decrypted.
3 Importing Yubico Keys for Validation
Encrypted files sent from Yubico will be “signed” by the programming station on which the YubiKeys
were configured. By verifying the signature of the Yubico Programming Station using that station's
Yubico Public Key, the validity of the file being sent can be confirmed.
A new instance of OpenPGP may require the user to configure it to communicate with the Public
Key storage server. This can be done by following the steps below:
1) In Kleopatra, open the Configure Kleopatra screen (Main Menu > Settings > Configure Kleopatra)
2) The Configure Kleopatra window will open on the Directory Services tab. Verify there is an entry in
the Directory Services for “keys.gnupg.net”. If this entry is present, close the window and skip the
next step.
3) If there is no entry for “keys.gnupg.net”, one will need to be added. Click the “New” button to
create a new entry. Verify the settings in the entry are:
Scheme: hkp
Server Name: keys.gnupg.net
Server Port: 11371
Base DN: blank/empty
X.509: NOT checked
OpenPGP: checked
Click “Ok” at the bottom to save the new Directory Service settings.
4) In Kleopatra, open the Certificate Server Certificate Lookup screen (Main Menu > File > Look up
Certificates on Server).
5) In the Certificate Server Certificate Lookup screen, locate the “Find” field at the top, type in “Yubico”,
then click the Search button. This will display a list of all Yubico Certificates.
6) Select the entries “Yubico Inc, Programming station #1” and “Yubico Limited (Programming Station
#2)” and click the button labelled “Import”. This imports the public keys for the Yubico Programming
Stations, allowing you to verify the Yubico signatures.
4 Decrypting Files Encrypted with a Public Key
When receiving files from Yubico which have been encrypted with the provided Public Key, they will need
to be decrypted with the Private Key of the same certificate the Public Key was exported from.
1) Launch Kleopatra (Start > All Programs > Gpg4win > Kleopatra) and select “Decrypt/Verify Files”
2) In the file browser that opens, select the Encrypted file provided by Yubico.
3) In the Decrypt/Verify Files window, click the button labeled “Decrypt/Verify”.
4) A prompt will ask for the passphrase associated with the private key. Enter the passphrase set
when creating the original certificate.
5) The encrypted file will be successfully decrypted and can be opened as normal.
Notes To Remember:
Always store your generated certificates and passphrases in a safe location to ensure that files
received from Yubico can be decrypted.
Make sure to send out only the Public Key (Export Certificate) and NEVER the private key (Export
Secret Keys).
Make sure to send out only a Public Key that corresponds to a private key you have on record.
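The two export menu items in Kleopatra (“Export Certificate” and “Export Secret Keys”) produce files that look alike, so a check before emailing is worth having. The following Python script is an added example; it is not part of this Yubico document and not Yubico's or Gpg4win's code. It de-armors an exported file, verifies the armor CRC-24, walks the OpenPGP packets and reports whether any secret-key packets (tags 5 and 7) are present, the primary key's v4 fingerprint, and the user IDs, so an operator can confirm a file is public-only before sending it and can compare the fingerprint with what Kleopatra shows (or, for the imported Yubico Programming Station keys of Section 3, with a value obtained from Yubico out of band; no fingerprint is assumed here). The two sample exports, the user ID “Alice Example (Example Corp)”, the timestamp and the tiny RSA values are all constructed inside the script so that it runs offline; they are not real keys.

```python
import base64
import hashlib

SECRET_KEY_TAGS = {5, 7}   # OpenPGP Secret-Key / Secret-Subkey packet tags (RFC 4880 section 4.3)

def crc24(data: bytes) -> int:
    # CRC-24 carried by the armor checksum line "=xxxx" (RFC 4880 section 6.1)
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000: crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> tuple[str, bytes]:
    # Return (block type, binary packets) from an ASCII-armored file after checking its CRC-24
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP ") or not lines[-1].startswith("-----END PGP "):
        raise ValueError("not an ASCII-armored OpenPGP file")
    block_type = lines[0][len("-----BEGIN PGP "):-5]
    body = lines[1:-1]
    if "" in body:                       # armor headers such as "Version:" end at the blank line
        body = body[body.index("") + 1:]
    data = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    for crc_line in (l for l in body if l.startswith("=")):
        if crc24(data) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
            raise ValueError("armor CRC-24 mismatch: the file is corrupt or was edited")
    return block_type, data

def parse_packets(data: bytes) -> list[tuple[int, bytes]]:
    # Split a binary OpenPGP stream into (tag, body) pairs; old- and new-format headers (section 4.2)
    packets, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if (ctb & 0xC0) == 0xC0:                            # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial body lengths are not handled here")
        elif ctb & 0x80 and (ctb & 0x03) != 3:             # old-format header, definite length
            tag, nbytes = (ctb >> 2) & 0x0F, (1, 2, 4)[ctb & 0x03]
            length, hdr = int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big"), 1 + nbytes
        else:
            raise ValueError("unsupported packet header at offset %d" % pos)
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        packets.append((tag, body))
        pos += hdr + length
    return packets

def v4_fingerprint(key_body: bytes) -> str:
    # SHA-1 over 0x99, a two-octet length and the public fields of a v4 key packet (section 12.2);
    # a secret-key packet starts with the same public fields, so both exports give the same value
    if key_body[0] != 4:
        raise ValueError("only version 4 keys are handled")
    mpis = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}[key_body[5]]   # RSA variants, Elgamal, DSA; KeyError otherwise
    pos = 6
    for _ in range(mpis):
        pos += 2 + (int.from_bytes(key_body[pos:pos + 2], "big") + 7) // 8
    public = key_body[:pos]
    return hashlib.sha1(b"\x99" + len(public).to_bytes(2, "big") + public).hexdigest().upper()

def inspect_key_file(armored: str) -> dict:
    # Pre-send check for a Kleopatra export: what it contains and whether it may leave the machine
    block_type, data = dearmor(armored)
    packets = parse_packets(data)
    primary = next(body for tag, body in packets if tag in (5, 6))   # StopIteration: no primary key
    has_secret = any(tag in SECRET_KEY_TAGS for tag, _ in packets)
    return {
        "block_type": block_type,
        "contains_secret_material": has_secret,
        "safe_to_send": not has_secret and block_type == "PUBLIC KEY BLOCK",
        "fingerprint": v4_fingerprint(primary),
        "user_ids": [body.decode("utf-8", "replace") for tag, body in packets if tag == 13],
    }

# --- constructed sample exports: NOT real keys (tiny fake MPIs, fixed timestamp) ---
def _mpi(v: int) -> bytes:                     # multiprecision integer: two-octet bit count, then magnitude
    return v.bit_length().to_bytes(2, "big") + v.to_bytes((v.bit_length() + 7) // 8, "big")
def _packet(tag: int, body: bytes) -> bytes:   # old-format header with a two-octet length, as gpg writes
    return bytes([0x80 | (tag << 2) | 0x01]) + len(body).to_bytes(2, "big") + body
def armor(block_type: str, data: bytes) -> str:
    b64 = base64.b64encode(data).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP {block_type}-----\n\n{wrapped}\n={crc}\n-----END PGP {block_type}-----\n"

_PUBLIC_FIELDS = b"\x04" + (0x53340000).to_bytes(4, "big") + b"\x01" + _mpi(0xC123) + _mpi(65537)
_SECRET_FIELDS = _PUBLIC_FIELDS + b"\x00" + _mpi(0x7B) + _mpi(0x0D) + _mpi(0x0F) + _mpi(0x02) + b"\x00\x00"
_USER_ID = b"Alice Example (Example Corp) <alice@example.com>"
SAMPLE_PUBLIC_EXPORT = armor("PUBLIC KEY BLOCK", _packet(6, _PUBLIC_FIELDS) + _packet(13, _USER_ID))
SAMPLE_SECRET_EXPORT = armor("PRIVATE KEY BLOCK", _packet(5, _SECRET_FIELDS) + _packet(13, _USER_ID))
```

Calling inspect_key_file on the text of a file produced by “Export Certificate” should report safe_to_send as True; on an “Export Secret Keys” file it reports contains_secret_material as True and safe_to_send as False, while both give the same fingerprint because the secret-key packet begins with the same public fields. The CRC check rejects a file that was damaged in transit or hand-edited, which is the case where a mismatch between the armor header and the packet contents would otherwise go unnoticed.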