Tanny and FC17 posted a guide on using GPG with a YubiKey over a year ago, and uh, while it was sometimes updated, it hasn't been recently, and we thought making a new post to note our changes might be a better idea than editing it yet again. Notably, we moved from Tutanota to Thunderbird (with our own Mailcow instance, besides that, we also have a Croc relay and a Jitsi instance running, as for what changed from last time), so we had to figure a way to make things work in the GUI too, while our original guide used a TUI pinentry app.
We tried using standalone pinentries for this, but couldn't get that working with Thunderbird on macOS, so in the end, we chose GPG Suite. So, replace the brew command from the guide with this:
# If you want to use Apple Mail rather than Thunderbird, try gpg-suite or gpg-suite-nightly instead, note you need to pay to activate the Mail extension, iirc brew install gpgme ykman gpg-suite-no-mail
Now, Tanny said
also don't make this a literal PIN, use an actual passphrase from your password manager or something
We would like to retract that statement
T.: Blasphemy!!111 :P
, because, uh yeah, of course Tanny, anyway, because the YubiKey limits the amount of tries you have anyway, so low entropy is fine here, and uh, GPG Suite's pinentry doesn't seem to accept autotype from KeePassXC (and using the clipboard is insecure).
With GPG suite, you can also use a much simpler shell rc (e.g.
gpg --card-status > /dev/null export "SSH_AUTH_SOCK=/Users/artemis/.gnupg/S.gpg-agent.ssh"
And, as for the GPG agent config, the correct file is actually
~/.gnupg/gnupg-agent.conf (which I guess was
cargoculted from somewhere).
No, it's alright. Thing is, as it turns out, none of the config in the original guide was even needed in the first place ‒ things like SSH support are already there by default anyway, apparently.
Some more helpful things:
- While you're adding annotations, you might want to add more
UIDs (i.e. more name/email address tuples) with
gpg --edit-keyinterface. Useful for, oh, plural systems maybe? Hehe.
- In that same interface, if you want to express an explicit
preference for more secure ciphers/hashes as well as no compression
(note, unfortunately, having a preference for 3DES and SHA1 is
mandatory and will be added to the end of your preference list if
you don't specify, which is why), you might run something like
setpref AES256 TWOFISH CAMELLIA256 AES192 CAMELLIA192 AES CAMELLIA128 SHA512 SHA384 SHA256 SHA224 Uncompressed ZLIB BZIP2 ZIP. Select individual UIDs with
uid(yes, apparently this is per-UID and can't be set globally). Note this step actually probably doesn't matter that much because GPG itself supposedly doesn't select ciphers or hashes based on this, but uh, maybe other implementations (like the one in Thunderbird, or Sequoia PGP) might. Don't know, really.
- As for GPG's own cipher preferences, among other things, you
can use a config file like this in
# https://github.com/ioerror/duraconf/blob/master/configs/gnupg/gpg.conf no-emit-version #keyserver # Commented out because uh, something, we forgot, but it's uh, not so important, I guess personal-cipher-preferences AES256 TWOFISH CAMELLIA256 AES192 CAMELLIA192 AES CAMELLIA128 personal-digest-preferences SHA512 SHA384 SHA256 SHA224 cert-digest-algo SHA512 # https://tutonics.com/2012/11/gpg-encryption-guide-part-4-symmetric.html cipher-algo AES256 force-mdc default-key CE6696CE96B00747B91326724EDC4EF429A9FFF9 # This is our key's fingerprint, change this to your own
We procrastinated quite a while on this post, so I hope we didn't forget something, now. Hope it helps, anyway. Also, as for the original post, I added another note there linking to this post.