YubiKey


GPG with a YubiKey

Install for Mac:

```bash
brew install gnupg yubikey-personalization hopenpgp-tools ykman pinentry wget pinentry-mac

# Setup GPG: export the existing keyring, then re-import it without keyboxd
mkdir -p ~/.gnupg
gpg --export --export-options backup > allkeys.gpg
gpgsm --export --armor > allcerts.gpg
# Remove use-keyboxd from ~/.gnupg/common.conf before re-importing
gpg --import --import-options restore < allkeys.gpg
gpgsm --import < allcerts.gpg

# Setup GPG config. The heredoc is unquoted, so $GPG_TTY and $(brew --prefix)
# are expanded when the file is written: export GPG_TTY="$(tty)" before running this.
cat << EOF > $HOME/.gnupg/gpg-agent.conf
# https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html
enable-ssh-support
ttyname $GPG_TTY
default-cache-ttl 60
max-cache-ttl 120
# Homebrew installs pinentry under its prefix, not /usr/bin (pinentry-mac, installed above, also works here)
pinentry-program $(brew --prefix)/bin/pinentry-curses
EOF

# Setup SSH: append, so an existing ~/.ssh/config is not overwritten
cat << EOF >> $HOME/.ssh/config
Match host github.com exec "gpg-connect-agent UPDATESTARTUPTTY /bye"
EOF
```

Setup YubiKey:

```text
# Check that the YubiKey is detected by gpg
>>> gpg --card-edit
Reader ...........: Yubico YubiKey OTP FIDO CCID [...]

# Enable admin commands (`admin` toggles: typing it a second time turns them off again)
# and switch the card to KDF mode, which hashes PINs before they are sent to the card.
# kdf-setup asks for the admin PIN; it is still the default 12345678 at this point.
gpg/card> admin
gpg/card> kdf-setup

# Change the admin PIN from the default 12345678 (option 3 is only shown in admin mode)
gpg/card> passwd
gpg/card> 3

# Change the user PIN from the default 123456
gpg/card> passwd
gpg/card> 1

# Setup key algorithms: the prompt is repeated for the signature, encryption and authentication key
gpg/card> key-attr
# (2) ECC
# (1) Curve 25519 (default)
# Enter your admin PIN
# ... answer the same way for the second and third key

# Generate the keys on the card
gpg/card> generate
# Select no off-card backup
# Set the key to expire in X years
# Use the same email as for git commits
# Enter the admin PIN when asked
```

Setup Git:

```bash
# Setup the touch policy on the keys: Fixed requires a touch for every operation
# and cannot be relaxed later without regenerating the key
ykman openpgp keys set-touch ENC Fixed
ykman openpgp keys set-touch AUT Fixed
ykman openpgp keys set-touch SIG Fixed

# Setup Git
>>> gpg --list-keys
pub   ed25519 2025-03-05 [SC] [expires: 2026-03-05]
      B234A36199ED837092E998A6D435C5C048427353
gpg --armor --export B234A36199ED837092E998A6D435C5C048427353 > gpg.pub
# Add gpg.pub to GitHub
# Use the fingerprint shown by --list-keys as the signing key
git config --global user.signingkey B234A36199ED837092E998A6D435C5C048427353
git config --global commit.gpgsign true
```

Setup Zsh:

```bash
# Quote the delimiter so $(tty) and the other expansions are written to ~/.zshrc
# verbatim and evaluated at every shell start, instead of being frozen at write time
cat << 'EOF' >> ~/.zshrc
# Yubikey
export GPG_TTY="$(tty)"
export PATH=$(brew --prefix openssh)/bin:$PATH
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpg-connect-agent updatestartuptty /bye > /dev/null
EOF

# Show the SSH public key served by gpg-agent and add it to GitHub
ssh-add -L
```

Attestation of the YubiKey

Make Attestation Certs:

```bash
# Get the fingerprint of the key to attest
>>> gpg --list-secret-keys
FINGERPRINT=B234A36199EAAAAAAAAAAAAAAAAAC5C048427353

# Generate the attestation statements
ykman openpgp keys attest SIG gpg-stmt-sig-${USER}.crt
ykman openpgp keys attest AUT gpg-stmt-aut-${USER}.crt
# Export the attestation certificate
ykman openpgp certificates export ATT gpg-att-${USER}.crt

# Download the Yubico CA certs (into the current directory, next to the statements)
wget https://developers.yubico.com/PKI/yubico-ca-1.pem
wget https://developers.yubico.com/PKI/yubico-intermediate.pem
wget https://developers.yubico.com/PKI/yubico-opgp-ca-1.pem

# Verify the chain (post-2025 CA hierarchy)
openssl verify \
  -trusted yubico-ca-1.pem \
  -untrusted yubico-intermediate.pem \
  -untrusted gpg-att-${USER}.crt gpg-stmt-aut-${USER}.crt
openssl verify \
  -trusted yubico-ca-1.pem \
  -untrusted yubico-intermediate.pem \
  -untrusted gpg-att-${USER}.crt gpg-stmt-sig-${USER}.crt

# Verify the chain (pre-2025 CA hierarchy)
openssl verify -CAfile yubico-opgp-ca-1.pem \
  -untrusted gpg-att-${USER}.crt gpg-stmt-sig-${USER}.crt
openssl verify -CAfile yubico-opgp-ca-1.pem \
  -untrusted gpg-att-${USER}.crt gpg-stmt-aut-${USER}.crt
```
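The openssl commands prove that the statements chain to Yubico's CA, but not what they say about the key. The following is an added example, not part of these notes: it decodes the Yubico-specific extensions in an attestation statement and checks that the key was generated on the card, carries the expected fingerprint and has a Fixed touch policy. It uses the `cryptography` package, a constructed self-signed stand-in certificate, and an OID-to-field mapping taken from my reading of Yubico's OpenPGP attestation documentation rather than from this page.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.x509.oid import NameOID, ObjectIdentifier
# Yubico OpenPGP attestation extensions under arc 1.3.6.1.4.1.41482.5. This OID-to-field
# mapping is my reading of Yubico's attestation docs (not from the notes above): verify it there.
ARC = "1.3.6.1.4.1.41482.5."
TOUCH = {0: "Off", 1: "On", 2: "Fixed", 3: "Cached", 4: "Cached-Fixed"}
FIELDS = {  # tail slices decode both raw values and DER-wrapped ones (02 01 xx, 04 14 ...)
    "1": ("source", lambda b: "generated-on-card" if b[-1] == 1 else "imported"),
    "2": ("firmware", lambda b: ".".join(str(x) for x in b[-3:])),
    "3": ("fingerprint", lambda b: b[-20:].hex().upper()),
    "6": ("serial", lambda b: int.from_bytes(b[-4:], "big")),
    "7": ("touch_policy", lambda b: TOUCH.get(b[-1], f"unknown({b[-1]})")),
}

def decode_attestation(pem: bytes) -> dict:
    """Extract the Yubico fields from a statement such as gpg-stmt-sig-$USER.crt."""
    found = {}
    for ext in x509.load_pem_x509_certificate(pem).extensions:
        suffix = ext.oid.dotted_string.removeprefix(ARC)
        if suffix in FIELDS:
            name, decode = FIELDS[suffix]
            found[name] = decode(ext.value.value)  # UnrecognizedExtension carries raw bytes
    return found

def check_statement(pem: bytes, expected_fpr: str) -> list:
    """Findings about the attested key; an empty list means it is the key you expect."""
    f, findings = decode_attestation(pem), []
    if f.get("source") != "generated-on-card":
        findings.append("key was imported, not generated on the YubiKey")
    if f.get("fingerprint") != expected_fpr.replace(" ", "").upper():
        findings.append("fingerprint does not match the GPG key")
    if f.get("touch_policy") not in ("Fixed", "Cached-Fixed"):
        findings.append(f"touch policy is {f.get('touch_policy')}, not Fixed")
    return findings

def constructed_statement(fpr_hex: str, source: int = 1, touch: int = 2) -> bytes:  # constructed stand-in, runs offline
    key = ed25519.Ed25519PrivateKey.generate()
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed statement")])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    for suffix, raw in (("1", bytes([source])), ("2", b"\x05\x07\x02"), ("3", bytes.fromhex(fpr_hex)),
                        ("6", (12345678).to_bytes(4, "big")), ("7", bytes([touch]))):
        b = b.add_extension(x509.UnrecognizedExtension(ObjectIdentifier(ARC + suffix), raw), critical=False)
    return b.sign(key, None).public_bytes(serialization.Encoding.PEM)
```

Run `check_statement` on the real `gpg-stmt-sig-${USER}.crt` with the fingerprint from `gpg --list-keys` after the openssl chain check passes; it complements that check rather than replacing it.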