Base Linux Protection

Using YubiKey NEO | 10 February 2019


Although we can protect the private key with a password, it is still not very secure, as anybody who gets access to our PC can steal it. We can extend the protection by encrypting the filesystem (e.g. ecryptfs, dm-crypt) and allowing it to be decrypted only when we log in.

The YubiKey NEO provides a platform-independent API to cryptographic tokens via the PKCS#11 standard. That makes the YubiKey work like a smart card. Access to the PIV interface is secured by a PIN: only a person who knows the PIN can use the YubiKey to authenticate.

Load the user's certificate on the Yubikey:

Import the user's certificate (user_cert.pfx) into the Authentication slot (9a).

First we block the PIN and PUK so that we can reset the PIV application (both must be blocked before the application can be reset). Bear in mind that this action destroys all keys stored in the PIV application:

$ for N in $(seq 3); do yubico-piv-tool -a verify-pin -P wrongpin; yubico-piv-tool -a change-puk -P wrongpuk -N wrongpuk; done
$ yubico-piv-tool -a reset

Generate a new management key:

$ dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"' | gpg -c -a -o MgmtKey.gpg
$ KEY=$(gpg -d MgmtKey.gpg 2>/dev/null)
$ yubico-piv-tool -a set-mgm-key -n $KEY

Keep the MgmtKey.gpg file secure for later use. Then we set the PIN (4-8 chars) and PUK (4-8 chars):

$ read -s -p "Type your new PIN: " PIN
$ read -s -p "Type your new PUK: " PUK
$ yubico-piv-tool -a change-pin -P 123456 -N $PIN
$ yubico-piv-tool -a change-puk -P 12345678 -N $PUK

Upload the user's certificate onto the Yubikey:

$ read -s -p "Type the user's certificate password: " PASS
$ yubico-piv-tool -s 9a -a import-key -a import-cert -a set-chuid -i user_cert.pfx -K PKCS12 -p $PASS -k $KEY

Verify that the user's certificate is installed:

$ yubico-piv-tool -a status

Clean the KEY, PIN, PUK and PASS from the environment (or simply exit the shell):

$ unset KEY PIN PUK PASS
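The provisioning steps above gathered into one script, as an added example that is not part of the original post: it checks the management key format and the PIN/PUK lengths before touching the token, runs the reset, key, PIN/PUK and import steps in order, and clears the secrets from the shell afterwards. It assumes yubico-piv-tool is on PATH; the PIV_TOOL variable is an assumption of this script and can point at another command (e.g. a logging stub) for a dry run.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the provisioning steps
# above with input checks. Assumes yubico-piv-tool is on PATH; PIV_TOOL may
# point to another command (for instance a logging stub) for a dry run.
PIV_TOOL=${PIV_TOOL:-yubico-piv-tool}

# 24 random bytes as 48 uppercase hex digits (3DES management key), no newline.
gen_mgmt_key() {
    dd if=/dev/urandom bs=24 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

# The management key must be exactly 48 hex digits.
valid_mgmt_key() {
    case $1 in *[!0-9A-Fa-f]*) return 1 ;; esac
    [ "${#1}" -eq 48 ]
}

# PIN and PUK lengths: 4-8 characters, as used in the post.
valid_pin() {
    [ "${#1}" -ge 4 ] && [ "${#1}" -le 8 ]
}

# Full sequence: block PIN/PUK, reset the applet, set the management key,
# change PIN and PUK from the factory defaults, import the PKCS#12 bundle.
provision_piv() {
    pfx=$1 pfx_pass=$2 pin=$3 puk=$4 key=$5
    valid_mgmt_key "$key" || { echo "management key must be 48 hex digits" >&2; return 1; }
    { valid_pin "$pin" && valid_pin "$puk"; } || { echo "PIN/PUK must be 4-8 chars" >&2; return 1; }
    n=0
    while [ "$n" -lt 3 ]; do
        "$PIV_TOOL" -a verify-pin -P wrongpin
        "$PIV_TOOL" -a change-puk -P wrongpuk -N wrongpuk
        n=$((n + 1))
    done
    "$PIV_TOOL" -a reset &&
    "$PIV_TOOL" -a set-mgm-key -n "$key" &&
    "$PIV_TOOL" -a change-pin -P 123456 -N "$pin" &&
    "$PIV_TOOL" -a change-puk -P 12345678 -N "$puk" &&
    "$PIV_TOOL" -s 9a -a import-key -a import-cert -a set-chuid \
        -i "$pfx" -K PKCS12 -p "$pfx_pass" -k "$key"
    rc=$?
    unset pin puk key pfx_pass   # do not leave secrets in the shell
    return "$rc"
}
```

Store the generated key the same way as above (gpg -c into MgmtKey.gpg) before calling provision_piv, since the script deliberately forgets it.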

The following commands show other potentially useful tasks. If we block the PIN by accident (3 unsuccessful attempts), we can unblock it with the PUK:

$ yubico-piv-tool -a unblock-pin -N $PIN --pin $PUK

If the PUK is blocked (3 unsuccessful attempts), the PIV applet will be blocked and we need to reset it (see above).

We can change the number of attempts for PIN/PUK:

$ yubico-piv-tool -a pin-retries --pin-retries=10 --puk-retries=5 -k $KEY

We can change the PIN/PUK:

$ yubico-piv-tool -a change-pin -P $PIN -N $NEW_PIN
$ yubico-piv-tool -a change-puk -P $PUK -N $NEW_PUK

We can extract the public certificate (not the private key) from the Yubikey:

$ yubico-piv-tool -a read-certificate -s 9a > ClientCert.pem

Category: Free Thinking, Linux