GnuPG

source article: https://zeos.ca/post/2018/gpg-yubikey5/#configuring-your-workstation

Start by installing GnuPG and the smart card support packages (the source article targets Arch Linux, hence yay; on other distributions the package names differ).

$ yay -S gnupg ccid opensc

Next, I use the following for my ~/.gnupg/gpg.conf file. Make sure to update the default-key parameter to your Key ID, and keep the CHANGE reminder on its own line: GnuPG only treats lines that start with # as comments, so text after an option's value would become part of the value.

~/.gnupg/gpg.conf
no-greeting
# Reject signatures from subkeys that lack a back-signature from their primary key
require-cross-certification

keyserver hkps://keys.openpgp.org
# Ignore any preferred-keyserver URL embedded in a key; always use the server above
keyserver-options no-honor-keyserver-url

# Where to look up missing keys (takes the same keyserver URL form as dirmngr)
auto-key-locate hkps://keys.openpgp.org
# Fetch the signer's key automatically when verifying a signature.
# Caveat: this contacts the keyserver for every unknown signer, which reveals whose signatures you verify
auto-key-retrieve

# SHA-512 for key certifications, and strong digest/cipher preferences on new keys and user IDs
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
# Digests to prefer for signatures made with our own keys
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
# Leave the Version: and Comment: headers out of armored output
no-emit-version

no-comments
# Show 64-bit key IDs with a 0x prefix, plus fingerprints, in listings
keyid-format 0xlong
with-fingerprint
# A dummy option since GnuPG 2.1 (the agent is always used); harmless to keep
use-agent

# CHANGE the value below to your own key ID
default-key 0x?????

~/.gnupg/gpg-agent.conf
# Forget a cached PIN/passphrase after 10 minutes idle, and after 2 hours at most
default-cache-ttl 600
max-cache-ttl 7200
# Let gpg-agent act as ssh-agent, so the card's authentication subkey is usable by ssh
enable-ssh-support
# Obsolete since GnuPG 2.1 (the agent is started on demand); the agent warns and ignores it
write-env-file

~/.gnupg/scdaemon.conf

pcsc-shared is especially important: without it scdaemon takes exclusive access to the reader, so the YubiKey could not be used by gpg and Firefox at the same time. The scdaemon manual flags the option as somewhat dangerous because scdaemon caches card state and assumes no other application changes it behind its back; keep that in mind before sharing the card with anything that writes to it.

# Talk to the card through PC/SC (pcscd) rather than GnuPG's internal CCID driver
pcsc-driver /usr/lib/libpcsclite.so
# Open the reader in shared mode so other PC/SC clients can use the YubiKey too
pcsc-shared
# Power the card down after 5 seconds without a client, which releases it for other applications
card-timeout 5
disable-ccid
verbose
# Only use this reader; the exact reader name can be listed with opensc-tool -l
reader-port Yubico YubiKey OTP+FIDO+CCID

~/.gnupg/dirmngr.conf

Tip

My system by default used the SKS PGP servers. It's encouraged to switch to the Hagrid server at keys.openpgp.org: it only publishes user IDs after e-mail verification and does not distribute third-party signatures, so it is not affected by the certificate flooding that hit the SKS network. Restart dirmngr afterwards (gpgconf --kill dirmngr) so the new server is actually used.

keyserver hkps://keys.openpgp.org
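The gpg-agent.conf above sets enable-ssh-support, but ssh does not use the agent until SSH_AUTH_SOCK points at gpg-agent's socket. The following is an added example, not from the original post, of the shell-profile function that does that wiring; it assumes GnuPG 2.1 or later (for gpgconf --list-dirs) and OpenSSH. The variable gnupg_SSH_AUTH_SOCK_by is the one gpg-agent itself exports when it launched the shell.

```shell
# Added example, not from the original post: point OpenSSH at the ssh-agent
# socket that gpg-agent exposes when enable-ssh-support is set. Call this from
# ~/.bashrc or ~/.zshrc. Assumes GnuPG 2.1+ (gpgconf --list-dirs) and OpenSSH.

use_gpg_agent_for_ssh () {
    if ! command -v gpgconf >/dev/null 2>&1; then
        echo "gpgconf not found: GnuPG 2.1+ is required" >&2
        return 1
    fi
    # A leftover SSH_AGENT_PID from a stock ssh-agent would make ssh-add talk
    # to the wrong agent.
    unset SSH_AGENT_PID
    # gpg-agent exports gnupg_SSH_AUTH_SOCK_by=<pid> when it launched this shell
    # itself and already set SSH_AUTH_SOCK; only override when that is not us.
    if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
        SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)" || return 1
        export SSH_AUTH_SOCK
    fi
    # Tell the (auto-started) agent which terminal to use for pinentry, so the
    # PIN prompt for the card appears in this terminal rather than a stale one.
    gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1 || true
    printf '%s\n' "$SSH_AUTH_SOCK"
}
```

Once this has run, ssh-add -L lists the card's authentication subkey (0xD4CB0F888A5233F9 in the listing further down) while the YubiKey is inserted, and gpg --export-ssh-key 0xD60BAB29C43A7D86 prints the same key in authorized_keys form for the servers you log in to.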

At this point you should be able to import your public key (the non-secret one, from a USB flash drive that doesn't contain your private key).

$ gpg2 --import 0xD60BAB29C43A7D86.pub.asc

And, if we plug in our YubiKey at this moment, we can have GnuPG associate the private keys on the YubiKey with the public key in the keyring. gpg2 --card-status creates secret-key stubs that point at the card instead of containing key material:

$ gpg2 --card-status
// which should show the details of your smart card (serial number, cardholder, and the fingerprints in the three key slots)

Because this is your key, you should edit it and set its ownertrust to ultimate; until you do, the key (and anything it certifies) shows as validity: unknown, as in the listing below.

$ gpg2 --edit-key 0xD60BAB29C43A7D86
gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/0xD60BAB29C43A7D86
     created: 2018-10-06  expires: 2020-10-05  usage: SC
     trust: unknown       validity: unknown
ssb  rsa4096/0xC7BE201051104674
     created: 2018-10-06  expires: 2019-10-06  usage: S
ssb  rsa4096/0xD091C8246D6E716F
     created: 2018-10-06  expires: 2019-10-06  usage: E
ssb  rsa4096/0xD4CB0F888A5233F9
     created: 2018-10-06  expires: 2019-10-06  usage: A
[ unknown] (1). Test User <test@testcorp.com>
[ unknown] (2)  Test User <test@keybase.io>

gpg> trust
sec  rsa4096/0xD60BAB29C43A7D86
     created: 2018-10-06  expires: 2020-10-05  usage: SC
     trust: unknown       validity: unknown
ssb  rsa4096/0xC7BE201051104674
     created: 2018-10-06  expires: 2019-10-06  usage: S
ssb  rsa4096/0xD091C8246D6E716F
     created: 2018-10-06  expires: 2019-10-06  usage: E
ssb  rsa4096/0xD4CB0F888A5233F9
     created: 2018-10-06  expires: 2019-10-06  usage: A
[ unknown] (1). Test User <test@testcorp.com>
[ unknown] (2)  Test User <test@keybase.io>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

sec  rsa4096/0xD60BAB29C43A7D86
     created: 2018-10-06  expires: 2020-10-05  usage: SC
     trust: ultimate      validity: unknown
ssb  rsa4096/0xC7BE201051104674
     created: 2018-10-06  expires: 2019-10-06  usage: S
ssb  rsa4096/0xD091C8246D6E716F
     created: 2018-10-06  expires: 2019-10-06  usage: E
ssb  rsa4096/0xD4CB0F888A5233F9
     created: 2018-10-06  expires: 2019-10-06  usage: A
[ unknown] (1). Test User <test@testcorp.com>
[ unknown] (2)  Test User <test@keybase.io>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> quit

You can quickly test your card by encrypting and signing a message to yourself.

Note

It will prompt for your PIN. Once you have typed it correctly, notice the YubiKey light blinking: that is Touch-to-Sign (the card's touch policy for the signature key) asking you to press the button to confirm the signature. Do that. If you never enabled the touch policy, there is no blink and the signature is produced as soon as the PIN is accepted.

$ echo hello | gpg -esr test@testcorp.com --output message.gpg
gpg: using "0xD60BAB29C43A7D86" as default secret key for signing

And we can decrypt it and verify the signature with:

$ gpg2 -d message.gpg
gpg: encrypted with 4096-bit RSA key, ID 0xD091C8246D6E716F, created 2018-10-06
      "Test User <test@testcorp.com>"
hello
gpg: Signature made Sun Oct  7 09:40:05 2018 MDT
gpg:                using RSA key ??????
gpg: Good signature from "Test User <test@testcorp.com>" [ultimate]
....

Bash Functions

Remember to replace the key ID after -r with your own. Note that secret only encrypts; add --sign to the gpg call if you also want the file authenticated.

# secret FILE: encrypt FILE to yourself, writing ~/FILE.<epoch>.enc (ASCII-armored)
secret () {
        output=~/"$(basename "${1}")".$(date +%s).enc
        gpg --encrypt --armor --output "${output}" -r 0x36D24DC2D85A0454 "${1}" && echo "${1} -> ${output}"
}

# reveal FILE.<epoch>.enc: decrypt back to FILE, stripping the ".<epoch>.enc" suffix that secret added
reveal () {
        output="${1%.*.enc}"
        gpg --decrypt --output "${output}" "${1}" && echo "${1} -> ${output}"
}

Configure Git to Sign Commits

# The key ID may be the primary key (0xD60BAB29C43A7D86 above); gpg then uses the signing subkey on the card.
# Append ! to pin a specific subkey, e.g. 0xC7BE201051104674!
git config --global user.signingkey <your-key-id>
# Only needed where the gpg binary is still GnuPG 1.x; on Arch, gpg is already 2.x
git config --global gpg.program gpg2
# Optional - to sign all your commits
git config --global commit.gpgsign true
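A rehearsal of the whole workflow above (the encrypt-and-decrypt card test and the signed Git commit), added here as an example that is not from the original post. It uses a throwaway GNUPGHOME with a freshly generated software key so that it runs on any machine with GnuPG 2.1+ and git; on the real workstation you would skip step 1 and set key to your card key, for example 0xD60BAB29C43A7D86. The user ID Test User <test@example.invalid>, the commit contents and the temporary paths are constructed for the example.

```shell
# Added example, not from the original post: rehearse encrypt/decrypt and a
# signed Git commit in a throwaway GNUPGHOME with a generated software key.
# Assumes GnuPG 2.1+ and git on PATH. On the real workstation, drop step 1
# and set key="0xD60BAB29C43A7D86" (or your own card key) instead.

gpg_git_rehearsal () {
    command -v gpg >/dev/null 2>&1 && command -v git >/dev/null 2>&1 || {
        echo "skip: gpg and git are both required" >&2
        return 0
    }
    work="$(mktemp -d)" || return 1
    (
        set -e
        # Private GNUPGHOME (and therefore a private gpg-agent); ~/.gnupg is untouched.
        export GNUPGHOME="$work/gnupg"
        mkdir -m 700 "$GNUPGHOME"
        # No pinentry in a script: gpg passes the (empty) passphrase over loopback.
        printf 'pinentry-mode loopback\n' > "$GNUPGHOME/gpg.conf"
        printf 'allow-loopback-pinentry\n' > "$GNUPGHOME/gpg-agent.conf"

        # 1. Key material: ed25519 certify/sign primary plus a cv25519 encryption
        #    subkey, unprotected (empty passphrase) since this home is discarded.
        gpg --batch --passphrase '' --quick-gen-key \
            'Test User <test@example.invalid>' ed25519 sign 0
        fpr="$(gpg --with-colons --list-keys test@example.invalid \
               | awk -F: '$1 == "fpr" { print $10; exit }')"
        gpg --batch --passphrase '' --quick-add-key "$fpr" cv25519 encr 0
        key="0x$(printf '%s' "$fpr" | tail -c 16)"   # long key ID, as keyid-format 0xlong shows it

        # 2. Same check as the card test above: encrypt+sign to yourself, then decrypt+verify.
        echo hello | gpg --batch -esr test@example.invalid --output "$work/message.gpg"
        plain="$(gpg --batch -d "$work/message.gpg" 2> "$work/verify.log")"
        [ "$plain" = "hello" ]
        grep -q 'Good signature' "$work/verify.log"

        # 3. Git: the settings from the section above applied to a fresh repo,
        #    then a signed commit checked with git's own verification.
        git init -q "$work/repo"
        git -C "$work/repo" config user.name 'Test User'
        git -C "$work/repo" config user.email 'test@example.invalid'
        git -C "$work/repo" config user.signingkey "$key"
        git -C "$work/repo" config gpg.program gpg
        git -C "$work/repo" config commit.gpgsign true
        echo 'signed' > "$work/repo/README"
        git -C "$work/repo" add README
        git -C "$work/repo" commit -q -m 'Signed commit'
        git -C "$work/repo" verify-commit HEAD 2> "$work/git-verify.log"
        grep -q 'Good signature' "$work/git-verify.log"
        echo "ok: signed commit verified with $key"
    )
    rc=$?
    # Tear down the throwaway agent and home, whatever happened above.
    GNUPGHOME="$work/gnupg" gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    return "$rc"
}
```

Run gpg_git_rehearsal; it prints ok: signed commit verified with 0x... and returns 0 when every step succeeded. On the real workstation the same git verify-commit HEAD (or git log --show-signature -1) is the check to run after your first signed commit: the YubiKey light should blink for the touch confirmation, and the output must contain Good signature from your user ID.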