Contents

Overview

  • Create a new PGP key on a Yubikey (or similar token)
  • Sign it with the existing primary key
  • Publish new key and signing details
    • Keybase
    • Main website / blog
    • Include validity period (start/end dates)
  • Tease out the minimum number of secrets needed and set up a dedicated password database
    • [qt]pass + Yubikey PGP for encryption
    • [qt]pass is great because you need a PIN for access and you can always ‘forget’ the PIN
  • Tease out the minimum number of TOTP entries and set up a dedicated password database
    • KeePass XC in conjunction with ‘challenge response’ of the master database
    • Password can be ‘forgotten’ for access and w/o the Yubikey nobody has access
  • Travel / OpSec 4 Life!
  • Revoke/reset any compromised secrets
  • Reset Yubikey back to defaults for next trip/round

Setup

Note : I chose to go with a SEPARATE key here to simplify things in case of theft or similar loss. I’d rather have a key be only good for a week, a month or some other small period of time and be self-contained than have to futz with my primary encryption key(s). Signing keys wouldn’t be as big of a problem, but if you’re going to create a dedicated encryption key you may as well go all-in and do a dedicated signing key too, even if it’s treated as transient.

  • If using Yubikey NEO run Yubikey NEO manager and verify OpenPGP is enabled
    • Maybe rename it to Temp or Travel as well
    • https://www.yubico.com/products/services-software/download/yubikey-neo-manager/
  • Run Yubikey Personalization and RESET the key to factory defaults
    • Delete the configuration in the slots
    • https://www.yubico.com/products/services-software/download/yubikey-personalization-tools/
  • Set up gpg4win (or equivalent)
  • Set up a NEW PGP key (max RSA size) on the Yubikey
    • https://support.yubico.com/support/solutions/articles/15000006420-using-your-yubikey-with-openpgp
    • Use an e-mail address that’s different from your main key(s) (you want to ensure you have access to the email listed)
    • CHANGE user and admin pins
    • BACKUP PINs for later
  • Sign the new, temporary key with your existing, primary PGP key
    • https://carouth.com/blog/2014/05/25/signing-pgp-keys/
  • Publish your temporary key to your ‘usual’ spots
    • See above

Prep

MINIMUM is important here. Lock yourself out of things, prevent access, etc. You’re doing something where you want to minimise exposure. The world will keep turning if you don’t have access to ‘something’. If nothing else, ignore the problem until you’re back in front of your primary environment(s).

  • Set up [qt]pass with the MINIMUM set of secrets necessary based on threat model / need
  • Set up KeePass XC with the MINIMUM set of TOTP 2FA secrets necessary based on threat model / need
    • https://keepassxc.org/
  • Catalog secrets that may be exposed/compromised

Enjoy the security

Travel / OpSec 4 Life FUN IN THE [insert your preference here]

Aftermath and Cleanup

Clean up the transient ‘stuff’

  • Revoke/reset any compromised secrets
  • Delete Yubikey slot 1 config
  • Delete Yubikey slot 2 config
  • REVOKE existing PGP keys
    • If necessary or you ‘got back from your travels early’
    • Publish revocation (see above for where to publish)
  • RESET PGP Applet
    • Option 1 (Simple)
      • Generate NEW JUNK keys for GPG applet (factory-reset isn’t implemented on the Yubikeys)
      • RESET PINs to defaults
      • Do NOT publish the junk keys
    • Option 2 (Factory reset using Yubico method)
      • Official NEO Doc: https://developers.yubico.com/ykneo-openpgp/ResetApplet.html
      • Note : This WIPES the applet (good for a full reset need/desire)
      • See below for ‘code’
  • Delete [qt]pass database
  • Delete KeePass XC database

Reset Yubikey NEO PGP Applet

Run gpg-connect-agent with the Yubikey inserted and feed it the lines below (typed interactively, or saved to a file and piped on stdin). Each PIN is deliberately entered wrong more times than the retry counter allows, so both PW1 and PW3 end up blocked; that is what lets TERMINATE DF wipe the applet before ACTIVATE FILE re-initialises it with factory defaults.

gpg-connect-agent
/hex
scd serialno
# Block PW1 (user PIN): VERIFY with the wrong PIN '@@@@@@@@' until the retry counter is exhausted
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
# Block PW3 (admin PIN) the same way
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
# TERMINATE DF, then ACTIVATE FILE: wipe the applet and re-create it with default PINs and no keys
scd apdu 00 e6 00 00
scd apdu 00 44 00 00
/echo Card has been successfully reset.
/bye
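As an added example (not code from this post or from Yubico), a small Python decoder for the ‘scd apdu’ lines above: it shows what each line actually sends to the card and checks that the script blocks both PINs before TERMINATE DF. It assumes the OpenPGP card default retry counter of 3 and that the applet only accepts TERMINATE DF once PW1 and PW3 are both blocked; the embedded RESET_SCRIPT is a copy of the script above.

```python
from collections import namedtuple

INS_NAMES = {0x20: "VERIFY", 0xE6: "TERMINATE DF", 0x44: "ACTIVATE FILE"}
PW_NAMES = {0x81: "PW1 (user PIN)", 0x83: "PW3 (admin PIN)"}
DEFAULT_RETRIES = 3  # assumption: OpenPGP card default retry counter for PW1 and PW3
Apdu = namedtuple("Apdu", "cla ins p1 p2 data")  # ISO 7816-4 command APDU fields

# Copy of the reset script above, used as this example's input.
RESET_SCRIPT = "\n".join(
    ["/hex", "scd serialno"]
    + ["scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40"] * 4
    + ["scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40"] * 4
    + ["scd apdu 00 e6 00 00", "scd apdu 00 44 00 00", "/bye"]
)

def parse_apdu(line: str) -> Apdu:
    """Parse 'scd apdu CLA INS P1 P2 [Lc DATA...]' (space-separated hex bytes)."""
    raw = bytes(int(tok, 16) for tok in line.split()[2:])
    if len(raw) < 4:
        raise ValueError(f"APDU header too short: {line!r}")
    data = b""
    if len(raw) > 4:  # short Lc form: one length byte, then exactly Lc data bytes
        lc, data = raw[4], raw[5:]
        if len(data) != lc:
            raise ValueError(f"Lc={lc} but {len(data)} data bytes in {line!r}")
    return Apdu(raw[0], raw[1], raw[2], raw[3], data)

def describe(a: Apdu) -> str:
    """Human-readable form of one command APDU."""
    name = INS_NAMES.get(a.ins, f"INS 0x{a.ins:02x}")
    if a.ins != 0x20:
        return name
    # VERIFY: P2 selects the password, the data field is the PIN being tried
    return f"{name} {PW_NAMES.get(a.p2, f'P2 0x{a.p2:02x}')} with {a.data.decode('latin-1')}"

def audit_reset_script(script: str) -> dict:
    """Count wrong-PIN attempts per password and check the TERMINATE/ACTIVATE order."""
    apdus = [parse_apdu(ln) for ln in script.splitlines() if ln.startswith("scd apdu")]
    attempts: dict = {}
    blocked = False
    for a in apdus:
        if a.ins == 0x20:
            attempts[a.p2] = attempts.get(a.p2, 0) + 1
        elif a.ins == 0xE6:  # assumption: TERMINATE DF only works once PW1 and PW3 are blocked
            blocked = all(attempts.get(pw, 0) >= DEFAULT_RETRIES for pw in PW_NAMES)
    order = [a.ins for a in apdus if a.ins in (0xE6, 0x44)]
    return {"attempts": attempts, "blocked_before_terminate": blocked,
            "terminate_then_activate": order == [0xE6, 0x44], "steps": [describe(a) for a in apdus]}
```

Running audit_reset_script on a script that only blocks PW1, or that sends ACTIVATE FILE before TERMINATE DF, reports the problem instead of silently passing.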