Securing My Digital Life: GPG, Yubikey, & SSH on macOS

  • Securely generated and stored PGP key
  • Private keys stored on my YubiKey
  • SSH access via gpg when my YubiKey is plugged in
  • git commit signing via YubiKey
  • Have all this working on the latest macOS

Step 1: Install Software

brew tap homebrew/versions
brew install gnupg21 pinentry-mac
brew install ykneomgr # If you want the ykneomgr CLI used below
brew cask install yubikey-neo-manager # If you want the GUI

Step 2: Configure Your YubiKey

Set the YubiKey mode to OTP/U2F/CCID. CCID is the smart-card interface that gpg talks to, so it must be enabled or the card will never show up in gpg.

ykneomgr --set-mode=6

Alternatively, set the mode from the YubiKey NEO Manager GUI.

Change the YubiKey PINs

  1. The guide is written for Linux. Replace gpg with gpg2 in its examples.
  2. The user PIN must be at least 6 characters and the admin PIN at least 8. Don't set shorter values; it will break things later on.
  3. You may need to “Unblock PIN” before changing it. If you don't know the current PINs, the factory defaults are 123456 (user) and 12345678 (admin).

Check your YubiKey’s Features

$ gpg2 --card-status | grep -Fi 'key attributes'
Key attributes ...: rsa2048 rsa2048 rsa2048

The three values are the signature, encryption, and authentication slots. This card reports rsa2048 for all three, so the subkeys generated in the next step must be 2048-bit.

Step 3: Generate PGP Keys & Add to YubiKey

  1. The guide is written for Linux. Replace gpg with gpg2 in its examples.
  2. Remember your YubiKey’s supported key sizes. I generated a 4096-bit master key with 2048-bit subkeys, matching the rsa2048 key attributes reported above. Fill in the correct values when prompted.
  3. The parts about the gpg.conf file are not entirely relevant for this example. Make sure you generate the master key and the subkeys, and move only the subkeys to the device.
  4. The guide covers exporting and backing up the keys, and not keeping the master private key on your machine. This is important! Because the guide assumes Linux, it recommends LUKS, which does not exist on OS X, so I used an alternate strategy: I formatted an existing USB pen drive as FAT32 and used VeraCrypt (an updated, bug-fixed, and maintained fork of the defunct TrueCrypt) to create a 128MB encrypted volume on it. I mounted that volume at ~/crypt and did all exports to that directory. This keeps the backups encrypted and readable on every platform, since FAT32 is supported everywhere and VeraCrypt runs on all major platforms.

Step 4: Configure GPG Agent

Update the GPG Agent Configuration File

Add the following to ~/.gnupg/gpg-agent.conf so the agent prompts for PINs and passphrases through a native macOS dialog. The same file also needs the line enable-ssh-support; without it the agent never creates the SSH socket used in the next section.

pinentry-program /usr/local/bin/pinentry-mac

Update your Shell Environment

For fish, in ~/.config/fish/config.fish:

set -x GPG_TTY (tty)
set -x SSH_AUTH_SOCK ~/.gnupg/S.gpg-agent.ssh

For bash or zsh, in ~/.bashrc or ~/.zshrc:

export GPG_TTY=$(tty)
export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"

Early GnuPG 2.1 builds create the socket under ~/.gnupg; newer ones may place it elsewhere, and gpgconf --list-dirs agent-ssh-socket prints the actual path if the one above does not exist. Then restart the agent so it reads the new configuration:

gpg-connect-agent killagent /bye
gpg-connect-agent /bye

Step 5: Take it for a Spin

Copy the card-backed public key to the clipboard, add it to your GitHub account's SSH keys, and test the connection. gpg-agent labels the key with the card's serial number, which is what the grep matches:

ssh-add -L | grep -iF 'cardno' | pbcopy
ssh -T git@github.com
Hi ahawkins! You've successfully authenticated, but GitHub does not provide shell access.
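Steps 4 and 5 as one script, added here as an example and not taken from the original post. It assumes Homebrew's gnupg and pinentry-mac under /usr/local (Apple Silicon Homebrew installs under /opt/homebrew, so override PINENTRY there), and it writes the enable-ssh-support line the agent needs before it will create the SSH socket. Instead of hard-coding ~/.gnupg/S.gpg-agent.ssh it asks gpgconf for the socket path, and the card_ssh_key filter reads ssh-add output from stdin so it can be exercised on a constructed line without a card present.

```shell
#!/bin/sh
# Added example (not code from the original post): wire gpg-agent up as the
# SSH agent for a YubiKey-resident authentication subkey on macOS.
# Assumptions: Homebrew gnupg and pinentry-mac under /usr/local (Intel Macs);
# on Apple Silicon set PINENTRY=/opt/homebrew/bin/pinentry-mac.
set -u

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
PINENTRY="${PINENTRY:-/usr/local/bin/pinentry-mac}"

# Render gpg-agent.conf. Besides pinentry-program, enable-ssh-support is
# mandatory: without it the agent never creates the S.gpg-agent.ssh socket.
# The TTLs (seconds) bound how long a cached PIN/passphrase stays usable.
render_agent_conf() {
    printf 'pinentry-program %s\nenable-ssh-support\ndefault-cache-ttl 600\nmax-cache-ttl 7200\n' "$1"
}

# Write the rendered config into a GNUPGHOME with restrictive permissions.
write_agent_conf() {
    dir="$1"
    mkdir -p "$dir" && chmod 700 "$dir"
    render_agent_conf "$PINENTRY" > "$dir/gpg-agent.conf"
    chmod 600 "$dir/gpg-agent.conf"
}

# Ask gpgconf where the SSH socket lives rather than hard-coding
# ~/.gnupg/S.gpg-agent.ssh; newer GnuPG releases can move it out of GNUPGHOME.
agent_ssh_socket() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --list-dirs agent-ssh-socket
    else
        printf '%s/S.gpg-agent.ssh\n' "$GNUPGHOME"
    fi
}

# Emit the lines for ~/.bashrc or ~/.zshrc (fish users: set -x instead).
shell_env() {
    printf 'export GPG_TTY=$(tty)\nexport SSH_AUTH_SOCK=%s\n' "$(agent_ssh_socket)"
}

# Restart so the new config is read; killagent fails harmlessly if none runs.
restart_agent() {
    gpg-connect-agent killagent /bye >/dev/null 2>&1 || true
    gpg-connect-agent /bye
}

# Filter the card-backed key out of `ssh-add -L` output read from stdin:
# gpg-agent labels it with the card serial as "cardno:NNNNNNNNNNNN".
card_ssh_key() {
    grep -F 'cardno:'
}

# Interactive usage (touches your real GNUPGHOME and contacts GitHub):
#   sh this.sh --apply
if [ "${1:-}" = "--apply" ]; then
    write_agent_conf "$GNUPGHOME"
    shell_env
    restart_agent
    ssh-add -L | card_ssh_key | pbcopy      # paste into GitHub > SSH keys
    ssh -T git@github.com
fi
```

The shell_env output still has to be appended to your shell's rc file by hand; the script prints it rather than editing dotfiles it does not own.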

Next Steps

  • Configuring gpg-agent TTLs (default-cache-ttl and max-cache-ttl in gpg-agent.conf); these set how long the agent caches a PIN/passphrase before prompting again.
  • Set your default PGP signing key (default-key) in your gpg.conf file
  • Git Commit Signing
  • Adding your GPG keys to Keybase (hint: keybase pgp select)
  • Get my PGP key from Keybase and send me an encrypted message
  • Upload your PGP key to a key server
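The default-key and git commit signing items above, worked through as an added example that is not part of the original post. It pulls the signature subkey's fingerprint off the card, pins it in gpg.conf and in git's config, and verifies a signed commit. It assumes the gnupg21 formula, which installs the binary as gpg2 while git runs gpg by default, hence the gpg.program setting; the fingerprint parser takes gpg2 --card-status output on stdin so it can be checked against a constructed status line.

```shell
#!/bin/sh
# Added example (not code from the original post): finish the signing setup.
# Assumes Homebrew's gnupg21, whose binary is gpg2.
set -u

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"

# Parse `gpg2 --card-status` (on stdin) for the signature key fingerprint.
# The line looks like "Signature key ....: 1234 5678 ... " with spaced groups,
# or "[none]" when the slot is empty, which we skip.
signing_fpr_from_status() {
    awk -F': ' '/^Signature key/ && $2 !~ /none/ { gsub(/ /, "", $2); print $2 }'
}

# gpg.conf: default-key makes --sign and git use the card's subkey without
# asking. Use the full fingerprint; short key ids are trivially collidable.
render_gpg_conf() {
    printf 'default-key %s\n' "$1"
}

# Write git's signing settings into a config file ($2), defaulting to the
# global one. gpg.program must name gpg2 because git runs "gpg" by default.
configure_git_signing() {
    fpr="$1"
    cfg="${2:-$HOME/.gitconfig}"
    git config --file "$cfg" gpg.program gpg2
    git config --file "$cfg" user.signingkey "$fpr"
    git config --file "$cfg" commit.gpgsign true
}

# Signature check on the last commit; the exit status is what a CI gate
# should look at, not the human-readable output.
verify_head() {
    git verify-commit HEAD
}

# Interactive usage, inside a git repository with the YubiKey plugged in:
#   sh this.sh --apply
if [ "${1:-}" = "--apply" ]; then
    fpr=$(gpg2 --card-status | signing_fpr_from_status)
    [ -n "$fpr" ] || { echo "no signature key on card" >&2; exit 1; }
    grep -q '^default-key' "$GNUPGHOME/gpg.conf" 2>/dev/null \
        || render_gpg_conf "$fpr" >> "$GNUPGHOME/gpg.conf"
    configure_git_signing "$fpr"
    git commit --allow-empty -m "signed test commit" && verify_head
fi
```

The empty commit at the end forces a PIN prompt through pinentry-mac and proves the signature chain from git through gpg2 and the agent down to the card; delete it afterwards if you do not want it in history.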




Adam Hawkins
