Heads-up: guide inspired by https://github.com/drduh/YubiKey-Guide.
5.2.3 or higher)
$, strip out $ as this character is not part of the command
cat << "EOF", select all lines at once (from cat << "EOF" to EOF inclusively) as they are part of the same (single) command
Heads-up: if keyboard layout of computer isn’t “English (US)”, set “Keyboard Layout”.
Click “+” under “Additional Settings”, then “Administration Password”, set password, click “Add” and, finally, click “Start Tails”.
Connected to Tor successfully
👍
Heads-up: release may be signed by another Yubico developer.
imported: 1
👍
Good signature
👍
ykman Bash alias
echo 'alias ykman="$HOME/Downloads/yubikey-manager-qt.AppImage ykman"' >> ~/.bashrc
source ~/.bashrc
Heads-up: once copied, one can persistently run ~/Downloads/yubikey-manager-qt.AppImage ykman to manage YubiKeys.
When asked for passphrase, create and memorize strong passphrase or use output from gpg --gen-random --armor 0 24 (and store password in air-gapped password manager).
Heads-up: replace 0xC2709D13BAB4763C with master key ID.
Heads-up: replace /path/to/signing/pub.asc with signing public key path.
Heads-up: replace /path/to/signing/master.asc with signing master key path.
Heads-up: replace 0xDFCECB410CE8A745 with signing master key ID.
Click “Places”, then “Home”, then backup volume (“Samsung BAR” in example below), enter admin password and, finally, click “Authenticate”.
The VeraCrypt volume has been successfully created.
👍
Click “Applications”, then “Utilities”, then “Unlock VeraCrypt Volumes”, then “Add”, select “tails” file on backup volume, click “Open”, enter password and, finally, click “Unlock”.
Heads-up: replace tcrypt-1793 with directory found using ls /dev/mapper and ignore “dirty bit is set” error.
Heads-up: replace 8ff4dedf-6aa1-4b97-909d-63075b3eb70a with directory found using ls /media/amnesia.
Heads-up: replace johndoe with name associated to master key.
Click “Applications”, then “Utilities”, then “Unlock VeraCrypt Volumes” and, finally, click “x”.
tails file
Heads-up: files stored in tails include private keys which, if lost, result in losing one’s cryptographic identity (safeguard backup mindfully).
Heads-up: one should never unlock tails on macOS (or any other computer that isn’t air-gapped and hardened).
Heads-up: default user PIN is 123456 and default admin PIN is 12345678.
Heads-up: one should set different PIN for user vs admin and never use admin PIN on macOS (or any other computer that isn’t air-gapped and hardened).
On
👍
Heads-up: increase sleep delay if “Error: No YubiKey detected!” error is thrown.
Heads-up: configuration lock prevents configuring YubiKey without entering lock code (store lock code in air-gapped password manager).
👍
Heads-up: if keyboard layout of computer isn’t “English (US)”, set “Keyboard Layout”.
Click “+” under “Additional Settings”, then “Administration Password”, set password, click “Add” and, finally, click “Start Tails”.
Click “Places”, then “Home”, then backup volume (“Samsung BAR” in example below), enter admin password and, finally, click “Authenticate”.
Click “Applications”, then “Utilities”, then “Unlock VeraCrypt Volumes”, then “Add”, select “tails” file on backup volume, click “Open”, enter password and, finally, click “Unlock”.
Heads-up: replace Samsung BAR with backup volume name and johndoe with name associated to master key.
Click “Applications”, then “Utilities”, then “Unlock VeraCrypt Volumes” and, finally, click “x”.
👍
Heads-up: replace Samsung BAR with backup volume name and johndoe with name associated to master key.
👍
Heads-up: replace 0xC2709D13BAB4763C with master key ID.
dirmngr.conf
Heads-up: back up current config using cp ~/.gnupg/dirmngr.conf ~/.gnupg/dirmngr.conf.backup (if necessary).
gpg.conf
Heads-up: back up current config using cp ~/.gnupg/gpg.conf ~/.gnupg/gpg.conf.backup (if necessary).
gpg-agent.conf
Heads-up: back up current config using cp ~/.gnupg/gpg-agent.conf ~/.gnupg/gpg-agent.conf.backup (if necessary).
Heads-up: replace john@example.net with email and johndoe with name associated to master key.
ssh-ed25519 AAAAC3Nz… john@example.net
👍
gpg-agent (required to enable pinentry-mac)
OK
👍
gpg: sending key 0xC2709D13BAB4763C to hkps://keys.openpgp.org
👍