keybase / keybase-issues

A single repo for managing publicly recognized issues with the keybase client, installer, and website.

Yubikey Neo / PGP keys / import to Keybase #3066

Open ThierryIT opened 6 years ago

ThierryIT commented 6 years ago

Hi, I have received my second Yubikey (Neo) and generated from this Yubico key PGP keys of 2048 bits (S.E.A.). I would like to use this new Yubikey to add my own PGP key to my Keybase account instead of using the one generated by Keybase. When doing a "gpg --list-keys" I can see my new PGP keys.
When doing a "gpg -K" I can see my master key + subkeys. When using Kleopatra from my Windows 7, I can see my newly created keys. But when doing a "keybase pgp select" I do not see the right key. Thx

Morthawt commented 6 years ago

Is SEA elliptic curve? If so, I am not sure keybase supports it.

ThierryIT commented 6 years ago

Nope ... RSA :)

holvonix-eng commented 6 years ago
gpg --armor --export YOURMASTERKEYID > output.asc

then copy output.asc into the keybase webapp is what works for us with offline master key + in-use yubikey subkey. Or do you want to move the private key from the yubikey into Keybase? It should be impossible to get the private key out of a yubikey :)

Morthawt commented 6 years ago

In my opinion keybase should never get your private key, encrypted or not. It should never leave your possession. But that is just my opinion. I used the shell to verify. Verifying your key is one thing, but adding the private key to keybase itself to make use of the in-browser/in-app capabilities is a whole other thing. I am not sure what you are trying to do.

ThierryIT commented 6 years ago

And I fully agree :) That's my policy too :) I am only using sub keys.

holvonix-eng commented 6 years ago

Sorry if I was unclear, I definitely don't want Keybase to have any private keys, encrypted or not. I was just pointing out that the standard export worked for me with a master-offline/subkey-on-yubikey setup.

ThierryIT commented 6 years ago

I did another try under Windows:

1) gpg --armor .... > output.asc (master off)
2) type output.asc | keybase gpg import

ERROR No secret key available

Still ....

junderw commented 6 years ago

I just imported my yubikey subkeys with keybase pgp select --no-import --multi

You need to have the secretkey stubs in your gpg keyring (it shows up as sec> ) and have the card plugged in and enter the PIN.

junderw commented 6 years ago

you don't need multi if it's your only PGP key and you don't have any non-revoked PGP keys currently.

ThierryIT commented 6 years ago

Mine shows up as sec# (because master offline) The option "--no-import" will not work for me because my master key is offline ...

When typing "keybase pgp select" I can see a list of 5 available keys .... From this list, I can see old keys that do not exist anymore ....

junderw commented 6 years ago
sec#  rsa2048/3590FEA3 2017-09-26 [C]
uid         [  究極  ] Jonathan Underwood <[delete to prevent bots]>
uid         [  究極  ] Jonathan Underwood <[delete to prevent bots]>
uid         [  究極  ] [jpeg image of size 4543]
ssb>  rsa2048/A6BA8B14 2017-09-26 [E] [有効期限: 2019-09-26]
ssb>  rsa2048/A8CD7ACD 2017-09-26 [S] [有効期限: 2019-09-26]
ssb>  rsa2048/69237DE0 2017-09-26 [A] [有効期限: 2019-09-26]

This is exactly how my key looked when I used keybase pgp select --no-import --multi to add the key.

ThierryIT commented 6 years ago

What I do have on my Yubico:

General key info..: sub rsa4096/11E38D8B0C7F6234 2017-09-22 Thierry Stephan len@xxxxx.org
sec#  rsa4096/2FA49B909E26E4B6 créé : 2017-09-22 expire : 2018-03-21
ssb>  rsa4096/11E38D8B0C7F6234 créé : 2017-09-22 expire : 2018-03-21 nº de carte : 0006 05407736
ssb>  rsa4096/7A0D19BD74E22AE4 créé : 2017-09-22 expire : 2018-03-21 nº de carte : 0006 05407736

And what I have when I do a "keybase pgp select --multi" is:

#  Algo   Key Id            Created  UserId
=  ====   ======            =======  ======
1  3072R  9B48FFFD68317733           Mailbox.org lexxx@mailbox.org
2  3072R  0A044C2BCD88D60E           Thierry vme1@gmail.com
3  3072R  CE0A983F42388184           Jobs email js@xxxxx.org
4  4096R  A199F14E234F509D           keybase_teste_key jojo@jojo.com
5  4096R  CB43AC4E37E799A2           ddddd lena@xxxxxorg
6  4096R  B37294D1B7E3B9CD           Thierry len@maelenn.org

The key I need (in Yubico) doesn't show .... The keys 5 (revoked) and 6 (revoked) have been removed but are still shown ...

Thx for your help.

ThierryIT commented 6 years ago

more or less the same issue: https://github.com/keybase/keybase-issues/issues/2909

And what I do have on the same PC where Keybase is installed:

E:\Program Files (x86)\GNU\GnuPGP3.0.0\GnuPG\bin>gpg --list-secret-keys 0x9E26E4B6
sec#  rsa4096 2017-09-22 [CA] [expire : 2018-03-21]
      4B084B7DxxxxxxxxxxxxxxxxxxxxxxxxxxB909E26E4B6
uid        [ ultime ] Thierry Stephan lenxxxx@xxxxx.org
ssb>  rsa4096 2017-09-22 [S] [expire : 2018-03-21]
ssb>  rsa4096 2017-09-22 [E] [expire : 2018-03-21]

johntdyer commented 6 years ago

I think I am having the same issue

gpg2 --list-secret-keys

sec#  rsa4096/0x6759E93B570163EA 2017-10-15 [SC] [expires: 2020-10-14]
      Key fingerprint = 885C 81A7 6E15 5B0C 146F  FF0E 6759 E93B 5701 63EA
uid                   [ultimate] John Dyer (Personal) <johntdyer@xxxxx.com>
uid                   [ultimate] John Dyer (Cisco) <johndye@xxxx.com>
uid                   [ultimate] John Dyer (Tropo) <jdyer@xxxx.com>
uid                   [ultimate] John Dyer (Keybase) <johntdyer@xxxx.io>
uid                   [ultimate] [jpeg image of size 7333]
ssb>  rsa4096/0x4BF22384539F5ECB 2017-10-15 [S] [expires: 2020-10-14]
ssb>  rsa4096/0x445999631383153B 2017-10-15 [E] [expires: 2020-10-14]
ssb>  rsa4096/0xBF9B71128F3C6746 2017-10-15 [A] [expires: 2020-10-14]

And when I try to encrypt and decrypt I get an error

Test

$ keybase pgp encrypt -m "test" johntdyer > test
$ keybase pgp decrypt < test
▶ WARNING error unlocking key: Bad key found: no private key material or GPGKey
▶ WARNING error unlocking key: Bad key found: no private key material or GPGKey
▶ WARNING error unlocking key: Bad key found: no private key material or GPGKey
▶ ERROR decrypt error: unable to find a PGP decryption key for this message

Not really sure how to proceed at this point but I'd certainly appreciate any feedback anyone can give...

yottatsa commented 6 years ago

Same for me 9199875678a690931218691c

johntdyer commented 6 years ago

Any update ???

ThierryIT commented 6 years ago

good question :(

maxtaco commented 6 years ago

This is a challenging feature for us to support, and very few ask for it. I'd recommend that if you're using a device to store your private key, you can use keybase pgp select to associate the public key with your keybase profile, but you should revert to using gpg for secret key operations.

ThierryIT commented 6 years ago

By "keybase pgp select" you mean that I will import my private key to your server?

maxtaco commented 6 years ago

No. Read the online docs.


maxtaco commented 6 years ago

Furthermore such a thing is not even possible with a yubikey.


ThierryIT commented 6 years ago

I am using Yubikey to store my sub-keys, and this is working very well. My private key is not accessible from internet. Only working with sub-keys.

maxtaco commented 6 years ago
$ keybase pgp select --help
NAME:
   keybase pgp select - Select a key as your own and register the public half with the server

USAGE:
   keybase pgp select [command options] [key query]

DESCRIPTION:
   "keybase pgp select" looks at the local GnuPG keychain for all
   available secret keys. It then makes those keys available for use with keybase.
   The steps involved are: (1) sign a signature chain link with the selected PGP
   key and the existing device key; (2) push this signature and the public PGP
   key to the server; (3) copy the PGP secret half into your local Keybase keyring;
   and (4) encrypt this secret key with Keybase's local key security
   mechanism.

   By default, Keybase suggests only one PGP public key, but if you want to,
   you can supply the "--multi" flag to override this restriction. If you don't
   want your secret key imported into the local Keybase keyring, then use
   the "--no-import" flag.

   This operation will never push your secret key, encrypted or otherwise,
   to the Keybase server.

OPTIONS:
   --multi      Allow multiple PGP keys.
   --no-import      Don't import private key to the local Keybase keyring.
   --only-import    only import the secret key into the local Keybase keyring.

ThierryIT commented 6 years ago

"keybase pgp select" looks at the local GnuPG keychain for all available secret keys

And when the secret key is, by default, not in the local GnuPG keychain? If I remember well, because it was a long time ago, I have already done this, without any success.

Thx anyway for your help.

maxtaco commented 6 years ago

Should work if you have a signing subkey available. You can read the logs (keybase status) to see what GPG commands keybase is issuing, and can debug them if they're not working properly.
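The two conditions raised in this thread (junderw: the secret-key stubs must be in the GnuPG keyring, shown as sec> / ssb>, with the card plugged in and the PIN entered; maxtaco: a signing subkey must be available) can be checked before running keybase pgp select. The script below is an added example, not Keybase or GnuPG code. It parses the machine-readable listing that gpg --with-colons -K produces (field 15 of a sec/ssb record is "#" for a stub with no secret material, a card serial number when the secret lives on a token, and empty when it is on disk; field 12 holds the capabilities), classifies each secret key, and reports whether a usable signing key exists. The three keyrings at the bottom are constructed sample listings with placeholder key IDs and a placeholder card serial, not real keys.

```python
"""Classify secret keys from `gpg --with-colons -K` and check readiness for
`keybase pgp select`. Added example; not GnuPG or Keybase code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# OpenPGP public-key algorithm IDs as printed in field 4 of the listing.
ALGO_NAMES = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


@dataclass
class SecretKey:
    record: str           # "sec" (primary key) or "ssb" (subkey)
    keyid: str
    bits: int
    algo: str
    caps: str             # field 12; lowercase letters are this key's own capabilities
    expires: Optional[int]
    location: str         # "disk", "stub" (sec#/ssb# in the human listing) or "token:<serial>"

    @property
    def usable(self) -> bool:
        # A stub has no secret material anywhere, so gpg answers "No secret key".
        return self.location != "stub"

    @property
    def can_sign(self) -> bool:
        # Case-sensitive on purpose: for a sec record the uppercase letters
        # describe the whole key including subkeys, not the primary itself.
        return "s" in self.caps


def parse_secret_keys(colon_listing: str) -> List[SecretKey]:
    """Parse sec/ssb records; fpr/uid/grp records are skipped."""
    keys: List[SecretKey] = []
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue
        fields += [""] * (20 - len(fields))   # pad short records (1-indexed fields -> index-1)
        token = fields[14]                     # field 15: "#" stub, serial if on card, "" on disk
        if token == "#":
            location = "stub"
        elif token:
            location = f"token:{token}"
        else:
            location = "disk"
        keys.append(SecretKey(
            record=fields[0],
            keyid=fields[4],
            bits=int(fields[2] or 0),
            algo=ALGO_NAMES.get(int(fields[3] or 0), f"algo{fields[3]}"),
            caps=fields[11],
            expires=int(fields[6]) if fields[6] else None,
            location=location,
        ))
    return keys


def select_readiness(keys: List[SecretKey]) -> Tuple[bool, str]:
    """Apply the rule from the thread: a usable signing-capable secret key is required.
    If that key is on a card, the card must be present and the PIN entered."""
    if not any(k.record == "sec" for k in keys):
        return False, "no primary key record in the keyring"
    signers = [k for k in keys if k.can_sign and k.usable]
    if not signers:
        return False, "no signing-capable secret key available (only stubs)"
    on_card = [k for k in signers if k.location.startswith("token:")]
    if on_card:
        serial = on_card[0].location[len("token:"):]
        return True, (f"signing subkey {on_card[0].keyid} is on card {serial}; "
                      "plug it in and enter the PIN")
    return True, f"signing key {signers[0].keyid} ({signers[0].algo}) is on disk"


# Constructed sample listings (placeholder key IDs and card serial).
# Offline primary (stub) with signing and encryption subkeys on a card:
SAMPLE_CARD = """\
sec:u:4096:1:AAAA000000000001:1506038400:1521590400::u:::cESCA:::#::::::0:
fpr:::::::::AAAA0000000000000000000000000000000000001:
ssb:u:4096:1:AAAA000000000002:1506038400:1521590400:::::s:::000605407736::::::0:
ssb:u:4096:1:AAAA000000000003:1506038400:1521590400:::::e:::000605407736::::::0:
"""
# Everything is a stub, which is what "ERROR No secret key available" looks like:
SAMPLE_STUBS = """\
sec:u:4096:1:AAAA000000000001:1506038400:1521590400::u:::cESCA:::#::::::0:
ssb:u:4096:1:AAAA000000000002:1506038400:1521590400:::::s:::#::::::0:
ssb:u:4096:1:AAAA000000000003:1506038400:1521590400:::::e:::#::::::0:
"""
# An EdDSA primary key held on disk (algorithm 22, curve in field 17):
SAMPLE_ECC = """\
sec:u:256:22:AAAA000000000010:1506038400:::u:::scESCA:::::ed25519::0:
"""

if __name__ == "__main__":
    for name, listing in (("card", SAMPLE_CARD), ("stubs", SAMPLE_STUBS), ("ecc", SAMPLE_ECC)):
        keys = parse_secret_keys(listing)
        for k in keys:
            print(f"{name}: {k.record} {k.algo}{k.bits} {k.keyid} caps={k.caps} {k.location}")
        print(f"{name}: ready={select_readiness(keys)}")
```

Run it against a real keyring with `gpg --with-colons -K | python3 script.py` after replacing the sample strings with `sys.stdin.read()`; the classification mirrors what the human-readable sec#/ssb> markers show, but is easier to act on from a script.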

ThierryIT commented 6 years ago

As you can see on my previous post, I do have one. I will have a look this week and let you know.

Thx

smiller171 commented 6 years ago

No luck for me on the same thing...

razorsedge commented 6 years ago

This is a challenging feature for us to support, and very few ask for it. I'd recommend that if you're using a device to store your private key, you can use keybase pgp select to associate the public key with your keybase profile, but you should revert to using gpg for secret key operations.

Challenge or not, I can't imagine a proper PKI security app that doesn't integrate with hardware security keys like YubiKey.

razorsedge commented 6 years ago

And since I am being critical, I have to add that I managed to get this to work yesterday with my YubiKey 4 on OSX.

smiller171 commented 6 years ago

@razorsedge would you like to share with the class? I've been unable to get my public keys into Keybase

Morthawt commented 6 years ago

PGP is already too complicated and prone to problems like people replying to emails and forgetting to encrypt and having the entire RE:RE:RE email conversation quoted in a single blunder without having simple operational issues. I find it mystifying how something can be so complex for users without giving up all autonomy over their private keys or being some kind of expert. It was over a year before I was aware I could use the weird built in commands to get my key verified without having to sacrifice uploading an "ENCRYPTED" copy of my private key to the keybase servers (which I would never do even if paid). It's time to rethink adding an additional very simple as hell verification where you provide some text and demand we sign it by whatever means we use to sign and then you, simply... verify it. I fail to see how this has not already been implemented. I brought this up long long ago. The more complex you make things, the more things can go wrong. I should not need to use built in, non-standard commands in order to prove I have my own private key.


razorsedge commented 6 years ago

@smiller171 I wrote it up here: Keybase and GNUPG and Yubikey (oh my!)

I have not attempted to duplicate the steps to see what I might have missed, but hopefully this helps someone.

smiller171 commented 6 years ago

@razorsedge It looks like keybase only knows about your master key. I'm trying to upload my subkeys

ThierryIT commented 6 years ago

Hi, Do you think that a GPG key built with ECC can be a problem for Keybase? When on my keybase shell, I am doing:

keybase pgp select --no-import --multi

As a result I do have:

2 3072R 0A0xxxxxxD60E my_name <toto@gmail.com>
3 3072R CE0xxxxxxxx184 Jobs email <jobs@gmail.com>
4 0? 0000000000000000 my_name <log@domain.org>
5 0? 0000000000000000 my_name <log@domain.org>
6 0? 0000000000000000 my_name <log@domain.org>
7 0? 0000000000000000 my_name <log@domain.org>
8 0? 0000000000000000 my_name <log@domain.org>

Ideas ?

ThierryIT commented 6 years ago

I have succeeded. What I did:

1) revoked the PGP key created via Keybase
2) generated a new key pair, 3072 bits/RSA
3) imported my own PGP subkeys with:

nethershaw commented 4 years ago

That defeats the purpose of a YubiKey.