linuxboot / heads-wiki

Documentation for the Heads firmware project

How to use existing keys on a YubiKey with a fresh install #117

Open rbreslow opened 1 year ago

rbreslow commented 1 year ago

From https://github.com/osresearch/heads/pull/1282:

It's not obvious how to store your private keys on a YubiKey. OEM Factory Reset / Re-Ownership --> is NOT your friend. Instead, you want to go under GPG Options --> Add GPG key to running BIOS and reflash, which will prompt you to insert a USB drive containing your GPG public key. Then, the next time you select Update checksums and sign all files in /boot, Heads will prompt you to insert your GPG smartcard.

OEM Factory Reset / Re-Ownership --> will generate keys on the device, OR will prompt you to generate keys on a hardware token, which led me to accidentally wipe my YubiKey.

I'm imagining some sort of guided menu that asks "Would you like to use an existing GPG key pair?" And then walks the user through flashing their public key to the BIOS, etc.

tlaurion commented 1 year ago

@rbreslow: On a fresh flash, without keeping persistence, Heads detects that no gpg key material exists inside of the firmware:

https://github.com/osresearch/heads/blob/e45980d33f46c9d3aa2855e1876e915a8fc53cdd/initrd/bin/gui-init#L281-L315

Resulting in what is shown in the doc at https://osresearch.net/Configuring-Keys/#adding-your-pgp-key, as in this screenshot: IMG_20720216_040452

Which proposes two alternatives: OEM Factory reset/Re-Ownership or Add gpg key to running bios.

@rbreslow My question to you would be: What would you want to see there instead? Or what would you replace into the OEM Factory reset/Re-Ownership wizard to make it clearer that current secrets will be wiped?

rbreslow commented 1 year ago

Honestly, I'm not sure. Looking at things now, the UI seems clear to me. But I know I was confused when I was first trying this.

I think that OEM Factory Reset / Re-Ownership jumped out because my brain thought, "yes! new computer, I want to reset everything."

If that option is meant only for an OEM like Insurgo, I might make it more explicit that, as an end-user, this isn't what you want.

Also, the docs themselves felt dense, and I skimmed through rather than reading closely. Asking myself, "why," I think the Configuring-Keys page looks like an FAQ rather than a linear tutorial. So this made it difficult to find information about the exact type of setup I wanted.

I will have to sit and reflect on this. But I wanted to create an issue so my feeling was tracked.