YubiKey-Guide
Yubikey FIPS series not supported
In the guide under Purchase you write:
All YubiKeys except the blue security key model are compatible with this guide.
However, it looks like the FIPS models are not supported either.
What isn't working on the FIPS keys? Can you be more specific?
Adding some more information here as I recently just hit this as well. From the Yubico support docs:
Note: The YubiKey 5 FIPS Series does not support OpenPGP. Should you need this functionality, you will need either the YubiKey FIPS (4 Series) or the YubiKey 5 Series (non-FIPS).
Based on the testing, it looks like this extends to all flavours of PGP as GnuPG is also not working. Simple things like updating the cardholder name won't work.
$ gpg --version
gpg (GnuPG) 2.3.2
libgcrypt 1.9.4
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /Users/jacob/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
AEAD: EAX, OCB
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
$ ykman list
YubiKey 5 NFC FIPS (5.4.2) [OTP+FIDO+CCID] Serial: xxx
$ ykman info
Device type: YubiKey 5 NFC FIPS
Serial number: xxx
Firmware version: 5.4.2
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.
Applications USB NFC
FIDO2 Enabled Enabled
OTP Enabled Enabled
FIDO U2F Enabled Enabled
OATH Enabled Enabled
YubiHSM Auth Not available Not available
OpenPGP Not available Not available
PIV Enabled Enabled
$ ykman config usb --enable OPENPGP
Error: OPENPGP not supported over USB on this YubiKey.
$ gpg --edit-card
gpg-agent[1070]: card has S/N: xxx
Reader ...........: Yubico YubiKey OTP FIDO CCID
Application ID ...: xxx
Application type .: OpenPGP
Version ..........: 0.0
Manufacturer .....: ?
Serial number ....: xxx
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Max. PIN lengths .: 3 -2 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
gpg/card> admin
Admin commands are allowed
gpg/card> name
Cardholder's surname: Last
Cardholder's given name: First
gpg: error setting Name: Invalid name
gpg/card> q
I don't think there is anything for this repository to do except maybe add a note that FIPS keys won't work with the guide.
Yeah, the FIPS key is designed primarily to use the PIV spec for encryption/authentication rather than GPG for encryption.
In a government FIPS environment, the traditional CAC card is effectively a PIV card. PIV supports encryption and authentication as well as automated logout on card removal.
As US gov & military require PIV as the sole authorised standard for their personnel, they wouldn't be happy if individuals occasionally used their own GPG key … hence this feature is missing.
For setting up PIV there are a few good tutorials on Yubico's website.
But I came across another toolset that provides more functionality:
https://youtu.be/ojyxDpiPAv0
https://github.com/joyent/pivy
This works well and easily compiles on Linux. (I haven't yet got this to work on BSD … nor have I had time to look into why not.)
I've got a pair of FIPS keys and will be taking a look at this issue.
If it is not supported as you mention, I would be happy to write a section on how to use the PIV applet for encryption and ssh.
I've also got a pair of Yubikey 5 NFC FIPS keys and they work just fine with gpg/gnupg and ssh using rsa. Have you tested your keys?
They must have updated the FIPS keys to be gpg/gnupg compatible, because I've got a pair of Yubikey 5 NFC FIPS keys and they work just fine with gpg/gnupg and ssh using rsa.
Digging back into the docs suggests that 5.4.3 should have OpenPGP support
Note: The YubiKey 5 FIPS Series with initial firmware release version 5.4.2 does not support OpenPGP. Support for OpenPGP was added in firmware version 5.4.3.
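The thread above boils down to a pre-flight check: before following the guide, confirm from `ykman info` that the OpenPGP application is actually present and enabled over USB, and on a FIPS key that the firmware is 5.4.3 or later. The script below is an added example and is not part of the YubiKey-Guide project or of Yubico's tooling. It parses the `ykman info` output format captured in this thread (a constructed copy of the 5.4.2 FIPS output, plus a hypothetical non-FIPS output) and returns non-zero when the guide will not work on that key; in real use you would feed it `ykman info` directly. The field names and the 5.4.3 threshold come from the thread; the non-FIPS sample and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the YubiKey-Guide project): pre-flight check for
# OpenPGP support, driven by the `ykman info` output format shown above.

# Constructed sample: the 5.4.2 FIPS key captured in this thread.
SAMPLE_FIPS_542='Device type: YubiKey 5 NFC FIPS
Serial number: xxx
Firmware version: 5.4.2
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.
Applications USB NFC
FIDO2 Enabled Enabled
OTP Enabled Enabled
FIDO U2F Enabled Enabled
OATH Enabled Enabled
YubiHSM Auth Not available Not available
OpenPGP Not available Not available
PIV Enabled Enabled'

# Constructed, hypothetical sample: a non-FIPS key with OpenPGP enabled.
SAMPLE_NONFIPS='Device type: YubiKey 5 NFC
Serial number: xxx
Firmware version: 5.4.3
Applications USB NFC
OpenPGP Enabled Enabled
PIV Enabled Enabled'

# version_ge A B: succeed if dotted version A >= B (numeric, component-wise).
# Implemented in awk so it does not depend on `sort -V` being available.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      ai = (i <= n) ? x[i] + 0 : 0; bi = (i <= m) ? y[i] + 0 : 0
      if (ai > bi) exit 0
      if (ai < bi) exit 1
    }
    exit 0
  }'
}

# openpgp_ready INFO: INFO is the text of `ykman info`. Prints a verdict and
# returns 0 only when the OpenPGP applet is enabled over USB (and, for FIPS
# keys, the firmware is at least 5.4.3, per the Yubico note quoted above).
openpgp_ready() {
  info="$1"
  dev=$(printf '%s\n' "$info" | awk -F': ' '/^Device type:/ {print $2}')
  fw=$(printf '%s\n' "$info" | awk -F': ' '/^Firmware version:/ {print $2}')
  # Second column of the "OpenPGP" row is the USB state: Enabled, Disabled,
  # or "Not" (from "Not available").
  usb=$(printf '%s\n' "$info" | awk '/^OpenPGP/ {print $2}')

  case "$dev" in
    *FIPS*)
      if ! version_ge "$fw" 5.4.3; then
        echo "no: $dev firmware $fw predates OpenPGP support (added in 5.4.3)"
        return 1
      fi ;;
  esac

  case "$usb" in
    Enabled)
      echo "ok: $dev firmware $fw has OpenPGP enabled over USB"
      return 0 ;;
    Disabled)
      echo "no: OpenPGP present but disabled; try: ykman config usb --enable OPENPGP"
      return 1 ;;
    *)
      echo "no: OpenPGP application not available on $dev ($fw)"
      return 1 ;;
  esac
}

# Standalone usage: run both constructed samples through the check.
openpgp_ready "$SAMPLE_FIPS_542" || true
openpgp_ready "$SAMPLE_NONFIPS"
```

In practice replace the constructed samples with `openpgp_ready "$(ykman info)"`. The check deliberately keys the firmware test on the "FIPS" device type rather than on firmware alone, because a non-FIPS 5.4.2 key does have the OpenPGP applet.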