Best way to set up YuPass - StratusFearMe21/yupass GitHub Wiki

Best way to set up YuPass

This is the best way to set up YuPass, but it may be a little involved for a lot of people. With this method you keep multiple fallbacks for your secrets, so that if you lose one of your YubiKeys, you can create and format a new YubiKey easily. (This method requires two YubiKeys.)

Generate a GPG key

  1. First we want to generate a GPG key
gpg --expert --full-generate-key
  2. Now we want to choose which type of key we want. I recommend choosing number 11 on the list
(11) ECC (set your own capabilities)
  3. Make sure that the allowed actions are Sign and Certify, then type q
  4. When prompted for which curve to choose, I recommend choosing Curve 25519
  5. I recommend that you choose for the key to never expire when prompted
  6. Fill in the information that GPG asks of you
  7. Now we have a GPG key; take notice of the fingerprint that GPG has given us
public and secret key created and signed.

pub   ed25519 2021-06-30 [SC]
      4C96764DF7144DC98E9361F3BE4F05434888A05C
uid                      Isaac Mills (Test Key) <[email protected]>

In this case 4C96764DF7144DC98E9361F3BE4F05434888A05C is our fingerprint.

Our key can't encrypt anything yet, so we have to add that functionality to it. First we run this command

gpg --expert --edit-key 4C96764DF7144DC98E9361F3BE4F05434888A05C
  1. Now, in the GPG command prompt, type the commands in this order
addkey
12
1
0
y
y
addkey
11
s
a
q
1
0
y
y

If you've done everything correctly, your key should look like this

sec  ed25519/BE4F05434888A05C
     created: 2021-06-30  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  cv25519/36F7D98EE727357A
     created: 2021-06-30  expires: never       usage: E
ssb  ed25519/44439E3117572BB3
     created: 2021-06-30  expires: never       usage: A
[ultimate] (1). Isaac Mills (Test Key) <[email protected]>
  2. Quit out of GPG by typing q and then saving your changes

Activate your YubiKey's HMAC-SHA1 capabilities

Here we will activate and configure our YubiKeys' HMAC-SHA1 capabilities by using the YubiKey Personalization Tool to write the same HMAC-SHA1 secret to two different YubiKeys

  1. Install and run the Yubikey Personalization Tool
  2. Click the Challenge-Response Mode button.
  3. Click the HMAC-SHA1 button
  4. Make sure that the configuration is as follows
  • Configuration Slot 2 is selected
  • Require user input (button press) is checked
  • Variable input is selected
  5. Click the Generate button next to the Secret Key (20 bytes hex) field
  6. Copy and paste the key generated in the text box into a notepad program of some kind, but don't save it yet; we'll put it somewhere safe later.
  7. With your YubiKey plugged in, click the Write Configuration button.
  8. Unplug your first YubiKey, plug in the second YubiKey, and click the Write Configuration button again.
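Since both YubiKeys must hold the same HMAC-SHA1 secret (and the copy in your notepad must match them), it is worth checking before the secret goes into the encrypted backup. In variable-input mode the slot answers a challenge with plain HMAC-SHA1(secret, challenge), so the expected response can be computed locally and compared with what `ykchalresp` reads from the key. This is an added example, not part of the yupass project; the saved-secret filename `/mnt/hmac-secret.txt` and the challenge string are assumptions.

```python
import hashlib
import hmac
import shutil
import subprocess

SLOT = 2  # the slot this guide programs in the Personalization Tool


def load_secret(hex_text):
    """Parse the 20-byte hex secret copied from the 'Secret Key (20 bytes hex)' field."""
    cleaned = "".join(hex_text.split())
    if len(cleaned) != 40:
        raise ValueError("HMAC-SHA1 secret must be exactly 20 bytes (40 hex characters)")
    return bytes.fromhex(cleaned)


def expected_response(secret, challenge):
    """Response a correctly programmed key returns in variable-input mode."""
    return hmac.new(secret, challenge, hashlib.sha1).hexdigest()


def yubikey_response(challenge, slot=SLOT):
    """Ask the plugged-in YubiKey for its response (hex challenge in, hex response out).

    Returns None when ykchalresp is not installed so the check can also run offline.
    The key will wait for a button press because 'Require user input' was selected.
    """
    if shutil.which("ykchalresp") is None:
        return None
    out = subprocess.run(["ykchalresp", f"-{slot}", "-H", "-x", challenge.hex()],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip().lower()


def responses_match(expected_hex, observed_hex):
    """Constant-time comparison of two hex-encoded responses."""
    return hmac.compare_digest(expected_hex.lower(), observed_hex.lower())


def backup_matches_key(hex_text, challenge=b"yupass-backup-check"):
    """True/False once the key has answered, or None if ykchalresp is unavailable."""
    expected = expected_response(load_secret(hex_text), challenge)
    observed = yubikey_response(challenge)
    return None if observed is None else responses_match(expected, observed)


if __name__ == "__main__":
    with open("/mnt/hmac-secret.txt") as fh:  # assumed location of the saved secret
        print("secret matches plugged-in key:", backup_matches_key(fh.read()))
```

Run it once per YubiKey; both keys must report True against the same saved secret.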

Encrypted FS

Now we will create an encrypted filesystem that we can use to store backups of our GPG key and the HMAC token we have ready in our notepad.

  1. Install ykfde
  2. Create a file using dd with a size of 200 megabytes called VHD.img
sudo dd if=/dev/zero of=VHD.img bs=1M count=200
  3. Format the new file with ykfde encryption
sudo ykfde-format VHD.img
  4. Open the new encrypted file and create its file system
sudo ykfde-open -d VHD.img -n cryptVHD
sudo mkfs.ext4 /dev/mapper/cryptVHD
  5. Mount the new encrypted filesystem
sudo mount /dev/mapper/cryptVHD /mnt
  6. Now save the HMAC-SHA1 key from your notepad to the /mnt directory
  7. Export your GPG key to the /mnt directory
gpg --armor --export 4C96764DF7144DC98E9361F3BE4F05434888A05C > /mnt/public.asc
gpg --armor --export-secret-key 4C96764DF7144DC98E9361F3BE4F05434888A05C > /mnt/private.asc

Move your GPG key to your YubiKey

Now we will move our GPG keys onto our YubiKeys.

  1. Begin editing your GPG key
gpg --expert --edit-key 4C96764DF7144DC98E9361F3BE4F05434888A05C
  2. Run these commands in the command prompt in this order (the default PIN is 123456 and the default Admin PIN is 12345678; we will change these later)
keytocard
1
key 1
keytocard
2
key 1
key 2
keytocard
3
q
  3. Now we should change the PINs on our key to be a little more secure. To do that, first we run this command
gpg --expert --edit-card
  4. Now run these commands in this order
admin
passwd
1
3
q
q
  5. Unplug your first YubiKey and re-import your secret and public keys into your computer
gpg --import /mnt/private.asc
  6. Plug in your second YubiKey and repeat steps 1-4 of this section
  7. At this point we can unmount our encrypted file
sudo umount -R /mnt
sudo cryptsetup close cryptVHD

Actually initialize the password database

Now we can actually create our password database.

  1. Install yupass (use make install not sudo make install)
git clone https://github.com/StratusFearMe21/yupass.git
cd yupass/
make install
  2. Run the init command
yupass init 4C96764DF7144DC98E9361F3BE4F05434888A05C