Replacing a lost Yubikey
Some weeks ago I lost my purse with everything in there, from residency card, driving license, credit cards, cash cards, all kind of ID cards, and last but not least my Yubikey NEO. Being Japan I did expect that the purse will show up in a few days, most probably the money gone but all the cards intact. Unfortunately not this time. So after having finally reissued most of the cards, I also took the necessary procedures concerning the Yubikey, which contained my GnuPG subkeys, and was used as second factor for several services (see here and here).
Although the GnuPG keys on the Yubikey are considered safe from extraction, I still decided to revoke them and create new subkeys – one of the big advantage of subkeys, one does not start at zero but just creates new subkeys instead of running around trying to get signatures again.
Other things that have to be made is removing the old Yubikey from all the services where it has been used as second factor. In my case that were quite a lot (Google, Github, Dropbox, NextCloud, WordPress, …). BTW, you have a set of backup keys saved somewhere for all the services you are using, right? It helps a lot getting into the system.
GnuPG keys renewal
To remind myself of what is necessary, here are the steps:
- Get your master key from the backup USB stick
- revoke the three subkeys that are on the Yubikey
- create new subkeys
- install the new subkeys onto a new Yubikey, update keyservers
All of that is quite straight-forward: Use gpg --expert --edit-key YOUR_KEY_ID, after this you select the subkey with key N, followed by a revkey. You can select all three subkeys and revoke them at the same time: just type key N for each of the subkeys (where N is the index starting from 0 of the key).
Next create new subkeys, here you can follow the steps laid out in the original blog. In the same way you can move them to a new Yubikey Neo (good that I bought three of them back then!).
Last but not least you have to update the key-servers with your new public key, which is normally done with gpg --send-keys (again see the original blog).
The most tricky part was setting up and distributing the keys on my various computers: The master key remains as usual on offline media only. On my main desktop at home I have the subkeys available, while on my laptop I only have stubs pointing at the Yubikey. This needs a bit of shuffling around, but should be obvious somehow when looking at the previous blogs.
Full disk encryption
I had my Yubikey also registered as unlock device for the LUKS based full disk encryption. The status before the update was as follows:
$ cryptsetup luksDump /dev/sdaN
Version: 1
Cipher name: aes
....
Key Slot 0: ENABLED
...
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: ENABLED
...
I was pretty sure that the Slot for the old Yubikey was Slot 7, but I wasn’t sure. So I first registered the new Yubikey in slot 6 with
yubikey-luks-enroll -s 6 -d /dev/sdaN
and checked that I can unlock during boot using the new Yubikey. Then I cleared the slot information in slot 7 with
cryptsetup luksKillSlot /dev/sdaN 7
and again made sure that I can boot using my passphrase (in slot 0) and the new Yubikey (in slot6).
TOTP/U2F second factor authentication
The last step was re-registering the new Yubikey with all the favorite services as second factor, removing the old key on the way. In my case the list comprises several WordPress sites, GitHub, Google, NextCloud, Dropbox and what else I have forgotten.
Although this is the nearly worst case scenario (ok, the main key was not compromised!), everything went very smooth and easy, to my big surprise. Even my Debian upload ability was not interrupted considerably. All in all it shows that having subkeys on a Yubikey is a very useful and effective solution.
Nice, I’ve been admiring the yubikey but could not find out what you would do in this scenario (losing the key) on their website. Or perhaps it was there and I didn’t understand it as well as you’ve explained it here. Anyway, I’m thinking other distros, and repositories like the Arch folks should invest in this idea, if they haven’t already. Judging by the
Informative article – It looks like the takehome advice from this is both to keep a record of where you have registered your security key, and to ensure all of these devices have a backup key should something happen to the key you keep with you.