
GnuPG Installation, Key Generation, & Decryption
© 2014 Yubico. All rights reserved.

Creating a Public/Private Key Pair for YubiKey Secrets

Ver 1.1

March 27, 2014


Introduction

Yubico is the leading provider of simple, open online identity protection. The company’s flagship product, the YubiKey®, uniquely combines driverless USB hardware with open source software. More than a million users in 100 countries rely on YubiKey strong two-factor authentication for securing access to computers, mobile devices, networks and online services. Customers range from individual Internet users to e-governments and Fortune 500 companies. Founded in 2007, Yubico is privately held with offices in California, Sweden and UK.

Disclaimer

The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. Yubico shall have no liability for any error or damages of any kind resulting from the use of this document. The Yubico Software referenced in this document is licensed to you under the terms and conditions accompanying the software or as otherwise agreed between you or the company that you are representing.

Trademarks

Yubico and YubiKey are trademarks of Yubico Inc.

Contact Information

Yubico Inc

228 Hamilton Avenue, 3rd Floor

Palo Alto, CA 94301

USA

[email protected]


Contents

Introduction ..... 3
Disclaimer ..... 3
Trademarks ..... 3
Contact Information ..... 3
1 Windows Installation ..... 6
2 Creating a Public/Private Key Pair ..... 8
3 Importing Yubico Keys for Validation ..... 15
4 Decrypting Files Encrypted with a Public Key ..... 18


1 Windows Installation

For the secure transfer of YubiKey secrets, Yubico employs a PGP Public/Private Key Pair schema, using Public Encryption keys provided by customers to encrypt secret data before sending it. This document outlines the process of installing the software needed to generate the PGP Public and Private key pairs, the creation of the Key Pairs themselves, and the decryption of files received from Yubico that were encrypted with the provided Public Key.

1) First, download the open source Windows application Gpg4win from http://gpg4win.org/download.html.

It is highly recommended that this application is installed on a secure computer which is regularly backed up, to ensure the created PGP Public/Private Key Pairs are not lost.

2) Install Gpg4win selecting the default options, making sure the following components are installed:

GnuPG
Kleopatra
GpgOL
GpgEX
Gpg4win Compendium


3) At the “Define Trustable Root Certificates” screen, select the option “Root certificate defined or skip configuration”.

4) Finish the default installation of the Gpg4win application.


2 Creating a Public/Private Key Pair

To ensure YubiKey secrets can only be accessed by the customer who purchased the corresponding YubiKeys, Yubico requests that customers provide a Public Key which can be used to encrypt files containing secret information. Encrypting with the provided Public Key ensures that only the customer who created the Public/Private key pair, and therefore holds the Private Key, can decrypt those files.

To generate a Public/Private Key pair and provide the Public Key to Yubico, follow the steps below:

1) Launch Kleopatra (Start > All Programs > Gpg4win > Kleopatra)

2) In Kleopatra, start the process to generate a new Public/Private key pair by selecting “File > New Certificate”. Public/Private Key Pairs are also referred to as “Certificates”.


3) In the opening page of the Certificate Creation Wizard, select the option “Create a personal OpenPGP key pair”.

4) In the provided fields, enter your name and email address. In the field labeled Comment, enter the name of the business or entity you represent. A full first and last name as well as a complete email address is required. Once the requested information has been entered, click “Next”.


5) On the next page, confirm the provided Certificate Parameters and click the “Create Key” button.

6) Enter and confirm a passphrase of at least 8 characters, containing at least 1 letter, 1 number and 1 symbol. Record this passphrase in a safe location: files encrypted with this Public/Private Key Pair cannot be decrypted without it.


7) After successfully creating the Key Pair, click the button labelled “Finish”.

Once the Public/Private Key Pair has been created, you will need to export the Public Key and send it to Yubico.

8) In Kleopatra's main window, right click the newly created Certificate and select “Export Certificate”. This exports the Public Key, which can be used to encrypt a file but not to decrypt it. Files encrypted with this Public Key can only be decrypted with the Private Key stored on the originating computer.


9) When exporting the Public Key, name the file with the Business or Company Name followed by the Contact Name and Date.

10) Send the generated file to the email address provided by Yubico.


DO NOT remove or delete the certificate in Kleopatra without first backing up the certificate in a safe location. This can be done by right clicking the certificate and selecting the “Export Secret Keys” option. The exported file is your Private Key: do NOT compromise it by sending it over an insecure channel, such as email or an unsecured network. Note that the passphrase will also need to be recorded, as the Private Key cannot be used without it.

If the certificate or secret key is lost or deleted, encrypted files sent from Yubico cannot be decrypted.


3 Importing Yubico Keys for Validation

Encrypted files sent from Yubico are signed by the Yubico programming station on which the YubiKeys were configured. By verifying that signature with the Public Key of the Yubico programming station, the authenticity of the received file can be confirmed.

A new installation of Gpg4win may require Kleopatra to be configured to communicate with the public key server. This can be done following the steps below:

1) In Kleopatra, open the Configure Kleopatra screen (Main Menu > Settings > Configure Kleopatra).

2) The Configure Kleopatra window opens on the Directory Services tab. Verify there is an entry in the Directory Services for “keys.gnupg.net”. If this entry is present, close the window and skip the next step.


3) If there is no entry for “keys.gnupg.net”, one needs to be added. Click the “New” button to create a new entry and verify that the settings in the entry are:

Scheme: hkp
Server Name: keys.gnupg.net
Server Port: 11371
Base DN: blank/empty
X.509: NOT checked
OpenPGP: checked

Click “OK” at the bottom to save the new Directory Service settings.

4) In Kleopatra, open the Certificate Server Certificate Lookup screen (Main Menu > File > Look up Certificates on Server).


5) In the Certificate Server Certificate Lookup screen, locate the "Find" field at the top, type in "Yubico", then click the Search button. This displays a list of all Yubico Certificates.

6) Select the entries "Yubico Inc, Programming station #1" and "Yubico Limited (Programming Station #2)" and click the button labelled "Import". This imports the Public Keys of the Yubico Programming stations, allowing you to verify the Yubico signatures.


4 Decrypting Files Encrypted with a Public Key

Files received from Yubico that have been encrypted with the provided Public Key must be decrypted with the same certificate from which that Public Key was exported.

1) Launch Kleopatra (Start > All Programs > Gpg4win > Kleopatra) and select “Decrypt/Verify Files”.

2) In the file browser that opens, select the encrypted file provided by Yubico.


3) In the Decrypt/Verify Files window, click the button labeled “Decrypt/Verify”.

4) A prompt will ask for the passphrase associated with the Private Key. Enter the passphrase set when creating the original certificate.


5) The encrypted file is decrypted and can be opened as normal.

Notes To Remember:

Always store your generated certificates and passphrases in a safe location to ensure that files received from Yubico can be decrypted.

Make sure to send out only the Public Key (Export Certificate) and NEVER the Private Key (Export Secret Keys).

Make sure to send out only a Public Key that corresponds to a Private Key you have on record.
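A pre-send check for the file produced by “Export Certificate” (section 2, steps 8 to 10) and for the notes above: this added example is not Yubico's code and not part of the original document. It parses the OpenPGP packet headers of a key export, binary or ASCII-armored as Kleopatra writes them, and reports whether any secret-key packets are present, so a Private Key is caught before it leaves the machine even when the file name or armor label says “public”. The packet tag numbers are the real ones from RFC 4880; the sample packets are constructed and are not real keys.

```python
import base64

SECRET_TAGS = {5, 7}   # OpenPGP Secret-Key / Secret-Subkey packets (RFC 4880 section 4.3)
PUBLIC_TAGS = {6, 14}  # Public-Key / Public-Subkey packets

def packet_tags(data: bytes) -> list:
    """Walk a binary OpenPGP packet stream and return its packet tags (RFC 4880 section 4.2)."""
    tags, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet stream")
        if ctb & 0x40:                        # new-format header: tag in the low 6 bits
            tag, b0 = ctb & 0x3F, data[pos + 1]
            if b0 < 192:
                length, hdr = b0, 2
            elif b0 < 224:
                length, hdr = ((b0 - 192) << 8) + data[pos + 2] + 192, 3
            elif b0 == 255:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                 # old-format header: tag in bits 2-5, length type in bits 0-1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            length = int.from_bytes(data[pos + 1:pos + 1 + (1 << ltype)], "big")
            hdr = 1 + (1 << ltype)
        tags.append(tag)
        pos += hdr + length
    return tags

def armor(data: bytes, label: str) -> bytes:  # ASCII armor with a dummy CRC line, for samples only
    return (b"-----BEGIN PGP " + label.encode() + b"-----\nVersion: constructed sample\n\n"
            + base64.b64encode(data) + b"\n=AAAA\n-----END PGP " + label.encode() + b"-----\n")

def dearmor(text: bytes) -> bytes:  # base64 body lies between the blank line and the CRC/END lines
    lines = text.decode("ascii", "replace").splitlines()
    body = lines[lines.index("") + 1:]
    return base64.b64decode("".join(l for l in body if not l.startswith(("=", "-----END"))))

def classify_key_export(data: bytes) -> str:
    """'secret', 'public' or 'unknown', decided by the packets present, not by the armor label."""
    present = set(packet_tags(dearmor(data) if data.startswith(b"-----BEGIN PGP") else data))
    return "secret" if present & SECRET_TAGS else "public" if present & PUBLIC_TAGS else "unknown"

# Constructed samples, not real keys: an old-format Public-Key packet (0x99 = tag 6, 2-octet
# length) plus a User ID packet (0xb4 = tag 13), and a new-format Secret-Key packet (0xc5 = tag 5).
PUBLIC_SAMPLE = b"\x99\x00\x03\x04\x00\x01" + b"\xb4\x05alice"
SECRET_SAMPLE = b"\xc5\x04\x04\x00\x01\x00"
```

Run `classify_key_export(open(path, "rb").read())` on the file you are about to email; anything other than "public" must not be sent.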