Comments:
Oh my gosh, this is fantastic.
Would you care leaving an .img from this microSD online somewhere? It's like nothing can really break it right?
Why would I want to enter my name and email when generating my master key?
Why would I not want to do it?
Could you please elaborate on that?
Very sexy indeed. Thanks again for everything, learning so much.
Thank you very much for creating such a lovely series. It's quite insightful and easy to follow. Can you also explain how to use the same pair of Private and Public keys (signing key) and generate a certificate which we can load back onto Yubikey and use it to sign PDF files. (How to generate the certificate and what to send to a Certifying Authority for them to add to their database / directory, so if anyone signs the PDF the same can be validated.) That would be really very helpful.
So sexy ❤
This work can all be done using the basic "Yubikey Security Keys", as opposed to the "Yubikey 5 Series", etc.?
Also, do 2 keys suffice?
I watch a ton of tech tuts and this has got to be one of the best, despite the monotonous robot voice, I've ever seen. Thanks!
Can anybody explain why the extra step of exporting the keys, when in the end the entire gnupg directory gets saved anyway?
why not use dd instead of all the balena nonsense?
how would I use this private key with Mailvelope? for me to be able to sign documents, I would have to upload my private key to it, right?
I had to come back here to ask: I'm doing this myself and it seems more reliable than industrial microSDs. Have you considered burning data onto a long-term Blu-ray or DVD instead? The ones that last for hundreds of years are virtually unbreakable, even against solar cosmic rays.
The current version of GnuPG is 2.4.3 and GnuPG on Tails is 2.2.27. Are there any problems with it? Do you know how to check if gpg is safe?
I tried to convince someone to use Tails, but he's a little wary about it and asked me whether the version in this system has not been modified by someone to generate keys with specific properties. How can one be sure of it? Is there a way to check this? E.g. by fingerprints of executable files as a security mechanism?
What’s the point of making subkeys? You use here option 8, which is RSA (set your own capabilities) and at first generate a master key which is used for certification and then generate subkeys for signing, encrypting and authenticating, but the default option is SCA. Can’t we just generate the master key with all options SCEA or SCA?
When I see someone’s key, it often shows that the master key is used for certification and signing (SC). Does it matter what the distribution of these keys is? Are there any options that are better/worse?
Why in this case, we used only the master key for certification and generated subkeys for all operations separately?
Would you consider a singleboard computer like a raspberry pi with an IR receiver to be not sufficiently airgapped?
They're pretty low bandwidth but...
Hi, I’ve watched this, congrats for your work. But I’ve one doubt, why you create a master key as C and not as a SC? Thanks
Sorry for my ignorance, but what's the difference between having a luks encryption or a strong passphrase on a PGP key? Why is it not dangerous having my luks encryption in other people's hands but it's dangerous having my PGP key lost even with it having the same strong passphrase?
How do you renew the sub keys when they expire? And will you still be able to decrypt any files you’ve encrypted with the expired sub key after renewing it?
When you say a good USB drive, do you have advice about what brand and model?
Curious why you're choosing RSA vs ECC for this? Just familiarity and understandability of RSA?
Do I need to have Linux as operating system to do this, or can I just use virtual machine with Linux?
you made an awesome series! can you pls make a video update to this in order to use Nitrokey instead of Yubikey?
hello, what if I already have PGP keys generated for my self-hosted email address? can I regenerate them and continue air-gapped? what is the difference in steps?
dude, thank you
thanks, very useful
great series! completed all ;) I can't thank you enough for providing such useful tutorials.
How can I change the email of my pubkey?
What's the reason behind restricting your master key to certify?
AWESOME SERIES /... thanx very much...
Why use balenaEtcher? Don't you have to trust an app that can be compromised then? The cp command in Linux can literally write the image to the USB drive as well (yes, so it is bootable).
I do not get the “airgapped” part. Any old laptop would already be “compromised” for having been on the internet. So removing hdd and network makes no sense. Second. Tails is already booting without “network”, booting in memory and therefore sufficient for all steps mentioned. Or am I missing something?
you back <3