Some tools to help manage YubiKey tokens.
## Risks and warnings

Good security practice is far beyond the scope of this document. Where appropriate, however, these scripts are designed to work in offline environments such as the Tails live CD or just about any Linux installer live CD, because an offline, ephemeral environment is the correct place to generate new keys for a token.

If you do it that way, you will need a way to copy the public key out of the ephemeral environment other than relying on keyservers (for example, a dedicated USB stick).
## change-pgp-pin.sh

Shows a list of random PINs to pick from, so you can choose something memorable while still getting real randomness. Accepts no arguments.

Usage:

```sh
bash change-pgp-pin.sh
```
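As an added illustration of how a PIN menu like this can be produced (example code, not the repository's change-pgp-pin.sh, whose internals are not shown here), the following POSIX shell draws each digit from /dev/urandom with rejection sampling so no digit is favoured, and refuses lengths below the OpenPGP card minimums of 6 digits for the user PIN and 8 for the admin PIN. The function names and the menu sizes are this example's own choices; the minimum lengths come from the OpenPGP card specification.

```shell
#!/bin/sh
# Added example, not the repository's change-pgp-pin.sh: print a menu of
# random numeric PINs to choose from. Digits come from /dev/urandom via
# rejection sampling, so every digit is uniformly distributed (a plain
# `$RANDOM % 10` would be biased toward the low digits).
set -eu

# random_digit: emit one uniformly random decimal digit (no newline).
# Read one byte (0..255); discard 250..255 so 0..249 maps evenly onto 0..9.
random_digit() {
  while :; do
    byte=$(od -An -N1 -tu1 /dev/urandom | tr -d ' ')
    if [ "$byte" -lt 250 ]; then
      printf '%d' $((byte % 10))
      return 0
    fi
  done
}

# random_pin LENGTH: emit one PIN of LENGTH digits, newline-terminated.
random_pin() {
  rp_len=$1
  rp_pin=""
  rp_i=0
  while [ "$rp_i" -lt "$rp_len" ]; do
    rp_pin="$rp_pin$(random_digit)"
    rp_i=$((rp_i + 1))
  done
  printf '%s\n' "$rp_pin"
}

# pin_menu LENGTH COUNT: print COUNT candidate PINs, one per line.
# OpenPGP card minimums: 6 digits for the user PIN, 8 for the admin PIN.
# Anything shorter is refused so the menu never offers an unusable PIN.
pin_menu() {
  pm_len=$1
  pm_count=$2
  if [ "$pm_len" -lt 6 ]; then
    echo "PIN length must be at least 6 (8 for the admin PIN)" >&2
    return 1
  fi
  pm_i=0
  while [ "$pm_i" -lt "$pm_count" ]; do
    random_pin "$pm_len"
    pm_i=$((pm_i + 1))
  done
}

# Usage: ten candidate user PINs and five candidate admin PINs.
echo "Candidate user PINs (6 digits):"
pin_menu 6 10
echo "Candidate admin PINs (8 digits):"
pin_menu 8 5
```

Pick one candidate from each list and commit it to memory rather than editing it toward something familiar; the factory defaults (123456 for the user PIN, 12345678 for the admin PIN) should be replaced before the token is used.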
## update-pgp-keys.sh

Walks you through rotating your subkeys; designed to be used when your subkeys are about to expire. Exercise caution if you have created additional subkeys: this script might try to revoke them!

In some environments you may need to insert the card holding your main signing key and run `gpg --card-status` so that gpg recognizes it before this script will work. If you work with many keys or run into trouble, restart gpg-agent (`gpgconf --kill gpg-agent`) before beginning.

Dry run:

```sh
bash update-pgp-keys.sh 7F47B726CA6B3135EFD35F8C9A164D591B680ED2
```

Doing it for real:

```sh
bash update-pgp-keys.sh --force 7F47B726CA6B3135EFD35F8C9A164D591B680ED2
```

- `--force`: must be given for the script to write to the cards; otherwise it does a dry run by default.
- `keyid`: the full fingerprint of your PGP key.

If you run into a problem, it is safe to remove or overwrite the output file on a subsequent run, but do not send it to a keyserver until a run has completed successfully! After a successful run it will contain your new public key, which should be shared widely and stored safely.
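The dry-run-by-default contract described above is worth copying in any script that writes to a hardware token. The following added example (not the repository's update-pgp-keys.sh) shows one way to implement it: a fingerprint check that rejects short key IDs, a plan function that prints the gpg commands, and an executor that only runs them when `--force` is given, so the dry run shows exactly what the real run will do. The ed25519/cv25519 algorithms, the one-year expiry and the `newpubkey.asc` output path are this example's assumptions; moving the new subkeys onto the card with `keytocard` is interactive in `gpg --edit-key` and is left to the operator.

```shell
#!/bin/sh
# Added example, not the repository's update-pgp-keys.sh: the same
# "dry run unless --force" contract around a minimal subkey rotation.
# Assumptions (not from the README): new ed25519/cv25519 subkeys with a
# one-year expiry, and the exported public key written to ./newpubkey.asc.
set -eu

# valid_fingerprint FPR: accept only a full 40-hex-digit OpenPGP v4
# fingerprint, never a short key ID (short IDs are trivially collidable).
valid_fingerprint() {
  case $1 in
    *[!0-9A-Fa-f]*|"") return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# plan_rotation FPR: print, one per line, the commands a rotation would
# run. Keeping the plan separate from execution is what makes the dry run
# trustworthy: it prints exactly the commands --force will execute.
plan_rotation() {
  pr_fpr=$1
  # Make sure the agent sees the card holding the primary/signing key.
  echo "gpg --card-status"
  # One fresh subkey per capability; the expiry forces another rotation
  # in a year.
  echo "gpg --quick-add-key $pr_fpr ed25519 sign 1y"
  echo "gpg --quick-add-key $pr_fpr cv25519 encr 1y"
  echo "gpg --quick-add-key $pr_fpr ed25519 auth 1y"
  # keytocard (moving the subkeys onto the card) is interactive in
  # gpg --edit-key and is left to the operator.
  echo "gpg --armor --export $pr_fpr > newpubkey.asc"
}

# rotate_subkeys [--force] FPR: dry run by default; with --force, run each
# planned command and stop at the first failure. Returns 2 on a bad FPR.
rotate_subkeys() {
  rs_force=0
  if [ "${1:-}" = "--force" ]; then
    rs_force=1
    shift
  fi
  rs_fpr=${1:-}
  if ! valid_fingerprint "$rs_fpr"; then
    echo "usage: rotate_subkeys [--force] <40-hex-digit fingerprint>" >&2
    return 2
  fi
  if [ "$rs_force" -eq 0 ]; then
    echo "dry run (pass --force to write to the card):"
    plan_rotation "$rs_fpr"
    return 0
  fi
  plan_rotation "$rs_fpr" | while IFS= read -r cmd; do
    echo "+ $cmd"
    sh -c "$cmd"
  done
}

# Usage: a dry run against a fingerprint (the one from the README).
rotate_subkeys 7F47B726CA6B3135EFD35F8C9A164D591B680ED2
```

Because the dry run and the real run share `plan_rotation`, reviewing the dry-run output is a faithful review of what will touch the card; if the output file from an aborted `--force` run looks wrong, delete it and rerun rather than publishing it.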
## rekey-nixos.sh

Updates the salted key used to unlock our nixos-config. This script can also be used to re-key to a new HMAC challenge-response (i.e. a new set of YubiKeys).