index2.html

<!DOCTYPE html>
<html lang="en">
<head>
        <meta charset="utf-8" />
        <title>Andrea Grandi</title>
        <link rel="stylesheet" href="https://www.andreagrandi.it/theme/css/main.css" />
        <link rel="stylesheet" href="https://www.andreagrandi.it/theme/tipuesearch/css/tipuesearch.css">
        <link href="https://www.andreagrandi.it/feeds/all.rss.xml" type="application/rss+xml" rel="alternate" title="Andrea Grandi RSS Feed" />

        <!--[if IE]>
            <script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script>
        <![endif]-->
        <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
        <link rel="icon" href="/favicon.ico" type="image/x-icon">
</head>

<body id="index" class="home">
        <header id="banner" class="body">
                <h1><a href="https://www.andreagrandi.it/">Andrea Grandi </a></h1>
                <nav><ul>
    
                        <li><a href="https://www.andreagrandi.it/about/">About</a></li>
    
                        <li><a href="https://www.andreagrandi.it/curriculum/">Curriculum</a></li>
    
                        <li><a href="https://www.andreagrandi.it/pgp-key/">PGP Key</a></li>
                </ul>
<form id="search" action="https://www.andreagrandi.it/search.html" onsubmit="return validateForm(this.elements['q'].value);">
                        <input type="text" class="search-query" placeholder="" name="q" id="tipue_search_input">
                    </form>
                </nav>
        </header><!-- /#banner -->

                <section id="content" class="body">
                    <ol id="posts-list" class="hfeed" start="3">
            <li><article class="hentry">
                <header>
                    <h1><a href="https://www.andreagrandi.it/2018/10/16/using-ipdb-with-python-37-breakpoint/" rel="bookmark"
                           title="Permalink to Using ipdb with Python 3.7.x breakpoint">Using ipdb with Python 3.7.x breakpoint</a></h1>
                </header>

                <div class="entry-content">
<footer class="post-info">
        <span>Tue 16 October 2018</span>
	        <span>| in <a href="https://www.andreagrandi.it/category/python.html">Python</a></span>
<span>| tags: <a href="https://www.andreagrandi.it/tag/python.html">python</a><a href="https://www.andreagrandi.it/tag/debugging.html">debugging</a><a href="https://www.andreagrandi.it/tag/programming.html">programming</a><a href="https://www.andreagrandi.it/tag/software.html">software</a><a href="https://www.andreagrandi.it/tag/development.html">development</a></span>
</footer><!-- /.post-info -->                <p>Python 3.7.x introduced a <a href="https://docs.python.org/3/whatsnew/3.7.html#pep-553-built-in-breakpoint">new method to insert a breakpoint</a> in the code.
Before Python 3.7.x to insert a debugging point we had to write <code>import pdb; pdb.set_trace()</code> which honestly I could never remember (and I also created a snippet on VS Code to auto complete it).</p>
<p>Now you can just write <code>breakpoint()</code> that's it!</p>
<p>Now... the only problem is that by default that command will use <strong>pdb</strong> which is not exactly the best debugger you can have. I usually use <strong>ipdb</strong> but there wasn't an intuitive way of using it... and no, just installing it in your virtual environment, it won't be used by default.</p>
<p>How to use it then? It's very simple. The new debugging command will read an environment variable named <strong>PYTHONBREAKPOINT</strong>. If you set it properly, you will be able to use ipdb instead of pdb.</p>
<div class="highlight"><pre><span></span>export PYTHONBREAKPOINT=ipdb.set_trace
</pre></div>


<p>At this point, any time you use <code>breakpoint()</code> in your code, <strong>ipdb</strong> will be used instead of <strong>pdb</strong>.</p>
<h4>References</h4>
<ul>
<li><a href="https://hackernoon.com/python-3-7s-new-builtin-breakpoint-a-quick-tour-4f1aebc444c">https://hackernoon.com/python-3-7s-new-builtin-breakpoint-a-quick-tour-4f1aebc444c</a></li>
</ul>
                <a class="readmore" href="https://www.andreagrandi.it/2018/10/16/using-ipdb-with-python-37-breakpoint/">read more</a>
<p><a href="https://www.andreagrandi.it/2018/10/16/using-ipdb-with-python-37-breakpoint/#disqus_thread">comments</a></p>                </div><!-- /.entry-content -->
            </article></li>

            <li><article class="hentry">
                <header>
                    <h1><a href="https://www.andreagrandi.it/2018/04/14/machine-learning-pima-indians-diabetes/" rel="bookmark"
                           title="Permalink to Machine Learning: Pima Indians Diabetes">Machine Learning: Pima Indians Diabetes</a></h1>
                </header>

                <div class="entry-content">
<footer class="post-info">
        <span>Sat 14 April 2018</span>
	        <span>| in <a href="https://www.andreagrandi.it/category/development.html">Development</a></span>
<span>| tags: <a href="https://www.andreagrandi.it/tag/machine-learning.html">Machine Learning</a><a href="https://www.andreagrandi.it/tag/python.html">Python</a><a href="https://www.andreagrandi.it/tag/scikit-learn.html">scikit-learn</a><a href="https://www.andreagrandi.it/tag/tutorial.html">tutorial</a></span>
</footer><!-- /.post-info -->                <p>Solving the Pima Indians Diabetes problem with Machine Learning using Python and scikit-learn</p>
                <a class="readmore" href="https://www.andreagrandi.it/2018/04/14/machine-learning-pima-indians-diabetes/">read more</a>
<p><a href="https://www.andreagrandi.it/2018/04/14/machine-learning-pima-indians-diabetes/#disqus_thread">comments</a></p>                </div><!-- /.entry-content -->
            </article></li>

            <li><article class="hentry">
                <header>
                    <h1><a href="https://www.andreagrandi.it/2017/10/21/keybase-pgp-encryption-made-easy/" rel="bookmark"
                           title="Permalink to Keybase: PGP encryption made easy">Keybase: PGP encryption made easy</a></h1>
                </header>

                <div class="entry-content">
<footer class="post-info">
        <span>Sat 21 October 2017</span>
	        <span>| in <a href="https://www.andreagrandi.it/category/howto.html">HowTo</a></span>
<span>| tags: <a href="https://www.andreagrandi.it/tag/gnupg.html">GnuPG</a><a href="https://www.andreagrandi.it/tag/pgp.html">PGP</a><a href="https://www.andreagrandi.it/tag/security.html">Security</a><a href="https://www.andreagrandi.it/tag/encryption.html">Encryption</a><a href="https://www.andreagrandi.it/tag/keybase.html">Keybase</a></span>
</footer><!-- /.post-info -->                <p>Using PGP can be quite hard, even if you have a lot of experience with computers.
By the way encryption is what gives us privacy and permits us to safely transmit information
and for this reason it should be easy to use, for everyone.</p>
<p><a href="https://keybase.io">Keybase</a> really makes encryption easy to use.</p>
<h3>PGP identity</h3>
<p>When Keybase was launched it was mainly a wrapper for PGP commands
to encrypt and decrypt a message for a certain user, but it also introduced a very nice
chain of trust.</p>
<p>In Keybase it's possible to either generate a new PGP key or import an existing one
but the most important thing is being able to verify our own identity using multiple proofs.</p>
<p>Many of us have a personal blog, a Twitter or Facebook accounts, a GitHub account etc...
All these accounts combined together make our online identity.</p>
<p>Every Keybase account can be verified by other online identities. In Keybase
you don't just say "I'm Andrea Grandi, this is my PGP key...". In Keybase you
can link your existing online accounts to your Keybase account and show additional
proofs of your identity.</p>
<p>Unless an attacker controls all your social accounts, they cannot impersonate and verify
themselves as if they were you.</p>
<p><a href="https://www.andreagrandi.it/images/2017/10/keybase_identity.png"><img alt="" src="https://www.andreagrandi.it/images/2017/10/keybase_identity.png" width="100%"></a></p>
<p>Once you are on Keybase, other users can look for you even using your GitHub or Twitter username
without having to know your email address or Keybase username. This concept can be
very useful in some situations, we will see it later.</p>
<h3>Encrypted Filesystem</h3>
<p>One of the first features launched by Keybase was their encrypted filesystem.
There is a virtual folder located at <strong>/keybase</strong> (on OSX/Linux or k:\keybase on Windows)
where you will find at least three other folders: <strong>public</strong>, <strong>private</strong>, <strong>team</strong>.</p>
<h4>Public folders</h4>
<p>Anything you place inside the /public folder can be accessed by any Keybase user and it's
automatically signed. Every user public folder/file can be accessed using their Keybase username,
like for example <strong>/keybase/public/andreagrandi/hello.txt</strong> but you can also use any other identity like
<strong>/keybase/public/andreagrandi@github/hello.txt</strong> or <strong>/keybase/public/andreagrandi@twitter/hello.txt</strong></p>
<p><strong>Note:</strong> This is very useful if you only know a person on Twitter (or GitHub etc...) and you want to
share a file with them (or send a message, as we will see later) but you don't follow each other
and you can't reach them privately.</p>
<p>This is a public folder example of one of the Keybase developers:</p>
<p><a href="https://www.andreagrandi.it/images/2017/10/keybase_chris_folder.png"><img alt="" src="https://www.andreagrandi.it/images/2017/10/keybase_chris_folder.png" width="60%"></a></p>
<p>You can put whatever you want in these folders: your public PGP key, your official avatar,
your Signal fingerprint etc... the other users will access these files with the assurance they
haven't been changed by anyone else in the middle.</p>
<p><strong>Note:</strong> please keep in mind that Keybase doesn't work like Dropbox or similar. Files are not
synced between your devices and Keybase servers. Files are streamed on demand, so <strong>you won't be able to access these files without a working Internet connection</strong>.</p>
<h4>Private folders</h4>
<p>Hey but... where is the encryption here?! Whatever you put inside your <strong>private</strong>
folder can only be read by you and only you. <strong>Not even Keybase employees can access the content of your files</strong>,
because they are encrypted before leaving your devices and decrypted on demand
when you want to access them.</p>
<p>Do you want to share files with <strong>anotheruser</strong>? No problem. Just create a file inside <strong>/keybase/private/andreagrandi,anotheruser</strong>
(the folder <strong>andreagrandi,anotheruser</strong> will implicitely exist already) and that file will only be readable by you and <strong>anotheruser</strong>.</p>
<h4>Security and other information</h4>
<p>Keybase employes only have access to: 1) your top level folder names (like: "andreagrandi,anotheruser"),
2) when and for how long you are reading/writing, 3) how much space you are using.</p>
<p>They won't be able to access the content of your files and not even the files or folders names.</p>
<p>Every user initially had 10GB quota available, but a few hints (including one of their <a href="https://www.andreagrandi.it/images/2017/10/teams-splash-announcement.png">recent screenshots</a>)
say that now <strong>users have 250GB available</strong> to store their files.</p>
<p>You can find more technical information about Keybase encrypted folders in this article: <a href="https://keybase.io/docs/kbfs">https://keybase.io/docs/kbfs</a></p>
<h3>Encrypted Chat</h3>
<p>A few months ago Keybase introduced the encrypted chat. Messages between users
are <strong>end to end encrypted</strong> and cannot be read by anyone else, not even having access to Keybase
servers.</p>
<p><a href="https://www.andreagrandi.it/images/2017/10/keybase_chat.png"><img alt="" src="https://www.andreagrandi.it/images/2017/10/keybase_chat.png" width="100%"></a></p>
<h4>A better address book</h4>
<p>When we use services like WhatsApp or Signal, we are forced to share our telephone number if we want
the other person to be able to contact us.</p>
<p>On Keybase I don't need to share my telephone number. Anyone can reach me using one of my online
identities: <strong>andreagrandi@twitter</strong>, <strong>andreagrandi@github</strong> etc...</p>
<p>You can even send a message to a person who is <strong>not on Keybase yet</strong>: if you send a message to
randomuser@twitter, when randomuser joins Keybase and verify their Twitter account, the message
will be encrypted for them and will be safely delivered.</p>
<h4>Security</h4>
<p>Keybase doesn't use PGP to encrypt chat or files. Transmitting the key across all devices
wouldn't be safe so each message is encrypted using the public key of every device connected
to the account.</p>
<h4>Command line</h4>
<p>Keybase works from the command line too. There is no need to use the graphic
client to send a message to another user, you can do something like this:</p>
<div class="highlight"><pre><span></span>keybase chat send andreagrandi <span class="s2">&quot;Hello mate!&quot;</span>
</pre></div>


<p>You can integrate messages in any script and it's even available a JSON API:</p>
<div class="highlight"><pre><span></span>keybase chat <span class="nb">help</span> api
</pre></div>


<p>For more details you can have a look a this blog post on their website: <a href="https://keybase.io/blog/keybase-chat">https://keybase.io/blog/keybase-chat</a></p>
<h3>Teams</h3>
<p>Keybase has recently introduced Teams feature. The Chat becomes more similar to Slack, but with the difference that
only team members can read the content of messages and files: the server only knows about team names and users, nobody else can
access the content.</p>
<p><a href="https://www.andreagrandi.it/images/2017/10/teams-splash-announcement.png"><img alt="" src="https://www.andreagrandi.it/images/2017/10/teams-splash-announcement.png" width="100%"></a></p>
<p>It's important to mention that in Keybase there aren't private channels like there are in Slack: if a team wants to have
channels accessible only from a restricted group of users, the admin needs to create a sub team. For example if you have a
team called <strong>keybaselovers</strong> you can create a sub team for admins only called <strong>keybaselovers.admins</strong></p>
<p>Teams have a dedicated encrypter folder that you will find under <strong>/keybase/team/keybaselovers</strong></p>
<p>At the moment the features available from the UI are quite limited and are only available from the command line. In the next
weeks these features will be available from the UI too. In the mean time you can have a look at the commandline help:</p>
<div class="highlight"><pre><span></span>keybase team --help <span class="c1"># for admin&#39;ing teams</span>
keybase chat --help <span class="c1"># for admin&#39;ing chat channels</span>
</pre></div>


<h4>Create a Team</h4>
<div class="highlight"><pre><span></span>keybase team create keybaselovers
</pre></div>


<h4>Add a user to a Team</h4>
<div class="highlight"><pre><span></span>keybase team add-member keybaselovers --user<span class="o">=</span>alice --role<span class="o">=</span>writer
</pre></div>


<p>For more information you can have a look at the official announcement page: <a href="https://keybase.io/blog/introducing-keybase-teams">https://keybase.io/blog/introducing-keybase-teams</a></p>
<h3>Git</h3>
<p>Sometimes we have the need to store private information in a safe way and we want to be sure that nobody else is
able to access these information.</p>
<p>Latest feature that has been added to Keybase is <strong>encrypted Git repositories</strong>. They are like normal GitHub
repositories, but their content is stored in a safer way.</p>
<p><a href="https://www.andreagrandi.it/images/2017/10/keybase_git.png"><img alt="" src="https://www.andreagrandi.it/images/2017/10/keybase_git.png" width="100%"></a></p>
<h4>Privacy and Security</h4>
<p>What is the <strong>difference</strong> with GitHub private repositories? In GitHub a private repository is used to store information that
only our account can access, but the files are accessible in plain text by GitHub employees. With encrypted Git repositories
instead, the <strong>information are encrypted before they leave our device</strong> and they are stored encrypted. Nobody, without having our
private key can read them, not even Keybase employees.</p>
<h4>Teams and Quota</h4>
<p>Encrypted Git repositories are of course available for teams too. Creating a team repository, it will be available to
all the members of the team.</p>
<p>Both teams and single users have <strong>100GB of space</strong> available (which is separate from Folders quota).</p>
<h4>Usage</h4>
<p>If I create my personal repository called <strong>documents</strong> all I have to do to clone it and use it is:</p>
<div class="highlight"><pre><span></span>git clone keybase://private/andreagrandi/documents
</pre></div>


<p>and I can use it as a normal git repository. Every time I commit and push something, the content will be <strong>signed and encrypted</strong>
and only available to the repository owner (which is me) or to the whole team if it's a team repository.</p>
<p>For more information, please have a look at the official announcement here: <a href="https://keybase.io/blog/encrypted-git-for-everyone">https://keybase.io/blog/encrypted-git-for-everyone</a></p>
<h3>Conclusion</h3>
<p>Keybase is still in continuous development but it already offers a few interesting features which can help people
in their every day life. I strongly advise anyone to <a href="https://keybase.io"><strong>get an account</strong></a>, play with the available features and <strong>report any bug</strong>
so the developers will be able to fix them and build an even better product. I can't wait to see the features they will
announce in the next months!</p>
                <a class="readmore" href="https://www.andreagrandi.it/2017/10/21/keybase-pgp-encryption-made-easy/">read more</a>
<p><a href="https://www.andreagrandi.it/2017/10/21/keybase-pgp-encryption-made-easy/#disqus_thread">comments</a></p>                </div><!-- /.entry-content -->
            </article></li>

            <li><article class="hentry">
                <header>
                    <h1><a href="https://www.andreagrandi.it/2017/09/30/configuring-offline-gnupg-masterkey-subkeys-on-yubikey/" rel="bookmark"
                           title="Permalink to Configuring an offline GnuPG master key and subkeys on YubiKey">Configuring an offline GnuPG master key and subkeys on YubiKey</a></h1>
                </header>

                <div class="entry-content">
<footer class="post-info">
        <span>Sat 30 September 2017</span>
	        <span>| in <a href="https://www.andreagrandi.it/category/howto.html">HowTo</a></span>
<span>| tags: <a href="https://www.andreagrandi.it/tag/gnupg.html">GnuPG</a><a href="https://www.andreagrandi.it/tag/pgp.html">PGP</a><a href="https://www.andreagrandi.it/tag/security.html">Security</a><a href="https://www.andreagrandi.it/tag/yubikey.html">YubiKey</a><a href="https://www.andreagrandi.it/tag/encryption.html">Encryption</a></span>
</footer><!-- /.post-info -->                <p>I've recently bought a <a href="https://www.amazon.co.uk/Yubico-Y-158-YubiKey-4-Black/dp/B018Y1Q71M/ref=as_li_ss_tl?ie=UTF8&amp;qid=1507054059&amp;sr=8-1&amp;keywords=yubico+4&amp;linkCode=ll1&amp;tag=andreagrandi-21&amp;linkId=6da97357c6fe86ca94df918c172f6605">YubiKey 4</a> and 
decided to use it for GnuPG too, other than using it as hardware 2FA.</p>
<p>I've also decided to make my GnuPG configuration much more safe, generating the <strong>master key</strong>
on an <strong>offline</strong> computer (in my case a simple RaspberryPi not connected to Internet) and <strong>generating a subkey</strong>
that will be moved to my <a href="https://www.amazon.co.uk/Yubico-Y-158-YubiKey-4-Black/dp/B018Y1Q71M/ref=as_li_ss_tl?ie=UTF8&amp;qid=1507054059&amp;sr=8-1&amp;keywords=yubico+4&amp;linkCode=ll1&amp;tag=andreagrandi-21&amp;linkId=6da97357c6fe86ca94df918c172f6605">YubiKey</a>.</p>
<h4>Disclaimer</h4>
<p>Always think about what your <strong>threat model</strong> is before deciding something is 100% safe for you.
I'm not claiming this setup/configuration is bullet proof. If you want to protect your GnuPG key from most of the hackers,
keyloggers and if you want to use it on different computers without ever compromising your secret key, this setup
can be what you are looking for. If you think you may be victim of a targeted state sponsored attack, I'm not sure this
setup could be enough.</p>
<h4>Why keeping offline the master key?</h4>
<p>If you only use your master key on a computer that never connects to Internet (I reckon you will want to update/patch it
from time to time, that's why we are going to keep the master key on an external USB key) you are at least safe from remote attacks.</p>
<h4>Why using subkeys?</h4>
<p>Your GnuPG master key is also your "identity" among every PGP user. If you loose your master key or if your key is compromised
you need to rebuild your identity and reputation from scratch. Instead, if a subkey is compromised, you can revoke the subkey (using your
master key) and generate a new subkey.</p>
<h4>How a YubiKey makes things safer?</h4>
<p>If you always use your subkey from a <a href="https://www.amazon.co.uk/Yubico-Y-158-YubiKey-4-Black/dp/B018Y1Q71M/ref=as_li_ss_tl?ie=UTF8&amp;qid=1507054059&amp;sr=8-1&amp;keywords=yubico+4&amp;linkCode=ll1&amp;tag=andreagrandi-21&amp;linkId=6da97357c6fe86ca94df918c172f6605">YubiKey</a>, it's very unlikely that your
private key can be stolen: it's impossible to read it from the <a href="https://www.amazon.co.uk/Yubico-Y-158-YubiKey-4-Black/dp/B018Y1Q71M/ref=as_li_ss_tl?ie=UTF8&amp;qid=1507054059&amp;sr=8-1&amp;keywords=yubico+4&amp;linkCode=ll1&amp;tag=andreagrandi-21&amp;linkId=6da97357c6fe86ca94df918c172f6605">YubiKey</a> and if you loose your YubiKey
or if it's physically stolen, the attacker will still need your passphrase and your YubiKey PIN.</p>
<h3>Requirements</h3>
<ul>
<li>1 <a href="https://www.amazon.co.uk/Yubico-Y-158-YubiKey-4-Black/dp/B018Y1Q71M/ref=as_li_ss_tl?ie=UTF8&amp;qid=1507054059&amp;sr=8-1&amp;keywords=yubico+4&amp;linkCode=ll1&amp;tag=andreagrandi-21&amp;linkId=6da97357c6fe86ca94df918c172f6605">YubiKey 4</a></li>
<li>2 USB keys (in theory you only need one, but I strongly suggest you have another one as backup)</li>
<li>1 offline computer (a simple RaspberryPi with no Internet connection will be fine)</li>
</ul>
<h3>Initial setup</h3>
<p>From now on, I will assume that you have prepared a computer for offline use (in my case I'm using a RaspberryPi 2 with
Raspbian) and you will type the next commands there and only there.</p>
<p>Plug one of the <strong>USB key</strong> (you can format it with VFAT for simplicity) in the offline computer and wait for the system to mount it.
At this point it should be mounted in a path like this: <strong>/media/AABB-BAAC</strong></p>
<p>Now set the GnuPG working directory and create it:</p>
<div class="highlight"><pre><span></span>user@debian:~$ export GNUPGHOME=/media/AABB-BAAC/gnupghome
user@debian:~$ mkdir $GNUPGHOME
</pre></div>


<h4>Second disclaimer</h4>
<p>If you think your threat model doesn't include someone can hack your computer from remote,
you can ignore my advice and type these commands on your main laptop (at your own risk).</p>
<h4>Note</h4>
<p>For my own convenience, to write this tutorial I reproduced all these steps on my MacBook because it was easier to copy/paste
commands and outputs but I've tested it with the exact setup I'm describing, and it
should be compatible with OSX and Linux.
When you see something has been masked it's just to hide (from spam) things like my email or to protect the serial number
of my <a href="https://www.amazon.co.uk/Yubico-Y-158-YubiKey-4-Black/dp/B018Y1Q71M/ref=as_li_ss_tl?ie=UTF8&amp;qid=1507054059&amp;sr=8-1&amp;keywords=yubico+4&amp;linkCode=ll1&amp;tag=andreagrandi-21&amp;linkId=6da97357c6fe86ca94df918c172f6605">YubiKey</a>. Last but not least, the output shown here could not match exactly the one you get on your own PC and this also
depends on the GnuPG version you are using.</p>
<h3>Generating the master key</h3>
<p>The master key must be generated using the advanced mode, because by default when a new master key is generated, also a new subkey
is created with all the capabilities (Authentication + Signing + Encryption), while we want something different.</p>
<p><strong>Note:</strong> PGP keys up to <strong>4096 bits</strong> are only supported in <strong>YubiKey 4</strong> models. If you have a <strong>YubiKey NEO</strong> you must use
a <strong>2048 bits</strong> key because it's the maximum size supported. Here you will create a PGP key with <strong>only
the Authentication capability</strong>. If your GnuPG version doesn't allow this, choose "sign only", just don't
create the encryption capability at this time.</p>
<div class="highlight"><pre><span></span>user@debian:~$ gpg --expert --gen-key
gpg (GnuPG) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/media/AABB-BAAC/gnupghome&#39; created
gpg: new configuration file `/media/AABB-BAAC/gnupghome/gpg.conf&#39; created
gpg: WARNING: options in `/media/AABB-BAAC/gnupghome/gpg.conf&#39; are not yet active during this run
gpg: keyring `/media/AABB-BAAC/gnupghome/secring.gpg&#39; created
gpg: keyring `/media/AABB-BAAC/gnupghome/pubring.gpg&#39; created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
Your selection? 8

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify Encrypt

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
        0 = key does not expire
    &lt;n&gt;  = key expires in n days
    &lt;n&gt;w = key expires in n weeks
    &lt;n&gt;m = key expires in n months
    &lt;n&gt;y = key expires in n years
Key is valid for? (0) 2y
Key expires at Wed 25 Sep 18:39:49 2019 BST
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Andrea Grandi
Email address: user@email.com
Comment:
You selected this USER-ID:
    &quot;Andrea Grandi &lt;user@email.com&gt;&quot;

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /media/AABB-BAAC/gnupghome/trustdb.gpg: trustdb created
gpg: key 2240402E marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2019-09-25
pub   4096R/2240402E 2017-09-25 [expires: 2019-09-25]
    Key fingerprint = 7D4C 4090 DB50 1693 4614  F6FC 6206 9DE9 2240 402E
uid       [ultimate] Andrea Grandi &lt;user@email.com&gt;
</pre></div>


<p><strong>Note:</strong> please remember to save your passphrase in a safe place. Choose something you
can remember because you will need it every time you need to sign, encrypt or decrypt something.</p>
<h3>Creating a revocation certificate</h3>
<p>It's very important to create a revocation certificate to be used if and when 
in the future you want to change your master key and revoke the existing one:</p>
<div class="highlight"><pre><span></span>user@debian:~$ gpg --gen-revoke 2240402E &gt; 2240402E-revocation-certificate.asc

sec  4096R/2240402E 2017-09-25 Andrea Grandi &lt;user@email.com&gt;

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 3
Enter an optional description; end it with an empty line:
&gt;
Reason for revocation: Key is no longer used
(No description given)
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: &quot;Andrea Grandi &lt;user@email.com&gt;&quot;
4096-bit RSA key, ID 2240402E, created 2017-09-25

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!
</pre></div>


<h3>Creating Encryption subkey</h3>
<p>To create a subkey we need to edit the existing key (please note that <strong>2240402E</strong>
is the last 8 chars from the fingerprint of the previously generated master key)
and specify we want to create an Encryption only key.</p>
<div class="highlight"><pre><span></span>user@debian:~$ gpg --edit-key 2240402E
gpg (GnuPG) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/2240402E  created: 2017-09-25  expires: 2019-09-25  usage: C
                    trust: ultimate      validity: ultimate
[ultimate] (1). Andrea Grandi &lt;user@email.com&gt;

gpg&gt; addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: &quot;Andrea Grandi &lt;user@email.com&gt;&quot;
4096-bit RSA key, ID 2240402E, created 2017-09-25

Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
        0 = key does not expire
    &lt;n&gt;  = key expires in n days
    &lt;n&gt;w = key expires in n weeks
    &lt;n&gt;m = key expires in n months
    &lt;n&gt;y = key expires in n years
Key is valid for? (0) 2y
Key expires at Wed 25 Sep 18:47:21 2019 BST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

pub  4096R/2240402E  created: 2017-09-25  expires: 2019-09-25  usage: C
                    trust: ultimate      validity: ultimate
sub  4096R/01731555  created: 2017-09-25  expires: 2019-09-25  usage: E
[ultimate] (1). Andrea Grandi &lt;user@email.com&gt;

gpg&gt; save
</pre></div>


<h3>Export a backup of the secret keys</h3>
<p>It's very important to export a backup of the secret keys at this point.
Writing the secret subkey to the <a href="https://www.amazon.co.uk/Yubico-Y-158-YubiKey-4-Black/dp/B018Y1Q71M/ref=as_li_ss_tl?ie=UTF8&amp;qid=1507054059&amp;sr=8-1&amp;keywords=yubico+4&amp;linkCode=ll1&amp;tag=andreagrandi-21&amp;linkId=6da97357c6fe86ca94df918c172f6605">YubiKey</a> is a destructive process: keys are moved
to the <a href="https://www.amazon.co.uk/Yubico-Y-158-YubiKey-4-Black/dp/B018Y1Q71M/ref=as_li_ss_tl?ie=UTF8&amp;qid=1507054059&amp;sr=8-1&amp;keywords=yubico+4&amp;linkCode=ll1&amp;tag=andreagrandi-21&amp;linkId=6da97357c6fe86ca94df918c172f6605">YubiKey</a>, they are not copied.</p>
<div class="highlight"><pre><span></span>user@debian:~$ gpg --export-secret-key 2240402E &gt; 2240402E-secret.pgp
</pre></div>


<p><strong>Note:</strong> this backup includes both the secret master key and the secret subkey.
Please remember to <strong>save a backup of this key</strong> on a couple of separate USB keys: you will need
this keys to generate future subkeys and/or to revoke the existing ones.</p>
<h3>Programming the YubiKey with all GnuPG keys</h3>
<p>We have previously created the <strong>master key</strong> and the <strong>encryption subkey</strong>. Now we will
create the <strong>authentication</strong> and <strong>signing</strong> keys directly on the <a href="https://www.amazon.co.uk/Yubico-Y-158-YubiKey-4-Black/dp/B018Y1Q71M/ref=as_li_ss_tl?ie=UTF8&amp;qid=1507054059&amp;sr=8-1&amp;keywords=yubico+4&amp;linkCode=ll1&amp;tag=andreagrandi-21&amp;linkId=6da97357c6fe86ca94df918c172f6605">YubiKey</a> (we don't
need to have a copy of these keys) and we will move the secret encryption key
to the <a href="https://www.amazon.co.uk/Yubico-Y-158-YubiKey-4-Black/dp/B018Y1Q71M/ref=as_li_ss_tl?ie=UTF8&amp;qid=1507054059&amp;sr=8-1&amp;keywords=yubico+4&amp;linkCode=ll1&amp;tag=andreagrandi-21&amp;linkId=6da97357c6fe86ca94df918c172f6605">YubiKey</a>.</p>
<div class="highlight"><pre><span></span>user@debian:~$ gpg --edit-key 2240402E
gpg (GnuPG) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/2240402E  created: 2017-09-25  expires: 2019-09-25  usage: C
                    trust: ultimate      validity: ultimate
sub  4096R/01731555  created: 2017-09-25  expires: 2019-09-25  usage: E
[ultimate] (1). Andrea Grandi &lt;user@email.com&gt;

gpg&gt; addcardkey
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

Please select the type of key to generate:
(1) Signature key
(2) Encryption key
(3) Authentication key
Your selection? 1

What keysize do you want for the Signature key? (4096)
Key is protected.

You need a passphrase to unlock the secret key for
user: &quot;Andrea Grandi &lt;user@email.com&gt;&quot;
4096-bit RSA key, ID 2240402E, created 2017-09-25

Please specify how long the key should be valid.
        0 = key does not expire
    &lt;n&gt;  = key expires in n days
    &lt;n&gt;w = key expires in n weeks
    &lt;n&gt;m = key expires in n months
    &lt;n&gt;y = key expires in n years
Key is valid for? (0) 2y
Key expires at Wed 25 Sep 18:50:42 2019 BST
Is this correct? (y/N) y
Really create? (y/N) y

pub  4096R/2240402E  created: 2017-09-25  expires: 2019-09-25  usage: C
                    trust: ultimate      validity: ultimate
sub  4096R/01731555  created: 2017-09-25  expires: 2019-09-25  usage: E
sub  4096R/771B0554  created: 2017-09-25  expires: 2019-09-25  usage: S
[ultimate] (1). Andrea Grandi &lt;user@email.com&gt;

gpg&gt; addcardkey
Signature key ....: 6FAB DC46 1847 3550 3769  2D32 0DE1 36B4 771B 0554
Encryption key....: [none]
Authentication key: [none]

Please select the type of key to generate:
(1) Signature key
(2) Encryption key
(3) Authentication key
Your selection? 3

What keysize do you want for the Authentication key? (4096)
Key is protected.

You need a passphrase to unlock the secret key for
user: &quot;Andrea Grandi &lt;user@email.com&gt;&quot;
4096-bit RSA key, ID 2240402E, created 2017-09-25

Please specify how long the key should be valid.
        0 = key does not expire
    &lt;n&gt;  = key expires in n days
    &lt;n&gt;w = key expires in n weeks
    &lt;n&gt;m = key expires in n months
    &lt;n&gt;y = key expires in n years
Key is valid for? (0) 2y
Key expires at Wed 25 Sep 18:54:51 2019 BST
Is this correct? (y/N) y
Really create? (y/N) y

pub  4096R/2240402E  created: 2017-09-25  expires: 2019-09-25  usage: C
                    trust: ultimate      validity: ultimate
sub  4096R/01731555  created: 2017-09-25  expires: 2019-09-25  usage: E
sub  4096R/771B0554  created: 2017-09-25  expires: 2019-09-25  usage: S
sub  4096R/A9B5334C  created: 2017-09-25  expires: 2019-09-25  usage: A
[ultimate] (1). Andrea Grandi &lt;user@email.com&gt;

gpg&gt; toggle

sec  4096R/2240402E  created: 2017-09-25  expires: 2019-09-25
ssb  4096R/01731555  created: 2017-09-25  expires: never
ssb  4096R/771B0554  created: 2017-09-25  expires: 2019-09-25
                    card-no: 0006 05672181
ssb  4096R/A9B5334C  created: 2017-09-25  expires: 2019-09-25
                    card-no: 0006 05672181
(1)  Andrea Grandi &lt;user@email.com&gt;

gpg&gt; key 1

sec  4096R/2240402E  created: 2017-09-25  expires: 2019-09-25
ssb* 4096R/01731555  created: 2017-09-25  expires: never
ssb  4096R/771B0554  created: 2017-09-25  expires: 2019-09-25
                    card-no: 0006 05672181
ssb  4096R/A9B5334C  created: 2017-09-25  expires: 2019-09-25
                    card-no: 0006 05672181
(1)  Andrea Grandi &lt;user@email.com&gt;

gpg&gt; keytocard
Signature key ....: 6FAB DC46 1847 3550 3769  2D32 0DE1 36B4 771B 0554
Encryption key....: [none]
Authentication key: BD26 3AD8 985E CAB0 9F32  7307 DF7C F7C0 A9B5 334C

Please select where to store the key:
(2) Encryption key
Your selection? 2

You need a passphrase to unlock the secret key for
user: &quot;Andrea Grandi &lt;user@email.com&gt;&quot;
4096-bit RSA key, ID 01731555, created 2017-09-25


sec  4096R/2240402E  created: 2017-09-25  expires: 2019-09-25
ssb* 4096R/01731555  created: 2017-09-25  expires: never
                    card-no: 0006 05672181
ssb  4096R/771B0554  created: 2017-09-25  expires: 2019-09-25
                    card-no: 0006 05672181
ssb  4096R/A9B5334C  created: 2017-09-25  expires: 2019-09-25
                    card-no: 0006 05672181
(1)  Andrea Grandi &lt;user@email.com&gt;

gpg&gt; save
</pre></div>


<h4>Check public keys</h4>
<p>Just to verify everything has been created correctly, we check the public keys.
We should see one <strong>pub</strong> key and three <strong>sub</strong>:</p>
<div class="highlight"><pre><span></span>user@debian:~$ gpg -k
/media/AABB-BAAC/gnupghome/pubring.gpg
--------------------------------
pub   4096R/2240402E 2017-09-25 [expires: 2019-09-25]
uid       [ultimate] Andrea Grandi &lt;user@email.com&gt;
sub   4096R/01731555 2017-09-25 [expires: 2019-09-25]
sub   4096R/771B0554 2017-09-25 [expires: 2019-09-25]
sub   4096R/A9B5334C 2017-09-25 [expires: 2019-09-25]
</pre></div>


<h4>Check private keys</h4>
<p>When we check the private keys we should see that one key is still local, marked as <strong>sec</strong> (it's
the private key of the master key), while three other keys are marked as <strong>ssb&gt;</strong>
which means they have been moved to the <a href="https://www.amazon.co.uk/Yubico-Y-158-YubiKey-4-Black/dp/B018Y1Q71M/ref=as_li_ss_tl?ie=UTF8&amp;qid=1507054059&amp;sr=8-1&amp;keywords=yubico+4&amp;linkCode=ll1&amp;tag=andreagrandi-21&amp;linkId=6da97357c6fe86ca94df918c172f6605">YubiKey</a>:</p>
<div class="highlight"><pre><span></span>user@debian:~$ gpg -K
/media/AABB-BAAC/gnupghome/secring.gpg
--------------------------------
sec   4096R/2240402E 2017-09-25 [expires: 2019-09-25]
uid                  Andrea Grandi &lt;user@email.com&gt;
ssb&gt;  4096R/01731555 2017-09-25
ssb&gt;  4096R/771B0554 2017-09-25
ssb&gt;  4096R/A9B5334C 2017-09-25
</pre></div>


<h4>Import back secret keys from backup (only for multiple YubiKeys)</h4>
<p>As previously said, when we write the encryption subkey to the <a href="https://www.amazon.co.uk/Yubico-Y-158-YubiKey-4-Black/dp/B018Y1Q71M/ref=as_li_ss_tl?ie=UTF8&amp;qid=1507054059&amp;sr=8-1&amp;keywords=yubico+4&amp;linkCode=ll1&amp;tag=andreagrandi-21&amp;linkId=6da97357c6fe86ca94df918c172f6605">YubiKey</a>, the key
is <strong>moved</strong> and not just copied, so we need to import back the secret key into
the keyring. It's important to have a backup of the subkey too, not because we need it
in case the key is compromised etc... but because we need it in case we want to write
multiple YubiKeys with the same encryption key, so that we have a backup key to use.</p>
<div class="highlight"><pre><span></span>user@debian:~$ gpg --import &lt; 2240402E-secret.pgp
</pre></div>


<h4>Completely remove secret keys from laptop</h4>
<p>Once you have programmed the <a href="https://www.amazon.co.uk/Yubico-Y-158-YubiKey-4-Black/dp/B018Y1Q71M/ref=as_li_ss_tl?ie=UTF8&amp;qid=1507054059&amp;sr=8-1&amp;keywords=yubico+4&amp;linkCode=ll1&amp;tag=andreagrandi-21&amp;linkId=6da97357c6fe86ca94df918c172f6605">YubiKey</a> and you are sure the secret keys are
backed up on a couple of USB keys, you are ready to remove the secret keys from your laptop.</p>
<p><strong>Note:</strong> you don't need to remove anything if you have conducted the whole setup
on a spare offline PC (or on a RaspberryPi) because that's not your every day computer.</p>
<div class="highlight"><pre><span></span>user@debian:~$ gpg --delete-secret-key 2240402E
</pre></div>


<h3>Exporting the public PGP key</h3>
<p>As you know, PGP keys are composed by a secret part and a public one. The public one
must be distributed publicly and it's the one people will use to encrypt messages directed
to you.</p>
<div class="highlight"><pre><span></span>user@debian:~$ gpg --armor --export 2240402E &gt; 2240402E.asc
</pre></div>


<p>If you have a personal blog/website I suggest to upload it there (for example mine
can be found here <a href="https://www.andreagrandi.it/2240402E.asc">https://www.andreagrandi.it/2240402E.asc</a>)</p>
<h3>Change YubiKey PINs and complete configuration</h3>
<p>Every <a href="https://www.amazon.co.uk/Yubico-Y-158-YubiKey-4-Black/dp/B018Y1Q71M/ref=as_li_ss_tl?ie=UTF8&amp;qid=1507054059&amp;sr=8-1&amp;keywords=yubico+4&amp;linkCode=ll1&amp;tag=andreagrandi-21&amp;linkId=6da97357c6fe86ca94df918c172f6605">YubiKey</a> is sold with a certain default configuration: there is a <strong>user PIN</strong>
that is required every time we need to use the key to sign/decrypt something (in addition
to our passphrase) and there is an <strong>admin PIN</strong> that is required every time we change
certain settings on the <a href="https://www.amazon.co.uk/Yubico-Y-158-YubiKey-4-Black/dp/B018Y1Q71M/ref=as_li_ss_tl?ie=UTF8&amp;qid=1507054059&amp;sr=8-1&amp;keywords=yubico+4&amp;linkCode=ll1&amp;tag=andreagrandi-21&amp;linkId=6da97357c6fe86ca94df918c172f6605">YubiKey</a>.</p>
<p>The default values are:</p>
<ul>
<li>user PIN: 123456</li>
<li>admin PIN: 12345678</li>
</ul>
<p>I strongly recommend you to change them following this example:</p>
<div class="highlight"><pre><span></span>user@debian:~$ gpg --card-edit

Reader ...........: Yubico Yubikey 4 OTP U2F CCID
Application ID ...: D000000000000000000000000000000000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 012345678
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 3
Signature key ....: 6FAB DC46 1847 3550 3769  2D32 0DE1 36B4 771B 0554
    created ....: 2017-09-25 17:50:37
Encryption key....: FC6F 40BC 4173 8D13 2D7C  E958 BCDC EA84 0173 1555
    created ....: 2017-09-25 17:47:09
Authentication key: BD26 3AD8 985E CAB0 9F32  7307 DF7C F7C0 A9B5 334C
    created ....: 2017-09-25 17:54:49
General key info..: sub  rsa4096/0DE136B4771B0554 2017-09-25 Andrea Grandi &lt;user@email.com&gt;
sec#  rsa4096/62069DE92240402E  created: 2017-09-25  expires: 2019-09-25
ssb&gt;  rsa4096/BCDCEA8401731555  created: 2017-09-25  expires: 2019-09-25
                                card-no: 0006 05672181
ssb&gt;  rsa4096/0DE136B4771B0554  created: 2017-09-25  expires: 2019-09-25
                                card-no: 0006 05672181
ssb&gt;  rsa4096/DF7CF7C0A9B5334C  created: 2017-09-25  expires: 2019-09-25
                                card-no: 0006 05672181

gpg/card&gt; admin
Admin commands are allowed

# Change the PIN and Admin PINs
gpg/card&gt; passwd
gpg: OpenPGP card no. D000000000000000000000000000000000 detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 1
PIN changed.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 3
PIN changed.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? q

# Make sure the PIN is entered before signing
gpg/card&gt; forcesig

# Set the URL where the OpenPGP public key can be found.
gpg/card&gt; url
URL to retrieve public key: https://www.andreagrandi.it/2240402E.asc

# Fetch the public key into the local keyring
gpg/card&gt; fetch

gpg/card&gt; quit
</pre></div>


<p><strong>Note:</strong> when you want to use your <a href="https://www.amazon.co.uk/Yubico-Y-158-YubiKey-4-Black/dp/B018Y1Q71M/ref=as_li_ss_tl?ie=UTF8&amp;qid=1507054059&amp;sr=8-1&amp;keywords=yubico+4&amp;linkCode=ll1&amp;tag=andreagrandi-21&amp;linkId=6da97357c6fe86ca94df918c172f6605">YubiKey</a> on any computer (for example your work laptop)
you need to at least import your public PGP key into the keyring. If the key is not
read automatically, you may need to give it a refresh using this command:</p>
<div class="highlight"><pre><span></span>user@debian:~$ gpg --card-status
</pre></div>


<h4>Careful with PINs</h4>
<p>Please remember that you can only digit a wrong user PIN for a maximum of three times.
After three time you will need to edit the <a href="https://www.amazon.co.uk/Yubico-Y-158-YubiKey-4-Black/dp/B018Y1Q71M/ref=as_li_ss_tl?ie=UTF8&amp;qid=1507054059&amp;sr=8-1&amp;keywords=yubico+4&amp;linkCode=ll1&amp;tag=andreagrandi-21&amp;linkId=6da97357c6fe86ca94df918c172f6605">YubiKey</a> (with <strong>gpg --card-edit</strong>) become admin
and use the <strong>unblock PIN</strong> option. If you digit the wrong admin PIN for three time, you will have
to follow a quite complicated procedure (explained at this address: <a href="https://developers.yubico.com/ykneo-openpgp/ResetApplet.html">https://developers.yubico.com/ykneo-openpgp/ResetApplet.html</a>)
and your <a href="https://www.amazon.co.uk/Yubico-Y-158-YubiKey-4-Black/dp/B018Y1Q71M/ref=as_li_ss_tl?ie=UTF8&amp;qid=1507054059&amp;sr=8-1&amp;keywords=yubico+4&amp;linkCode=ll1&amp;tag=andreagrandi-21&amp;linkId=6da97357c6fe86ca94df918c172f6605">YubiKey</a> will be reset with factory settings, deleting your PGP keys from it.</p>
<h3>References</h3>
<p>To write this tutorial I originally followed other articles online. The main ones are:</p>
<ul>
<li><a href="https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/">https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/</a></li>
<li><a href="https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/">https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/</a></li>
<li><a href="https://wiki.debian.org/Subkeys">https://wiki.debian.org/Subkeys</a></li>
<li><a href="https://www.paulfurley.com/gpg-for-humans-preparing-an-offline-machine/">https://www.paulfurley.com/gpg-for-humans-preparing-an-offline-machine/</a></li>
<li><a href="https://spin.atomicobject.com/2013/11/24/secure-gpg-keys-guide/">https://spin.atomicobject.com/2013/11/24/secure-gpg-keys-guide/</a></li>
<li><a href="https://rnorth.org/gpg-and-ssh-with-yubikey-for-mac">https://rnorth.org/gpg-and-ssh-with-yubikey-for-mac</a></li>
</ul>
<h4>Amazon Association disclaimer</h4>
<p>I'm trying a little experiment with the Amazon Association program. Basically, if you click
on any of the YubiKey links and decide to buy it, I will get a little commission from it.
I've never tried this before and I've no idea if it works or not. I'm writing this here just for the
sake of transparency.</p>
                <a class="readmore" href="https://www.andreagrandi.it/2017/09/30/configuring-offline-gnupg-masterkey-subkeys-on-yubikey/">read more</a>
<p><a href="https://www.andreagrandi.it/2017/09/30/configuring-offline-gnupg-masterkey-subkeys-on-yubikey/#disqus_thread">comments</a></p>                </div><!-- /.entry-content -->
            </article></li>
            </ol><!-- /#posts-list -->
<p class="paginator">
        <a href="https://www.andreagrandi.it/index.html">&laquo;</a>
    Page 2 / 50
        <a href="https://www.andreagrandi.it/index3.html">&raquo;</a>
</p>
            </section><!-- /#content -->
        <section id="extras" class="body">
                <div class="social">
                        <h2>social</h2>
                        <ul>
                            <li><a href="https://www.andreagrandi.it/feeds/all.rss.xml" type="application/rss+xml" rel="alternate">rss feed</a></li>

                            <li><a href="https://twitter.com/andreagrandi">twitter</a></li>
                            <li><a href="https://github.com/andreagrandi">github</a></li>
                        </ul>
                </div><!-- /.social -->
        </section><!-- /#extras -->

        <footer id="contentinfo" class="body">
                <p>
                    Powered by <a href="http://getpelican.com/">Pelican</a> and Python -
                    Source code available on <a href="https://github.com/andreagrandi/andreagrandi.it">GitHub</a>
                    <a rel="license" href="http://creativecommons.org/licenses/by-nc/4.0/">
                        <img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by-nc/4.0/80x15.png" />
                    </a>
                </p>
        </footer><!-- /#contentinfo -->

    <script type="text/javascript">
    var _gaq = _gaq || [];
    _gaq.push(['_setAccount', 'UA-2140684-3']);
    _gaq.push(['_trackPageview']);
    (function() {
        var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
        ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
        var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
    })();
    </script>
<script type="text/javascript">
    var disqus_shortname = 'andrea-grandi-it';
    (function () {
        var s = document.createElement('script'); s.async = true;
        s.type = 'text/javascript';
        s.src = '//' + disqus_shortname + '.disqus.com/count.js';
        (document.getElementsByTagName('HEAD')[0] || document.getElementsByTagName('BODY')[0]).appendChild(s);
    }());
</script>
</body>
</html>