In the above blog, it was seen that LibreOffice reads GPG's home directory, ~/.gnupg, in order to encrypt and decrypt documents. Because that directory sits in a standard location, malware can steal the private key from it.
It is possible, however, to move the private subkey to a Yubikey's OpenPGP card module. Once that is done, LibreOffice will wait for a valid Yubikey to be present before it can encrypt or decrypt the document.
Let’s make sure you have a private key pair in your key store.
> gpg --list-keys
uid [ultimate] Research Documents
The command above should show the uid of your key pair.
Make sure the secret key is backed up to a password manager such as KeePass before going any further.
> gpg --export-secret-keys Research > Research-Documents.key
Now let's edit the secret key.
> gpg --edit-key Research
Secret key is available.
pub 4096R/XXXXXXXX created: 2021-10-23 expires: xxxx usage: SC
trust: ultimate validity: ultimate
sub 4096R/XXXXXXXX created: 2021-10-23 expires: xxxx usage: E
[ultimate] (1). Xxxxxxxx (Research Documents)
Create and Transfer a Signing Subkey
From here we can create a signing subkey and move it to a smart card such as the Yubikey.
gpg> addkey
Please select what kind of key you want:
(3) RSA (sign only)
Your selection? 3
gpg> save
At this point you should have a master copy of the secret key in your password manager. If you do not, your secret will be lost forever inside the Yubikey smart card: moving keys to the Yubikey is a one-way operation, and they cannot be pulled back out.
Find the signing subkey, the one showing usage: S. Toggle to view the private (secret) parts of the key, then select the second key to mark the signing subkey.
gpg> list
sub 4096R/XXXXXXXX created: 2021-10-23 expires: xxxx usage: S
[ultimate] (1). Xxxxxxxx (Research Documents)
gpg> toggle
ssb 4096R/XXXXXXXX created: 2021-10-23 expires: never
gpg> key 2
ssb* 4096R/XXXXXXXX created: 2021-10-23 expires: never
Make sure your Yubikey is plugged in. Now transfer it.
gpg> keytocard
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1
ssb* 4096R/XXXXXXXX created: 2021-10-23 expires: never
card-no: 000x xxxxxxx
Transfer an Encryption Subkey
Let's select the encryption key. Notice how an asterisk appears next to the key you select.
gpg> list
sub 4096R/XXXXXXXX created: 2021-10-23 expires: xxxx usage: E
[ultimate] (1). Xxxxxxxx (Research Documents)
gpg> toggle
ssb 4096R/XXXXXXXX created: 2021-10-23 expires: never
gpg> key 1
gpg> key 2
ssb* 4096R/XXXXXXXX created: 2021-10-23 expires: never
Make sure your Yubikey is plugged in. Now transfer it.
gpg> keytocard
Please select where to store the key:
(2) Encryption key
Your selection? 2
ssb* 4096R/XXXXXXXX created: 2021-10-23 expires: never
card-no: 000x xxxxxxxx
Every time you open an encrypted LibreOffice document, it will look for your plugged-in Yubikey smart card and use its OpenPGP smart card keys.
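Because the transfer is one-way, it is worth confirming afterwards that the secret subkeys really are on the card and no longer in ~/.gnupg. The script below is an added example, not part of the original post: it parses the machine-readable output of gpg -K --with-colons, where field 15 of an ssb record carries the card serial number when the secret part lives on a smart card, "#" when the record is a bare stub, and is empty when the secret material is still in the local keyring. The listing it runs on is a constructed sample; the key IDs, creation timestamps and card serial are placeholders, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): report where each secret
# subkey in a `gpg -K --with-colons` listing is stored.

# Constructed sample standing in for the output of: gpg -K --with-colons
# Key IDs (AAAA..., BBBB..., ...) and the serial 000612345678 are placeholders.
# Field 15 of an ssb record: card serial, "#" for a stub, empty if on disk.
SAMPLE_LISTING='sec:u:4096:1:AAAAAAAAAAAAAAAA:1634947200::::::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::1634947200::0000000000000000000000000000000000000000::Research Documents::::::::::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1634947200::::::e:::000612345678:::23::0:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1634947200::::::s:::000612345678:::23::0:
ssb:u:4096:1:DDDDDDDDDDDDDDDD:1634947200::::::a::::::23::0:'

# subkey_locations: reads a colon-format listing on stdin and prints one
# line per secret subkey: "<keyid> <capability> <location>", where
# location is card:<serial>, stub, or disk.
subkey_locations() {
    awk -F: '$1 == "ssb" {
        loc = "disk"                              # empty field 15: secret part is in ~/.gnupg
        if ($15 == "#") loc = "stub"              # stub record with no secret at all
        else if ($15 ~ /^[0-9A-Fa-f]+$/) loc = "card:" $15   # secret part is on the smart card
        print $5, $12, loc
    }'
}

# count_on_disk: how many secret subkeys are still held in the local keyring.
# After a successful keytocard of both subkeys this should be 0.
count_on_disk() {
    subkey_locations | awk '$3 == "disk" { n++ } END { print n + 0 }'
}

# Run against the constructed sample; with a real keyring use:
#   gpg -K --with-colons | subkey_locations
printf '%s\n' "$SAMPLE_LISTING" | subkey_locations
printf 'subkeys still on disk: %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | count_on_disk)"
```

In the sample, the encryption (e) and signing (s) subkeys report card:000612345678 while the authentication (a) subkey still reports disk, so count_on_disk prints 1. The human-readable gpg -K output shows the same thing more tersely: subkeys stored on a card are listed as ssb> rather than ssb.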
Conclusion
If you already use symmetric encryption with LibreOffice, that is great: you resist the impact of a data breach. If you also use a Yubikey, however, you protect the private key used to encrypt your documents. It will no longer be on your computer but on your Yubikey smart card.
I hope this helps people protect their digital assets and resist the impact of data breaches.