YubiKey Provisioning
https://github.com/DefGuard/YubiKey-Provision
Our provisioning client allows you to easily populate the OpenPGP application on a YubiKey, and share its public information inside Defguard.
It's completely safe, we are not storing private keys. Every key is provisioned inside an encapsulated session so any gpg related files are deleted right after the process ends successfully or not. Only public PGP and SSH keys are sent to Defguard so you can access them at any time.
Currently, we provide Linux .rpm and .deb packages alongside Docker image, but provisioning clients can also be compiled and run under Windows and MacOS.
Note that if you decide to use Docker, make sure your container has access to host machine devices; otherwise you will encounter a `No keys detected` error.

All of the available options are described in help:

```
yubikey-provision -h
```
Configuration can be provided on the CLI with options, in environment variables, or via a `.env` file.

Name | Description | Required | CLI option | Environment variable | Default value |
---|---|---|---|---|---|
Provisioner ID | Shown in Defguard UI | | `--id` | `WORKER_ID` | `YubikeyProvisioner` |
Log level | Sets logging level | | `--log-level` | `LOG_LEVEL` | `info` |
GRPC Endpoint | URL of your Defguard instance GRPC endpoint | | `--grpc` | `GRPC_URL` | |
Authorization Token | Authorization token found in Defguard UI on the Provisioners page | | `--token` | `DEFGUARD_TOKEN` | |
Detection retries | How many times the provisioner will check for YubiKey presence in the system before abandoning the process | | `--smartcard-retries` | `YUBIKEY_RETRIES` | `1` |
Retry interval | How long the provisioner will wait between retries (in seconds) | | `--smartcard-retry-interval` | `YUBIKEY_RETRY_INTERVAL` | `15` |
GPG debug level | Sets debug level for the gpg command during gpg operations | | `--gpg-debug-level` | `GPG_DEBUG_LEVEL` | `none` |
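As an added example, not code from the DefGuard project: a POSIX shell script that writes a constructed `.env` in the format above, loads and validates it, and assembles the `yubikey-provision` command line from the documented options. The file path, endpoint, token and Docker image name are placeholders, `--device /dev/bus/usb` is assumed to be the Docker flag that gives the container the host devices the Docker note above asks for, and the `write_sample_env`, `load_env_file`, `validate_config`, `build_args` and `docker_run_cmd` helpers are hypothetical (the last one only prints the command). The token is kept in `DEFGUARD_TOKEN` rather than passed as `--token`, so it never shows up in process listings.

```shell
#!/bin/sh
# Added example (not part of the DefGuard/YubiKey-Provision project): load the
# provisioner settings from a .env file, check the values that have no default in
# the table above (GRPC_URL, DEFGUARD_TOKEN), and assemble the yubikey-provision
# command line from the documented CLI options. The sample .env contents, the
# endpoint/token values and the Docker image name are constructed placeholders.

# Write a constructed sample config. The same KEY=VALUE format is what
# `docker run --env-file` reads, so one file serves both the native and Docker paths.
write_sample_env() {
  cat > "$1" <<'EOF'
# constructed sample, not a real instance
GRPC_URL=https://defguard.example.internal:50055
DEFGUARD_TOKEN=PLACEHOLDER_TOKEN_FROM_PROVISIONERS_PAGE
WORKER_ID=office-provisioner
YUBIKEY_RETRIES=3
EOF
  chmod 600 "$1"   # the file holds the authorization token; keep it owner-readable only
}

# Export KEY=VALUE lines from a .env file; blank lines, comments and lines
# without '=' are skipped. Values are taken literally (no quote stripping).
load_env_file() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; *=*) ;; *) continue ;; esac
    export "${line%%=*}=${line#*=}"
  done < "$1"
}

# Fail early on the settings the provisioner cannot default, and on non-numeric
# retry values, instead of discovering the problem after the YubiKey is inserted.
validate_config() {
  [ -n "${GRPC_URL:-}" ] || { echo "GRPC_URL (--grpc) is not set" >&2; return 1; }
  [ -n "${DEFGUARD_TOKEN:-}" ] || { echo "DEFGUARD_TOKEN (--token) is not set" >&2; return 1; }
  case "${YUBIKEY_RETRIES:-1}" in
    ''|*[!0-9]*|0) echo "YUBIKEY_RETRIES must be a positive integer" >&2; return 1 ;;
  esac
  case "${YUBIKEY_RETRY_INTERVAL:-15}" in
    ''|*[!0-9]*) echo "YUBIKEY_RETRY_INTERVAL must be a whole number of seconds" >&2; return 1 ;;
  esac
}

# Print the command line, one argument per line; defaults mirror the table.
# The token is intentionally NOT passed as --token: it stays in DEFGUARD_TOKEN,
# so it never appears in `ps` output or /proc/<pid>/cmdline.
build_args() {
  printf '%s\n' yubikey-provision \
    --grpc "$GRPC_URL" \
    --id "${WORKER_ID:-YubikeyProvisioner}" \
    --log-level "${LOG_LEVEL:-info}" \
    --smartcard-retries "${YUBIKEY_RETRIES:-1}" \
    --smartcard-retry-interval "${YUBIKEY_RETRY_INTERVAL:-15}"
  # Only forward the gpg debug level when it was set explicitly.
  [ -z "${GPG_DEBUG_LEVEL:-}" ] || printf '%s\n' --gpg-debug-level "$GPG_DEBUG_LEVEL"
}

# Docker variant: the container needs the host's USB devices, otherwise the
# provisioner reports "No keys detected". Image name and tag are placeholders.
docker_run_cmd() {
  printf 'docker run --rm --env-file %s --device /dev/bus/usb %s\n' \
    "$1" "defguard/yubikey-provision:PLACEHOLDER_TAG"
}

# Demo run on the constructed config; nothing here contacts a Defguard instance.
demo_env=$(mktemp)
write_sample_env "$demo_env"
load_env_file "$demo_env" && validate_config && build_args && docker_run_cmd "$demo_env"
rm -f "$demo_env"
```

To use it for real, replace the constructed values with your instance's GRPC endpoint and the token from the Provisioners page, keep the file at mode 600, and either run the printed native command or the printed `docker run` line; with the variables exported, `yubikey-provision` can also be started with no options at all, since the environment variables in the table are read directly.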
To register a new provisioning client you will need an access token provided by your instance. You can find it in the info card on the "Provisioners" page.
You can see available clients in the Defguard web application under the "Provisioners" tab.

To provision the key:

1. Select the user from the "Users" page in the Defguard web application (or go to "My Profile" if you're provisioning a key for yourself).
2. Insert a YubiKey into the machine that is running the provisioner client.
3. Select "Provision YubiKey" from the actions menu for the user in the list.
4. Select your provisioner and click the "Provision YubiKey" button.
The service will take a short moment to prepare and provision your keys. Once that's done you'll see a modal with your public keys that are now stored in Defguard. If the process fails for some reason, you will see a short error reason returned by the provisioner.

If the client does not detect your YubiKey, unplugging it and plugging it back into your machine may help. If you are running on Linux, try restarting the pcscd service. If you are using the Docker image, make sure the container has access to your host devices.