Import Keys To Yubikey KSM

To import keys into the YK-KSM database from text files in the encrypted/signed KeyProvisioningFormat format, you can use the tool ykksm-import. The tool reads the data on standard input, and will import the data to the database. On any error, execution is aborted, so be careful about partial imports leaving the database in an intermediate state.

The tool requires that your system has a GnuPG private key, read Generate KSM Key on how to generate it.

For example, to import the file generated by the Generate Keys document:

user@ksm:~$ ykksm-import --verbose --database 'DBI:Pg:dbname=ykksm;host=127.0.0.1' --db-user ykksmimporter --db-passwd otherpassword < ~/keys.txt

You need a passphrase to unlock the secret key for
user: "YK-KSM crater Import Key"
2048-bit ELG-E key, ID 140A17F1, created 2009-12-14 (main key ID 8B88A11B)

Verification output:
[GNUPG:] ENC_TO 8C73EAF1140A17F1 16 0
[GNUPG:] USERID_HINT 8C73EAF1140A17F1 YK-KSM crater Import Key
[GNUPG:] NEED_PASSPHRASE 8C73EAF1140A17F1 AE7279678B88A11B 16 0
[GNUPG:] GOOD_PASSPHRASE
gpg: encrypted with 2048-bit ELG-E key, ID 140A17F1, created 2009-12-14
      "YK-KSM crater Import Key"
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 1260805257
gpg: Signature made Mon 14 Dec 2009 04:40:57 PM CET using DSA key ID 8B88A11B
[GNUPG:] SIG_ID YGplk8qkUkb75lY0aurb/iS1Oog 2009-12-14 1260805257
[GNUPG:] GOODSIG AE7279678B88A11B YK-KSM crater Import Key
gpg: Good signature from "YK-KSM crater Import Key"
[GNUPG:] VALIDSIG 9B1820A2F02E3C3B84E344F5AE7279678B88A11B 2009-12-14 1260805257 0 4 0 17 2 00 9B1820A2F02E3C3B84E344F5AE7279678B88A11B
[GNUPG:] TRUST_ULTIMATE
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
encrypted to: 8C73EAF1140A17F1
signed by: 8B88A11B

You need a passphrase to unlock the secret key for
user: "YK-KSM crater Import Key"
2048-bit ELG-E key, ID 140A17F1, created 2009-12-14 (main key ID 8B88A11B)

line: 1,cccccccccccb,d74fbdf6a890,82211e0854e7369e83d941f24761a84e,881ae7bee927,2009-12-14T16:40:57,
serialnr 1 publicName cccccccccccb internalName d74fbdf6a890 aesKey 82211e0854e7369e83d941f24761a84e lockCode 881ae7bee927 created 2009-12-14T16:40:57 accessed  eol
line: 2,cccccccccccd,7a5ad1886b70,3091a8048524ab8407ae816457d764e5,8e5ab609e346,2009-12-14T16:40:57,
serialnr 2 publicName cccccccccccd internalName 7a5ad1886b70 aesKey 3091a8048524ab8407ae816457d764e5 lockCode 8e5ab609e346 created 2009-12-14T16:40:57 accessed  eol
line: 3,ccccccccccce,981abbbeafb8,91be4bfd2f40e24ebd39386868aa9619,037b6f6ae73c,2009-12-14T16:40:57,
serialnr 3 publicName ccccccccccce internalName 981abbbeafb8 aesKey 91be4bfd2f40e24ebd39386868aa9619 lockCode 037b6f6ae73c created 2009-12-14T16:40:57 accessed  eol
line: 4,cccccccccccf,c1f33c17f77b,a2389839d7b80bfe4c80258184aff4ce,abf92cbbdab3,2009-12-14T16:40:57,
serialnr 4 publicName cccccccccccf internalName c1f33c17f77b aesKey a2389839d7b80bfe4c80258184aff4ce lockCode abf92cbbdab3 created 2009-12-14T16:40:57 accessed  eol
line: 5,cccccccccccg,c55773192393,7387b5f6bede83f64a9cd75b2023826a,d70c937bbbff,2009-12-14T16:40:57,
serialnr 5 publicName cccccccccccg internalName c55773192393 aesKey 7387b5f6bede83f64a9cd75b2023826a lockCode d70c937bbbff created 2009-12-14T16:40:57 accessed  eol

user@ksm:~$

When importing large data sets it is recommended to avoid the --verbose flag to reduce noise.

To test the import, you can attempt to decrypt an (invalid) OTP for one of the AES keys. Like this:

user@ksm:~$ curl 'http://localhost/wsapi/decrypt?otp=cccccccccccdvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv'
ERR Corrupt OTP
user@ksm:~$

In the system log file /var/log/ykksm.log you should get this error:

Dec 14 17:20:08 crater ykksm[12693]: UID error: cccccccccccdvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv a515841f249c5f4bb8e9007ab0f7ac2b: a515841f249c vs 7a5ad1886b70

Note that the actual values may differ slightly because the AES key you generated was random.