How to generate and store a RSA key into the YubiKey

I have stored my RSA private keys in my PC’s hard drive, since a short time ago I bought a YubiKey, which makes it possible to store my private key in a safe place. The YubiKey is a hardware authentication device manufactured by Yubico that supports one-time passwords, public-key cryptography and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols. In this tutorial, I’m going to generate a new RSA key and store it into my YubiKey.

What makes the YubiKey storage to be better than store RSA key into the hard drive, is that when RSA key is stored into the YubiKey, it’s not possible to get it back again. It means that, if I don’t physically lost my YubiKey device, I can be sure that nobody doesn’t have a copy of my RSA key.

There is two options to generate your RSA key. The first one is to use the YubiKey’s built-in GPG and generate a new RSA key pair inside of the key. This option’s advantages is that your private key hasn’t ever been on any other device, but disadvantages is that you can’t create a backup YubiKey with the same RSA key. Therefore this options advantages is the same time it’s disadvantages. The second option is that you generate the private key externally from the YubiKey by your computer.

I decided to go with the second option, because I want to make a backup key with the same RSA key.

This tutorial is following pretty much of this tutorial and here is Yubico’s official tutorial.

I highly recommend you to generate your private key in the live linux distribution and offline! Live linux is running in the RAM, so once you shutdown the OS all it’s data is gone, which means that your private key hasn’t ever been in the hard drive, only in the RAM.

Generate GPG master, sub and revocation keys

$ gpg --quick-generate-key "Firstname Lastname <[email protected]>" rsa4096 cert,sign 5y
$ gpg --gen-revoke 1234ABCD > 1234ABCD-revocation.asc
-> Select 3
-> Enter
-> y
$ gpg --quick-add-key rsa4096 encrypt 5y
$ gpg --export-secret-keys > yourname_1234ABCD_secret-key.asc
$ gpg -a --export 1234ABCD >

Move secret keys into the YubiKey

$ gpg --edit-key 1234ABCD
-> keytocard
-> 1
-> keytocard
-> 3

In addition to this, I moved those three files (yourname_1234ABCD_secret-key.asc, and 1234ABCD-revocation.asc) just in case to the USB stick, which I kept in a safe place. Also I did another backup YubiKey, which I will do next.

Backup a YubiKey

Follow these instructions, if you would like to copy the previous generated key to the another YubiKey. For some reason GPG prevents to move the secret key into two devices and it gives a following error message:

gpg: KEYTOCARD failed: Unusable secret key

I found discussion about this topic here.

The workaround is to delete ~/.gnupg directory and then import your secret key again. Caution! In this step I’m going to delete my whole gpg keyring and after that all it’s secrets is gone! If you understand what we are going to do, run the following commands:

$ rm -r ~/.gnupg
$ gpg --import yourname_1234ABCD_secret-key.asc

And then repeat a last chapter “Move secret keys to YubiKey”.

Other usefull gpg commands

$ gpg --card-status
$ gpg -k
$ gpg --list-keys
$ gpg --with-keygrip -k
$ gpg -K
$ gpg --list-secret-keys

[Solved] Lenovo lagging while browsing

I came across with frustrating problem when I deployed my new Lenovo ThinkPad T570 laptop. Screen keeps freezing and lagging all the time. Things getting worse during I browsing with Chrome, laptop was totally useless. I had up-to-date Windows 10 operating system and also I had updated my all drivers including BIOS. Luckily for I seen as soon that I wasn’t only one who has got this problem.

The problem occurs only when laptop’s AC is plugged off. It depends on battery usages, when computer used on battery it turns on battery save mode which turns “System cooling policy” from Active to Passive, and low down computer’s power for getting longer battery usage.

My college have also same laptop as me, and he has experienced the same problem. Fortunately I finally found the solution which helps both of us and seems that it has really works. The solution is change your computer’s Power Plan’s Cooling policy to Active mode:

  1. Go to “Control Panel” -> “Hardware and Sound” -> “Power Options” -> “Edit Plan Settings” -> “Change advanced power settings”.
  2. Expand “Processor power management” -> “System cooling policy” -> Change “On battery” from Passive to Active.

This solution is tested with two Lenovo T570 laptops, and I expect it works too with Lenovo Yoga models.

I really appreciate if everyone who will test this method could also leaves comment on this post does it works.

Post which related on this problem:

How to generate GPG keys and encrypt files

GNU Privacy Guard or better known as GPG is public key cryptography implementation and it is free software replacement for the Symantec’s PGP cryptographic.
In this post I will show you how to generate new GPG key pairs and encrypt or/and signature files.

Generate new GPG key pair

At beginning we have to generate public and private key pair using gpg --gen-key. This introductions follow way how I did my GPG keys, but if you would like to know more about every step I recommend go to look at

$ gpg --gen-key
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?

Select 1 (default) and press Enter.

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

Default 2048 bits long key enough for me, so I press Enter.

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

I use default value 0 (key does not expire).

Key does not expire at all
Is this correct? (y/N)

If you also choose no expire, then press y and Enter.

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <[email protected]>"

Real name: Niko Kiuru
Email address: [email protected]
Comment:You selected this USER-ID:
    "Niko Kiuru <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

Give your real name, email address and comment section is optional, I left it empty. And when your identify information is inputted, press O.
Now new key pair located in ~/.gnupg/ -directory.

List of keys

When we are created one key in keyring, we can list all our keys to terminal.

$ gpg --list-keys
pub   2048R/AAAAXXXX 2015-10-04
uid                  Niko Kiuru <[email protected]>
sub   2048R/BBBBXXXX 2015-10-04

Pub section tell us my master key User ID, which are in my option AAAAXXXX.

Encrypt file

We are generate new key pair and we are looking for how it looks like from terminal. Now we will encrypt one file.
First write some text file which we would like to encrypt later.

$ echo "Hello GPG! I would like to encrypt this messages" > hello
$ cat hello
Hello GPG! I would like to encrypt this messages

Okay, now we have a file, and we are wrote some message from there. Next I would like to encrypt and signature that file by my GPG private key. When I encrypt file, I have to specify which is my master key’s User ID. Command gpg --list-keys show all my keys and I selected my key.

$ gpg -r AAAAXXXX -e hello

Encrypted file is named by hello.gpg which are binary format encrypted file. There is only one way to open this file, and it is decrypt file by your private key. Next we decrypt this file.

$ gpg hello.gpg

You need a passphrase to unlock the secret key for
user: "Niko Kiuru <[email protected]>"
2048-bit RSA key, ID BBBBXXXX, created 2015-10-04 (main key ID AAAAXXXX)

gpg: encrypted with 2048-bit RSA key, ID BBBBXXXX, created 2015-10-04
      "Niko Kiuru <[email protected]>"
Hello GPG! I would like to encrypt this messages

Print tells that I am signature file by myself, and at the end of print is my encrypted message.

Simple passphrase protected file

If you would like to protect some file in simple, you can also use symmetric protection which are protected via passphrase.
Write some file and encrypt it.

$ echo "Hello GPG! This file will be passphrase protected." > hello
$ gpg -c hello

Now you have to give some passphrase, and then file hello.gpg is the same file but encrypted. In default gpg use CAST5 cipher algorithm for encrypt symmetric files. You can decrypt hello.gpg by command gpg hello.gpg.

$ gpg hello.gpg
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected


Nordea tunnusluvut-sovellus ja rootattu puhelin

Käyn kirjoituksessa läpi kuinka saat käyttöönotettua Nordea tunnusluvut-sovelluksen rootatulla Android puhelimella. Esittämäni tapa on vain yksi keino muiden joukossa ja sivun kommenteista löydätte paljon muita neuvoja.


Nordea julkaisi mennellä viikolla uuden tunnusluvut-sovelluksen, joka poistaa kokonaan tarpeen käyttää vanhaa paperista tunnuslukukorttia. Isolle osalle Android-puhelimen omistajista jäi kuitenkin karvas maku suuhun, kun Nordea oli tietoturvauhkaan vedoten estänyt sovelluksen käytön rootatussa Android-puhelimessa. Väitteen tietoturvauhasta tekee hauskaksi se, että tunnetusti Android-puhelinvalmistajat eivät ole ahkerasti päivittäneet vanhoja puhelinmallejaan, vaan he keskittyvät lähinnä uusimpiin puhelinmalleihin ja niiden päivityksiin. Monet ovatkin tästä johtuen joutuneet turvautumaan kolmannen osapuolen kustomoituihin ROMeihin (ei virallinen käyttöjärjestelmä), jotka ovat tuoneet puhelimeen päivittyneemmän Android version, ja näin ollen nimenomaan parantaneet omaa tietoturvaansa. Tunnetuimpana näistä toimii CyanogenMod. Kustomoidun ROMin asennus vaatii puhelimen roottauksen, eli toisin sanoen se antaa käyttäjällensä valtuuden kirjoittaa uuden ROMin vanhan päälle. Korjattu: ROMin ei tarvitse olla rootattu, mutta kyseessä on myös periaate – eikö minulla saisi olla omistamaani puhelimeen kaikkia oikeuksia?

Tunnusluvut-sovellus ilmoittaa seuraavasti rootatun puhelimen
“Laitteesi käyttöjärjestelmä näyttää olevan murrettu. Sovelluksen käyttö ei ole sallittua murretulla käyttöjärjestelmällä tietoturvasyistä.”.

Sama englanninkielisellä käyttöliittymällä:
“Your phone seems to be rooted/jailbroken. Application usage is not allowed with such a device for security reasons.”.

Kuinka kiertää rajoitus?

Xposed Framework

Tällä hetkellä helpoin tapa kiertää rajoitus on käyttää Xposed Frameworkin päälla rakennettua Nordea RootBypasser -moduulia. Ikävänä puolena on se, että Xposed Framework ei toimi uusimmissa Android versiossa, joka rajaa paljon sen käyttöä.

Patch APK

Toinen tapa on noudattaa Razerin julkaisemaa ohjetta, jossa muokataan pois tarkistus itse apk:sta. Ohjeet löydät seuraavan linkin takaa:

Kuinka rajoituksen sai kierrettyä vanhoissa versioissa?

Tämä kappale on vanhentunut. Suosittelen ensisijaisesti kokeilemaan edellä mainittuja tapoja.

Android-puhelimessa ei ole mitään suoranaista tapaa tarkistaa onko puhelin rootattu tai ei, joka on hyvä meidän kannalta, jotka haluamme saada Nordean tunnusluvut-sovelluksen toimimaan rootatussa Android-puhelimessa. Alla on ohjeet, kuinka voit kiertää Nordean tunnusluvut-sovelluksen tekemän tarkistuksen rootatussa Android-puhelimesta.

Nordean tunnusluvut-sovellus yrittää etsiä su-binääritiedostoa /system/bin ja /system/xbin hakemistoista, joka kertoo sen onko puhelin rootattu. Yksinkertainen ratkaisu on siis nimetä uudelleen su-tiedoston nimi toiseksi kuin sen oletus on. Ohjeissani se on nimetty subackup nimiseksi.

– CyanogenMod 10.2.0-i9300


Aja seuraavat komennot puhelimen Terminalissa tai adb shellissä, ja nauti Nordea tunnusluvut-sovelluksesta

$ su
$ mount -o remount,rw /system /system
$ cd /system/bin
$ mv su subackup
$ cd /system/xbin
$ mv su subackup
$ mount -o remount,ro /system /system
$ exit

Ohjeet vaiheittain selitettynä

Asenna Terminal Emulator.

Nosta Terminal Emulatorissa käyttöoikeutesi super-käyttäjän tasolle

$ su

Meidän pitää uudelleen nimetä /system-hakemiston alla olevaa tiedostoa. Oletuksena /system on mountattu vain lukuoikeuksilla, joten ensimmäiseksi meidän on lisättävä siihen mukaan myös kirjoitusoikeudet.

$ mount -o remount,rw /system /system

Siirrytään /system/bin-hakemistoon ja muutetaan su tiedoston nimeksi subackup. Sama tehdään myös /system/xbin-hakemiston alle.

$ cd /system/bin
$ mv su subackup
$ cd /system/xbin
$ mv su subackup

Muutetaan /system-hakemistoon takaisin vain lukuoikeudet ja poistutaan hallitusti super-käyttäjän oikeuksista

$ mount -o remount,ro /system /system
$ exit

Tämän jälkeen Nordean tunnusluvut-sovellus ei enää herjaa rootatusta puhelimesta.

Päivitetty: 02.07.2017

Hide Apache server signature

In default Apache write server signatures to HTTP-responses. In production server this is not recommended action, because it gives more attacking area to criminals. Web servers would like to advice themselves and that is the reason why they add their signatures in default to HTTP-responses.

In this post I will show you how to hide unnecessary Apache server signature.

Tested on Ubuntu 14.04 and Ubuntu 12.04.

At beginning

you can watch how your server HTTP-response looks like now. Do HTTP-request e.g. with curl:

$ curl -I

There is your HTTP-header and now you see exactly what all informations Apache gives to client. We still want to limit information of our server from outside.

Hide Apache signatures

At first open Apache configuration file apache2.conf

$ sudoedit /etc/apache2/apache2.conf

Add two lines on below to apache2.conf

ServerTokens Prod
ServerSignature Off

Save file and reload Apache daemon

$ sudo service apache2 reload

Hide also information of PHP

If you are using PHP HTTP-header also contain some information of PHP. Here is the way how to hide it.

Open php.ini

$ sudoedit /etc/php5/apache2/php.ini

In default expose_php is set to On, but now you take it Off

; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header).  It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
expose_php = Off

After changes you have to reload Apache

$ sudo service apache2 reload

Now you’re a little further safe.

© 2021 Niko Kiuru

Theme by Anders NorenUp ↑