Prep Live USB

GPG key generation should be done on an air-gapped, temporary, encrypted OS to minimize exposure of the secret key. Create a persistent partition so that packages can be installed and updated as needed (e.g. Yubikey manager). Do all GPG operations offline, with the sole exception of uploading public keys to services.

Set a root password.


Do not store secret material directly on live USB filesystems.


Network access is required for this step only; disable it once the packages are installed.

Update and install the Yubikey management packages. software-properties-common must be installed first, since it provides apt-add-repository.
apt update && apt upgrade
apt install software-properties-common
apt-add-repository ppa:yubico/stable
apt update
apt install yubikey-manager yubikey-manager-qt scdaemon hopenpgp-tools gpg


yubikey-manager-qt is a GUI front end with limited functionality, but it offers an easy way to confirm that specific applets are enabled. scdaemon provides the smartcard support that gpg needs to talk to the Yubikey.


On Ubuntu 18.04+, add the universe and multiverse components to every apt source line in /etc/apt/sources.list, otherwise some of the packages above will not be found.
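The two guarantees this section relies on, that the box is offline before any key material exists and that secret material never lands on the live USB filesystem, can be checked rather than assumed. The script below is an added example, not part of the original guide; it parses the output of ip -o link and the contents of /proc/mounts (both assumed to be in their usual Linux formats) and treats /dev/shm as the tmpfs that a RAM-backed GNUPGHOME can live on. The sample listings embedded in it are constructed so the checks run offline.

```shell
#!/bin/sh
# Added example: pre-flight checks for the offline GPG session on the live USB.
# Each check takes the text it inspects as an argument, so it can be run
# against constructed input here and against the real system in
# check_live_system().

# Print the names of non-loopback interfaces whose flag set contains UP.
# Input: "ip -o link" style lines, i.e. "<idx>: <name>: <FLAGS> ...".
up_ifaces() {
    printf '%s\n' "$1" | awk -F': ' '$2 != "lo" && $3 ~ /(<|,)UP(,|>)/ { print $2 }'
}

# Return 0 (offline) when no non-loopback interface is UP.
ifaces_all_down() {
    [ -z "$(up_ifaces "$1")" ]
}

# Print the filesystem type backing PATH according to a /proc/mounts style
# listing; the longest matching mount point wins, exactly as the kernel resolves it.
fs_type_of() {
    path="$1"; mounts="$2"
    printf '%s\n' "$mounts" | awk -v p="$path" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); type = $3 }
            }
        }
        END { print type }'
}

# Return 0 when PATH is RAM-backed (tmpfs), so the keyring vanishes at shutdown
# instead of being written to the live USB or its persistent partition.
on_tmpfs() {
    [ "$(fs_type_of "$1" "$2")" = "tmpfs" ]
}

# Create a RAM-backed GNUPGHOME under /dev/shm (assumed to be tmpfs, as it is
# on Ubuntu live media) with the 0700 mode gpg expects.
mk_ram_gnupghome() {
    dir=$(mktemp -d /dev/shm/gnupg.XXXXXX) || return 1
    chmod 700 "$dir"
    echo "$dir"
}

# Run both checks against the running system (assumes ip(8) and /proc/mounts).
check_live_system() {
    links=$(ip -o link)
    ifaces_all_down "$links" || {
        echo "interfaces still UP: $(up_ifaces "$links")" >&2; return 1; }
    on_tmpfs "${GNUPGHOME:-$HOME/.gnupg}" "$(cat /proc/mounts)" || {
        echo "GNUPGHOME is not RAM-backed" >&2; return 1; }
    echo "offline and GNUPGHOME on tmpfs"
}

# Constructed sample data (not captured from a real machine).
SAMPLE_LINKS_UP='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: wlp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000'
SAMPLE_LINKS_DOWN='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: enp0s3: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000
3: wlp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000'
SAMPLE_MOUNTS='/cow / overlay rw,noatime 0 0
/dev/sda1 /cdrom vfat ro,noatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /media/persistent ext4 rw 0 0'

# Usage on the live system, after the packages are installed and the
# network has been disabled:
#   GNUPGHOME=$(mk_ram_gnupghome) && export GNUPGHOME && check_live_system
```

The mount check deliberately resolves the longest matching mount point rather than looking only at the root filesystem: on a live image the root is an overlay, the persistent partition is a separate mount, and only a path under a tmpfs mount such as /dev/shm keeps the secret key out of both. Run check_live_system again before the first gpg --full-generate-key; if it reports an interface still UP, bring it down before continuing.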