Prep Live USB
GPG key generation should be done on an air-gapped, temporary, encrypted OS (a live USB session) to minimize exposure of the secret key. Create a persistent disk so that packages can be installed and updated as needed (e.g. YubiKey Manager). All GPG operations should be done offline; the only exception is uploading public keys to services.
Set a root password.
Danger
Do not store secret material directly on live USB filesystems.
Note
Network access is required for this step. Disable it once the packages are installed, before any key material is generated.
apt update && apt upgrade
apt install software-properties-common
apt-add-repository ppa:yubico/stable
apt update
apt install yubikey-manager yubikey-manager-qt scdaemon hopenpgp-tools gpg
Note
yubikey-manager-qt is a GUI frontend with limited functionality, but it provides an easy way to verify that specific applets are enabled. scdaemon provides the smartcard support gpg needs to talk to the YubiKey. Note that apt-add-repository is shipped by software-properties-common, so that package must be installed before the Yubico PPA can be added.
Hint
Ubuntu 18.04+ needs the universe and multiverse repositories added to all apt sources in /etc/apt/sources.list before the packages above can be installed.
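The following script is an added example, not part of the original guide: it wraps the package setup above in the correct order (software-properties-common before adding any repository, universe/multiverse before the PPA), then provides a check that every non-loopback interface is administratively down before gpg is invoked. It assumes an Ubuntu/Debian live session with apt, sysfs and nmcli available; the function names (install_prereqs, network_is_down, go_offline, offline_gpg) are this example's own.

```sh
#!/bin/sh
# Added example for the live-USB prep step (not from the original guide).
# Assumes an Ubuntu/Debian live session; function names are hypothetical.

# Install the tools in dependency order: add-apt-repository comes from
# software-properties-common, so that package goes first, and the
# universe/multiverse repositories must exist before the PPA packages
# can be resolved on Ubuntu 18.04+.
install_prereqs() {
    apt update && apt upgrade -y
    apt install -y software-properties-common
    add-apt-repository -y universe
    add-apt-repository -y multiverse
    add-apt-repository -y ppa:yubico/stable
    apt update
    apt install -y yubikey-manager yubikey-manager-qt scdaemon hopenpgp-tools gpg
}

# Return 0 only if every non-loopback interface under the given sysfs
# tree (default /sys/class/net) reports operstate "down". Anything else
# ("up", "unknown", "dormant", missing file) is treated as not offline,
# which is the conservative choice for an air-gapped key ceremony.
network_is_down() {
    sysfs_net="${1:-/sys/class/net}"
    for dev in "$sysfs_net"/*; do
        [ -e "$dev" ] || continue
        name=$(basename "$dev")
        [ "$name" = lo ] && continue
        state=$(cat "$dev/operstate" 2>/dev/null || echo unknown)
        if [ "$state" != down ]; then
            echo "interface $name is $state, not down" >&2
            return 1
        fi
    done
    return 0
}

# Take the live session offline: stop NetworkManager networking, block all
# radios, and force every non-loopback link down. Requires root.
go_offline() {
    nmcli networking off 2>/dev/null || true
    rfkill block all 2>/dev/null || true
    for dev in /sys/class/net/*; do
        name=$(basename "$dev")
        [ "$name" = lo ] && continue
        ip link set dev "$name" down
    done
}

# Run gpg with the given arguments only if the box is verifiably offline.
offline_gpg() {
    if ! network_is_down; then
        echo "refusing to run gpg while a network interface is up" >&2
        return 1
    fi
    gpg "$@"
}

case "${1:-}" in
    install) install_prereqs ;;
    offline) go_offline ;;
    check)   network_is_down && echo "offline" ;;
esac
```

Usage: `sh prep.sh install` while networking is still enabled, then `sh prep.sh offline` and `sh prep.sh check` before starting key generation; `offline_gpg --expert --full-generate-key` refuses to run if any link is still up. The check reads only sysfs operstate, so it does not detect a USB tethering device plugged in after the check; re-run it immediately before each gpg operation.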