1. 15

  2. 9

    I’ve used the YubiKey, GPG smart cards, and crypto keys (USB GPG smart cards) for a while and let me tell you, it’s a real pain. I ran into the following kinds of problems:

    • Difficulty getting the smart cards to work across machines (I have separate work, dev, and personal machines),
    • Difficulty getting them working on anything other than Debian/Ubuntu,
    • Difficulty getting the smart card daemon software set up properly (I have checklists for this now),
    • System updates occasionally broke everything.

    I’ve worked in places that required this level of security given, I’ve written smart card software, and in general I’m fairly competent at this. However, it seems like entirely too much work for anyone but security enthusiasts.

    1. 6

      I used a YubiKey with GPG/SSH for a while, and it was a big hassle. First, you need to have the right combination of pcscd and friends, then you have to configure the GnuPG agent so the socket is available to SSH. To make things worse, the installation process changes from Linux to Linux and to OS X. And this is not counting the work of setting up the YubiKey itself. Finally, only the larger YubiKey can be used with an Android phone.

      1. 5

        I love how there are 3 comments with 3 different experiences about setting this up here. Given all the trouble, it’s no wonder it’s not in vogue….

        1. 1

          To be honest that seems to be pretty common in general for things like GPG from my own experience.

          1. 1

            Oh, for sure! GPG isn’t really user friendly at all. Keybase helps a bunch though, for sure.

        2. 3

          I’ve been using one for a few weeks. I’m using it on Void Linux and FreeBSD, and the setup was not too hard. I really like how it works, especially the added security of a physical button push to actually do the crypto, so even if some software logs your pin, it can still not use your key without you knowing.

          It has greatly simplified key management across machines for me, too. I can recommend it, but you can probably get a more flexible setup from smartcards and readers.