1. 30
  1.  

  2. 8

    Paperkey https://www.jabberwocky.com/software/paperkey/ is another option for physical backup. I’d also like to point out that the yubikey 5 DOES support ECC but you need the newer version of it with updated firmware, a disappointing revelation I ran into as well.

    If you’re interested, a decent way to post your public key is with keybase. In days of yore, you’d upload to a keyserver but that depended on good faith actors and experienced an attack a while ago. It seems to remain vestigial in a lot of software. Trust chains are a major part of this and having a place to do this is useful.

    I also prefer to make an ultimate trust key that is only on backup that signs and makes my yk root, that has its own subkeys. With that air gapped, never online key, you can have it not expire thus maintaining trust signatures.

    One more note, you should also make sure you generate revocation certs and keep those backed up as well. Ideally your authorized keys on your server should check a known keyserver location for revocation prior to authorizing a user. If a key is compromised and you revoke it, it doesn’t matter if your server never checks to see if it has been revoked

    1. 2

      5 DOES support ECC but you need the newer version of it with updated firmware

      Yes, you missed the footnote.

      ? Paperkey https://www.jabberwocky.com/software/paperkey/ is another option for physical backup

      Indeed! Thanks for the link. Though I might do something similar with QR codes.

      One more note, you should also make sure you generate revocation certs and keep those backed up as well. Ideally your authorized keys on your server should check a known keyserver location for revocation prior to authorizing a user. If a key is compromised and you revoke it, it doesn’t matter if your server never checks to see if it has been revoked

      That’s a good improvement.

    2. 3

      I’d like to set up my Yubikey for all of this, but good grief, it looks like a long slog. Key topologies? Seriously?

      For the average coder not working in a highly-secure environment, the effort doesn’t seem worth the reward.

      1. 2

        but good grief, it looks like a long slog. Key topologies? Seriously?

        That’s exactly why I wrote scripts to automate it.

      2. 2

        I don’t like how they use the old-fashioned GPG SSH auth, when the new U2F auth built into openSSH is a lot easier to set up and use.

        1. 2

          Well, the new key types aren’t supported everywhere yet.

          1. 2

            True, but it requires server support and configuration.

            1. 1

              Doesnt require special configuration on the server, only that the openSSH version on it is recent enough.

            2. 1

              Are you able to use openSSH’s U2F while using the hardware key for other things, like GPG keys, or is it one or the other?

              1. 2

                I use both. I have a resident SSH key (ed25510-sk) on it, and also a PGP key with subkeys. And I also use it for fido2 u2f with sites like gitlab etc.

                1. 1

                  Thanks for the reply. What model YubiKey do you use? I’m thinking of getting one soon.

                  1. 2

                    I have two yubikey 5 NFC. One on my keyring, one at home.

              2. 1

                SSH auth is only a part of the article. It also mentions integration with Pass, which can be encrypted with GPG, which works with YubiKey. I don’t know if it can be encrypted with an SSH key that’s stored on a YubiKey?

                1. 2

                  I don’t recall if pass supports encrypting secrets for multiple keys, this being the reason why I migrated to gopass a long time ago, but for the later you can have your secrets encrypted for both (or multiple) gpg keys, one of which can be on the Yubikey. I’ve been using this setup for a number of years and it’s pretty good. It allows for key rotation a lot better than a single key setup.

                  1. 2

                    Pass does permit multiple keys. You can provide any number to pass init as arguments. I believe there’s also a facility to make different parts of the hierarchy use different keys, but I haven’t used it. Incidentally, you can use pass init with an existing database to re-key the whole thing.

                    1. 1

                      That’s great to hear. Gopass in the past year or two has had a habit of bolting a couple of kitchen sinks to their functionality.

                  2. 1

                    You can have both ssh keys and GPG keys on the yubikey. Multiple of each even.

                2. 1

                  Great article, I had set up a couple of the things from the article already, but I haven’t been able to get SSH authentication to work. This is a great motivator to try again.

                  In order to use your Yubikey for everything in this article, it has to contain the only copy of your GPG private keys

                  I’m a bit afraid that my YubiKey might break, so I have a copy on an airgapped (offline) machine. But I understand the recommendation.

                  Something I also haven’t been able to get to work, is smart card authentication in Firefox. Ideally, I’d set up a proxy in front of my personal projects and require certificate authentication, where the certificate is on the YubiKey. Firefox is supposed to support PKCS11, but I haven’t been able to get it to work.

                  1. 4

                    I’m a bit afraid that my YubiKey might break, so I have a copy on an airgapped (offline) machine. But I understand the recommendation.

                    It’s why I have two yubikeys and a backup copy of the pgp key on an airgapped machine. I’ve been in a situation where my yubikey snapped after I dropped my laptop. Did not have a backup yubikey. A good time was not had by all, lol.

                    1. 2

                      That quote it’s a bit weird since it’s not completely correct. You’re free to generate the key on your machine, make a digital/paper copy of it and then move the key to yubikey. Your can still use it the same way.

                      1. 1

                        Something I also haven’t been able to get to work, is smart card authentication in Firefox. Ideally, I’d set up a proxy in front of my personal projects and require certificate authentication, where the certificate is on the YubiKey. Firefox is supposed to support PKCS11, but I haven’t been able to get it to work.

                        It’s not that hard: Have a PIV Authentication cert configured (slot 9a), have pcscd running and add /usr/lib/opensc-pkcs11.so to Security Devices in Firefox’s settings. Client cert auth should then work. Sometimes you have to Ctrl-F5 five times for Firefox to notice the Yubikey’s presence though.