Unfortunately this doesn’t appear to address what I thought would have been one of the main lessons of the recent LastPass breach (though it’s also something I’ve been whinging about for a while regarding similar designs): password metadata is also sensitive, and storing it in plaintext is a major mistake, IMO.
“During credential registration, a new key pair is randomly generated by the YubiKey […] This master key is unique per YubiKey, generated by the device itself […] “
I’m a great fan of using hardware tokens to store keys. With yubikeys these can’t be exported (by design) so you usually have to have multiple keys on hand & registered in case one breaks or is lost. One of the few useful things to come out of the cryptocurrency field are hardware tokens (wallets) where you can actually export, backup, and import the private key. This takes the form of 26 codewords you write down on paper, or center-punch into a steel plate, then store wherever. It makes a good backup-of-a-backup to your regular U2F keys.
Unfortunately this doesn’t appear to address what I thought would have been one of the main lessons of the recent LastPass breach (though it’s also something I’ve been whinging about for a while regarding similar designs): password metadata is also sensitive, and storing it in plaintext is a major mistake, IMO.
Similar tool posted on Lobste.rs: pa - a simple password manager based on age
Yubikeys use a master key that is not settable by the user. I don’t trust any key that I don’t generate myself.
If I can’t produce the entropy myself, I don’t trust it.
https://developers.yubico.com/U2F/Protocol_details/Key_generation.html
“During credential registration, a new key pair is randomly generated by the YubiKey […] This master key is unique per YubiKey, generated by the device itself […] “
Is there an alternative you would recommend? Do NitroKeys give you this level of control?
My good friend @qbit recommends solo2.
I found U2F working reasonably well on my solo2 keys, but since the PIV application is not done yet, those won’t work with age/passage yet.
I’m a great fan of using hardware tokens to store keys. With yubikeys these can’t be exported (by design) so you usually have to have multiple keys on hand & registered in case one breaks or is lost. One of the few useful things to come out of the cryptocurrency field are hardware tokens (wallets) where you can actually export, backup, and import the private key. This takes the form of 26 codewords you write down on paper, or center-punch into a steel plate, then store wherever. It makes a good backup-of-a-backup to your regular U2F keys.
If you’re interested in this sort of thing, I’ve made two tools you might find interesting:
A base converter that can ingest DND dice of any size: https://convert.zamicol.com/#?inAlph=DND:20&in=1410021314041719120308011001200710101119171418131313051617160518180320080312030314181420140211130603161907180713030218&outAlph=Hex
That may be imported into this Ed25519 tool: https://cyphr.me/ed25519_applet/ed.html#?msg_encoding=Text&msg_type=Msg&key_encoding=Hex&seed=55BBFEFF5FECC86A462FE46BD582B13F316D59CC932B286077FAA29C5DA31445
Home made entropy.
With a base 20 dice, it takes 60 rolls to produce 256 bits of entropy. Of course, using multiple dice at once makes the process faster.
You can write down the yubikey secret during setup / programming, at least for HMAC.