![]() ![]() In theory, if one of my devices were compromised, an attacker could use this SSH key to modify my Git repository, although they couldn't decrypt anything in it. ![]() As a result, I generated an SSH keypair and store the private key on each device. While it is possible to use a GPG AUTH subkey for SSH, which would allow the YubiKey to function as a one-stop shop for both en/decrypting the passwords and authenticating to Git, this feature is unfortunately not supported by the Android client: largely redundant with the other two but filled in some details I found helpful mechanics and best practices of generating the GPG keys using pass for this exact use case (Linux + Android with a USB-C YubiKey) Already the Git feature has proven useful: I accidentally edited the wrong file on the Windows client today, and it was a matter of "git reset -hard" instead of "git push." This is a beautiful, just-thin-enough abstraction for what I want. I have not attempted to add the requirement that I touch the YubiKey (I consider the PIN secure enough for me), although that use case is mentioned in the links below.Īll devices mentioned above have local repositories of a private Git repo I created on BitBucket. Reason for using subkeys: if my YubiKey is compromised, I can use the master key (which is not stored there) to create a new subkey, re-encrypt the passwords with it, and revoke the old subkey. If the PIN I enter is correct, the password entries are encrypted or decrypted (depending on what I'm trying to do). So now, on each platform, I perform the desired action/command and am prompted to insert the YubiKey then enter the PGP user PIN that I've set up. The subkey's private key also lives on the YubiKey, and the subkey's public key is imported to and trusted on each device/OS I use. I've created a master key with GPG and an encryption subkey, whose private keys I securely store offline. Importing from pwSafe was super easy with the pass-import extension, although I had to be careful since I had to first export my passwords to an intermediate unencrypted XML format. The Android UX for this way exceeded my expectations and seems like it's going to work really well for me. macOS: haven't configured it yet, but probably similar to Linux - the pass homepage links to a "pass.applescript" file that should take care of the non-UNIX bits (think clipboard) Windows: GPG4Win + the Windows Git client + Win10's built-in SSH client + a lightweight but brilliant. Android: the Password Store app (in conjunction with OpenKeychain) Brain dump from the experience is below for those who may find this later. (Support for Windows and Linux is also a requirement macOS would be very nice as well.) Any leads would be much appreciated!įollowing up on where I landed: I was pretty captivated by the idea of password-store (pass) as you may have seen in my earlier comment, and after learning a lot about PGP, I'm pretty happy with the solution. Plugging in the YubiKey to my Android, it seems to work as intended (the OS recognizes it as an external keyboard)-but Googling around, even searching this subreddit, I can't seem to find a password manager that specifically says it supports YubiKey over USB on Android. Since the YubiKey 5C doesn't have NFC capabilities, I'm a bit up a creek. While PasswordSafe indicates that it supports YubiKey on Android, I was disappointed to find out after trying it that its YubiKey support is limited to NFC, not USB. It's worked well enough, but I'm open to switching. I've been using PasswordSafe for the past several years, with copies of the psafe3 file synced up via a separate cloud storage account across Windows, macOS, Linux, and Android devices. Hey everybody! I'm the proud new owner of a YubiKey 5C, bought with the intent of using it with a password manager.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |