Greetings from scenic,

Category: Internet
Tags: Key Keys

How I Manage Passwords via my Yubikey Necklace

For some years I've used Pass, so branded "the standard Unix password manager", to store and retrieve my passwords for various tools I use and websites I sign up for. This was nice because pass is a password manager which integrates tightly with GPG on Linux boxes, which I use an awful lot, and password managers are inherently better than just using the same password over and over. After I started using pass but before I began using my Yubikey, my passwords were encrypted with an encryption key on my personal GPG keyring. This was, at the time, a marked improvement over memorizing 10 character passwords made of a random string of letters and symbols I generated via openssl and I greatly enjoyed the sense of security using pass afforded me.

However, as I transitioned out of college and into my current full-time role I found that this practice was unmaintainable as I began developing across different physical machines. I may need to log in to a testbed on one machine while another was compiling software on a totally different branch. While this "unified key" approach could work, I would have needed to:

  1. Copy my public and private keys to any new machine
  2. Update all machines with the new keys any time I made changes to a key on any machine

Obviously, (1) increases my vulnerability to attacks greatly, as a compromise on any of those machines would put my private key at risk. Although private keys are encrypted by default, if someone keylogged me at any point while entering my password they could have full access to my private key... I'd rather not risk my identity and passwords like that. I had investigated SELinux and a few other methods for implementing access control on my private key, however I found that no tools did this job particularly well. SELinux, for instance, is too broad of a suite to warrant setting up and caring for it across many computers. What I did find during this period of research, however, was a technique for completely eliminating the need to store a private key on any computer at all.

Endtroducing Hardware Tokens

Using a hardware key compatible with GPG, I could move my private key onto the security key itself and never worry about this issue again. Then I would only need to move around my public keys to these computers, which is par-for-course when it comes to creating a cryptographic web of trust anyhow. With the private key wiped from my daily-use computers and backed up securely (and hopefully, redundantly) I could use my computers and access my passwords without the worry that someone, somewhere could be harvesting my credentials or stealing my cryptographic identity in real-time.

The hardware key I identified for this job was the Yubikey 4 series. It's a cute little key which can handle this PGP task and much more, serving both as a store for my secret key and as a 2FA device for any webapps which offer it; for example, I also use this necklace as my Twitter 2FA, allowing me to decrease my reliance on SMS-based authentication codes. Obviously I would need to be a far, far more important person for this to be an issue but just going through the motions and improving my crypto hygiene is helping me be a more secure and responsible digital citizen while also scratching some itch of mine to reduce my potential as a target even a bit more.

My Yubikey Necklace
My Yubikey necklace, FFXIII pendant and a small USB drive

You can see here the Yubikey itself is attached to the necklace via a small loop of nylon. This necklace is one I've had for a few years, at least since I bought the Lightning pendant in Tōkyō in 2018 but I really started wearing it more after then.

On this necklace also is a 16 GiB USB key which is essentially a Gentoo live ISO with persistent storage, loaded with all kinds of kernel modules and UEFI + legacy boot capability so I can take a copy of my favorite OS and some essential files with me anywhere I go. Included on this drive is a copy of all my writing for this site as well as many others. I don't need to use it particularly often but it is pleasant to just plug this into a computer and boot into my familiar computing environment.

Crypto System

The architecture behind this is actually really simple. First, I generated 3 subkeys underneath my "main" GPG key:

  1. One subkey for signing
  2. A second one for encryption
  3. ...and a third one for authentication

I've never used my authentication key for what it's worth but I doesn't seem to hurt having it. With these keys generated (just a simple addkey at the GPG prompt) I backed up my GPG directory to two separate flash drives. Then, after removing the flash drives and ensuring all data was backed up, I used the GPG directive keytocard to move each generated subkey to the Yubikey, then deleted all secret keys on the host computer by shredding the files in .gnupg/private-keys-v1.d/ corresponding to each key I generated before. This, in short, guarantees that I have no remaining trace of the secret keys on the machine I use daily.

Now when I use pass I see this nice little popup:

GPG popup on my desktop prompting me to insert my Yubikey

... and after entering the 6-digit PIN to "unlock" the hardware key my password will be decrypted and I'll be on my way!

Things I Really Like About This

This approach is just a strict improvement on how I had managed passwords before. If you're coming from an even worse situation (God forbid not using a password manager at all!) then I think you'll find this system easy to adjust to. Hell, there's even a good PGP client on Windows and you could probably even make this sort of system work in a Windows-only environment, though you won't see me writing anything about that!

Recently I've also taken to signing my git commits with my signing subkey as well. This is pleasant, I feel, as long as I keep these up to date. On Github in particular it shows a little green "Verified" box next to my commits which makes me feel nice. Personally I don't care if commits are verified or not, as long as they do the job then they get in, but it's fun to play around with all the things I can do with this little necklace.

Finally, the hardware key jingles around my neck with the USB and pendant; this is a strict positive because important people always carry things that jingle around, like fancy car keys or a security badge. Because I only have the concierge key to my 318TI for reasons of not wanting to pay a dealer to dig up my car's lock schematics and cut a new key this is one of the few jingly bits I've got so you bet I'm going to wear it!

Related / Browse