For some years I've used [Pass](https://www.passwordstore.org/), so branded "the
standard Unix password manager", to store and retrieve my passwords for various
tools I use and websites I sign up for. This was nice because pass is a password
manager which integrates tightly with GPG on Linux boxes, which I use an awful
lot, and password managers are inherently better than just using the same
password over and over. After I started using `pass` but before I began using my
Yubikey, my passwords were encrypted with an encryption key on my personal GPG
keyring. This was, at the time, a marked improvement over memorizing 10 character
passwords made of a random string of letters and symbols I generated via
`openssl` and I greatly enjoyed the sense of security using `pass` afforded me.
However, as I transitioned out of college and into my current full-time role I
found that this practice was unmaintainable as I began developing across
different physical machines. I may need to log in to a testbed on one machine
while another was compiling software on a totally different branch. While this
"unified key" approach *could* work, I would have needed to:
1. Copy my public and private keys to any new machine
2. Update all machines with the new keys any time I made changes to a key on any
machine
Obviously, (1) increases my vulnerability to attacks greatly, as a compromise on
any of those machines would put my private key at risk. Although private keys
*are* encrypted by default, if someone keylogged me at any point while
entering my password they could have full access to my private key... I'd rather
not risk my identity and passwords like that. I had investigated SELinux and a
few other methods for implementing access control on my private key, however I
found that no tools did this job particularly well. SELinux, for instance, is
too broad of a suite to warrant setting up and caring for it across many
computers. What I did find during this period of research, however, was a
technique for completely eliminating the need to store a private key on any
computer at all.
Endtroducing Hardware Tokens
----------------------------
Using a hardware key compatible with GPG, I could move my private key onto the
security key itself and never worry about this issue again. Then I would only
need to move around my public keys to these computers, which is par-for-course
when it comes to creating a cryptographic web of trust anyhow. With the private
key wiped from my daily-use computers and backed up securely (and hopefully,
redundantly) I could use my computers and access my passwords without the worry
that someone, somewhere could be harvesting my credentials or stealing my
cryptographic identity in real-time.
The hardware key I identified for this job was the Yubikey 4 series. It's a cute
little key which can handle this PGP task and much more, serving both as a store
for my secret key and as a 2FA device for any webapps which offer it; for
example, I also use this necklace as my Twitter 2FA, allowing me to decrease my
reliance on SMS-based authentication codes. Obviously I would need to be a far,
far more important person for this to be an issue but just going through the
motions and improving my crypto hygiene is helping me be a more secure and
responsible digital citizen while also scratching some itch of mine to reduce my
potential as a target even a bit more.
You can see here the Yubikey itself is attached to the necklace via a small
loop of nylon. This necklace is one I've had for a few years, at least since I
bought the Lightning pendant in Tōkyō in 2018 but I really started wearing it
more after then.
On this necklace also is a 16 GiB USB key which is essentially a Gentoo live ISO
with persistent storage, loaded with all kinds of kernel modules and UEFI +
legacy boot capability so I can take a copy of my favorite OS and some essential
files with me anywhere I go. Included on this drive is a copy of all my writing
for this site as well as many others. I don't need to use it particularly often
but it is pleasant to just plug this into a computer and boot into my familiar
computing environment.
Crypto System
-------------
The architecture behind this is actually really simple. First, I generated 3
subkeys underneath my "main" GPG key:
1. One subkey for signing
2. A second one for encryption
3. ...and a third one for authentication
I've never used my authentication key for what it's worth but I doesn't seem to
hurt having it. With these keys generated (just a simple `addkey` at the GPG
prompt) I backed up my GPG directory to two separate flash drives. Then, after
removing the flash drives and ensuring all data was backed up, I used the GPG
directive `keytocard` to move each generated subkey to the Yubikey, then deleted
all secret keys on the host computer by shredding the files in
`.gnupg/private-keys-v1.d/` corresponding to each key I generated before. This,
in short, guarantees that I have no remaining trace of the secret keys on the
machine I use daily.
Now when I use `pass` I see this nice little popup:
... and after entering the 6-digit PIN to "unlock" the hardware key my password
will be decrypted and I'll be on my way!
Things I Really Like About This
-------------------------------
This approach is just a strict improvement on how I had managed passwords
before. If you're coming from an even worse situation (God forbid not using a
password manager at all!) then I think you'll find this system easy to adjust
to. Hell, there's even a good PGP client on Windows and you could probably even
make this sort of system work in a Windows-only environment, though you won't
see me writing anything about that!
Recently I've also taken to signing my git commits with my signing subkey as
well. This is pleasant, I feel, as long as I keep these up to date. On Github in
particular it shows a little green "Verified" box next to my commits which makes
me feel nice. Personally I don't care if commits are verified or not, as long as
they do the job then they get in, but it's fun to play around with all the
things I can do with this little necklace.
Finally, the hardware key jingles around my neck with the USB and pendant; this
is a strict positive because important people always carry things that jingle
around, like fancy car keys or a security badge. Because I only have the
concierge key to my 318TI for reasons of not wanting to pay a dealer to dig up
my car's lock schematics and cut a new key this is one of the few jingly bits
I've got so you bet I'm going to wear it!