> hardware tokens generally don't allow you to extract the private key again. <div><br></div><div>Yep - sorry for any confusion there; I meant that you can use the Yubikey to create a decrypted copy of the password store, *not* that one can extract a decrypted copy of the private key from the Yubikey.</div><div><br></div><div>Cheers,</div><div>Steve<br><br><div class="gmail_quote"><div dir="ltr">On Fri, 22 Feb 2019, 12:16 GOYOT Martin, <<a href="mailto:martin@piwany.com">martin@piwany.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">Hi!<div dir="auto"><br></div><div dir="auto">You might be interested in looking into something like hashicorp vault for shared secrets. The use case you are mentioning is a common yet Hard to deal with one that is solved by Vault for instance. I only know this tool but others might exist. </div></div><br><div class="gmail_quote"><div dir="ltr">Le ven. 22 févr. 2019 à 00:05, Tobias Girstmair <<a href="mailto:t-passwd@girst.at" target="_blank">t-passwd@girst.at</a>> a écrit :<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Fri, Feb 22, 2019 at 11:55:22AM +1300, Steve Gilberd wrote:<br>
>Lars - nothing prevents the user from using the Yubikey to create a<br>
>decrypted copy, <br>
<br>
hardware tokens generally don't allow you to extract the private key <br>
again.<br>
<br>
>or re-encrypting to an additional key controlled by the<br>
>user. <br>
<br>
agree. (or just keeping the plaintext around)<br>
<br>
>While a hardware token is a good idea, confiscating it doesn't<br>
>provide a secure solution to denying an untrustworthy user access to the<br>
>password store. The only safe option is to change the passwords.<br>
<br>
indeed. the OP might be interested in <br>
<a href="https://github.com/ddevault/pass-rotate" rel="noreferrer noreferrer" target="_blank">https://github.com/ddevault/pass-rotate</a> , a tool to help change <br>
passwords on multiple online services automatically.<br>
_______________________________________________<br>
Password-Store mailing list<br>
<a href="mailto:Password-Store@lists.zx2c4.com" rel="noreferrer" target="_blank">Password-Store@lists.zx2c4.com</a><br>
<a href="https://lists.zx2c4.com/mailman/listinfo/password-store" rel="noreferrer noreferrer" target="_blank">https://lists.zx2c4.com/mailman/listinfo/password-store</a><br>
</blockquote></div>
_______________________________________________<br>
Password-Store mailing list<br>
<a href="mailto:Password-Store@lists.zx2c4.com" target="_blank">Password-Store@lists.zx2c4.com</a><br>
<a href="https://lists.zx2c4.com/mailman/listinfo/password-store" rel="noreferrer" target="_blank">https://lists.zx2c4.com/mailman/listinfo/password-store</a><br>
</blockquote></div></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><p dir="ltr">Cheers,</p>
<p dir="ltr"><b>Steve Gilberd</b><br>
<span style="color:rgb(102,102,102)">Erayd LTD </span><span style="color:rgb(102,102,102)"><b>·</b></span><span style="color:rgb(102,102,102)"> Consultant</span><br>
<span style="color:rgb(102,102,102)"><i>Phone: +64 4 974-4229 </i></span><span style="color:rgb(102,102,102)"><i><b>·</b></i></span><span style="color:rgb(102,102,102)"><i> Mob: +64 27 565-3237</i></span><br>
<span style="color:rgb(102,102,102)"><i>PO Box 10019, The Terrace, Wellington 6143, NZ</i></span></p>
</div></div>