best use of yubikey with pass

Brian Candler b.candler at pobox.com
Sat Jan 7 10:44:30 CET 2017


On 06/01/2017 22:13, Oliver Albertini wrote:
> Forgive me if this is the wrong place to ask, or if it has already been addressed. Also, thanks to the developers of pass, it is a really useful program.
>
> What is the best practice for using a yubikey to authenticate gpg in the context of pass?

Which kind of Yubikey do you have?

I have a Yubikey standard (no longer available). It does OTP in the 
first slot. I could use the second slot to store my GPG passphrase as a 
static string - but I don't, since I know it :-) Since it just types in 
the static string, it would be vulnerable to keyloggers.

A Yubikey U2F isn't usable for this application as far as I can see. 
It's intended for 2FA to web apps.

A Yubikey 4 or Yubikey Neo has the ability to store your GPG private 
key, and decrypt messages inside the key. That would be the strongest 
solution I think, but I've not tried it yet. There's a nice writeup here:

https://malcolmsparks.com/posts/yubikey-gpg.html

It sounds like the PIN is cached, which is useful for bulk operations 
like "pass grep" which has to decrypt all the files in your repo.

HTH,

Brian.