best use of yubikey with pass

Brian Candler b.candler at
Sat Jan 7 10:44:30 CET 2017

On 06/01/2017 22:13, Oliver Albertini wrote:
> Forgive me if this is the wrong place to ask, or if it has already been addressed. Also, thanks to the developers of pass, it is a really useful program.
> What is the best practice for using a yubikey to authenticate gpg in the context of pass?

Which kind of Yubikey do you have?

I have a Yubikey standard (no longer available). It does OTP in the 
first slot. I could use the second slot to store my GPG passphrase as a 
static string - but I don't, since I know it :-) Since it just types in 
the static string, it would be vulnerable to keyloggers.

A Yubikey U2F isn't usable for this application as far as I can see. 
It's intended for 2FA to web apps.

A Yubikey 4 or Yubikey Neo has the ability to store your GPG private 
key, and decrypt messages inside the key. That would be the strongest 
solution I think, but I've not tried it yet. There's a nice writeup here:

It sounds like the PIN is cached, which is useful for bulk operations 
like "pass grep" which has to decrypt all the files in your repo.
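
Added example, not part of the original message: a shell check, relevant to the Yubikey 4 / Neo option above, that reads `gpg --list-secret-keys --with-colons` output and reports whether the decryption key pass depends on lives on a card or on disk. The function names, key IDs and card serial number are constructed for illustration.

```shell
#!/bin/sh
# Usage: gpg --list-secret-keys --with-colons | classify_secret_keys
# Colon-format fields used: 5 = key ID, 12 = capabilities,
# 15 = token serial number ("#" = stub only, "+" or empty = held on disk).
classify_secret_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            caps = ($12 == "") ? "-" : $12
            loc = "on-disk"
            if ($15 == "#") loc = "stub-only"
            else if ($15 != "" && $15 != "+") loc = "on-card:" $15
            print $1, $5, caps, loc
        }'
}

# Succeeds only if at least one encryption-capable secret key is listed
# and every such key is on a card (pass only needs the decryption key).
decryption_keys_on_card() {
    classify_secret_keys | awk '
        $3 ~ /e/ { n++; if ($4 !~ /^on-card:/) bad++ }
        END { exit !(n > 0 && bad == 0) }'
}

# Constructed sample: offline primary key, encryption subkey on a card.
sample_card_listing() {
    cat <<'EOF'
sec:u:4096:1:AAAAAAAAAAAAAAAA:1483700000:::u:::scESC:::#:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1483700000::::::e:::D2760001240102010006012345670000:
EOF
}

# Constructed sample: the same layout with the encryption subkey on disk.
sample_disk_listing() {
    cat <<'EOF'
sec:u:4096:1:AAAAAAAAAAAAAAAA:1483700000:::u:::scESC:::+:
ssb:u:2048:1:CCCCCCCCCCCCCCCC:1483700000::::::e:::+:
EOF
}
```

A key reported as `on-disk` can still be decrypted without the token, so the card adds nothing for that key until the on-disk copy is removed.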



