best use of yubikey with pass
Brian Candler
b.candler at pobox.com
Sat Jan 7 10:44:30 CET 2017
On 06/01/2017 22:13, Oliver Albertini wrote:
> Forgive me if this is the wrong place to ask, or if it has already been addressed. Also, thanks to the developers of pass, it is a really useful program.
>
> What is the best practice for using a yubikey to authenticate gpg in the context of pass?

Which kind of Yubikey do you have?

I have a Yubikey standard (no longer available). It does OTP in the
first slot. I could use the second slot to store my GPG passphrase as a
static string - but I don't, since I know it :-) Since it just types in
the static string, it would be vulnerable to keyloggers.

A Yubikey U2F isn't usable for this application as far as I can see.
It's intended for 2FA to web apps.

A Yubikey 4 or Yubikey Neo has the ability to store your GPG private
key, and decrypt messages inside the key. That would be the strongest
solution I think, but I've not tried it yet. There's a nice writeup here:

https://malcolmsparks.com/posts/yubikey-gpg.html

It sounds like the PIN is cached, which is useful for bulk operations
like "pass grep" which has to decrypt all the files in your repo.

HTH,

Brian.