best use of yubikey with pass
b.candler at pobox.com
Sat Jan 7 10:44:30 CET 2017
On 06/01/2017 22:13, Oliver Albertini wrote:
> Forgive me if this is the wrong place to ask, or if it has already been addressed. Also, thanks to the developers of pass, it is a really useful program.
> What is the best practice for using a yubikey to authenticate gpg in the context of pass?

Which kind of Yubikey do you have?

I have a Yubikey standard (no longer available). It does OTP in the
first slot. I could use the second slot to store my GPG passphrase as a
static string - but I don't, since I know it :-) Since it just types in
the static string, it would be vulnerable to keyloggers.

A Yubikey U2F isn't usable for this application as far as I can see.
It's intended for 2FA to web apps.

A Yubikey 4 or Yubikey Neo has the ability to store your GPG private
key, and decrypt messages inside the key. That would be the strongest
solution I think, but I've not tried it yet. There's a nice writeup here:

It sounds like the PIN is cached, which is useful for bulk operations
like "pass grep" which has to decrypt all the files in your repo.