best use of yubikey with pass

Oliver Albertini oliver.ruben at gmail.com
Sun Jan 8 19:39:24 CET 2017


Thanks Brian,

I have a yubikey 4, so this write-up should definitely get me started.

On Jan 07,2017 09:44, Brian Candler wrote:
> On 06/01/2017 22:13, Oliver Albertini wrote:
> > Forgive me if this is the wrong place to ask, or if it has already been addressed. Also, thanks to the developers of pass, it is a really useful program.
> >
> > What is the best practice for using a yubikey to authenticate gpg in the context of pass?
>
> Which kind of Yubikey do you have?
>
> I have a Yubikey standard (no longer available). It does OTP in the first
> slot. I could use the second slot to store my GPG passphrase as a static
> string - but I don't, since I know it :-) Since it just types in the static
> string, it would be vulnerable to keyloggers.
>
> A Yubikey U2F isn't usable for this application as far as I can see. It's
> intended for 2FA to web apps.
>
> A Yubikey 4 or Yubikey Neo has the ability to store your GPG private key,
> and decrypt messages inside the key. That would be the strongest solution I
> think, but I've not tried it yet. There's a nice writeup here:
>
> https://malcolmsparks.com/posts/yubikey-gpg.html
>
> It sounds like the PIN is cached, which is useful for bulk operations like
> "pass grep" which has to decrypt all the files in your repo.
>
> HTH,
>
> Brian.

--
Oliver Albertini

