best use of yubikey with pass

Niklas Hambüchen mail at nh2.me
Mon Jan 9 00:49:14 CET 2017


You can use models older than Yubikey 4 with gpg, too.

The table https://www.yubico.com/products/yubikey-hardware/ has an
"OpenPGP" row to indicate whether the key acts as a PGP smartcard; I'd
imagine that with the Internet Archive's Wayback Machine you could bring
up a table like that also for older models.

I like to use the Yubikey NEO, which is NFC-capable, and works with the
"Password Manager" app on Android (a `pass` implementation); that way I
can conveniently access and sync passwords from my phone with my PC
`pass` ones. It works reliably.

On Android, I tap the password I want to see; then I get queried for the
Yubikey PIN, and have to hold the Yubikey next to the phone.

On the PC, I get the standard gpg-agent popup to enter the PIN. That
also automatically falls back to an ncurses terminal interface if I'm
ssh'd in.

The Yubikey Neo doesn't have tap-to-allow-PGP as the Yubikey 4 has;
instead it stays "unlocked" for a given amount of time. While this is
convenient for batch GPG operations, I also like to pull out the Yubikey
whenever I'm done with pass, to make sure it is only physically
accessible when I need it.

In summary, using the Yubikey with pass is surprisingly easy, on both PC
(I mean Linux) and Android. Depending on your Linux distribution, you
may have to spend a bit of time to get gpg to work with the Yubikey; but
once gpg works with it, pass will work automatically. On Android it
worked out of the box for me.

In all cases, the nice thing about it is that your private key never
leaves the Yubikey (which is the promise of PGP smartcards in general).

Hope this helps.

On 08/01/17 19:39, Oliver Albertini wrote:
> I have a yubikey 4, so this write-up should definitely get me started.
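
An added example, not part of the original message: a check that the secret key `pass` decrypts with is held on a smartcard, by reading field 15 of the `sec`/`ssb` records in `gpg --list-secret-keys --with-colons` output. The function names and both sample listings (key IDs, card serial, user ID) are constructed for illustration.

```shell
#!/bin/sh
# Real input would come from:  gpg --list-secret-keys --with-colons <key id in .gpg-id>
# Field 15 of a sec/ssb record: card serial number, "#" for a stub without key
# material, "+" when the key material is in the local keyring.

# Print "record keyid capabilities location" for every secret (sub)key on stdin.
classify_secret_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            caps = ($12 == "" ? "-" : $12)
            if ($15 == "#")      where = "stub"
            else if ($15 == "+") where = "disk"
            else if ($15 == "")  where = "unknown"
            else                 where = "card:" $15
            print $1, $5, caps, where
        }'
}

# Succeed only if at least one encryption-capable secret key is listed and
# every one of them lives on a card (lowercase "e" = this key can encrypt).
decryption_is_card_only() {
    classify_secret_keys | awk '
        $3 ~ /e/ { n++; if ($4 !~ /^card:/) bad++ }
        END      { exit !(n > 0 && bad == 0) }'
}

# Constructed sample: primary key is a stub, encryption subkey is on a card.
sample_card_listing() {
    cat <<'EOF'
sec:u:4096:1:1111111111111111:1483916400:::u:::scESC:::#:::23::0:
uid:u::::1483916400::0000000000000000000000000000000000000000::Constructed User <user@example.invalid>::::::::::0:
ssb:u:4096:1:2222222222222222:1483916400::::::e:::D2760001240102000006000000010000:::23:
EOF
}

# Constructed sample: the same layout with all key material in the local keyring.
sample_disk_listing() {
    cat <<'EOF'
sec:u:4096:1:3333333333333333:1483916400:::u:::scESC:::+:::23::0:
ssb:u:4096:1:4444444444444444:1483916400::::::e:::+:::23:
EOF
}

sample_card_listing | classify_secret_keys
sample_disk_listing | decryption_is_card_only || echo "encryption key material is not card-only"
```

A card-only result describes this keyring alone; it cannot show whether a backup copy of the key exists elsewhere.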

