user gone and expiring access

Steve Gilberd steve at erayd.net
Fri Feb 22 00:20:17 CET 2019


> hardware tokens generally don't allow you to extract the private key
> again.

Yep - sorry for any confusion there; I meant that you can use the Yubikey
to create a decrypted copy of the password store, *not* that one can
extract a decrypted copy of the private key from the Yubikey.

Cheers,
Steve

On Fri, 22 Feb 2019, 12:16 GOYOT Martin, <martin at piwany.com> wrote:

> Hi!
>
> You might be interested in looking into something like HashiCorp Vault for
> shared secrets. The use case you are mentioning is a common yet hard to
> deal with one that is solved by Vault for instance. I only know this tool
> but others might exist.
>
> On Fri, 22 Feb 2019 at 00:05, Tobias Girstmair <t-passwd at girst.at>
> wrote:
>
>> On Fri, Feb 22, 2019 at 11:55:22AM +1300, Steve Gilberd wrote:
>> >Lars - nothing prevents the user from using the Yubikey to create a
>> >decrypted copy,
>>
>> hardware tokens generally don't allow you to extract the private key
>> again.
>>
>> >or re-encrypting to an additional key controlled by the
>> >user.
>>
>> agree. (or just keeping the plaintext around)
>>
>> >While a hardware token is a good idea, confiscating it doesn't
>> >provide a secure solution to denying an untrustworthy user access to the
>> >password store. The only safe option is to change the passwords.
>>
>> indeed. the OP might be interested in
>> https://github.com/ddevault/pass-rotate , a tool to help change
>> passwords on multiple online services automatically.
>> _______________________________________________
>> Password-Store mailing list
>> Password-Store at lists.zx2c4.com
>> https://lists.zx2c4.com/mailman/listinfo/password-store
>>
-- 

Cheers,

*Steve Gilberd*
Erayd LTD *·* Consultant
*Phone: +64 4 974-4229 **·** Mob: +64 27 565-3237*
*PO Box 10019, The Terrace, Wellington 6143, NZ*