blogng/blog/2019-10-30-one-key-to-rule-them-all.markdown

---
layout: post
title: "One key to rule them all!"
date: 2019-10-30
comments: true
tags: gnupg, nitrokey, security
---

_"Alternatively, how I use Nitrokeys/GnuK/YubiKeys"_

Most popular use for [NitroKeys](https://www.nitrokey.com/) seems to
be **2FA** [FIDO](https://en.wikipedia.org/wiki/Universal_2nd_Factor)
key. But these devices can also behave (_emulate_ technically
speaking) as an OpenPGP smartcard to store your gpg keys[^gpgsupport].

![one of my smartcards](/images/nitrokey.jpg)

## Why should you use a smartcard?

### 1. Security

GnuPG keys stored on smartcards only allow very narrow access to how
one can use them. Smartcards exposes APIs to perform specific PGP
operations like _sign_, _encrypt_, _verify signature_ etc and no more;
opposed to keys stored on local disk which gives all out access to
keys if one has access to disk. Most important access that smartcards
deny is the ability to copy them; essentially tieing your key to a
physical object that can't be replicated. As long as you have your key
with you, no one else has access to them.

Almost _all of the software_ we run has access to users disk on most
operating systems, and we have seen exploits that target keys stored
on disk
[again](https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/)
and [again](https://en.wikipedia.org/wiki/Careto_(malware)). The keys
stored on disk are often encrypted, but stealing that encryption
password is just a matter of chaining another exploit.

### 2. Compossibility
Having a physical root of trust combined with the fact that a lot of
software supports GnuPG makes this a really nice composable component
in my daily life.

__Some work-flows that I use daily:__

#### SSH support
GnuPG has native support for SSH. Your smartcard becomes my ssh key as
well and I can roam between my multiple machines without actually
having to copy and leave keys around or having to manage multiple
keys.

I also use a similar key for github since they use ssh to authenticate
as well.

#### Pass password manager
[pass](https://www.passwordstore.org/) is a password manager following
UNIX philosophy. It uses GnuPG keys to encrypt passwords, and by using
a key on the smartcard, you can tie the trust to the smartcard.

Pass also opens up a lot more composable behaviors, I use it mostly
for the next one --

#### AWS Vault
[aws-vault](https://github.com/99designs/aws-vault) is a nifty tool to
manage AWS credentials. It can transparently issue temporary keys and
populate shell environment.

There is possibly more, I have seen people use the same key to unlock
their disk encryption at boot :-)

I am not going to cover setting up the card here, since there are a
lot of documentation about how to do so, and it varies slightly by the
card that one is using. However I'd suggest to not generate keys on
the card, since you have zero backups in case you loose the card and
also, we have seen [it is really hard to generate good keys on small
devices](https://en.wikipedia.org/wiki/ROCA_vulnerability).


## List of OpenPGP cards
Ones that I know, there are possibly more.

- [NitroKey](https://shop.nitrokey.com/shop)
- [Yubikey](https://www.yubico.com/products/yubikey-hardware/compare-products-series/)
- [GnuK](https://www.fsij.org/category/gnuk.html)[^gnuk]


[^gpgsupport]: Each manufacturer have some models (usually the
    cheapest) are exclusivly FIDO keys and thus does not support this
    feature. NitroKey calls this feature _"Email encryption"_ while
    Yubikey calls this _"open PGP"_.

[^gnuk]: unlike others Gnuk is a project to provide open
  firmware that implements smartcard. NitroKey sells a version
  based on GnuK called NitroKey Start.