Add post about open PGP keys.
This commit is contained in:
parent
9ceed4ccb2
commit
7bf7721d2b
@ -6,46 +6,89 @@ comments: true
|
||||
tags: gnupg, nitrokey, security
|
||||
---
|
||||
|
||||
_"alternatively, how I use Nitrokeys/GnuK/YubiKeys"_
|
||||
_"Alternatively, how I use Nitrokeys/GnuK/YubiKeys"_
|
||||
|
||||
Most popular use for [NitroKeys](https://www.nitrokey.com/) seems to be as a **2FA** [FIDO](https://en.wikipedia.org/wiki/Universal_2nd_Factor) key. Most of these devices can also behave (_emulate_ technically speaking) as an OpenPGP smartcard[^gpgsupport] to store your gpg keys.
|
||||
Most popular use for [NitroKeys](https://www.nitrokey.com/) seems to
|
||||
be **2FA** [FIDO](https://en.wikipedia.org/wiki/Universal_2nd_Factor)
|
||||
key. But these devices can also behave (_emulate_ technically
|
||||
speaking) as an OpenPGP smartcard to store your gpg keys[^gpgsupport].
|
||||
|
||||
![one of my smartcards along with the nice "Where the wild things are" library card](https://vault.thaum.space/apps/files_sharing/publicpreview/wNtSPtfKkrPMGsr?x=1910&y=501&a=true&file=19-10-30%252009-55-36%25203280.jpg&scalingup=0)
|
||||
![one of my smartcards](/images/nitrokey.jpg)
|
||||
|
||||
## Why should you use a smartcard?
|
||||
|
||||
### 1. Security
|
||||
|
||||
GnuPG keys stored on smartcards only allow narrow access. Smartcards exposes APIs to perform specific PGP operations like _sign_, _encrypt_, _verify signature_ etc and no more as opposed to keys stored on local disk which gives all out access to keys if one has access to disk. Most important access that smartcards deny is the ability to copy them; essentially tieing your key to a physical object that can't be replicated. As long as you know where your physical key is, none else has access to them (at that point).
|
||||
GnuPG keys stored on smartcards only allow very narrow access to how
|
||||
one can use them. Smartcards exposes APIs to perform specific PGP
|
||||
operations like _sign_, _encrypt_, _verify signature_ etc and no more;
|
||||
opposed to keys stored on local disk which gives all out access to
|
||||
keys if one has access to disk. Most important access that smartcards
|
||||
deny is the ability to copy them; essentially tieing your key to a
|
||||
physical object that can't be replicated. As long as you have your key
|
||||
with you, no one else has access to them.
|
||||
|
||||
Almost __all of the software__ we run has access to users disk on most operating systems and we have seen exploits that target keys stored on disk [again](https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/) and [again](https://en.wikipedia.org/wiki/Careto_(malware)). The keys stored on disk are often encrypted, but stealing your key password just the matter of chaining another exploit.
|
||||
Almost _all of the software_ we run has access to users disk on most
|
||||
operating systems, and we have seen exploits that target keys stored
|
||||
on disk
|
||||
[again](https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/)
|
||||
and [again](https://en.wikipedia.org/wiki/Careto_(malware)). The keys
|
||||
stored on disk are often encrypted, but stealing that encryption
|
||||
password is just a matter of chaining another exploit.
|
||||
|
||||
### 2. Compossibility[D[D[D[D[D[D[D[D[D[D[D[D[
|
||||
Having a physical root of trust combined with the fact that a lot of software supports GnuPG makes this a really nice composable component in my daily life.
|
||||
### 2. Compossibility
|
||||
Having a physical root of trust combined with the fact that a lot of
|
||||
software supports GnuPG makes this a really nice composable component
|
||||
in my daily life.
|
||||
|
||||
Some work-flows that I use daily:
|
||||
__Some work-flows that I use daily:__
|
||||
|
||||
#### SSH support
|
||||
GnuPG has native support for SSH. Your smartcard becomes my ssh key as well and I can roam between my multiple machines without actually having to copy and leave keys around or having to manage multiple keys.
|
||||
GnuPG has native support for SSH. Your smartcard becomes my ssh key as
|
||||
well and I can roam between my multiple machines without actually
|
||||
having to copy and leave keys around or having to manage multiple
|
||||
keys.
|
||||
|
||||
I also use a similar key for github.
|
||||
I also use a similar key for github since they use ssh to authenticate
|
||||
as well.
|
||||
|
||||
#### Pass password manager
|
||||
[pass](https://www.passwordstore.org/) is a password manager following UNIX philosophy. It uses GnuPG keys to encrypt passwords, and by using a key on the smartcard, you can tie the trust to the smartcard.
|
||||
[pass](https://www.passwordstore.org/) is a password manager following
|
||||
UNIX philosophy. It uses GnuPG keys to encrypt passwords, and by using
|
||||
a key on the smartcard, you can tie the trust to the smartcard.
|
||||
|
||||
Pass also opens up a lot more composable behaviors, I use it mostly for the next one --
|
||||
Pass also opens up a lot more composable behaviors, I use it mostly
|
||||
for the next one --
|
||||
|
||||
#### AWS Vault
|
||||
[aws-vault](https://github.com/99designs/aws-vault) is a nifty tool to manage AWS credentials. It can transparently issue temporary keys and populate shell environment.
|
||||
[aws-vault](https://github.com/99designs/aws-vault) is a nifty tool to
|
||||
manage AWS credentials. It can transparently issue temporary keys and
|
||||
populate shell environment.
|
||||
|
||||
There is possibly more, I have seen people use the same key to unlock
|
||||
their disk encryption at boot :-)
|
||||
|
||||
I am not going to cover setting up the card here, since there are a
|
||||
lot of documentation about how to do so, and it varies slightly by the
|
||||
card that one is using. However I'd suggest to not generate keys on
|
||||
the card, since you have zero backups in case you loose the card and
|
||||
also, we have seen [it is really hard to generate good keys on small
|
||||
devices](https://en.wikipedia.org/wiki/ROCA_vulnerability).
|
||||
|
||||
|
||||
I am not going to cover setting up the card here, since there are a lot of documentation about how to do so, and it varies slightly by the card that one is using. However I'd suggest to not generate keys on the card card it self, since you have zero backups in case you loose the card and also, we have seen [it is really hard to generate good keys on small devices](https://en.wikipedia.org/wiki/ROCA_vulnerability).
|
||||
## List of OpenPGP cards
|
||||
Ones that I know, there are possibly more.
|
||||
|
||||
- [NitroKey](https://shop.nitrokey.com/shop)
|
||||
- [Yubikey](https://www.yubico.com/products/yubikey-hardware/compare-products-series/)
|
||||
- [GnuK](https://www.fsij.org/category/gnuk.html)[^gnuk]
|
||||
|
||||
|
||||
## List of OpenPGP cards:
|
||||
- [NitroKey](https://shop.nitrokey.com/shop) Look for _"Email encryption"_ in supported features.
|
||||
- [Yubikey](https://www.yubico.com/products/yubikey-hardware/compare-products-series/) Look for _"open PGP"_ in supported features.
|
||||
- [GnuK](https://www.fsij.org/category/gnuk.html) unlike others Gnuk is a project aiming to provide open firmware that impliments card emulation. NitroKey sells a version based on GnuK.
|
||||
[^gpgsupport]: Each manufacturer have some models (usually the
|
||||
cheapest) are exclusivly FIDO keys and thus does not support this
|
||||
feature. NitroKey calls this feature _"Email encryption"_ while
|
||||
Yubikey calls this _"open PGP"_.
|
||||
|
||||
|
||||
[^gpgsupport]: There are some models usually the cheapest ones that does not support this feature, look for GPG/PGP support.
|
||||
[^gnuk]: unlike others Gnuk is a project to provide open
|
||||
firmware that implements smartcard. NitroKey sells a version
|
||||
based on GnuK called NitroKey Start.
|
||||
|
BIN
images/nitrokey.jpg
Normal file
BIN
images/nitrokey.jpg
Normal file
Binary file not shown.
After Width: | Height: | Size: 164 KiB |
Loading…
Reference in New Issue
Block a user