dbalan/blogng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
9ceed4ccb2
blogng/blog/2019-10-30-one-key-to-rule-them-all.markdown
Dhananjay Balan 9ceed4ccb2 Intial, bad picture
2019-10-30 18:35:04 +01:00

3.6 KiB
Raw Blame History

layout title date comments tags
post One key to rule them all! 2019-10-30 true gnupg, nitrokey, security

"alternatively, how I use Nitrokeys/GnuK/YubiKeys"

Most popular use for NitroKeys seems to be as a 2FA FIDO key. Most of these devices can also behave (emulate technically speaking) as an OpenPGP smartcard1 to store your gpg keys.

one of my smartcards along with the nice "Where the wild things are" library card

Why should you use a smartcard?

1. Security

GnuPG keys stored on smartcards only allow narrow access. Smartcards exposes APIs to perform specific PGP operations like sign, encrypt, verify signature etc and no more as opposed to keys stored on local disk which gives all out access to keys if one has access to disk. Most important access that smartcards deny is the ability to copy them; essentially tieing your key to a physical object that can't be replicated. As long as you know where your physical key is, none else has access to them (at that point).

Almost all of the software we run has access to users disk on most operating systems and we have seen exploits that target keys stored on disk again and again. The keys stored on disk are often encrypted, but stealing your key password just the matter of chaining another exploit.

2. Compossibility[

Having a physical root of trust combined with the fact that a lot of software supports GnuPG makes this a really nice composable component in my daily life.

Some work-flows that I use daily:

SSH support

GnuPG has native support for SSH. Your smartcard becomes my ssh key as well and I can roam between my multiple machines without actually having to copy and leave keys around or having to manage multiple keys.

I also use a similar key for github.

Pass password manager

pass is a password manager following UNIX philosophy. It uses GnuPG keys to encrypt passwords, and by using a key on the smartcard, you can tie the trust to the smartcard.

Pass also opens up a lot more composable behaviors, I use it mostly for the next one --

AWS Vault

aws-vault is a nifty tool to manage AWS credentials. It can transparently issue temporary keys and populate shell environment.

I am not going to cover setting up the card here, since there are a lot of documentation about how to do so, and it varies slightly by the card that one is using. However I'd suggest to not generate keys on the card card it self, since you have zero backups in case you loose the card and also, we have seen it is really hard to generate good keys on small devices.

List of OpenPGP cards:

  • NitroKey Look for "Email encryption" in supported features.
  • Yubikey Look for "open PGP" in supported features.
  • GnuK unlike others Gnuk is a project aiming to provide open firmware that impliments card emulation. NitroKey sells a version based on GnuK.

  1. There are some models usually the cheapest ones that does not support this feature, look for GPG/PGP support. ↩︎