---
layout: post
title: "One key to rule them all!"
date: 2019-10-30
comments: true
tags: gnupg, nitrokey, security
---

_"Alternatively, how I use Nitrokeys/GnuK/YubiKeys"_

The most popular use for [NitroKeys](https://www.nitrokey.com/) seems to
be as a **2FA** [FIDO](https://en.wikipedia.org/wiki/Universal_2nd_Factor)
key. But these devices can also behave (technically speaking, _emulate_)
as an OpenPGP smartcard to store your gpg keys[^gpgsupport].

## Why should you use a smartcard?

### 1. Security

GnuPG keys stored on smartcards allow only very narrow access to how
one can use them. Smartcards expose APIs to perform specific PGP
operations like _sign_, _encrypt_, _verify signature_ etc. and no more,
as opposed to keys stored on local disk, which give full access to the
key material to anyone who has access to the disk. The most important
access that smartcards deny is the ability to copy the key, essentially
tying your key to a physical object that can't be replicated. As long as
you have your key with you, no one else has access to it.

Almost _all of the software_ we run has access to the user's disk on most
operating systems, and we have seen exploits that target keys stored
on disk
[again](https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/)
and [again](https://en.wikipedia.org/wiki/Careto_(malware)). The keys
stored on disk are often encrypted, but stealing that encryption
password is just a matter of chaining another exploit.

### 2. Composability

Having a physical root of trust, combined with the fact that a lot of
software supports GnuPG, makes this a really nice composable component
in my daily life.

__Some work-flows that I use daily:__

#### SSH support

GnuPG has native support for SSH. The smartcard becomes my ssh key as
well, and I can roam between my multiple machines without actually
having to copy and leave keys around, or having to manage multiple
keys.

I also use a similar key for GitHub, since they use ssh to authenticate
as well.

#### Pass password manager

[pass](https://www.passwordstore.org/) is a password manager following
the UNIX philosophy. It uses GnuPG keys to encrypt passwords, and by
using a key on the smartcard, you can tie the trust to the smartcard.

Pass also opens up a lot more composable behaviors; I use it mostly
for the next one:

#### AWS Vault

[aws-vault](https://github.com/99designs/aws-vault) is a nifty tool to
manage AWS credentials. It can transparently issue temporary keys and
populate the shell environment.
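To make the three work-flows above concrete, here is an added example script (not code from the original post, and not part of GnuPG, pass or aws-vault themselves) that wires one card-held OpenPGP key into gpg-agent's SSH support, then into a `pass` store, and finally into aws-vault via its `pass` backend. It assumes GnuPG 2.1 or later with `gpgconf` on the PATH, a card whose keys are already set up, and that aws-vault honours `AWS_VAULT_BACKEND=pass`; the key fingerprint and the `example-profile` name are constructed placeholders.

```shell
#!/bin/sh
# Added example: one OpenPGP-card key feeding ssh, pass and aws-vault.
# Assumes GnuPG >= 2.1 (gpgconf, gpg-agent) and that the card already holds
# an authentication key. Nothing below touches a real card unless the script
# is invoked with the single argument "run".

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"

# Append a directive to gpg-agent.conf only if it is not already present, so
# re-running the setup never duplicates lines (gpg-agent tolerates duplicates,
# but a clean file is easier to audit).
ensure_agent_option() {
    conf="$1"; opt="$2"
    mkdir -p "$(dirname "$conf")"
    touch "$conf"
    if ! grep -qx -- "$opt" "$conf"; then
        printf '%s\n' "$opt" >> "$conf"
    fi
}

# How many times an exact directive line occurs in a config file (0 if none).
count_option() {
    grep -cx -- "$2" "$1" || true
}

# gpg-agent publishes an ssh-agent compatible socket; gpgconf knows its path
# for the current GNUPGHOME, so nothing needs to be hard-coded.
gpg_agent_ssh_sock() {
    gpgconf --list-dirs agent-ssh-socket
}

setup_ssh() {
    ensure_agent_option "$GNUPGHOME/gpg-agent.conf" "enable-ssh-support"
    gpgconf --kill gpg-agent              # restart so the new option is read
    SSH_AUTH_SOCK="$(gpg_agent_ssh_sock)"; export SSH_AUTH_SOCK
    # The card's authentication key shows up here as an ordinary ssh public
    # key; paste that line into authorized_keys (or GitHub's SSH key settings).
    ssh-add -L
}

# Placeholder fingerprint: replace with the card key's real fingerprint
# (see `gpg --card-status`).
CARD_KEY_FPR="0000000000000000000000000000000000000000"

# Every pass entry is now encrypted to the card key: reading a password
# requires the card to be present and its PIN to be entered.
setup_pass() {
    pass init "$CARD_KEY_FPR"
}

# aws-vault can store its long-lived credentials in pass instead of the OS
# keychain (assumption: AWS_VAULT_BACKEND=pass is honoured by the installed
# version), so the same card guards the AWS credentials too. The temporary
# session credentials it issues are injected only into the child's environment.
setup_aws_vault() {
    AWS_VAULT_BACKEND=pass; export AWS_VAULT_BACKEND
    aws-vault add example-profile          # prompts for access key id/secret
    aws-vault exec example-profile -- aws sts get-caller-identity
}

if [ "${1:-}" = "run" ]; then
    for tool in gpgconf ssh-add pass aws-vault; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; exit 1; }
    done
    setup_ssh
    setup_pass
    setup_aws_vault
fi
```

Run it as `sh setup.sh run` on a machine with the card plugged in; without the `run` argument it only defines the functions, which keeps the file safe to source. The `ensure_agent_option` helper is the part worth reusing: configuration that is re-applied on every machine you roam to should be idempotent, or the agent config drifts between hosts.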

There is possibly more; I have seen people use the same key to unlock
their disk encryption at boot :-)

I am not going to cover setting up the card here, since there is a
lot of documentation on how to do so, and it varies slightly by the
card one is using. However, I'd suggest not generating keys on
the card, since you have zero backups in case you lose the card, and
also we have seen that [it is really hard to generate good keys on small
devices](https://en.wikipedia.org/wiki/ROCA_vulnerability).

## List of OpenPGP cards

Ones that I know of; there are possibly more.

- [NitroKey](https://shop.nitrokey.com/shop)
- [Yubikey](https://www.yubico.com/products/yubikey-hardware/compare-products-series/)
- [GnuK](https://www.fsij.org/category/gnuk.html)[^gnuk]

[^gpgsupport]: Each manufacturer has some models (usually the
    cheapest) that are exclusively FIDO keys and thus do not support this
    feature. NitroKey calls this feature _"Email encryption"_ while
    Yubikey calls it _"open PGP"_.

[^gnuk]: Unlike the others, GnuK is a project to provide open
    firmware that implements the smartcard. NitroKey sells a version
    based on GnuK called NitroKey Start.