Hacker News new | past | comments | ask | show | jobs | submit login

I've got the same setup, it's pretty great. One thing, though: make sure you have another way of decrypting your passwords! I lost my Yubikey once, and I lost all my passwords. Now I have a copy of that key on a USB drive I keep at home in a small safe.



Yeah, my passwords are encrypted to two private keys. One is on the Yubikey, the other is printed and stored securely.


What's the best way to backup the private key on your yubikey? Do you just generate it on your computer instead of on your device, and then back that up?


Generally a good way to do this is via GPG subkeys. You keep your master/certifying key offline, in your safety deposit box, and load a subkey onto your Yubikey. If the Yubikey is lost, you can easily revoke the subkeys and generate new ones.

Here's a nice tutorial on it: https://www.jfry.me/articles/2015/gpg-smartcard/


Thanks for the link. I started reading through that, and it is quite involved. I'm still deciding if it's worth it.

I'm not sure I fully understand subkeys. It looks like they can be used in place of my main key, and I can generate new subkeys from my main key. Is this so I can revoke my subkeys if they are ever compromised? Can other subkeys decrypt my 'pass' files or is that limited to the subkey that generated them? It seems like the existing private key would be able to decrypt passwords in the future even after it was revoked, if the user still had the original files.


Yes -- revocation is just an indicator of the subkey's trust going forward. Once revoked, the user would generate a new subkey and re-encrypt their password wallet. While the git features and multi-key capabilities of pass lend well to very lightweight team usage, the model is definitely best suited for use by an individual.


So a subkey is aware of all revocations from before it was generated?

If I generate 2 subkeys, can they both encrypt and decrypt my passwords? The only difference is that I can revoke them independently?


Sorry, to clarify, you need to keep a backup of all subkeys along side your master/certifying key. Data encrypted to a given subkey can only be decrypted by that same subkey.

Honestly, if you're using GPG strictly for personal password wallet encryption, and don't intend to maintain an identity tied with the key long term, there's no need to do the subkey thing -- just create an offline key, load it to your YK, then securely store the offline key.

Subkeys shines when you want to maintain an identity long term, while allowing rotation of the keys that do your day to day encryption (or signing/auth)


General recommendation is to have a backup for everything on a yubi key. Two keys or printed backup codes or whatever.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: