Another potential downside is that the NEO only supports 2048-bit RSA keys although those are still acceptably strong. One downside is that there is no on-device PIN entry mechanism so you rely on a software PIN which is susceptible to key logging. The Yubikey is a authentication swiss-army knife. They support various OTP schemes, OpenPGP smart card, and Fido U2F. I’ve LOVED the Yubikey product line for years because they are clever, small, versatile, and indestructible. I want to use the smart card for GnuPG (encryption / signing) and SSH (remote login)įor day-to-day use I chose the Yubikey Neo.I want to support Windows, OSX and Linux.2048-bit Sub-keys for encryption, signing and authentication are created and stored on Yubikey NEO for daily use.Master key is used for key signing and updating expiry dates on my keys (rarely).4096-bit Master GnuPG key is generated and stored on an offline computer.Much like the reason Simon wrote his post, this article was primarily created to document my setup for my future reference. This article is heavily based on “ Offline GnuPG Master Key and Subkeys on YubiKey NEO Smartcard” by Unfortunately, despite existing for over a decade, it’s been difficult to find comprehensive information about setting up and using smart cards, for use with GPG and SSH, under Linux, Windows and OSX. The smart cards significantly increase the security of my keys and don’t require me to use long passwords to secure my GPG/SSH keys on my individual machines. If the administrative PIN is entered incorrectly the card is rendered inoperable or the key is destroyed (I’m not sure which). If the PIN is entered incorrectly three times the card is blocked and must be reset using the administrative PIN. To prevent unauthorized use the smart code requires the user provide a short PIN. Software can ask the smart card to perform cryptographic operations on its behalf without disclosing the key to the computer (in fact, there is no reasonable way to extract the private key from a smart card). Smart cards let you store the private key on a tamper resistant piece of hardware instead of scattered across various computers (where it can be accessed by other users of the machine, malicious software, etc). To mitigate this problem I used a strong password on each of these keys which makes actually using them annoying. I don’t like leaving secret keys on my work computer, work laptop, various home computers, etc. I use SSH daily (with SSH keys) and would like to use GPG routinely (if only people I conversed with would use it) but key management is always a problem.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |