From b1f1acc21a3532d6a4cd0d290db2f23cb05b0a24 Mon Sep 17 00:00:00 2001 From: Konstantin Nazarov Date: Sun, 3 Sep 2023 21:22:37 +0100 Subject: [PATCH] Publish a post about YubiKeys --- .../yubikey_for_personal_security/note.md | 128 ++++++++++++++++++ 1 file changed, 128 insertions(+) create mode 100644 content/posts/yubikey_for_personal_security/note.md diff --git a/content/posts/yubikey_for_personal_security/note.md b/content/posts/yubikey_for_personal_security/note.md new file mode 100644 index 0000000..9a9c3fa --- /dev/null +++ b/content/posts/yubikey_for_personal_security/note.md @@ -0,0 +1,128 @@ +X-Date: 2023-09-03T20:00:00Z +X-Note-Id: 9b465c2a-d05d-4df5-9678-b3a8067c71ef +Subject: Using YubiKey for personal security +X-Slug: yubikey_for_personal_security + +If you haven't heard about [YubiKeys](https://www.yubico.com/products/yubikey-5-overview/) yet, +it is a small USB device that can securely store various kinds of secrets. The best feature of +it is that secrets are not extractable, even if the attacker has full control of the machine +to which the device is attached. + +I'm writing this note for people who might find some of the use-cases interesting, as not all +of them are widely known. + +## Precautions + +When dealing with hardware security devices, always have a backup. I have two YubiKeys, one of +which is in one of the machines that I'm using, and another on my keychain. If one of them is +lost, stolen or damaged -- you can use the second one to recover. + +## Authentication + +This is kind of obvious, and one of the primary use-cases of the hardware tokens. Many services +will allow you to use it out of the box through the browser. You don't even have to configure +anything: just plug the key into a USB port and it will work. + +My most important uses: + +- Domain registrar [Gandi](https://www.gandi.net). I care for my domain to not be taken over if + a password for my account leaks. +- [Fastmail](https://fastmail.com) e-mail service. +- [Vultr](https://www.vultr.com/) VPS hosting where I host my website and Matrix server + +Regarding e-mail, there's another important detail. Many people have a single address for both +the correspondence and accounts. This is problematic because authentication tokens from your +e-mail client can be stolen, and a potential attacker can then use them to reset all your +passwords on all your accounts (and they can easily get a list of accounts by traversing your +mail history). Because of this, you'd be better off with a separate e-mail address for all +your accounts, which you only access through web interface with a strong 2-factor auth. + +I have to admit that having a separate email address for accounts didn't seem obvious to me +in the past, and I still have a common one. But I will transition in the next couple of weeks. + +Separately, if you're responsible for maintaining security in your company, you may use +YubiKeys with [Duo](https://duo.com/) which can provide two-factor authentication for a lot +of third-party software and services that you keep around. + +## SSH keys + +This is part of authentication, but I'm keeping this in a separate section because SSH keys can be used +for various other purposes. + +Current versions of OpenSSH have native support for a special type of keys with the suffix "-sk", +where the key itself resides on the physical device and only a key stub is stored in ~/.ssh. This +is how you can generate it: + +``` +ssh-keygen -t ed25519-sk +``` + +Notice the "-sk" suffix. When using this key, a physical touch on the token will be required. + +I log in to all my servers through such keys. It is convenient, as the workflow of just dropping +the public key to ~/.ssh/authorized_keys doesn't change in any way. + +In addition to logging into the servers, you can use such SSH keys to commit to a source control +service like GitHub. It gives you additional security where a potential attacker won't be able to +easily commit code on your behalf. Especially important if you're maintaining a library with high +number of users. (But see a section below on signatures, as this is not sufficient) + +## GPG general + +[GPG](https://www.gnupg.org/) is a standard set of open-source tools for asymmetric cryptography. +Even though many people have reasonable grounds to dislike GPG, it is still pretty much the only +mainstream tool that has integrations with all kinds of software (open-source or not). + +Setting up GPG with YubiKeys can be hard. The hardest part is getting the encryption and signing +keys duplicated across the main and a backup key. There is a very good [guide from drduh](https://github.com/drduh/YubiKey-Guide) +which I highly recommend. It will take you a couple of hours of preparation to go through it, +but then a minimal configuration of GPG will just work. + +## GPG Encryption + +The first and most important usage I have for encryption is storing various passwords in source +control (git). There are many ways to do so, but so far only [SOPS](https://github.com/getsops/sops) from Mozilla +covered both my personal and work-related use-cases. When set up properly, it allows you to edit secrets with a single command: + +``` +sops file-with-secrets.yaml +``` + +SOPS has integrations with NixOS (which I care about the most), with Ansible (for provisioning servers), with AWS and other tools. +It looks as if [Hashicorp Vault](https://www.hashicorp.com/products/vault) was reduced to a set of simple core principles. + +If you're interested, [here are some of my personal passwords](https://git.sr.ht/~knazarov/nixos/tree/master/item/secrets.yaml) +stored as a SOPS-encrypted file. + +It is also possible to use GPG for encrypting the passwords stored with [pass](https://www.passwordstore.org/) because it uses +GPG natively. + +## GPG Signatures + +With the GPG configured, you can also sign stuff. Signing gives anyone who has your public key ability to verify that it is you +who authored the message or content. Importantly, this "anyone" could be the future you. + +I personally use GPG to sign all my git commits. It is enabled by default in my configuration, and as such all commits that I make +carry with them my signature. It is completely transparent to other tooling, but allows me to go back and see if any of my code +has been tampered with. + +It is not a coincidence that the Linux Kernel guide for maintainers documents the usage of +[code signing](https://docs.kernel.org/process/maintainer-pgp-guide.html). There were real infrastructure hacks in the past +that led to using GPG eventually. + +In git, this is what you need to put into the config: + +``` +[tag] + gpgSign = true + +[user] + signingKey = "" +``` + +Then every time you commit anything, you'd need to touch the button on the YubiKey to put a signature onto the commit. + +## Conclusion + +As you can see, there are many uses for physical security tokens. It is a shame that many developers are not aware and +are not utilizing them.