Publish a post about YubiKeys
This commit is contained in:
parent
7755edb8c4
commit
b1f1acc21a
1 changed files with 128 additions and 0 deletions
128
content/posts/yubikey_for_personal_security/note.md
Normal file
128
content/posts/yubikey_for_personal_security/note.md
Normal file
|
@ -0,0 +1,128 @@
|
||||||
|
X-Date: 2023-09-03T20:00:00Z
|
||||||
|
X-Note-Id: 9b465c2a-d05d-4df5-9678-b3a8067c71ef
|
||||||
|
Subject: Using YubiKey for personal security
|
||||||
|
X-Slug: yubikey_for_personal_security
|
||||||
|
|
||||||
|
If you haven't heard about [YubiKeys](https://www.yubico.com/products/yubikey-5-overview/) yet,
|
||||||
|
it is a small USB device that can securely store various kinds of secrets. The best feature of
|
||||||
|
it is that secrets are not extractable, even if the attacker has full control of the machine
|
||||||
|
to which the device is attached.
|
||||||
|
|
||||||
|
I'm writing this note for people who might find some of the use-cases interesting, as not all
|
||||||
|
of them are widely known.
|
||||||
|
|
||||||
|
## Precautions
|
||||||
|
|
||||||
|
When dealing with hardware security devices, always have a backup. I have two YubiKeys, one of
|
||||||
|
which is in one of the machines that I'm using, and another on my keychain. If one of them is
|
||||||
|
lost, stolen or damaged -- you can use the second one to recover.
|
||||||
|
|
||||||
|
## Authentication
|
||||||
|
|
||||||
|
This is kind of obvious, and one of the primary use-cases of the hardware tokens. Many services
|
||||||
|
will allow you to use it out of the box through the browser. You don't even have to configure
|
||||||
|
anything: just plug the key into a USB port and it will work.
|
||||||
|
|
||||||
|
My most important uses:
|
||||||
|
|
||||||
|
- Domain registrar [Gandi](https://www.gandi.net). I care for my domain to not be taken over if
|
||||||
|
a password for my account leaks.
|
||||||
|
- [Fastmail](https://fastmail.com) e-mail service.
|
||||||
|
- [Vultr](https://www.vultr.com/) VPS hosting where I host my website and Matrix server
|
||||||
|
|
||||||
|
Regarding e-mail, there's another important detail. Many people have a single address for both
|
||||||
|
the correspondence and accounts. This is problematic because authentication tokens from your
|
||||||
|
e-mail client can be stolen, and a potential attacker can then use them to reset all your
|
||||||
|
passwords on all your accounts (and they can easily get a list of accounts by traversing your
|
||||||
|
mail history). Because of this, you'd be better off with a separate e-mail address for all
|
||||||
|
your accounts, which you only access through web interface with a strong 2-factor auth.
|
||||||
|
|
||||||
|
I have to admit that having a separate email address for accounts didn't seem obvious to me
|
||||||
|
in the past, and I still have a common one. But I will transition in the next couple of weeks.
|
||||||
|
|
||||||
|
Separately, if you're responsible for maintaining security in your company, you may use
|
||||||
|
YubiKeys with [Duo](https://duo.com/) which can provide two-factor authentication for a lot
|
||||||
|
of third-party software and services that you keep around.
|
||||||
|
|
||||||
|
## SSH keys
|
||||||
|
|
||||||
|
This is part of authentication, but I'm keeping this in a separate section because SSH keys can be used
|
||||||
|
for various other purposes.
|
||||||
|
|
||||||
|
Current versions of OpenSSH have native support for a special type of keys with the suffix "-sk",
|
||||||
|
where the key itself resides on the physical device and only a key stub is stored in ~/.ssh. This
|
||||||
|
is how you can generate it:
|
||||||
|
|
||||||
|
```
|
||||||
|
ssh-keygen -t ed25519-sk
|
||||||
|
```
|
||||||
|
|
||||||
|
Notice the "-sk" suffix. When using this key, a physical touch on the token will be required.
|
||||||
|
|
||||||
|
I log in to all my servers through such keys. It is convenient, as the workflow of just dropping
|
||||||
|
the public key to ~/.ssh/authorized_keys doesn't change in any way.
|
||||||
|
|
||||||
|
In addition to logging into the servers, you can use such SSH keys to commit to a source control
|
||||||
|
service like GitHub. It gives you additional security where a potential attacker won't be able to
|
||||||
|
easily commit code on your behalf. Especially important if you're maintaining a library with high
|
||||||
|
number of users. (But see a section below on signatures, as this is not sufficient)
|
||||||
|
|
||||||
|
## GPG general
|
||||||
|
|
||||||
|
[GPG](https://www.gnupg.org/) is a standard set of open-source tools for asymmetric cryptography.
|
||||||
|
Even though many people have reasonable grounds to dislike GPG, it is still pretty much the only
|
||||||
|
mainstream tool that has integrations with all kinds of software (open-source or not).
|
||||||
|
|
||||||
|
Setting up GPG with YubiKeys can be hard. The hardest part is getting the encryption and signing
|
||||||
|
keys duplicated across the main and a backup key. There is a very good [guide from drduh](https://github.com/drduh/YubiKey-Guide)
|
||||||
|
which I highly recommend. It will take you a couple of hours of preparation to go through it,
|
||||||
|
but then a minimal configuration of GPG will just work.
|
||||||
|
|
||||||
|
## GPG Encryption
|
||||||
|
|
||||||
|
The first and most important usage I have for encryption is storing various passwords in source
|
||||||
|
control (git). There are many ways to do so, but so far only [SOPS](https://github.com/getsops/sops) from Mozilla
|
||||||
|
covered both my personal and work-related use-cases. When set up properly, it allows you to edit secrets with a single command:
|
||||||
|
|
||||||
|
```
|
||||||
|
sops file-with-secrets.yaml
|
||||||
|
```
|
||||||
|
|
||||||
|
SOPS has integrations with NixOS (which I care about the most), with Ansible (for provisioning servers), with AWS and other tools.
|
||||||
|
It looks as if [Hashicorp Vault](https://www.hashicorp.com/products/vault) was reduced to a set of simple core principles.
|
||||||
|
|
||||||
|
If you're interested, [here are some of my personal passwords](https://git.sr.ht/~knazarov/nixos/tree/master/item/secrets.yaml)
|
||||||
|
stored as a SOPS-encrypted file.
|
||||||
|
|
||||||
|
It is also possible to use GPG for encrypting the passwords stored with [pass](https://www.passwordstore.org/) because it uses
|
||||||
|
GPG natively.
|
||||||
|
|
||||||
|
## GPG Signatures
|
||||||
|
|
||||||
|
With the GPG configured, you can also sign stuff. Signing gives anyone who has your public key ability to verify that it is you
|
||||||
|
who authored the message or content. Importantly, this "anyone" could be the future you.
|
||||||
|
|
||||||
|
I personally use GPG to sign all my git commits. It is enabled by default in my configuration, and as such all commits that I make
|
||||||
|
carry with them my signature. It is completely transparent to other tooling, but allows me to go back and see if any of my code
|
||||||
|
has been tampered with.
|
||||||
|
|
||||||
|
It is not a coincidence that the Linux Kernel guide for maintainers documents the usage of
|
||||||
|
[code signing](https://docs.kernel.org/process/maintainer-pgp-guide.html). There were real infrastructure hacks in the past
|
||||||
|
that led to using GPG eventually.
|
||||||
|
|
||||||
|
In git, this is what you need to put into the config:
|
||||||
|
|
||||||
|
```
|
||||||
|
[tag]
|
||||||
|
gpgSign = true
|
||||||
|
|
||||||
|
[user]
|
||||||
|
signingKey = "<your-key-id>"
|
||||||
|
```
|
||||||
|
|
||||||
|
Then every time you commit anything, you'd need to touch the button on the YubiKey to put a signature onto the commit.
|
||||||
|
|
||||||
|
## Conclusion
|
||||||
|
|
||||||
|
As you can see, there are many uses for physical security tokens. It is a shame that many developers are not aware and
|
||||||
|
are not utilizing them.
|
Loading…
Reference in a new issue