knazarov/knazarov.com
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Publish a post about YubiKeys

Browse source
This commit is contained in:
Konstantin Nazarov 2023-09-03 21:22:37 +01:00
parent 7755edb8c4
commit b1f1acc21a
Signed by: knazarov
GPG key ID: 4CFE0A42FA409C22
1 changed files with 128 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

128
content/posts/yubikey_for_personal_security/note.md Normal file
View file

@ -0,0 +1,128 @@
X-Date: 2023-09-03T20:00:00Z
X-Note-Id: 9b465c2a-d05d-4df5-9678-b3a8067c71ef
Subject: Using YubiKey for personal security
X-Slug: yubikey_for_personal_security
If you haven't heard about [YubiKeys](https://www.yubico.com/products/yubikey-5-overview/) yet,
it is a small USB device that can securely store various kinds of secrets. The best feature of
it is that secrets are not extractable, even if the attacker has full control of the machine
to which the device is attached.
I'm writing this note for people who might find some of the use-cases interesting, as not all
of them are widely known.
## Precautions
When dealing with hardware security devices, always have a backup. I have two YubiKeys, one of
which is in one of the machines that I'm using, and another on my keychain. If one of them is
lost, stolen or damaged -- you can use the second one to recover.
## Authentication
This is kind of obvious, and one of the primary use-cases of the hardware tokens. Many services
will allow you to use it out of the box through the browser. You don't even have to configure
anything: just plug the key into a USB port and it will work.
My most important uses:
- Domain registrar [Gandi](https://www.gandi.net). I care for my domain to not be taken over if
a password for my account leaks.
- [Fastmail](https://fastmail.com) e-mail service.
- [Vultr](https://www.vultr.com/) VPS hosting where I host my website and Matrix server
Regarding e-mail, there's another important detail. Many people have a single address for both
the correspondence and accounts. This is problematic because authentication tokens from your
e-mail client can be stolen, and a potential attacker can then use them to reset all your
passwords on all your accounts (and they can easily get a list of accounts by traversing your
mail history). Because of this, you'd be better off with a separate e-mail address for all
your accounts, which you only access through web interface with a strong 2-factor auth.
I have to admit that having a separate email address for accounts didn't seem obvious to me
in the past, and I still have a common one. But I will transition in the next couple of weeks.
Separately, if you're responsible for maintaining security in your company, you may use
YubiKeys with [Duo](https://duo.com/) which can provide two-factor authentication for a lot
of third-party software and services that you keep around.
## SSH keys
This is part of authentication, but I'm keeping this in a separate section because SSH keys can be used
for various other purposes.
Current versions of OpenSSH have native support for a special type of keys with the suffix "-sk",
where the key itself resides on the physical device and only a key stub is stored in ~/.ssh. This
is how you can generate it:
```
ssh-keygen -t ed25519-sk
```
Notice the "-sk" suffix. When using this key, a physical touch on the token will be required.
I log in to all my servers through such keys. It is convenient, as the workflow of just dropping
the public key to ~/.ssh/authorized_keys doesn't change in any way.
In addition to logging into the servers, you can use such SSH keys to commit to a source control
service like GitHub. It gives you additional security where a potential attacker won't be able to
easily commit code on your behalf. Especially important if you're maintaining a library with high
number of users. (But see a section below on signatures, as this is not sufficient)
## GPG general
[GPG](https://www.gnupg.org/) is a standard set of open-source tools for asymmetric cryptography.
Even though many people have reasonable grounds to dislike GPG, it is still pretty much the only
mainstream tool that has integrations with all kinds of software (open-source or not).
Setting up GPG with YubiKeys can be hard. The hardest part is getting the encryption and signing
keys duplicated across the main and a backup key. There is a very good [guide from drduh](https://github.com/drduh/YubiKey-Guide)
which I highly recommend. It will take you a couple of hours of preparation to go through it,
but then a minimal configuration of GPG will just work.
## GPG Encryption
The first and most important usage I have for encryption is storing various passwords in source
control (git). There are many ways to do so, but so far only [SOPS](https://github.com/getsops/sops) from Mozilla
covered both my personal and work-related use-cases. When set up properly, it allows you to edit secrets with a single command:
```
sops file-with-secrets.yaml
```
SOPS has integrations with NixOS (which I care about the most), with Ansible (for provisioning servers), with AWS and other tools.
It looks as if [Hashicorp Vault](https://www.hashicorp.com/products/vault) was reduced to a set of simple core principles.
If you're interested, [here are some of my personal passwords](https://git.sr.ht/~knazarov/nixos/tree/master/item/secrets.yaml)
stored as a SOPS-encrypted file.
It is also possible to use GPG for encrypting the passwords stored with [pass](https://www.passwordstore.org/) because it uses
GPG natively.
## GPG Signatures
With the GPG configured, you can also sign stuff. Signing gives anyone who has your public key ability to verify that it is you
who authored the message or content. Importantly, this "anyone" could be the future you.
I personally use GPG to sign all my git commits. It is enabled by default in my configuration, and as such all commits that I make
carry with them my signature. It is completely transparent to other tooling, but allows me to go back and see if any of my code
has been tampered with.
It is not a coincidence that the Linux Kernel guide for maintainers documents the usage of
[code signing](https://docs.kernel.org/process/maintainer-pgp-guide.html). There were real infrastructure hacks in the past
that led to using GPG eventually.
In git, this is what you need to put into the config:
```
[tag]
gpgSign = true
[user]
signingKey = "<your-key-id>"
```
Then every time you commit anything, you'd need to touch the button on the YubiKey to put a signature onto the commit.
## Conclusion
As you can see, there are many uses for physical security tokens. It is a shame that many developers are not aware and
are not utilizing them.