On 04/15/2018 07:43 AM, YunQiang Su wrote:
> On Sun, Apr 15, 2018 at 5:09 AM, Thomas Goirand <z...@debian.org> wrote:
>> Forgot "Yubikey" in the subject line ... :)
> How many bits does it support?

The keys support storing 3 4096-bit subkeys, for auth, encryption and
signing. You're not supposed to store your master key in the Yubikey;
instead you'd just save the master key far away in a safe place. The
only issue is that then, you can't exchange key signatures using only the
Yubikey, but I guess that's fine.

At Infomaniak, we have a master key without expiration, and the 3
subkeys expire within 365 days, and are renewed every year.

You can also use a GPG-derived ssh key, which is what we use for the
everyday auth to servers. Typing "ssh-add -L" shows the private part of
the ssh key, and the gpg-agent then takes care of the auth. I also use
that ssh key for logging into Debian servers (and for the Git in Salsa).

Knowing that my laptop doesn't hold any ssh or gpg key is nice. When I
leave my desk, I just lock my desktop the normal way, remove the Yubikey
and go. The Yubikey is way smaller to carry than my laptop... :P


Thomas Goirand (zigo)
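
Added example, not part of the original message: a check that a keyring follows the layout described above (primary key without expiration, signing/encryption/authentication subkeys that expire within 365 days), run over `gpg --list-keys --with-colons` output. The sample listing, its key IDs, and the `audit` function with its `warn_days` threshold are constructed for illustration; dates are assumed to be epoch seconds, as GnuPG 2.x prints them.

```python
DAY = 86400

# Constructed `gpg --list-keys --with-colons` output; key IDs are placeholders.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1523750400:::u:::cESCA::::::23::0:
uid:u::::1523750400::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1523750400:1555286400:::::s::::::23:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1523750400:1555286400:::::e::::::23:
sub:u:4096:1:DDDDDDDDDDDDDDDD:1523750400:1555286400:::::a::::::23:
"""

def audit(listing, now, max_days=365, warn_days=30):
    """Return a list of findings; an empty list means the layout matches."""
    findings, covered = [], set()
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue  # uid, fpr and other record types carry no expiry policy
        keyid, created = f[4], int(f[5])
        expires = int(f[6]) if f[6] else None  # field 7: empty = no expiry
        if f[0] == "pub":
            if expires is not None:
                findings.append(f"{keyid}: primary key has an expiration date")
            continue
        if f[1] == "r":  # field 2: validity, 'r' = revoked
            findings.append(f"{keyid}: subkey revoked")
            continue
        if expires is None:
            findings.append(f"{keyid}: subkey never expires")
        elif expires <= now:
            findings.append(f"{keyid}: subkey expired")
            continue  # an expired subkey covers no capability
        else:
            if expires - created > max_days * DAY:
                findings.append(f"{keyid}: lifetime exceeds {max_days} days")
            if expires - now <= warn_days * DAY:
                left = (expires - now) // DAY
                findings.append(f"{keyid}: expires in {left} days, renew")
        # field 12: capabilities (s = sign, e = encrypt, a = authenticate)
        covered |= {c for c in f[11] if c in "sea"}
    for cap, name in (("s", "signing"), ("e", "encryption"),
                      ("a", "authentication")):
        if cap not in covered:
            findings.append(f"no valid {name} subkey")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, now=1555286400 - 10 * DAY):
        print(finding)
```
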

