On 06/01/2017 22:13, Oliver Albertini wrote:
> Forgive me if this is the wrong place to ask, or if it has already been
> addressed. Also, thanks to the developers of pass, it is a really useful
> program.
> What is the best practice for using a yubikey to authenticate gpg in the
> context of pass?
Which kind of Yubikey do you have?
I have a Yubikey standard (no longer available). It does OTP in the
first slot. I could use the second slot to store my GPG passphrase as a
static string - but I don't, since I know it :-) Since it just types in
the static string, it would be vulnerable to keyloggers.
A Yubikey U2F isn't usable for this application as far as I can see.
It's intended for 2FA to web apps.
A Yubikey 4 or Yubikey Neo has the ability to store your GPG private
key, and decrypt messages inside the key. That would be the strongest
solution I think, but I've not tried it yet. There's a nice writeup here:
https://malcolmsparks.com/posts/yubikey-gpg.html
It sounds like the PIN is cached, which is useful for bulk operations
like "pass grep" which has to decrypt all the files in your repo.
HTH,
Brian.
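As an added illustration of the on-card option described above (this is not code from the thread or from the pass project): a shell check that the decryption key pass uses is actually held on a token rather than on disk. It relies on gpg's machine-readable colon format, where field 15 of a `sec`/`ssb` record carries the token serial number for a smartcard stub, and it runs against a constructed sample in place of live `gpg --with-colons --list-secret-keys` output.

```shell
#!/bin/sh
# Added example, not part of pass: report where each secret (sub)key lives.
# In gpg's --with-colons output, field 15 of a sec/ssb record holds the
# token serial number when the secret part is a smartcard stub, "#" when
# no secret material is available at all, and is empty for on-disk keys.

# Constructed sample: primary key on disk, encryption subkey ("e") on a card.
SAMPLE_GPG_OUTPUT='sec:u:4096:1:0123456789ABCDEF:1484000000:::u:::scESC:::::
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1484000000::HASH::Example User <user@example.org>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1484000000::::::e:::D2760001240102010006000000010000::
fpr:::::::::00000000000000000000000000FEDCBA9876543210:'

# Print one line per secret key: "<keyid> <capabilities> <location>".
# Usage: key_storage "$colon_output"
key_storage() {
  printf '%s\n' "$1" | awk -F: '
    $1 == "sec" || $1 == "ssb" {
      if ($15 == "#")      loc = "no-secret"
      else if ($15 != "")  loc = "card:" $15
      else                 loc = "disk"
      print $5, $12, loc
    }'
}

# Succeed only if at least one decryption-capable (lowercase "e") key is
# on a card, which is the property that matters for pass: it only decrypts.
encryption_key_on_card() {
  key_storage "$1" |
    awk '$2 ~ /e/ && $3 ~ /^card:/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Against a real store, feed the key id pass is configured to use:
#   encryption_key_on_card "$(gpg --with-colons --list-secret-keys \
#       "$(cat ~/.password-store/.gpg-id)")" && echo "pass key is on a token"
```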
_______________________________________________
Password-Store mailing list
https://lists.zx2c4.com/mailman/listinfo/password-store