On Thu, Dec 01, 2016 at 03:54:51PM -0800, Micah Lee wrote:
> I just wrote a quick blog post about using Yubikeys in Qubes.
> Specifically, I wanted to share a script that will use qvm-usb to attach
> your Yubikey to your gpgvm no matter what USB port you plug it into.
>
> https://micahflee.com/2016/12/qubes-tip-making-yubikey-openpgp-smart-cards-slightly-more-usable/

Thanks! That's interesting. I'd add two things:

The tool run by qvm-usb does support alternative device identification - using product and vendor ID. Also to specify which device to attach. This isn't exposed by the qvm-usb tool, because it may be ambiguous, but may be useful here. See the README for more details:
https://github.com/QubesOS/qubes-app-linux-usb-proxy

I acknowledge that your solution is better in some aspects: it exists and works :)

Is communication with the YubiKey encrypted, or at least somehow authenticated? Otherwise a malicious USB VM could easily perform some kind of man-in-the-middle attack and, for example, sign a document you really didn't want to sign. Or decrypt arbitrary data. It's possible even when physical confirmation (button) is required - by simply waiting until you perform *some* operation.

This is a general problem with USB devices, which is hard to solve with the current USB infrastructure (a USB VM can do anything with any device connected to it). Without some fundamental USB rework - probably at the hardware layer - I think the only alternative is protecting the data at the individual device protocol level (like you do with encrypted USB sticks, for example).

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?