
On Thu, Dec 01, 2016 at 03:54:51PM -0800, Micah Lee wrote:
> I just wrote a quick blog post about using Yubikeys in Qubes.
> Specifically, I wanted to share a script that will use qvm-usb to attach
> your Yubikey to your gpgvm no matter what USB port you plug it into.
> https://micahflee.com/2016/12/qubes-tip-making-yubikey-openpgp-smart-cards-slightly-more-usable/

Thanks! That's interesting. I'd add two things:

The tool run by qvm-usb does support alternative device identification
- using product and vendor ID. Also to specify which device to attach.
This isn't exposed by qvm-usb tool, because it may be ambiguous, but may
be useful here. See README for more details:
I acknowledge that your solution is better in some aspect: it exists and
works :)

Is communication with the YubiKey encrypted, or at least somehow
authenticated? Otherwise a malicious USB VM could easily perform some kind
of man-in-the-middle attack and, for example, sign a document you really
didn't want to sign. Or decrypt arbitrary data. It's possible even when
physical confirmation (button) is required - by simply waiting until you
perform *some* operation.
This is a general problem with USB devices, which is hard to solve with
the current USB infrastructure (the USB VM can do anything with any device
connected to it). Without some fundamental USB rework - probably at the
hardware layer - I think the only alternative is protecting the data at
the individual device protocol level (like you do with encrypted USB sticks,
for example).

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


You received this message because you are subscribed to the Google Groups 
"qubes-users" group.