yubitouch VS docker-credential-helpers

Here's a script that will set that mode, in case you'd like to use it. It prevents someone/malware from being able to use your key after you've unlocked it. For example if you hacked my computer and tried to use it to ssh to another machine you'd be unable because you'd need me to tap the key.

I'd suggest trying 'on' before 'fix', but then switching to 'fix' for the extra security it provides.

https://github.com/a-dma/yubitouch

Docker supports a credential-helper module[0], which supports 4 different backends for fetching the docker registry credentials: osxkeychain, pass, wincred, and secretservice.

pass lets you use GPG-smartcards, and many of those (such as Yubikeys) will let you enforce touch-policies for signing/encruption.

As a combination of both these however, I must touch my Yubikey every time I pull a new docker image.

Another cool use-case is that I use the terraform-pass-provider to save secrets for my personal terraform project.

[0]: https://github.com/docker/docker-credential-helpers

# Finds the latest version $ wincred_version=$(curl -fsSL -o /dev/null -w "%{url_effective}" https://github.com/docker/docker-credential-helpers/releases/latest) # Downloads and extracts the .exe $ sudo curl -fL \ "https://github.com/docker/docker-credential-helpers/releases/download/${wincred_version}/docker-credential-wincred-${wincred_version}-$(dpkg --print-architecture).zip" | zcat | sudo tee /usr/local/bin/docker-credential-wincred.exe >/dev/null # Assigns execution permission to it $ sudo chmod +x /usr/local/bin/docker-credential-wincred.exe