For OTP secrets, you could add my yubikey-otp tool, which is a CLI tool for searching and adding otp secrets stored on your YubiKey to your clipboard: https://github.com/MarkusZoppelt/yubikey-otp
Since it mentions age and rage: there is also dage, a Dart implementation https://github.com/Producement/dage .
Also there is age-yubikey-pgp which uses dage to allow you to use X25519 for file encryption/decryption https://github.com/Producement/age-yubikey-pgp
It really depends on what you want to do with the yubikeys. If you're just using the PGP functionality (like SSH-ing and signing git commits) all you have to do is upload the same private (sub)keys to the two yubikeys and they'll be functionally the same*. I wouldn't know about other (more advanced) features though.
If you follow DrDuh's guide, you should be able to set up the yubikeys in the way I described. I also created some provisioning scripts that automate the whole process which you should be able to use to provision the PGP applet:
https://github.com/santiago-mooser/yubikey-provisioning-scri...
Make sure to enable the export of the private key though!
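The procedure the comment above describes, as an added worked example (it is not the commenter's provisioning scripts and not code from DrDuh's guide, though it follows the same --edit-key dialogue). The point it makes concrete is the "enable the export of the private key" caveat: `keytocard` replaces the local secret subkey with a stub that points at the card, so the second YubiKey has to be loaded from a copy of the backup keyring, not from the keyring you just used. Assumptions, all of them labelled in the code: BACKUP_HOME is a backed-up GNUPGHOME holding the master key and three subkeys in the order sign, encrypt, auth (what DrDuh's guide produces); KEYID is the master key fingerprint; the cards are blank; gpg-agent shows pinentry prompts for the key passphrase and the card Admin PIN.

```shell
#!/bin/sh
# Added example, not from the thread, the linked scripts or DrDuh's guide: put the
# same OpenPGP subkeys on two (or more) YubiKeys.
# Assumptions: BACKUP_HOME is a backed-up GNUPGHOME containing the master key and
# three subkeys (1 = sign, 2 = encrypt, 3 = auth, as DrDuh's guide creates them);
# KEYID is the master key fingerprint; the cards are blank (on a used card gpg also
# asks "Replace existing key? (y/N)"); pinentry handles the passphrase and Admin PIN.
set -eu

# The --edit-key dialogue: select subkey N, move it to the card, answer the
# "where to store the key" prompt with the slot number, deselect, repeat, save.
keytocard_script() {
  printf '%s\n' \
    'key 1' keytocard 1 'key 1' \
    'key 2' keytocard 2 'key 2' \
    'key 3' keytocard 3 \
    save
}

# Extract the three subkey fingerprints (sign, encrypt, auth) from the
# `gpg --card-status --with-colons` output, where they sit on the "fpr:" line.
card_fprs() {
  awk -F: '$1 == "fpr" { print $2, $3, $4 }'
}

# Two cards are interchangeable for git signing and SSH exactly when they carry
# the same three subkey fingerprints.
same_subkeys() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# keytocard turns the local secret subkeys into card stubs, so every card is
# provisioned from a throwaway *copy* of the backup; the backup itself stays intact.
# Prints the fingerprints the card reports afterwards.
provision_card() {
  scratch="$(mktemp -d)"
  cp -Rp "${BACKUP_HOME:?backup keyring directory}"/. "$scratch"/
  keytocard_script | GNUPGHOME="$scratch" gpg --command-fd 0 --status-fd 2 \
      --edit-key "${KEYID:?master key fingerprint}" >/dev/null
  GNUPGHOME="$scratch" gpg --card-status --with-colons | card_fprs
  rm -rf "$scratch"
}

main() {
  printf 'Insert the first YubiKey and press Enter: '; read -r _
  first="$(provision_card)"
  printf 'Insert the second YubiKey and press Enter: '; read -r _
  second="$(provision_card)"
  if same_subkeys "$first" "$second"; then
    echo "both cards carry the subkeys: $first"
  else
    echo "fingerprint mismatch: [$first] vs [$second]" >&2
    exit 1
  fi
}

# Only run the interactive part when explicitly asked; sourcing just defines functions.
if [ "${RUN_PROVISION:-0}" = 1 ]; then
  main
fi
```

Run it as `RUN_PROVISION=1 BACKUP_HOME=/path/to/gnupghome-backup KEYID=<fingerprint> sh provision.sh`. The scratch directory is removed afterwards but not shredded; keep the backup itself on offline storage, since every YubiKey you provision this way is a full copy of those subkeys, and their interchangeability is also the reason `rm -rf` is only as good as the medium it runs on.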
According to this:
* https://github.com/drduh/YubiKey-Guide#configure-smartcard
... it is:
gpg --card-edit
There are many others.
The list of FIDO certified products alone is 39 pages long here: https://fidoalliance.org/certification/fido-certified-produc...
In addition to that, there are open source implementations for Java Card [1], open hardware efforts [2] and much more.
[1] https://github.com/darconeous/u2f-javacard
Unfortunately SoloKey doesn't work as an OpenPGP smart card, which means it's not a real substitute for a Yubikey. I haven't had any luck with resident FIDO2, either.
The Solo team believes that other functionality such as PIV overlaps with GnuPG use cases, so that OpenPGP isn't a priority, and their work on that functionality appears to have stopped in 2021. That's too bad, because OpenPGP's network effects far outweigh its pure functionality, which means a technical substitute isn't a substitute.
https://github.com/solokeys/openpgp
Mullvad VPN has announced that they are working on the "Tillitis"[1] key and it looks like it's releasing pretty soon (2023-03-23).
From the website:
>The TKey™ is a new kind of USB security key inspired by measured boot and DICE.
>TKey™'s design encourages developers to experiment with new security key applications and models in a way that makes adoption easier and less risky for end-users.
>TKey™ is and always will be open source hardware and software. Schematics, PCB design and FPGA design source as well as all software source code can be found on GitHub.
[1]: https://www.tillitis.se/ -- also "tillit" is Swedish for "trust"
If you get a smartcard, you can install https://github.com/BryanJacobs/FIDO2Applet on it to make it into a FIDO2 authenticator. You can install a GPG and a PIV applet too.
A Yubikey is just a proprietary smartcard with a bunch of apps installed and some HID emulation (pretending to be a keyboard, which you likely do not want).