Unless I've missed something, SSH keys stored on Yubikeys are still hampered because you aren't allowed to set a touch policy of "touch never".
Imagine needing to touch the Yubikey with each "git pull" or using Ansible to operate over SSH on a dozen servers in parallel, and needing to touch the Yubikey once for each server.
The feature request I'm tracking is here: https://github.com/FiloSottile/yubikey-agent/issues/95
The proposed feature would allow setting a touch policy for the SSH key.
> As of OpenSSH 8.2 (February 14, 2020) you are able to store an SSH private key on a yubikey! Here's how to do it.
Many systems still don't have OpenSSH 8.2 (Windows 11, older Debian stable, etc). For those, another solution is to use the PGP applet of the YubiKey, which exposes a regular RSA key.
This guide has worked well for me: https://github.com/drduh/YubiKey-Guide
You can jump to the SSH sections if that's all you're after.
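The touch-policy trade-off raised above (parallel Ansible runs vs. a presence check on every signature) is something the server side can audit for OpenSSH's native FIDO keys: an `sk-*` key in `authorized_keys` requires a touch unless the line carries the `no-touch-required` option, and `verify-required` additionally demands a PIN or biometric. The script below is an added example, not code from the thread or from OpenSSH or yubikey-agent. It parses the `authorized_keys` format (optional comma-separated options, then key type, base64 blob, optional comment) and flags each key's hardware-presence posture. The key blobs in the embedded sample are constructed placeholders, not real keys.

```python
"""Audit an OpenSSH authorized_keys file for FIDO ("sk") keys and their
touch / user-verification options.

Added example. Key type strings and option names are the ones OpenSSH 8.2+
uses; the sample file and its blobs are constructed for this illustration.
"""
from dataclasses import dataclass

SK_KEY_TYPES = {
    "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
}
# Software-resident key types that may appear without an options field.
PLAIN_KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}
KNOWN_KEY_TYPES = SK_KEY_TYPES | PLAIN_KEY_TYPES


@dataclass
class AuthorizedKey:
    key_type: str
    blob: str
    comment: str
    options: list

    @property
    def is_sk(self) -> bool:
        return self.key_type in SK_KEY_TYPES

    @property
    def touch_required(self) -> bool:
        # sshd demands the user-presence flag on sk signatures unless told not to.
        return self.is_sk and "no-touch-required" not in self.options

    @property
    def verify_required(self) -> bool:
        return self.is_sk and "verify-required" in self.options


def _first_field(line: str):
    """Split off the first whitespace-delimited field, honouring double quotes
    (options such as command="..." may contain spaces)."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return line[:i], line[i:].lstrip()
    return line, ""


def _split_options(opts: str) -> list:
    """Split the options field on commas that are outside double quotes."""
    out, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def parse_line(line: str):
    """Parse one authorized_keys line; returns None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first, rest = _first_field(line)
    if first in KNOWN_KEY_TYPES:
        options, key_type = [], first
    else:  # leading field is the options list
        options = _split_options(first)
        key_type, rest = _first_field(rest)
    if not rest:
        raise ValueError(f"missing key blob: {line!r}")
    blob, comment = _first_field(rest)
    return AuthorizedKey(key_type, blob, comment, options)


def audit(text: str) -> list:
    """Classify every key by whether a physical touch (and PIN) gates its use."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        key = parse_line(raw)
        if key is None:
            continue
        if not key.is_sk:
            level, note = "info", "software-resident key; no hardware presence check"
        elif not key.touch_required:
            level, note = "warn", "FIDO key with no-touch-required; usable without physical presence"
        else:
            level = "ok"
            note = "FIDO key; touch required"
            if key.verify_required:
                note += ", PIN/biometric required"
        findings.append({"line": n, "comment": key.comment,
                         "key_type": key.key_type, "level": level, "note": note})
    return findings


# Constructed sample; blobs are placeholders, not real public keys.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample file
ssh-ed25519 AAAAexampleblob1 laptop-software-key
sk-ssh-ed25519@openssh.com AAAAexampleblob2 yubikey-touch
no-touch-required,from="10.0.0.0/8,192.168.1.1" sk-ssh-ed25519@openssh.com AAAAexampleblob3 ansible-yubikey
verify-required,command="/usr/local/bin/deploy --only" sk-ecdsa-sha2-nistp256@openssh.com AAAAexampleblob4 deploy-pin
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"{f['level']:4} line {f['line']:2} {f['comment']:22} {f['note']}")
```

Note that the `no-touch-required` option in `authorized_keys` only relaxes the server's check; the key itself must also have been generated without a touch requirement (`ssh-keygen -O no-touch-required`) for the client to produce such signatures. Pairing a no-touch key with `from=` and `command=` restrictions, as the sample does, limits what a host that can reach the token is able to do with it.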
There's a missing piece for Windows, since the agent coming with WinGPG won't be reachable by SSH. Some guy on GitHub put out a workaround, but I can't find it right now.
Another solution for Windows: the support is already there within the 8.9.1.0 beta release: https://github.com/PowerShell/Win32-OpenSSH/releases
You must then use the SSH installed within 'C:\Program Files\OpenSSH\ssh.exe' and not the builtin within system32.
I made my own CA for this because nothing else could provide transparency regarding certificate issuance (whether an attacker issued a "spare" backdoor certificate)
- source code: https://github.com/silentsignal/zsca
- my talk about the design and results: https://pretalx.hsbp.org/camppp7e5/talk/D3E9HN/
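The transparency property the commenter describes (being able to tell whether a "spare" certificate was issued outside the normal process) can be illustrated with a hash-chained, serially numbered issuance log whose head hash is published. This is an added illustration of that idea, not zsca's actual design or code; the record fields and the genesis value are assumptions for the example. A certificate whose serial is absent from the log, or whose principals differ from the logged entry, is evidence of out-of-band issuance, and any edit to an earlier entry breaks the chain.

```python
"""Hash-chained SSH certificate issuance log with a reconciliation check.

Added illustration of issuance transparency; not the design of any real CA.
Record fields (serial, key_id, principals, validity window) are assumed for
the example. Certificates themselves are not created here.
"""
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # assumed sentinel for the first entry's prev_hash


@dataclass(frozen=True)
class Issuance:
    serial: int
    key_id: str
    principals: tuple
    valid_after: int
    valid_before: int
    prev_hash: str
    entry_hash: str


def _hash_entry(serial, key_id, principals, valid_after, valid_before, prev_hash) -> str:
    # Canonical JSON so the same record always hashes identically.
    payload = json.dumps([serial, key_id, list(principals), valid_after,
                          valid_before, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class IssuanceLog:
    """Append-only log kept by the CA; serials are dense and monotonic."""

    def __init__(self):
        self.entries = []

    def head(self) -> str:
        # The value the CA would publish so third parties can pin it.
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def record(self, key_id, principals, valid_after, valid_before) -> Issuance:
        serial = len(self.entries) + 1
        prev = self.head()
        principals = tuple(principals)
        h = _hash_entry(serial, key_id, principals, valid_after, valid_before, prev)
        entry = Issuance(serial, key_id, principals, valid_after, valid_before, prev, h)
        self.entries.append(entry)
        return entry


def verify_chain(entries, published_head=None) -> list:
    """Return a list of problems; empty means the log is intact."""
    problems = []
    prev = GENESIS
    for position, e in enumerate(entries, 1):
        if e.serial != position:
            problems.append(f"serial gap or reorder at position {position}: got {e.serial}")
        if e.prev_hash != prev:
            problems.append(f"entry {e.serial}: prev_hash does not match previous entry")
        recomputed = _hash_entry(e.serial, e.key_id, e.principals,
                                 e.valid_after, e.valid_before, e.prev_hash)
        if recomputed != e.entry_hash:
            problems.append(f"entry {e.serial}: contents do not match entry_hash")
        prev = e.entry_hash
    if published_head is not None and prev != published_head:
        problems.append("chain head differs from the published head")
    return problems


def check_certificate(entries, serial, key_id, principals) -> str:
    """Reconcile a certificate seen in the wild against the issuance log."""
    by_serial = {e.serial: e for e in entries}
    e = by_serial.get(serial)
    if e is None:
        return f"UNLOGGED: serial {serial} was never recorded by the CA"
    if e.key_id != key_id or e.principals != tuple(principals):
        return f"MISMATCH: serial {serial} was logged for {e.key_id} {list(e.principals)}"
    return "OK"


if __name__ == "__main__":
    log = IssuanceLog()
    log.record("alice-laptop", ["alice"], 0, 3600)
    log.record("deploy-key", ["deploy"], 0, 3600)
    print("chain problems:", verify_chain(log.entries, log.head()))
    print(check_certificate(log.entries, 2, "deploy-key", ["deploy"]))
    print(check_certificate(log.entries, 3, "attacker-key", ["root"]))
```

The defensive value comes from publishing `head()` somewhere the CA operator cannot quietly rewrite; verifiers then only need the log itself and that pinned value to detect both silent issuance and after-the-fact edits.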
I tried ed25519-sk keys last year, but abandoned them when GitLab wouldn't recognize their public keys. It seems that as of 3 months ago GitLab has added support (https://gitlab.com/gitlab-org/gitlab/-/issues/213259) so I should give them another try.
There is actually at least one fido2 device that supports backing up (mostly), based on this spec from Dicekeys https://github.com/dicekeys/seeding-webauthn
Solokeys (https://solokeys.com/ - v1, don't think the newer v2 does) have a special firmware version that implements this and allows you to use a custom seed - and as such restore a key from it. It only works on non-resident credentials (most commonly used, as the number of RKs is usually very limited) though.
I back up everything directly to GitHub. I first encrypt/seal my passwords/files using a Yubikey+PIN then git push them.
Here's my take on the automation: https://github.com/mihaigalos/pass