Using YubiKey for personal security

If you haven't heard about YubiKeys yet, it is a small USB device that can securely store various kinds of secrets. The best feature of it is that secrets are not extractable, even if the attacker has full control of the machine to which the device is attached.

I'm writing this note for people who might find some of the use-cases interesting, as not all of them are widely known.

Precautions

When dealing with hardware security devices, always have a backup. I have two YubiKeys, one of which is in one of the machines that I'm using, and another on my keychain. If one of them is lost, stolen or damaged -- you can use the second one to recover.

Authentication

This is kind of obvious, and one of the primary use-cases of the hardware tokens. Many services will allow you to use it out of the box through the browser. You don't even have to configure anything: just plug the key into a USB port and it will work.

My most important uses:

• Domain registrar Gandi. I care for my domain to not be taken over if a password for my account leaks.
• Fastmail e-mail service.
• Vultr VPS hosting where I host my website and Matrix server

Regarding e-mail, there's another important detail. Many people have a single address for both the correspondence and accounts. This is problematic because authentication tokens from your e-mail client can be stolen, and a potential attacker can then use them to reset all your passwords on all your accounts (and they can easily get a list of accounts by traversing your mail history). Because of this, you'd be better off with a separate e-mail address for all your accounts, which you only access through web interface with a strong 2-factor auth.

I have to admit that having a separate email address for accounts didn't seem obvious to me in the past, and I still have a common one. But I will transition in the next couple of weeks.

Separately, if you're responsible for maintaining security in your company, you may use YubiKeys with Duo which can provide two-factor authentication for a lot of third-party software and services that you keep around.

SSH keys

This is part of authentication, but I'm keeping this in a separate section because SSH keys can be used for various other purposes.

Current versions of OpenSSH have native support for a special type of keys with the suffix "-sk", where the key itself resides on the physical device and only a key stub is stored in ~/.ssh. This is how you can generate it:

ssh-keygen -t ed25519-sk

Notice the "-sk" suffix. When using this key, a physical touch on the token will be required.

I log in to all my servers through such keys. It is convenient, as the workflow of just dropping the public key to ~/.ssh/authorized_keys doesn't change in any way.

In addition to logging into the servers, you can use such SSH keys to commit to a source control service like GitHub. It gives you additional security where a potential attacker won't be able to easily commit code on your behalf. Especially important if you're maintaining a library with high number of users. (But see a section below on signatures, as this is not sufficient)

GPG general

GPG is a standard set of open-source tools for asymmetric cryptography. Even though many people have reasonable grounds to dislike GPG, it is still pretty much the only mainstream tool that has integrations with all kinds of software (open-source or not).

Setting up GPG with YubiKeys can be hard. The hardest part is getting the encryption and signing keys duplicated across the main and a backup key. There is a very good guide from drduh which I highly recommend. It will take you a couple of hours of preparation to go through it, but then a minimal configuration of GPG will just work.

GPG Encryption

The first and most important usage I have for encryption is storing various passwords in source control (git). There are many ways to do so, but so far only SOPS from Mozilla covered both my personal and work-related use-cases. When set up properly, it allows you to edit secrets with a single command:

sops file-with-secrets.yaml

SOPS has integrations with NixOS (which I care about the most), with Ansible (for provisioning servers), with AWS and other tools. It looks as if Hashicorp Vault was reduced to a set of simple core principles.

If you're interested, here are some of my personal passwords stored as a SOPS-encrypted file.

It is also possible to use GPG for encrypting the passwords stored with pass because it uses GPG natively.

GPG Signatures

With the GPG configured, you can also sign stuff. Signing gives anyone who has your public key ability to verify that it is you who authored the message or content. Importantly, this "anyone" could be the future you.

I personally use GPG to sign all my git commits. It is enabled by default in my configuration, and as such all commits that I make carry with them my signature. It is completely transparent to other tooling, but allows me to go back and see if any of my code has been tampered with.

It is not a coincidence that the Linux Kernel guide for maintainers documents the usage of code signing. There were real infrastructure hacks in the past that led to using GPG eventually.

In git, this is what you need to put into the config:

[tag]
        gpgSign = true

[user]
        signingKey = "<your-key-id>"

Then every time you commit anything, you'd need to touch the button on the YubiKey to put a signature onto the commit.

Conclusion

As you can see, there are many uses for physical security tokens. It is a shame that many developers are not aware and are not utilizing them.