Touch-to-operate password-store with YubiKey 4

There are dozens of tutorials on how to fight GnuPG to use YubiKeys for everything, but my favorite overlooked feature of the YubiKey 4 is "touch to operate", where each cryptographic operation takes a physical touch of the gold surface.

That pairs particularly well with password-store, a PGP backed password manager: when they key resides on the YubiKey, and each decryption takes a physical touch, even compromising the machine won't let an attacker dump all secrets from your store.

The key can't be extracted from the YubiKey, and each use of it must be approved with a touch. Although the touch could be hijacked for a different entry, it will still slow the exfiltration down. You can even set up compartments with extra keys.

Here's the high level of how to set that up, fruit of hours of unnecessary pain. To follow along you'll need the gpg and pass docs, some other tutorials, or the kind of dark experience I don't wish on anyone. This whole ecosystem is not beginner friendly, and I can't help you.

I just wanted a new YubiKey for password-store.

I am now 3 hours in and grepping the git history of gnupg for a feature that I can see on tutorials but can’t reach.

Fuck this shit 🔥

— Filippo Valsorda (@FiloSottile) 9 September 2018

• Set up the YubiKey
  • Disable OTP mode
    • ykman mode FIDO+CCID
  • Change the user and admin PIN
    • --card-edit → passwd
    • PINs don't have to be numeric!
    • There's a minimum length of 8 characters for the admin PIN
  • (Optional) Change the generated key sizes
    • --card-edit → key-attr with a recent enough version of GnuPG
  • Enable touch-to-operate
    • ykman openpgp touch
    • Note that for security you want fixed mode, or an attacker will just turn it off, but realize that it's irreversible
• Generate the keys
  • --card-edit → generate
  • Assume the YubiKey will break or get lost, and either build redundancy at the pass level by encrypting to multiple keys, accept the offer to make a backup of the key, or generate the key (possibly offline) and load it on more than one YubiKey
  • FYI, you still need the local key stubs to use the YubiKey, you won't be able to regenerate them if you delete them
• Initialize pass to use the YubiKey PGP key
  • Now every time you try to access a pass entry the YubiKey will blink and you'll have to touch it to let it through
  • You can use pass init to rekey an existing store
• (Extra) Set up one or more higher security compartments by similarly setting up other YubiKeys which you won't be using day-to-day, and binding a pass subfolder to them (and only them) with pass init -p subfolder
  • The idea is that there will be even fewer touch events to hijack for these compartmented items
  • Note that only one YubiKey works at a time, for some reason, so you'll have to disconnect your daily one to use the special ones
• (Bonus) Use the same YubiKey for SSH
  • Touch-to-operate applies to SSH as well if you enable it for the aut key
• (Bonus) Use the same YubiKey for U2F, the only secure countermeasure to phishing
• (Bonus) Consider a graphical pinentry

By the way, it's no secret that I hate PGP, and I think you should just never use it to communicate, but alas it's the only ecosystem that easily taps into cheap hardware tokens, which are a concrete step up in security, and at least you can rotate them.

I would love to see a PGP-less YubiKey+TouchID driver backing SSH, pass, U2F, and ponies... but until then, you can follow me on Twitter.

Good luck.