age-plugin-yubikey
Implement importing private keys to the YubiKey
This comes in two varieties:
- Randomly generating a new key on the computer and then importing it. This option prints the newly generated key to stderr in hex form.
- Accepting a hex input from the user.
The use case I have for those is as follows: I'd like to be able to generate a private key in a secure environment[1] such that I can both create a secure backup of it[2] and import it to my YubiKey for day to day operations, so that if my YubiKey is lost or destroyed[3] I can buy a new one and keep using my private key or even, in an emergency scenario, use the private key (again, in a secure environment) to decrypt some data in software directly if needed.
I hope the warnings mentioning risks associated with importing keys are appropriate; I'd like the potential users of this to understand them.
This has been tested with YubiKey 4.
[1] Ideally trusted hardware, air-gapped, booted from a live CD etc.
[2] Encrypted using a strong passphrase, stored in a safe place.
[3] Granted, if the YubiKey is actually lost a key rotation is probably a good idea anyway.
Any updates on this? I'm hesitant to use this software if I can't back up my keys somehow. I'd like to make sure there is a way to access my secrets in the event that I lose or destroy my YubiKey.
Is there any form of backup for the identity? Or can I copy it to a second yubi?
I don't think this is a good idea. I have 3 YubiKeys, each with its own key, and all my secrets are encrypted with 2 or all 3 recipients.
I have one stored in a vault (like you would for your GPG recovery key) and the other two for backup. I think this is a better approach as the key never leaves the YubiKeys.
YubiKeys aren't cheap, I know, but I think that if we start exporting keys into and out of the YubiKeys we defeat all the good work done by age/rage/age-plugin-yubikey.
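The multi-recipient setup described in this comment (one identity per YubiKey, every secret encrypted to all of them, any single YubiKey able to decrypt) can be scripted with stock age. The script below is an added example, not code from age-plugin-yubikey or from this thread; it assumes `age` and `age-plugin-yubikey` are on PATH, and the file names `recipients.txt`, `yubikey-a.txt`, `secrets.txt` are placeholders. The `--identity` and `--list` flags of age-plugin-yubikey and the `-R`, `-o`, `-d`, `-i` flags of age are the real ones; the helper functions are the example's own.

```shell
#!/bin/sh
# Added example: encrypt to every YubiKey recipient so that losing one
# YubiKey does not lose access. Not part of age-plugin-yubikey.
set -eu

# Count usable recipient lines in an age recipients file.
# `age-plugin-yubikey --list` writes '#'-prefixed metadata before each
# recipient, and age -R accepts that format, so comments and blank lines
# are skipped here exactly as age skips them.
count_recipients() {
    grep -v '^[[:space:]]*#' "$1" | grep -c '[^[:space:]]' || true
}

# Succeed only if the recipients file lists at least $2 recipients.
# Refusing to encrypt to a single recipient is the whole point of the
# backup scheme: one YubiKey alone must never be a single point of failure.
require_min_recipients() {
    n=$(count_recipients "$1")
    [ "$n" -ge "$2" ]
}

# usage: encrypt_to_all recipients.txt plaintext ciphertext.age
encrypt_to_all() {
    require_min_recipients "$1" 2 || {
        echo "refusing: fewer than two recipients in $1" >&2
        return 1
    }
    age -R "$1" -o "$3" "$2"
}

# usage: decrypt_with identity.txt ciphertext.age
# The identity file from `age-plugin-yubikey --identity` contains no key
# material, only a reference to the slot; the YubiKey does the decryption.
decrypt_with() {
    age -d -i "$1" "$2"
}

# Manual session (placeholder file names):
#   age-plugin-yubikey --identity > yubikey-a.txt   # repeat per YubiKey
#   age-plugin-yubikey --list    >> recipients.txt  # append each key's recipient
#   encrypt_to_all recipients.txt secrets.txt secrets.txt.age
#   decrypt_with   yubikey-a.txt  secrets.txt.age   # any one YubiKey suffices
```

Keeping `recipients.txt` under version control alongside the encrypted files makes it easy to re-encrypt everything after rotating a lost YubiKey out of the set, which is the maintenance step this scheme trades for never exporting a private key.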
> YubiKeys aren't cheap, I know, but I think that if we start exporting keys into and out of the YubiKeys we defeat all the good work done by age/rage/age-plugin-yubikey.

Not sure I agree, that might be personal preference. For my GPG keys (which I use on the YubiKey as well) I have generated them on an air-gapped machine from a live CD and saved them in plain old paper form among other backups securely. I don't think having a backup of your key in non-YubiKey form is a bad idea if done correctly.