Yubico with new 4096-bit keys and gpg-agent for ssh authentication

107 points by kn9 over 9 years ago

13 comments

deno over 9 years ago
Nitrokey[1] is about the same price as Yubico but has *open source firmware & hardware*. You might also know them as CryptoStick[2].

[1] https://www.nitrokey.com/

[2] https://blog.mozilla.org/security/2013/02/13/using-cryptostick-as-an-hsm/
chx over 9 years ago
May I offer my article on an excellent password manager complementing the Yubico devices well? https://drupalwatchdog.com/blog/2015/6/yubikey-neo-and-better-password-manager-pass
gruturo over 9 years ago
Is there any way to store an ssh *server* key in it, or an https server's key? Basically turning this into a mini-HSM?
spilk over 9 years ago
Just so it's clear, the previous Yubikey NEO also supports gpg-agent for SSH authentication, not just the new Yubikey 4. I've been using one for months. It presents a standard smartcard CCID interface and runs an OpenPGP applet.

The source to the actual Javacard applet that implements it is available on Github: https://github.com/Yubico/ykneo-openpgp
dbalan over 9 years ago
Buy the one with smaller form factor. The device bends with very nominal pressure and if you are someone like me who works mostly on one device and needs to move around a lot with it - unplugging and replugging the key is very cumbersome. You can leave the nano one in port and forget it until you need it in another device. My two cents from using a neo to store production ssh keys.
late2part over 9 years ago
In the article it's written that the yubikey is tamper proof.

This is not the case. They report their product as tamper evident but not tamper proof.
exabrial over 9 years ago
Offtopic question:

Is there any FDE software that supports keeping decryption keys on a network server? You would still need to enter user authentication to obtain the decryption key of course.

Use case: We are a HIPAA environment, I want a hard drive to be useless if it is removed from the building.
tetraodonpuffer over 9 years ago
For folks interested in more on yubikeys and gpg I also would suggest these two blog posts:

http://viccuad.me/blog/secure-yourself-part-1-airgapped-computer-and-GPG-smartcards/

http://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/
sofaofthedamned over 9 years ago
Are the github keys they sold cheaply compatible with 4096 bit keys? I'm loath to buy another, considering I've got 3 already...
beezle over 9 years ago
Looked at these last year but opted for smartcard and secure pinpad reader instead.
wtbob over 9 years ago
I'm surprised that more folks haven't just gone to 8,192-bit keys, out of an abundance of caution.
exabrial over 9 years ago
Does Yubico support ECDSA?
grhmc over 9 years ago
> Encrypting by default is a good idea.

I suspect the author intended to say Signing by default is a good idea.