Nice repo.<p>For those starting from scratch with a YubiKey I always recommend this guide:<p><a href="https://github.com/drduh/YubiKey-Guide" rel="nofollow">https://github.com/drduh/YubiKey-Guide</a><p>Then they know how this stuff works and how to fix it when it breaks.
I've been very pleasantly surprised by how easy it was to get everything set up on NixOS:<p>```
programs.gnupg.agent = { enable = true; enableSSHSupport = true; };<p>services.udev.packages = [
pkgs.yubikey-personalization
pkgs.libu2f-host
];
services.pcscd.enable = true;<p>environment.shellInit = ''
export GPG_TTY="$(tty)"
gpg-connect-agent /bye
export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
'';
```<p>The only surprise I had was that I forgot to tell gpg to trust the imported key after I imported it.<p>Combine this with GoPass... its the start of something good :)
> Optional: verify public key on Keybase.<p>For organizations publishing employee keys via Web Key Directory can also be an additional signal that the key is trustworthy.<p>It's also quite simple: for example exporting the key 5C090ED7318B6C1E (binary, <i>not</i> armored) and putting it on this exact URL: <a href="https://datadoghq.com/.well-known/openpgpkey/hu/964aj6q73iatngoya1q7qs4r6utpmb4g" rel="nofollow">https://datadoghq.com/.well-known/openpgpkey/hu/964aj6q73iat...</a> is enough to discover the key using e-mail address.<p>This post goes into more detail: <a href="https://spacekookie.de/blog/usable-gpg-with-wkd/" rel="nofollow">https://spacekookie.de/blog/usable-gpg-with-wkd/</a><p>WKD is used by Linux distros (ArchLinux, Gentoo, Debian...) and kernel.org itself: <a href="https://www.kernel.org/category/signatures.html#using-the-web-key-directory" rel="nofollow">https://www.kernel.org/category/signatures.html#using-the-we...</a> as well as some OpenPGP sites (e.g. ProtonMail).
> For usability while balancing security, cache PIN for at most a day.<p><a href="https://github.com/DataDog/yubikey/blob/master/gpg.sh#147" rel="nofollow">https://github.com/DataDog/yubikey/blob/master/gpg.sh#147</a><p>This statement has no effect when using Yubikey - the PIN is cached by the key itself and it will remain unlocked indefinitely until it's physically unplugged. See <a href="https://dev.gnupg.org/T3362" rel="nofollow">https://dev.gnupg.org/T3362</a>
It's not polished, but here's a vagrant box which can provision Yubikey's PGP and PIV applications. Additional hardening can be performed.<p><a href="https://github.com/justintaft/yubikey-gpg-piv-provision" rel="nofollow">https://github.com/justintaft/yubikey-gpg-piv-provision</a>
Using a hardware token to protect the subkeys is important but it is also necessary to protect the primary key by keeping it offline.<p>The best method I know is to store it on paper with the help of paperkey:<p><a href="http://www.jabberwocky.com/software/paperkey/" rel="nofollow">http://www.jabberwocky.com/software/paperkey/</a><p>The tool also supports a raw output mode which can be piped to a QR encoder. 4096 bit RSA secret keys fit in binary QR codes and they are much easier to use compared to manual data entry.<p>Current versions of zbar can't decode binary data in QR codes properly. I've sent some patches that fix the problem but they haven't been reviewed yet. Hopefully it will be possible to automate this process with zbarcam soon.
Personally I mostly use it for SSH via PKCS11. I found that simpler than GPG because it's already integrated with SSH.<p>Still looking forward to SSH supporting U2F (some day).
Slightly related: Anyone know why Google Chrome (not upstream Chromium, nor any derivative) is the only browser on Android that implements WebAuthn as intended? Do they implement it as a proprietary component?