by piplgobde 3561 days ago
There is Nitrokey[0], which seemed to me like a good alternative to Yubikey, but I haven't ordered either yet so I can't say I have first-hand experience. But much luck if you decide to go with it, something I'm looking more and more into, especially since I too use password-store and it would be good having an easier-to-use setup that is still secure.

[0] https://www.nitrokey.com/

1 comments

Nitrokey claims on their homepage that the firmware of the Storage version of Nitrokey can be updated by software. This seems to mean that there's someone out there with a key that can sign arbitrary code that can be loaded as an update and gains access to the crypto material on the device.
I had a look through their instructions and I'm not sure if there is a signing process that happens. You have to enable firmware access from the app, and then it's a bog-standard DFU flash to load the new firmware.
Does it require you to perform any physical actions on the dongle? If not, why can't I straightforwardly extract keys if I own the machine the dongle is attached to?