[jopsen]

This reminds me to move to passwordstore with a gpg key on an Yubikey.

[rurban]

I hope you remember that GPG keys created on a Yubikey are unsafe, due to an overly simply RSAlib implementation there for their Infinion chips.

[JshWright]

Keys created on _some_ Yubikeys (it's easy enough to check).

[xelxebar]

I've had a really hard time finding information on this. What exactly is potentially broken and how do I check my key?

[JshWright]

https://www.yubico.com/2017/10/infineon-rsa-key-generation-i...

[xelxebar]

Oh dang. You're quick. Thanks!

[Gnewt]

I had an affected YubiKey -- Yubico shipped out a replacement immediately. It's inconvenient if you have an old YubiKey, but the replacement process is simple.

Additionally, you can always generate GPG keys on your machine, transfer them to the YubiKey, and then delete the keys from the local machine. It depends if that's an acceptable exposure for your threat model, but for me, having the keys locally for a couple minutes is fine.

[jopsen]

I generated on livecd, and exported it to multiple yubikeys + backup.

That way I don't have deal with different subkeys and other complications that just makes everything hard to understand :)