Hacker News new | ask | show | jobs
by lrvick 3095 days ago
Since my GPG subkeys are in my yubikey I literally just tap it to decrypt, ssh, or sign commits. I also plug my key into my phone and tap it to decrypt/sign email or decrypt passwords too.

I have sucessfuly migrated dozens of friends and engineering teams at 3 companies to daily use of gpg via this same non-intrusive setup.

GPG is fairly pain free (and far more secure) if you put in the one time effort to set up a security token.
2 comments
Jtsummers 3095 days ago
> I also plug my key into my phone and tap it to decrypt/sign email or decrypt passwords too.

I assume Android. How easy is this to set up?

https://www.yubico.com/support/knowledge-base/categories/art...

It seems to be a workable option with PGP/GPG, but do you have to plug it in per use rather than leave it in as this post says (to use the onscreen keyboard)?

link
lrvick 3094 days ago
You can just set "always show virtual keyboard" in accessibility options (at least in in android 8.0+).
link
Jtsummers 3094 days ago
I'm not, primarily, an Android user so I wasn't aware of that option. Thanks. I have a USB-A yubikey and just got a laptop with USB-C ports and an adaptor so I guess I'll give this a go on my backup Android phone tonight.
link
jandrese 3094 days ago
Did you have your coworkers publish their public keys in the internet keyservers or did you have them all exchange their public keys by hand?
link
lrvick 3094 days ago
Most of them do, however in multiple groups I have been part of we maintained a git repo containing all trusted public keys ready to batch import.

To make maintianing trust on this easy, all commits to this folder are made with commits signed by the owner of the respective key, and then a merge commit signed by a maintainer that verified it.

This makes it really easy for automation to have a source of trouth to check/validate commit signatures in other repos.

link
Shoothe 3094 days ago
With GPG there are many more options: have internal keyserver, have "certification authority" key that signs new employee keys and everyone else trusts this authority (via trust signatures. For details see: https://www.linuxfoundation.org/blog/pgp-web-of-trust-delega...
link
lmm 3094 days ago
Too many options, honestly. I'd love to see a widely agreed "basic profile" for GPG, so that everyone writing tutorials etc. would be suggesting the same thing.
link