> In general I'm not sure how the YubiKey stores keys and till now I had no idea you can back up YubiKey

Well, actually you can't. You can back up keys if you create them in software and then just copy them to YubiKeys instead of moving them there. If you do that on an offline computer there is no risk of any malware stealing your keys mid-process: https://news.ycombinator.com/item?id=21701488

Setting up YubiKey and OpenPGP took me some time reading all the resources on the net, but once done this just works without any hiccups.

> I'm not sure about storing the master keychain file in Git, but the workflow sounds interesting (I didn't fully understand the paragraph though).

If it's encrypted there is not much harm to be done here. The only leaking info is that by default pass uses filenames based on domain names, so if you have credentials for news.ycombinator.com they'd be in the "news.ycombinator.com.gpg" file. For me a private repo for this use case is OK. Oh, there is a browser extension too: https://github.com/browserpass/browserpass-extension#browser...

> This is next level and not of immediate interest to me. I was looking at something simpler like: https://cryptomator.org/

Yep, I do store external disk passwords in pass too. Udiskie can use a decryption command, so when I put something like this in the config: `password_prompt: ["pass", "devices/{id_uuid}"]` it will grab the password from the password store. This has an added benefit that I won't forget the password (it's stored alongside all the others) and it's always valid (it's checked on each boot by udiskie).
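The filename point in the comment above, as an added example that is not part of the original comment: a script that lists what anyone with read access to a pass repository learns without holding the key. The function names and the sample store are constructed for illustration, and the script assumes pass's standard layout of one `.gpg` file per entry.

```shell
#!/bin/sh
# Added example (not from the original comment). Assumes pass's standard
# layout: one <entry>.gpg file per secret under the store directory.

# Entry names readable without any key: relative paths, ".gpg" stripped.
store_entries() {
    ( cd "$1" && find . -type f -name '*.gpg' ! -path './.git/*' ) |
        sed -e 's|^\./||' -e 's|\.gpg$||' | sort
}

# Path components that look like host names, i.e. sites with an account.
leaked_hosts() {
    store_entries "$1" | awk -F/ '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z][A-Za-z]+$/)
                print $i
    }' | sort -u
}

# Constructed sample store; file bodies are dummies, only names matter here.
make_demo_store() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/devices"
    echo "constructed-key-id" > "$d/.gpg-id"
    echo "dummy" > "$d/news.ycombinator.com.gpg"
    echo "dummy" > "$d/devices/0a1b2c3d-0000-4000-8000-constructed.gpg"
    echo "$d"
}

demo=$(make_demo_store)
echo "entries visible to anyone with read access to the repo:"
store_entries "$demo"
echo "host names among them:"
leaked_hosts "$demo"
rm -rf "$demo"
```

Pointing `store_entries` at a real store directory shows the same view a reader of the Git remote has; entry contents stay encrypted, only the names are exposed.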