| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by phaer 1485 days ago

I think the official recommendation is to store a second yubikey in a safe location.

Personally I just generated my key offline (on a tails livecd) and backed it up to two different LUKS-encrypted USB sticks. One of those is stored at my place and another one at a trusted person, in case my flat burns down or so. The yubikey itself only stores subkeys, my master key stays on said USB sticks.

Been using this setup for about 5 years now and it's been working well for me so far. Once a year, I extend my gpg keys expiration time by using on of the USB sticks.

2 comments

aborsy 1485 days ago

No need for LUKS usb. Gpg stores private keys encrypted with a password.

At that point, you can store the encrypted key anywhere.

link

phaer 1485 days ago

Ah yes good point for the gpg key itself, but I store a few other important secrets there as well ;)

link

beagle3 1485 days ago

Does this also work for the WebAuthn / U2F / TOTP use cases, or just the PGP/PIV/SSH ones?

link

tialaramex 1485 days ago

No. There is no way to push a value for the symmetric key that probably makes the FIDO (thus U2F / WebAuthn) feature work. You can tell the Yubikey to pick a random new one, effectively wiping your key (and rendering any credentials previously minted with it now invalid) but you can't write one over USB and this was I believe intentional.

link

beagle3 1485 days ago

Thanks. I will wait until it’s actually possible to create back up webauthn keys (rather than enlisting two keys with every service).

link

opliko 1485 days ago

There is actually at least one fido2 device that supports backing up (mostly), based on this spec from Dicekeys https://github.com/dicekeys/seeding-webauthn

Solokeys (https://solokeys.com/ - v1, don't think the newer v2 does) have a special firmware version that implements this and allows you to use a custom seed - and as such restore a key from it. It only works on non-resident credentials (most commonly used, as the number of RKs is usually very limited) though. The firmware is here https://github.com/conorpp/solo-dicekeys/releases/tag/5.0.0 But it's also shipped in the keys dicekeys sells and I think only their app implements the client side of seeding anyway: https://www.crowdsupply.com/dicekeys/dicekeys

link