Hacker News new | ask | show | jobs
by jwr 1004 days ago
The excellent guide by drduh should be mentioned here: https://github.com/drduh/YubiKey-Guide — I've been using this approach for years to store my OpenPGP keys on Yubikeys and use them for SSH.

I don't generate my keys on devices. That lets me be flexible and keep backups, as well as use the same keys on multiple physical devices. Using a single yubikey is a bad idea, as you're bound to eventually lose it or break it. Hasn't happened to me yet in 5 years, but I expect it to happen.

I wish more sites supported hardware keys instead of only TOTP tokens, or (heaven forbid, but corporate idiocy is plentiful) SMS.
4 comments
menthe 1004 days ago
I've been using his guide forever as well, except that nowadays you can just use the native OpenSSH support for deriving Ed25519 or ECDSA keys from FIDO. The main advantage is that you do not have to deal with the very subpar GPG Agent anymore... https://www.maths.tcd.ie/~fionn/misc/fido_ssh/

Besides, 1Password now has a very convenient agent, which prompts users permission for an application to use a key - which is added security https://developer.1password.com/docs/ssh/get-started/#step-4...

And yes, Yubikeys do break - My keychain'd 5Ci is missing a huge chunk of plastic, exposing the PCB, and among the two new C Bio I received last week, one has already fried after just a few days.

link
water-data-dude 1003 days ago
It’s super good!

I love my Yubikey - it’s way less friction to use than other forms of 2fa, and I get to use it for stuff like storing my PGP keys. I don’t feel like it use it to its full potential (mostly signing commits and ssh) but it’s super satisfying seeing that little “Verified” badge next to my signed commits :)

link
wkat4242 1004 days ago
I do generate them on device, I just have multiple Yubikeys. Of course there's a significant cost there, but OpenPGP cards are a good backup and cheaper.
link
bennyp101 1004 days ago
Yep, thats the same guide I used a few years ago as well!

I use it daily for Github/ssh in general - and the 2 slots are used for part of passwords for a couple of other things.

I have a couple that are used daily, one in a safety deposit box (which is the "master" key), and a stack of new ones on my desk in case anything breaks. (I used that Cloudflare offer to get a hefty discount on them).

I also have a paperkey copy that lives elsewhere.

link