There are dozens of tutorials on how to fight GnuPG to use YubiKeys for everything, but my favorite overlooked feature of the YubiKey 4 is "touch to operate", where each cryptographic operation takes a physical touch of the gold surface.
That pairs particularly well with password-store, a PGP backed password manager: when the key resides on the YubiKey, and each decryption takes a physical touch, even compromising the machine won't let an attacker dump all secrets from your store.
The key can't be extracted from the YubiKey, and each use of it must be approved with a touch. A compromised machine can still hijack a touch, feeding the card the ciphertext of a different entry than the one you asked for, but that yields one entry per touch rather than the whole store, which slows exfiltration down considerably. You can even set up compartments with extra keys, so that one touch-approved key doesn't cover everything.
Here's the high level of how to set that up, fruit of hours of unnecessary pain. To follow along you'll need the pass docs, some other tutorials, or the kind of dark experience I don't wish on anyone. This whole ecosystem is not beginner friendly, and I can't help you.
I just wanted a new YubiKey for password-store.

I am now 3 hours in and grepping the git history of gnupg for a feature that I can see on tutorials but can't reach.

Fuck this shit 🔥

— Filippo Valsorda (@FiloSottile) 9 September 2018
- Put the YubiKey in a mode that exposes the smart card (OpenPGP) interface: `ykman mode FIDO+CCID`.
- Generate the key on the card from `gpg --card-edit` (`admin`, then `generate`); with a recent enough version of GnuPG you can first choose the key attributes, such as the RSA size, with `key-attr`.
- Turn on touch-to-operate for the encryption key, which is the one `pass` uses for every decryption: `ykman openpgp touch enc on`.
- Get redundancy at the `pass` level by encrypting to multiple keys, accept the offer to make a backup of the key, or generate the key (possibly offline) and load it on more than one YubiKey. Note that the backup is the one option where the private key lives somewhere other than a YubiKey, so keep it offline or it undoes the "can't be extracted" property.
- `pass init` with the YubiKey key ID to use the YubiKey PGP key.
- When you `pass entry`, the YubiKey will blink and you'll have to touch it to let the decryption through.
- `pass init` with the new key IDs to rekey an existing store; it re-encrypts every entry, so if the old key is on a touch-enabled YubiKey expect one touch per entry.
- Give other people access to a `pass` subfolder, encrypted to them (and only them), with `pass init -p subfolder` followed by their key IDs; entries outside that subfolder stay encrypted to the root keys only.
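The steps above as one reviewable script, as an added example that is not from the original post. It assumes the ykman 1.x-3.x CLI syntax (`ykman mode`, `ykman openpgp touch enc on`; ykman 4 and later renamed these to `ykman config usb` and `ykman openpgp keys set-touch`), pass's on-disk layout (one `.gpg-id` file per compartment, the nearest one wins), and the `ykman openpgp info` line format for touch policies. `YOUR_KEYID` and `THEIR_KEYID` are placeholders, and `DRY_RUN=1` prints the commands instead of running them so the sequence can be checked without a YubiKey plugged in.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: ykman 1.x-3.x
# command syntax, pass's .gpg-id layout, and the "Encryption key   On"
# line format of `ykman openpgp info`.
set -eu

# DRY_RUN=1 prints each command instead of executing it, so the sequence
# can be reviewed (and tested) with no YubiKey plugged in.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. YubiKey side: expose the OpenPGP applet over CCID and require a touch
#    for the encryption key, which is the slot pass uses for every decrypt.
setup_yubikey() {
    run ykman mode FIDO+CCID
    run ykman openpgp touch enc on
}

# Check, don't trust: feed `ykman openpgp info` on stdin; succeeds only if
# the encryption key's touch policy is On or Fixed (line format assumed
# from ykman 1.x-3.x output).
enc_touch_required() {
    grep -Eiq '^Encryption key[[:space:]]+(On|Fixed)'
}

# 2. pass side. $1 = store dir, $2 = subfolder ("" for the root),
#    remaining args = GPG key ids to encrypt that compartment to.
init_compartment() {
    store=$1; sub=$2; shift 2
    if [ -n "$sub" ]; then
        run env PASSWORD_STORE_DIR="$store" pass init -p "$sub" "$@"
    else
        run env PASSWORD_STORE_DIR="$store" pass init "$@"
    fi
}

# Which keys will pass encrypt a given entry to? pass uses the nearest
# .gpg-id walking up from the entry's directory, so a subfolder init
# overrides the root keys for everything beneath it, and only beneath it.
# Prints the key ids space-separated; fails if the store has no .gpg-id.
recipients_for() {
    store=${1%/}; entry=$2
    dir=$store
    case $entry in */*) dir="$store/${entry%/*}" ;; esac
    while :; do
        if [ -f "$dir/.gpg-id" ]; then
            tr '\n' ' ' < "$dir/.gpg-id" | sed 's/ *$//'
            echo
            return 0
        fi
        [ "$dir" = "$store" ] && return 1
        dir=${dir%/*}
    done
}

# Demo (YOUR_KEYID / THEIR_KEYID are placeholders, not real ids):
#   DRY_RUN=1 sh yk-pass.sh demo
if [ "${1:-}" = demo ]; then
    setup_yubikey
    init_compartment "$HOME/.password-store" "" YOUR_KEYID
    init_compartment "$HOME/.password-store" shared/team YOUR_KEYID THEIR_KEYID
    [ "${DRY_RUN:-0}" = 1 ] || {
        ykman openpgp info | enc_touch_required || echo "touch NOT enforced for enc key" >&2
    }
fi
```

`recipients_for` is the check worth running after any `pass init -p`: it answers, from the store alone and without touching the card, which keys a given path will be encrypted to, which is exactly what the compartment is supposed to limit. `enc_touch_required` is the other half: the touch requirement is a setting on the applet, so verify it was actually set rather than assuming the `ykman` invocation took.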
By the way, it's no secret that I hate PGP, and I think you should just never use it to communicate, but alas it's the only ecosystem that easily taps into cheap hardware tokens, which are a concrete step up in security, and at least you can rotate them.