Should I use the same OpenPGP keys in certificates used to provision the YubiKey PIV slots?

I know PIV and OpenPGP are separate standards and independent applications in the YubiKey, but for newcomers like me they look very similar with their signing, encryption and authentication keys, use cases, etc.

After setting up my YubiKey with OpenPGP keys I’m wondering: is it advisable, useful and/or secure to load the PIV slots with certificates issued for the same keys used for OpenPGP?

Which is more secure: Yubikey + Keepass using Challenge/Response, or Yubikey + Keepass using OTP?

I use a Windows 10 PC and an Android phone with Keepass.

I would like to add a second factor on top of my master password that works with both Windows 10 and my Android phone.

Between the two supported methods of authentication, which one is more secure?

  1. Yubikey + Keepass 2 using Challenge/Response
  2. Yubikey + Keepass 2 using OTP

Thanks in advance.

make .ssh/id_rsa read key from yubikey [migrated]

I have my ssh keys within a yubikey, and I use gpg-agent.conf with something like this:

    pinentry-program /usr/local/bin/pinentry-mac
    enable-ssh-support
    default-cache-ttl 60
    max-cache-ttl 120

This helps me to ssh into any host without having the private key in a file like ~/.ssh/id_rsa.

But in some cases, like when using tools such as ssh-vault, ansible-vault, etc., they need to read the key from the file ~/.ssh/id_rsa, so I am wondering whether there is a way to call gpg-agent to retrieve the key when something tries to read ~/.ssh/id_rsa, or whether there are other ways to retrieve the private keys.
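A key generated on the card cannot be copied into ~/.ssh/id_rsa; what gpg-agent exposes through its SSH socket is an agent that lists keys and signs data on request. As an added illustration (not part of the original post, and not specific to ssh-vault or ansible-vault), the following Python script encodes and decodes the SSH agent protocol messages a tool would use instead of reading a key file, and lists the identities of a live agent when SSH_AUTH_SOCK is set (for gpg-agent that path is what `gpgconf --list-dirs agent-ssh-socket` prints). The message numbers are the standard agent protocol values; the sample identities answer, including its "cardno:" comment, is constructed here.

```python
"""Talking to the SSH agent instead of reading ~/.ssh/id_rsa (added example).

Standard-library only. Encodes/decodes the SSH agent protocol messages that
matter for a tool which wants a signature from a key it cannot read.
"""
import os
import socket
import struct
from typing import List, Tuple

SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def frame(msg: bytes) -> bytes:
    """Every agent message is length-prefixed on the wire."""
    return struct.pack(">I", len(msg)) + msg


def build_request_identities() -> bytes:
    return frame(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))


def build_sign_request(key_blob: bytes, data: bytes, flags: int = 0) -> bytes:
    """Ask the agent to sign 'data' with the key identified by its public blob.
    The private key never crosses the socket; only the signature comes back."""
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(data) + struct.pack(">I", flags))
    return frame(body)


def parse_identities_answer(msg: bytes) -> List[Tuple[bytes, str]]:
    """Parse an unframed SSH_AGENT_IDENTITIES_ANSWER into (key_blob, comment)."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    (count,) = struct.unpack_from(">I", msg, 1)
    off = 5
    ids = []
    for _ in range(count):
        blob, off = read_string(msg, off)
        comment, off = read_string(msg, off)
        ids.append((blob, comment.decode("utf-8", "replace")))
    return ids


def key_type(blob: bytes) -> str:
    """The first string of a public-key blob names its algorithm."""
    name, _ = read_string(blob, 0)
    return name.decode("ascii")


def recv_exact(s: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        buf += chunk
    return buf


def list_agent_identities(sock_path: str) -> List[Tuple[bytes, str]]:
    """Query a real agent (e.g. gpg-agent with enable-ssh-support)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(build_request_identities())
        (n,) = struct.unpack(">I", recv_exact(s, 4))
        return parse_identities_answer(recv_exact(s, n))


# Constructed sample answer: one ed25519 key with a placeholder 32-byte point.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32)
SAMPLE_ANSWER = (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
                 + ssh_string(SAMPLE_BLOB) + ssh_string(b"cardno:000123456789"))

if __name__ == "__main__":
    path = os.environ.get("SSH_AUTH_SOCK")
    ids = list_agent_identities(path) if path else parse_identities_answer(SAMPLE_ANSWER)
    for blob, comment in ids:
        print(key_type(blob), comment)
```

The script prints the same thing `ssh-add -L` would for a gpg-agent-backed socket; a tool that insists on opening a key file has to be pointed at the agent (or given a separate, file-based key) because there is no file to hand it.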

Is it reasonable to use KeePassXC with YubiKey?

At the moment, I am using KeePassXC with a relatively strong master password. To further improve security, I thought about buying a YubiKey to have 2-Factor-Authentication.

KeePassXC supports the so-called “HMAC-SHA1 Challenge Response mode”.

In the KeePassXC FAQ they say:

Does KeePassXC support two-factor authentication (2FA) with YubiKeys?

Yes and no. KeePassXC supports YubiKeys for securing a database, but strictly speaking, it’s not two-factor authentication. KeePassXC generates a challenge and uses the YubiKey’s response to this challenge to enhance the encryption key of your database. So in a sense, it makes your password stronger, but technically it doesn’t qualify as a separate second factor, since the expected response doesn’t change every time you try to decrypt your database. It does, however, change every time you save your database.

Assuming an attacker has access to my KeePassXC database and perhaps even installed a keylogger on my system, the additional YubiKey is useless in this case, am I right here?

So, is it reasonable to use a hardware security key for KeePassXC if you already use a strong master password?
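The property the FAQ quoted above describes, and the one the earlier Challenge/Response versus OTP question turns on, can be seen in a small simulation. This is an added example, not code from KeePassXC or KeePass and not their actual key derivation: it uses an assumed, simplified composite key (SHA-256 over the hashed password and the hashed HMAC-SHA1 response, without key stretching) and a simulated token whose 20-byte secret is held in memory. It shows that with a fixed challenge the token's response is replayable, that a stolen file plus keylogged password is still not enough without that response, and that saving the database (which picks a fresh challenge) invalidates a response captured earlier.

```python
"""Simulated HMAC-SHA1 challenge-response key enhancement (added example).

A simplified model, NOT KeePassXC's or KeePass's real key derivation. It
reproduces one property: a fixed challenge yields a fixed, replayable
response, and the challenge changes whenever the database is saved.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class SimulatedYubiKey:
    """Stand-in for a YubiKey HMAC-SHA1 challenge-response slot.

    A real device never reveals its 20-byte secret; here it lives in memory
    purely for the simulation.
    """

    def __init__(self, secret: Optional[bytes] = None) -> None:
        self._secret = secret if secret is not None else secrets.token_bytes(20)

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_database_key(password: str, response: bytes) -> bytes:
    """Assumed, simplified composite key: SHA-256 over the hashed password and
    the hashed token response (a real KDF also stretches the result)."""
    pw_hash = hashlib.sha256(password.encode("utf-8")).digest()
    resp_hash = hashlib.sha256(response).digest()
    return hashlib.sha256(pw_hash + resp_hash).digest()


class SimulatedDatabase:
    """The file header stores the challenge in the clear; the key is never
    stored. This model keeps a hash of the key so unlock attempts can be
    checked; a real file checks by decrypting its header."""

    def __init__(self, password: str, token: SimulatedYubiKey) -> None:
        self.challenge = b""
        self._key_check = b""
        self.save(password, token)

    def save(self, password: str, token: SimulatedYubiKey) -> None:
        # Saving picks a fresh challenge, so earlier responses stop working.
        self.challenge = secrets.token_bytes(32)
        key = derive_database_key(password, token.respond(self.challenge))
        self._key_check = hashlib.sha256(key).digest()

    def unlock(self, password: str, response: bytes) -> bool:
        key = derive_database_key(password, response)
        return hmac.compare_digest(hashlib.sha256(key).digest(), self._key_check)


def run_scenario() -> Dict[str, bool]:
    """Attacker has a copy of the file and the master password (e.g. from a
    keylogger) and has also captured one token response in transit."""
    token = SimulatedYubiKey()
    password = "correct horse battery staple"
    db = SimulatedDatabase(password, token)

    captured = token.respond(db.challenge)  # observed once, e.g. on the USB bus
    results = {
        "password_alone": db.unlock(password, b""),
        "replay_before_save": db.unlock(password, captured),
        "wrong_password_with_token": db.unlock("wrong", token.respond(db.challenge)),
    }

    db.save(password, token)  # owner saves; the challenge rotates
    results["replay_after_save"] = db.unlock(password, captured)
    results["live_token_after_save"] = db.unlock(password, token.respond(db.challenge))
    return results


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name:28s} {'unlocked' if ok else 'refused'}")
```

In this model a keylogger alone yields the password but not the HMAC response, so the file stays locked; what the FAQ means by "not a separate second factor" is the replay case: anyone who captures one response can reuse it until the next save rotates the challenge. A Yubico OTP, by contrast, is a one-time code that is verified against a server, which is why it cannot be folded into an offline database key in the same way.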

Does password strength matter when using a YubiKey? [duplicate]

This question already has an answer here:

  • Is it safe to use a weak password as long as I have two-factor authentication?

I’m considering buying a YubiKey. I already use a password manager which can generate strong passwords, but I wonder if there’s even a point with the YubiKey. I guess it just adds one extra step, but if you can’t log in without my YubiKey, then does it matter? I’m not really worried about someone stealing the YubiKey IRL.

Am I missing something?