I know PIV and OpenPGP are separate standards and independent applications in the YubiKey, but for newcomers like me they look very similar with their signing, encryption and authentication keys, use cases, etc.
After setting up my YubiKey with OpenPGP keys I’m wondering: is it advisable, useful and/or secure to load the PIV slots with certificates issued for the same keys used for OpenPGP?
I use a Windows 10 PC and an Android phone with KeePass.
I would like to add a second factor on top of my master password that works with both Windows 10 and my Android phone.
Between the two supported methods of authentication, which one is more secure?
- YubiKey + KeePass 2 using Challenge/Response
- YubiKey + KeePass 2 using OTP
Thanks in advance.
I have my ssh keys within a yubikey, I use gpg-agent.conf with something like this:
pinentry-program /usr/local/bin/pinentry-mac
enable-ssh-support
default-cache-ttl 60
max-cache-ttl 120
This helps me to ssh into any host without having the private key in a file like
But in some cases, like when using tools like ssh-vault, ansible-vault, etc., they need to read the key on file ~/.ssh/id_rsa, therefore I am wondering if there is a way to call the gpg-agent to retrieve the key when trying to read from ~/.ssh/id_rsa, or other ways to retrieve the private keys.
I recently added my YubiKey with OTP as a requirement for logging into my home server via ssh; it works great so far.
However, I don’t want to insert my YubiKey every time I log in to my server from my local network. I found out that I can use Match address 192.168.178.0/24 for that, but I don’t know how to configure it so that I only need to supply my ssh key instead of also inserting the YubiKey.
I appreciate any help, thanks!
At the moment, I am using KeePassXC with a relatively strong master password. To further improve security, I thought about buying a YubiKey to have 2-Factor-Authentication.
KeePassXC supports the so-called “HMAC-SHA1 Challenge Response mode”.
In the KeePassXC FAQ they say:
Does KeePassXC support two-factor authentication (2FA) with YubiKeys?
Yes and no. KeePassXC supports YubiKeys for securing a database, but strictly speaking, it’s not two-factor authentication. KeePassXC generates a challenge and uses the YubiKey’s response to this challenge to enhance the encryption key of your database. So in a sense, it makes your password stronger, but technically it doesn’t qualify as a separate second factor, since the expected response doesn’t change every time you try to decrypt your database. It does, however, change every time you save your database.
Assuming an attacker has access to my KeePassXC database and perhaps even installed a keylogger on my system, the additional YubiKey is useless in this case, am I right here?
So, is it reasonable to use a hardware security key for KeePassXC if you already use a strong master password?
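A simplified model of the behaviour the quoted FAQ describes, as an added example that is not part of the original question and not KeePassXC's code. The token secret and password are constructed, and PBKDF2 stands in for the real key derivation, which this sketch does not reproduce.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the 20-byte secret programmed into the YubiKey slot.
TOKEN_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff00112233")


def token_response(challenge: bytes, secret: bytes = TOKEN_SECRET) -> bytes:
    """What the token computes in HMAC-SHA1 challenge-response mode."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def database_key(password: str, response: bytes, challenge: bytes) -> bytes:
    """Simplified model: mix password and token response into one key.
    PBKDF2 is a stand-in here, not KeePassXC's actual key derivation."""
    material = hashlib.sha256(password.encode()).digest() + hashlib.sha256(response).digest()
    return hashlib.pbkdf2_hmac("sha256", material, challenge, 10_000)


def save_database(password: str) -> tuple[bytes, bytes]:
    """Saving picks a fresh random challenge, so the key changes with it."""
    challenge = os.urandom(32)
    return challenge, database_key(password, token_response(challenge), challenge)


def demo() -> dict:
    password = "correct horse battery staple"  # constructed sample password
    challenge_1, key_1 = save_database(password)
    # Opening the same file twice sends the same challenge: same response.
    first_open = token_response(challenge_1)
    second_open = token_response(challenge_1)
    # Password plus a response recorded at unlock time rebuilds this file's key...
    replayed_key = database_key(password, first_open, challenge_1)
    # ...but after the next save the recorded response no longer fits.
    challenge_2, key_2 = save_database(password)
    stale_key = database_key(password, first_open, challenge_2)
    return {
        "response_is_static": first_open == second_open,
        "recorded_response_opens_same_file": replayed_key == key_1,
        "recorded_response_opens_after_save": stale_key == key_2,
        "password_alone_opens_file": database_key(password, b"", challenge_1) == key_1,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this model the token adds key material that a stolen file and password alone do not supply, while a response captured on a compromised machine stays valid only for the copy of the file it was computed for.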
I’m considering buying a YubiKey. I already use a password manager which can generate strong passwords, but I wonder if there’s even a point with the YubiKey. I guess it just makes one extra step…but if you can’t log in without my YubiKey then does it matter? I’m not really worried about someone stealing the YubiKey IRL.
Am I missing something?