hko (@hko@fosstodon.org), (edited) to rust

Meet oct-git, a new signing and verification tool for use with the distributed version control system:

https://crates.io/crates/openpgp-card-tool-git 🦀

oct-git focuses exclusively on ergonomic use with OpenPGP card-based signing keys

It is designed to be easy to set up, standalone (no long running processes), and entirely hands-off to use (no repeated PIN entry required, by default). It comes with desktop notifications for touch confirmation (if required)

schizanon (@schizanon@mastodon.social), to passkeys

PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.

Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.

oliklee (@oliklee@chaos.social), (edited) to ubuntu

I have upgraded two systems to #Ubuntu 24.04 now and also tried #Thunderbird as snap (which is the default for Ubuntu 24.04) on another machine.

The system upgrades were incredibly smooth. Thunderbird in general also works fine, but it doesn't support #GPG with private keys on a #YubiKey yet (which is my use case). (Yes, there is a workaround, although clunky.)

So it looks like I'll stay on 23.10 a bit longer on my main machine.

https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/2009825

rhys (@rhys@rhys.wtf), to llm

My first troublesome hallucination with a #LLM in a while: #Claude3 #Opus (200k context) insisting that I can configure my existing #Yubikey #GPG keys to work with PKINIT with #Kerberos and helping me for a couple of hours to try to do so — before realising that GPG keys aren't supported for this use case. Whoops.

No real bother other than some wasted time, but a bit painful and disappointing.

Now to start looking at PIV instead.

#AI #Anthropic #Claude

chiefgyk3d (@chiefgyk3d@social.chiefgyk3d.com), to DEFCON

I’m prepping for my credential rollover and setting up the new @yubico 5C NFC keys they sent me as I’m a yubico ambassador and decided to get the @defcon stickers from Keyport to style the new keys I will be swapping to as I’m deprecating USB A. Also got new Keyport covers for backups and to swap out my current ones for a different style.

#defcon #infosec #cybersecurity #yubikey

ctietze (@ctietze@mastodon.social), to random

Listening to a talk at a local meetup.

sounds like a cool thing to have for this for device-bound passkeys.

But:

How does YubiKey earn one’s trust?

With everything home-cooked, one knows who's responsible for damage. With a 3rd party, you're still to blame for trusting the wrong company :/

c0dec0dec0de (@c0dec0dec0de@hachyderm.io), to random

Alright, where on fedi is the nerd who uses a to unlock and start their car? (And do they have a sweet blog about their nerd-mobile?)

stafwag (@stafwag@mastodon.social), to debian

Use a GPG smartcard with Thunderbird. Part 1: setup GnuPG

https://stafwag.github.io/blog/blog/2024/04/21/use-a-gpg-smartcard-with-thunderbird-part_1-setup-gpg/

I moved to a Thinkpad w541 with coreboot so I needed to set up my email encryption on Thunderbird again.

It took me more time to reconfigure it again - as usual - so I decided to take notes this time and create a blog post about it. As this might be useful for somebody else … or me in the future :-)


stafwag (@stafwag@mastodon.social)

@adamsdesk For the FSF Europe fellowship card I don't know. I got my card 8 years ago from floss-shop.de. (I live in Europe/Belgium BTW.) You can check with them if they ship to Canada.

But the setup should work with any GPG compatible smartcard. I'm also looking at Not sure if nitrokey is available on your side of the ocean 🙂

is also an option:
https://stafwag.github.io/blog/blog/2015/06/16/using-yubikey-neo-as-gpg-smartcard-for-ssh-authentication/

But I lean more to nitrokey as I have the impression that they're more active in the open source community.

scy (@scy@chaos.social), to random

"A security issue has been identified in YubiKey Manager GUI which could lead to unexpected privilege escalation on Windows. If a user runs the YubiKey Manager GUI as Administrator, browser windows opened by YubiKey Manager GUI may be opened as Administrator which could be exploited by a local attacker to perform actions as Administrator."

https://www.yubico.com/support/security-advisories/ysa-2024-01/

Note that this affects Windows only.

kubikpixel (@kubikpixel@chaos.social), to passkeys (German)

Damn, I had really hoped and believed that passkeys are less vulnerable than password logins. Admittedly, this is a tool for them and not their definition, but still.

»FIDO2 sticks: flaw in YubiKey management software allows privilege escalation.
To manage YubiKey's FIDO2 sticks, the manufacturer provides a piece of software. A flaw in it allows privileges to be escalated.«

😬 https://www.heise.de/news/FIDO2-Sticks-Luecke-in-Yubikey-Verwaltungssoftware-erlaubt-Rechteausweitung-9690597.html

schenklklopfer (@schenklklopfer@chaos.social), to microsoft (German)

Does anyone know a tweak for how I can get around the security measures my company imposes on my account?

They're too insecure for me.

I want to use my and not this Microsoft malware called "Microsoft Authenticator".

chiefgyk3d (@chiefgyk3d@social.chiefgyk3d.com), to infosec

I find it really stupid Coinbase only allowed me to input 5 FIDO/U2F keys. That doesn't even cover half the total FIDO/U2F hardware keys in my arsenal. Not including the capability that Ledger and Trezor have to be a FIDO/U2F key themselves.

chiefgyk3d (@chiefgyk3d@social.chiefgyk3d.com), to Cybersecurity

Big thank you to @yubico they are sending me two new Yubikey 5C NFC keys as I am no longer needing the Yubikey 5Ci as I no longer use lightning connections since I got an iPhone 15.

Yubico has been my longest running partner since I have been creating content. Thank you for the support over all these years and the many keys you have provided me.

scy (@scy@chaos.social), to random

In theory you can gpg-connect-agent 'scd random 16' /bye to get 16 bytes of good randomness from your .

In practice you'll have to cut off the D[space] at the beginning, the [newline]OK[newline] at the end, and then find a way to remove URL-style percent encoding from the result (because some control characters and percent symbols will be encoded) … which is surprisingly hard to do on the command line without installing additional stuff or calling out to Python/Perl/Ruby/etc.
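One way to do exactly that cleanup with nothing but POSIX sh, sed, od and awk, added here as an example (this is not the poster's own code); the reply fed in below is a constructed sample rather than output captured from a card:

```shell
# Added example (not from the original post): decode the Assuan reply that
#   gpg-connect-agent 'scd random 16' /bye
# prints, using only POSIX sh, sed, od and awk. Assuan data lines are
# "D <payload>", where '%', CR and LF inside the payload are percent-encoded
# (%25, %0D, %0A); the reply then ends with an "OK" line. Output is the
# decoded payload as a hex string, which is usually what you want anyway.
assuan_data_to_hex() {
  LC_ALL=C sed -n 's/^D //p' |   # keep only the data line, drop the "D " prefix
    tr -d '\n' |                 # a real LF only terminates the line (payload LF is %0A)
    od -A n -v -t x1 |           # raw bytes -> "hh hh ...", escapes still literal
    tr '\n' ' ' |                # single line, so an escape never straddles od rows
    awk '
      BEGIN {
        # dig["30"] = "0" ... dig["66"] = "f": hex of an ASCII hex digit -> the digit
        for (i = 1; i < 128; i++) {
          ch = sprintf("%c", i)
          if (ch ~ /^[0-9A-Fa-f]$/) dig[sprintf("%02x", i)] = tolower(ch)
        }
      }
      {
        out = ""; i = 1
        while (i <= NF) {
          # 0x25 is "%": when two hex digits follow, it is a %XX escape
          if ($i == "25" && i + 2 <= NF && ($(i + 1) in dig) && ($(i + 2) in dig)) {
            out = out dig[$(i + 1)] dig[$(i + 2)]
            i += 3
          } else {
            out = out $i
            i++
          }
        }
        print out
      }'
}

# Constructed sample reply: "ab", an encoded LF, "cd", an encoded "%", "ef".
sample_reply() {
  printf 'D ab%%0Acd%%25ef\nOK\n'
}

# With a card plugged in (not run here):
#   gpg-connect-agent 'scd random 16' /bye | assuan_data_to_hex
```

Lines other than the data line (`OK`, `ERR`, `S` status lines) are dropped, so an error reply yields empty output rather than garbage.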

scy (@scy@chaos.social), to random

If you own a modern , you might know that you can use the YubiKey Manager to enable/disable the applications & interfaces it provides.

What you probably didn't know: You can password-protect this setting using the command-line version of the Manager, with the ykman config set-lock-code command.

If you lose that lock code, you can't change the setting anymore, ever.

If it's not yet set, others with physical access to your key could disable everything, set a code and lock you out. 😬

scy (@scy@chaos.social)

Okay, slightly more problematic scenario: Malware bricking your this way, forcing you to reset your setup to something less secure.

But if you already have malware on your machine, it probably has other ways to prevent you from using your YubiKey, too.

scy (@scy@chaos.social), to random

TIL: The 5 supports setting a PIN for additional security – but only the FIPS models, not the normal ones, and only in FIPS Level 1; in Level 2 U2F is forbidden entirely and only FIDO2 can be used.

scy (@scy@chaos.social), to opsec

Huh. Anyone ordered a lately? Did yours also come with an obvious fingerprint smudge on its contact surface?

The packaging is apparently undamaged.

I've contacted Yubico support about whether that's normal or a possible sign of tampering. Let's see what they say.

hko (@hko@fosstodon.org), to rust

I just released https://crates.io/crates/openpgp-card-ssh-agent version 0.2.1, a new agent for card users.

This release should fix build issues (the previous version didn't build on mac).

However, we're still exploring how secret storage works on non-Linux platforms. Expect a bumpy ride if you try it.
(If you do delve into debugging on mac or windows, we'd love to hear from you!)

scy (@scy@chaos.social), to random

Pondering whether to move my secrets to a .

Pro:
• stored safely on protected hardware
• secret "cannot" be extracted
• can access TOTP codes from an untrusted device, e.g. if my phone's battery is empty

Con:
• backing up the secrets is "not possible"
• having a second YubiKey for redundancy is recommended, but both need to be present when setting up a new secret (or you need to store a copy of the secret somewhere else)
• only has 32 slots (but I only have 23 TOTPs atm)

hko (@hko@fosstodon.org), to rust

The oct tool for inspecting, configuring and using OpenPGP card devices (https://crates.io/crates/openpgp-card-tools) is on "This Week in Rust":

https://this-week-in-rust.org/blog/2024/02/21/this-week-in-rust-535/#projecttooling-updates

Yay! 🎉 Thanks again, @dvzrv 😀

mima, to fediverse

Why does / need an "authenticator app" registered before you can use a hardware key? That doesn't make sense wise.

Yeah I know it's to prevent people from just accidentally getting locked out of their accounts, but there should be an option for to allow this risk. 🤔

ho1ger (@ho1ger@mas.to), to passkeys (German)

Over the last few days I've been playing around a bit with and a . Cool tech, worth trying out → https://ho1ger.de/2024/02/14/selbstversuch-passkeys-mit-und-ohne-yubikey/
