qlyoung's wiki
    Trace:

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
password_management [2024/03/01 17:03] – [key management] qlyoungpassword_management [2024/03/01 19:01] (current) – [tldr] qlyoung
Line 5: Line 5:
 ==== tldr ==== ==== tldr ====
  
-{{ :untitled_diagram.drawio_1_.svg |}}+{{ :untitled_diagram.drawio_1_.svg?500| }}
  
 I use [[https://www.passwordstore.org/|pass]]. This is a shell script that provides porcelain over a directory of plain text files encrypted with a gpg keypair. I use [[https://www.passwordstore.org/|pass]]. This is a shell script that provides porcelain over a directory of plain text files encrypted with a gpg keypair.
Line 41: Line 41:
  
 ==== key management ==== ==== key management ====
 +
 +{{ :img_1295.jpg?400|}}
  
 This setup requires my personal GPG keypair to unlock the store. This means that the keypair has to be accessible to every device that needs access to passwords. This setup requires my personal GPG keypair to unlock the store. This means that the keypair has to be accessible to every device that needs access to passwords.
Line 47: Line 49:
  
 However, even though the keypair is itself encrypted, having it stored on disk isn't ideal from a security perspective - particularly on mobile devices, which are very exposed and historically very insecure. It's better if we don't store the key on disk at all. To accomplish this I store my keypair on a [[https://en.wikipedia.org/wiki/OpenPGP_card|OpenPGP smart card]] (a [[https://www.yubico.com/product/yubikey-5c-nfc/|yubikey]]). This small, unobtrusive device lives on my keychain along with my car keys. However, even though the keypair is itself encrypted, having it stored on disk isn't ideal from a security perspective - particularly on mobile devices, which are very exposed and historically very insecure. It's better if we don't store the key on disk at all. To accomplish this I store my keypair on a [[https://en.wikipedia.org/wiki/OpenPGP_card|OpenPGP smart card]] (a [[https://www.yubico.com/product/yubikey-5c-nfc/|yubikey]]). This small, unobtrusive device lives on my keychain along with my car keys.
- 
-{{ :img_1295.jpg?400|}} 
  
 On my desktop and laptop, whenever I need a password, I'm prompted to plug in and unlock my yubikey with a 6 digit pin. The encrypted file containing the password is then sent, over USB, to the embedded processor on the yubikey. The yubikey decrypts it using the GPG private key and sends back the cleartext contents. The flow is the same on my phone, except that communication occurs over NFC so I am prompted to tap my yubikey on the device. On my desktop and laptop, whenever I need a password, I'm prompted to plug in and unlock my yubikey with a 6 digit pin. The encrypted file containing the password is then sent, over USB, to the embedded processor on the yubikey. The yubikey decrypts it using the GPG private key and sends back the cleartext contents. The flow is the same on my phone, except that communication occurs over NFC so I am prompted to tap my yubikey on the device.
Panorama theme by desbest
password_management.1709312587.txt.gz · Last modified: 2024/03/01 17:03 by qlyoung
CC Attribution-Noncommercial-Share Alike 4.0 International Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International