Comment by taeric
7 years ago
I don't understand why the use of Yubikeys for a non-exportable key isn't valid for folks that care about security. I mean, I get that not everyone will use it. The vast majority won't. However, the vast majority don't care about security at this level. So... what is the actual criticism? If you care about security, use the keys, right? That feels no different from "use some other product."
The only thing in this world more complicated than setting up GPG is setting up GPG with Yubikey.
The fact that I have `fix-gpg` script to restart gpg-agent somewhere in $PATH that I run when for some reason it can't find my YubiKey tells me that it's not a viable solution for 99% of people.
PS. Actual command from GPG:
This is more an issue with GnuPG though, not OpenPGP.
Also, you may want to try using an actual OpenPGP Card (https://www.floss-shop.de/en/security-privacy/smartcards/13/...). (You can get a small one inside a USB token too)
On older machines, I agree. On recent installs, it just worked.
Getting it to work with my phone is slightly dumber. But still not super hard.
Sure. We do that for eg SSH. I don’t think it’s a great idea for our standard audience (startups) to implement.
I'm not sure what you mean. :(
I'm suggesting that the Yubikey experience isn't exactly flawless. I use Qubes too, but I don't think everyone should have it as a daily driver. If you want to use Yubikeys for SSH, that's fine. IF you want to use Yubikeys for GPG, you have many of the problems outlined in the post. Does that clarify?
1 reply →