Comment by eptcyka
2 days ago
You can configure the yubikey to need a PIN and/or touch to authorise the use of a GPG key.
My main issue with pass is that it doesn’t work great on iOS with yubikeys.
Is the biometrics step (fingerprint reader) on macOS much different from a yubikey? I imagine implementation may have some differences, but in practice it seems I can already protect access to my GPG key using the built-in reader, so what’s the advantage of yubikey in that respect? Genuinely curious.
The TouchID is bound to a device - of course, I could copy my secret into a secure enclave that is only accessible through TouchID. Could even just store my GPG key there. With a Yubikey, I generate the key on an airgapped device and store it on the Yubikey. No other piece of hardware ever needs to see my secret key in plaintext. I could achieve the same with TouchID, generate the secret key inside the enclave, but then I cannot move the secret keys out without some other computer bearing witness to that.
I really do not want to give Apple any more leverage over me, I'm looking to minimize it.