The perfect password manager¶
TL;DR: Use a Yubikey 4 with touch-to-sign to store your GPG keys, and use these keys for SSH authentication and storing your secrets with password-store.
The problem¶
For a long time, I’ve been searching for a robust and secure way to store my passwords, and secrets in general (SSH and GPG keys, personal files…)
There is one thing that bothered me in all the solutions I knew about, be it a software like KeePass, or a cloud solution like LastPass: if my computer is compromised at some point in time, it will be possible to extract all of my secrets when I open my vault to access one.
In that regard, a piece of paper in my wallet would be much more secure, as my computer would only know the secrets I copy over when I need them.
The only device solving that problem is the mooltipass, an external device containing all your passwords that can simulate a keyboard and type them when you need them. It’s an interesting device, completely open source, and you should definitely check it out.
But there is an alternative I want to talk about, based on the well-known Yubikey, plus a combination of tools that fit all my needs, not only for storing password but also to connect to remote SSH servers and decrypt/sign PGP messages, while giving me strong security guarantees.
The solution¶
In the true Unix fashion, I use a combination of tools doing a simple job each. Let’s start with the password manager:
GPG for your password manager: password-store¶
As you probably guessed in the title, it all rests on GPG and we’ll see later how we secure these GPG keys.
But for now, let’s introduce a tool called password-store.
It’s a pretty simple wrapper around GPG (a bash script, in fact) that allows you to store each of your secret in a GPG-encrypted file.
The GPG key that you use for storing your password will be required each time that you access a password. Because it’s public key cryptography, it means that you can create new passwords without needing to access your key!
In term of security, well, it’s GPG. Each of your secret is stored in a file in your home directory, so it’s up to you to do backups. But it’s all neat and simple :)
zx2c4@laptop ~ $ pass
Password Store
├── Business
│ ├── some-silly-business-site.com
│ └── another-business-site.net
├── Email
│ ├── donenfeld.com
│ └── zx2c4.com
└── France
├── bank
├── freebox
└── mobilephone
There are even browser extensions (firefox, chrome), to integrate password-store!
GPG for your SSH keys: gpg-agent¶
I also want to do a quick disgression, and tell you that you can use GPG not only to store your password, but to authenticate to remote servers.
Moreover, you can use key forwarding (so that in these servers, you can access the SSH keys from your local machine and connect to other machines in turn) without much risk of the server using them in your back: all the uses will require you to touch your Yubikey!
For example, I connect to my server using my Yubikey, and on that remote server I can copy files to another server, or push code to my git repository by touching my Yubikey too. For all that, I don’t have to type a single password.
For that you need to replace your SSH agent by gpg-agent, it’s all explained in the appendix.
Secure GPG key storage: Yubikey¶
Some of you may already have heard of Yubikeys. The idea is to have a Yubikey storing GPG keys that you generated on an air-gapped computer.
It primarily serve for second-factor authentication, but here we will only focus on its GPG smartcard function.
Once you set it up, GPG will connect to your Yubikey each time it needs to access to your secret key. The Yubikey will do all the cryptographic work, so that your secret key never leaves it. In case your computer is compromised, an attacker can only use your secret key if your Yubikey is connected and unlocked.
This was not satisfying for me yet, because it meant that if I connect and unlock my Yubikey, a compromised computer can tell the Yubikey to decrypt all my secret files, connect to all my servers… without me noticing: pretty bad.
That’s where the last generation of Yubikeys (Yubikey 4) have a feature that went relatively unpublicized: you can have them require the user to touch it everytime an operation on the secret key is requested. This means that it’s impossible to access your secrets without you physically allowing it!
When combined with the tools above you will need to touch your Yubikey every time you want to access one of your password, decrypt or sign a GPG message, or connect to your server. Without you having unlocked, and touching your Yubikey, it becomes impossible to connect to your servers or access your passwords. Even if your computer is fully compromised.
Conclusion¶
I find this solution very secure, and quite easy to use and non-intrusive.
Also, to contradict the title of this article, here are a few security caveats I could think of:
Even though it’s not possible to access your secrets, it’s still possible to replace them, because the public key encryption doesn’t require any secret. This could be fixed by forcing all your secret files to be signed by your secret key.
In case your computer is compromised, it could be possible to ask your Yubikey to do something else than what you intented, but then you would need to touch it twice, and will probably notice it :)
Oh, and sadly, the newer version of the Yubikey (the 4, with touch-to-sign) doesn’t have an open source firmware…
But compared to the other solutions I know, I think these are quite minor, and that there is a much better security overall.
Appendix: let’s do it!¶
Generate your PGP keys¶
Master key¶
For this scheme to be secure, you need to generate your GPG keys on a secure computer, disconnected from the internet. Or at least from a live CD, or something you can trust better than your day-to-day computer.
Once you are on this secure, throwaway system, use gpg to generate a master key (if you don’t have one already).
$ gpg --gen-key
Generate a sign only key (the rest will go into our subkeys).
I suggest that you use all the defaults, but that you set an expiration date in case you would loose your key (a few years into the future).
As long as you are in a secure system and you don’t plan to copy your secret key anywhere (except to an encrypted, offline storage, as explained below), you can leave the password used to protect the key empty.
Sub-keys¶
Now that you have your master key, let’s add three sub-keys: these will go to your Yubikey.
$ gpg --expert --edit-key palkeo
Replace “palkeo” by the name that you provided for your master key, or the key ID
you can see by doing gpg --list-secret-keys.
You should now have GPG prompt: gpg>.
You will use this prompt to create three subkeys.
One for encryption: to decrypt GPG messages you receive, including your secrets in password-store.
One for signature: to sign GPG messages you send.
One for authentication: mainly for SSH authentication.
Let’s see how to create the encryption key, for example:
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
Your selection? 8
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? s
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 5y
Key expires at Wed Dec 8 22:56:10 2021 UTC
Is this correct? (y/N) y
Really create? (y/N) y
...
pub 2048R/A41164CD created: 2016-12-09 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048R/D7857578 created: 2016-12-09 expires: 2021-12-08 usage: E
gpg>
You can see that I toggled the capabilities until there is only encryption left:
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt
Repeat the process with the addkey command again, but this time leaving
the Sign capability left.
Do it one last time, for the Authenticate capability.
You should now have three sub-keys. These will go to your Yubikey soon.
Backup time¶
Now is backup time, don’t neglect this step!
Export your secret key and subkeys, like that:
$ gpg -a --export-secret-keys A41164CD > key.txt
$ gpg -a --export-secret-subkeys A41164CD > subkeys.txt
Now copy these files to a secure storage. It should be offline, so that your computer can’t access it, and you probably also want to encrypt it. But you should be able to access it in case you lose your Yubikey, and want to export the keys to a new one.
I also recommend that you make a copy of the ~/.gnupg directory that you
used to generate these keys.
Setup your Yubikey¶
Once you have your Yubikey, it’s time to set it up:
Smartcard setup¶
Note
Because you are accessing/copying your secret keys, this is to be done on an offline/secure computer again. I recommend you generate the keys and copy them at once, when you have your Yubikey.
First of all, most of the articles I could find mention the use of ykpersonalize
to enable GPG on the Yubikey. I found out it’s not needed (at least for the
Yubikey 4), as it’s enabled by default (U2F too).
You now need to install the smartcard support in GPG:
$ sudo apt-get install scdaemon pcscd gnupg-agent
Now you can plug your Yubikey, and execute gpg --card-status. You should
see something like:
Reader ...........: 1050:0407:X:0
Application ID ...: D2760001240102010006050314690000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 05031469
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
Let’s set it up:
$ gpg --card-edit
... (same as above) ...
gpg/card> admin
Admin commands are allowed
gpg/card> passwd
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 3
PIN changed.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 1
PIN changed.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? q
gpg/card> quit
You will be asked for the original admin PIN, which is 12345678. Same for the original PIN, which is 123456.
Make sure that your new admin PIN is secret/unguessable. You can store a backup along with your GPG keys. It’s only used to administrate the Yubikey GPG smartcard.
The “normal” PIN is the one you will have to type to unlock your Yubikey, when you connect it to your computer. The goal is to prevent someone stealing your Yubikey to impersonate you.
GPG keys setup¶
Now, let’s move the keys to your Yubikey:
$ gpg --edit-key palkeo
pub 2048R/A41164CD created: 2016-12-09 expires: 2021-12-08 usage: SC
trust: ultimate validity: ultimate
sub 2048R/486B21CF created: 2016-12-09 expires: 2021-12-08 usage: S
sub 2048R/D7857578 created: 2016-12-09 expires: 2021-12-08 usage: E
sub 2048R/DA1E5137 created: 2016-12-09 expires: 2021-12-08 usage: A
[ultimate] (1). palkeo
gpg> toggle
sec 3744R/1C5C4717 created: 2016-12-09 expires: 2021-12-08
ssb 2048R/486B21CF created: 2016-12-09 expires: 2021-12-08
ssb 2048R/A11F46D2 created: 2016-12-09 expires: 2021-12-08
ssb 2048R/DA1E5137 created: 2016-12-09 expires: 2021-12-08
(1) palkeo
gpg> key 1
sec 3744R/1C5C4717 created: 2016-12-09 expires: 2021-12-08
ssb* 2048R/486B21CF created: 2016-12-09 expires: 2021-12-08
ssb 2048R/A11F46D2 created: 2016-12-09 expires: 2021-12-08
ssb 2048R/DA1E5137 created: 2016-12-09 expires: 2021-12-08
(1) palkeo
gpg> keytocard
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1
sec 3744R/1C5C4717 created: 2016-12-09 expires: 2021-12-08
ssb* 2048R/486B21CF created: 2016-12-09 expires: 2012-12-08
card-no: 0060 00000042
ssb 2048R/A11F46D2 created: 2016-12-09 expires: 2012-12-08
ssb 2048R/DA1E5137 created: 2016-12-09 expires: 2012-12-08
(1) palkeo
gpg>
This is an example moving my signature key to my Yubikey. Note that the key is moved (that’s why you need to have done backups before!), and replaced by a stub pointing to unique identifier of the smartcard.
You need to reproduce that process again two times, to move the two other keys
too (use the key command to deselect the key 1, select the key 2…).
Once it’s done, do a gpg --card-status to check that your keys were
sucessfully moved to your Yubikey.
Touch-to-sign setup¶
We also need to enable the functionality forcing you to touch your Yubkey when a cryptographic operation is requested.
It’s quite granular, as this flag is set per key slot. But I recommend that you set it to all your three keys.
This link contains all
the information you need. It points to a yubitouch.sh script that you
have to download and run to enable this feature.
Have your machines use the Yubikey¶
For your machines to use your Yubikey, you need to export your public keys on your offline system:
$ gpg -a --export palkeo > public-key.txt
Move that file (and only this one, not your secret keys!) to your day-to-day machine, and import it like that:
$ gpg --import < public-key.txt
That’s it, you are all set, and you should now be able to transparently use your Yubikey to encrypt/sign GPG messages :)
Setup password-store¶
Once you have GPG set up to use your Yubikey, password-store is trivial to use:
First, you have to initialize it, by passing the ID of your master key:
pass init 1C5C4717
Then, you are free to add new passwords with pass insert. Remember that
it won’t ask you for your Yubikey when you add passwords
(only when you access them).
Note
If you use pass edit to edit your secrets in your preferred text editor,
be aware that they are unencrypted to a temporary directory
and that your text editor may backup the file elsewhere, while it’s unencrypted!
If you use vim, there is a plugin
that you can install to avoid that. There are also other interesting scripts
in the contrib/ directory of password-store.
Use your key for SSH authentication¶
We will use the GPG agent to replace the SSH agent.
First, you have to enable that support in the GPG agent:
echo enable-ssh-support >> $HOME/.gnupg/gpg-agent.conf
Then, start the agent:
eval `gpg-agent --daemon`
This has the side-effect of setting environment variables like SSH_AUTH_SOCK.
You will also have to make sure you start it at the beginning of each session, or at each login if it’s not started already.
You should see your shiny new SSH key by doing ssh-add -l.
Note that using ssh-add -L will give it in a format that’s ready to add
to the authorized_keys file on a remote host.
An important reminder¶
I just wanted to remind you these two things, that are on the basis of all this:
Make sure that the admin PIN of your Yubikey is set up and stored offline with your secret keys: with it, it become possible to disable touch-to-sign.
You need to make sure that you always have an offline backup of the secret key that’s on your Yubikey, so that if you lose it you still have a way to copy that secret key to a new Yubikey, and access your encrypted passwords securely again.