Warning
Initially, I had started this article with the hope of getting it out last year. Out of laziness, it never went out. In wake of the xz backdoor event, I’ve decided to spend some more time on it as it can answer some questions asked by my fellow Debian Developers.
This means that while I spent quite some time double checking what I state here (because as I have an already working environment, I may forget some essential stuff), there might be some issues.
Don’t hesitate to reach out to tell me if so, and I’ll fix the article
ASAP. Also, please, back your PGP secrets up before playing with a
YubiKey!
YubiKeys - what are these?
A YubiKey is a hardware authentication device manufactured by
Yubico. It implements multiple cryptographic security
protocols, such as OpenPGP Secure Card protocol,
FIDO2,
U2F,
TOTP, or
public key cryptographic authentication.
Hardware security devices are generally offering an extra layer of security, by allowing one to store (and/or generate) on them secrets that are virtually impossible to extract anymore. The same way as pin cards do, they allow one to protect these secrets with PIN/PUK codes and a limited amount of trials before being locked down (forcing a reset of the specific application to be able to unlock the key, effectively wiping all data).
YubiKeys have a specific firmware deployed which is not upgradeable, this has
some benefits (no need to handle a secure upgrade protocol, no possibility to
upgrade to a backdoored version) and, of course, some drawbacks (in case of a
flaw/vulnerability, one must buy a new key with a fixed firmware).
The goal here not being to explain all the genesis of the keys, I won’t expand further, and rather will try to dive in the technical workflow aspects.
In order to make things more digestible, I decided to split this article in a series, one per module. They will probably not get out as fast as the first one, but I’ll try to tackle this in a reasonable delay.
Also, they will probably change a lot at the beginning depending on the feedback.