Yubikey All The Things

Dec 6, 2017| Daniel Jones

Paddy Steed is one of the newer members of EngineerBetter, and has a keen eye for all things related to security and cryptography. Soon after joining us he outlined a great way for us to securely use shared machines whilst pairing.

Each team member now has a single Yubikey USB security device that does all of the following:

SSH

After a little setup, an engineer inserts their Yubikey, enters a PIN, and then their SSH key is loaded all the time the device is connected. By generating the RSA key on the device, it never exists on disk anywhere else.

Yubikeys for SSH

2FA

Having to use one’s phone every few minutes to enter a 2FA code for the myriad services we use is a pain. Yubikeys support U2F, which makes 2FA as simple as pressing the button on your Yubikey device. With the help of a Yubico app, you can also use it for old-school time-based one-time-passwords.

Yubikeys for 2FA

Static secrets

The Yubikey can be configured to type in a string when its button is long-pressed. This is a great way to get your (very long, very hard to remember) 1Password secret key when using a shared machine. This means you only have to remember your email address and password to access your password vault, but with all the benefits of an extra secret for higher entropy.

Yubikeys for static secrets

Commit signing

You can use the GPG key created on the Yubikey to sign your Git commits, meaning that you can prove that you really are the author of commits with your name on, and that no-one is masquerading as you.

Yubikeys for signed Git commits