TL;DR: Use a Yubikey 4 with touch-to-sign to store your GPG keys, and use these keys for SSH authentication and storing your secrets with password-store.

The problem

For a long time, I’ve been searching for a robust and secure way to store my passwords, and my secrets in general (SSH and GPG keys, personal files…).

There is one thing that bothered me in all the solutions I knew about, be it software like KeePass or a cloud solution like LastPass: if my computer is compromised at some point in time, it will be possible to extract all of my secrets when I open my vault to access one.

In that regard, a piece of paper in my wallet would be much more secure, as my computer would only know the secrets I copy over when I need them.

The only device solving that problem is the mooltipass, an external device containing all your passwords that can simulate a keyboard and type them when you need them. It’s an interesting device, completely open source, and you should definitely check it out.

But there is an alternative I want to talk about, based on the well-known Yubikey, plus a combination of tools that fit all my needs, not only for storing passwords but also for connecting to remote SSH servers and decrypting/signing PGP messages, while giving me strong security guarantees.