In my use case, is there any value to a Yubikey 5 NFC?

I am considering whether or not to get a Yubikey 5 NFC; whilst I like the idea of having a hardware key such as the Yubikey, I am not sure whether I will get the benefit from it in my use case or not - so putting it out there for people to offer their views and the Yubikey faithful to convince me!

My primary OS is Manjaro Linux. I never use Windows except for gaming so view the chances of a malware/man in the middle attack as reduced.

My passwords are kept in a KeePassXC database, stored on a separate NAS running Unraid. The drives in that array are encrypted at rest using LUKS. Inside that KeePassXC database, for better or worse, I have my TOTP data and get my TOTP codes direct from KeePassXC. Therefore I won’t benefit from a Yubikey giving me TOTP codes for 2FA.

I have a Nitrokey FIDO2 key, which I have linked to various sites that support FIDO2 and FIDO U2F. Therefore I won’t get that gain from the Yubikey either.

I don’t SSH into many remote hosts. Most of them are on my internal home network, my NAS and Raspberry Pis. I have set up Fail2Ban, changed SSH port numbers and have SSH keys for a couple of the hosts. Maybe I will get a benefit here, although it depends upon how many SSH keys I can store on the Yubikey 5 NFC.

Finally, I make use of Veracrypt and Cryptomator to encrypt multiple files. If I want to encrypt a single file here and there, I do so with GPG using ECC keys. I can see a benefit here, being able to remove the keys from the GPG keyring and putting them on a hardware device.

I like open source where possible and part of me is wondering, given my use case, if I am better off keeping my GPG keys encrypted inside my password manager and then buying a Nitrokey Start, purely for storing the PGP ECC keys?

Would appreciate any views/opinions :+1: - maybe @PhaseLockedLoop might have some views as I read the ‘one key to use them all’ mega-thread with interest :slight_smile:

That's awesome. Personally there are two top keys on the market: the Google Titan key and the YubiKey.

It's not really reduced in today's era. Linux is just as attackable in numerous other ways. The traditional malware is reduced, yeah.

That's great, mine are stored in Vaultwarden. You know what keeps my mind realizing that this is a false sense of security? It's that you are only as strong as your weakest link. In this case my Bitwarden password, but I used FIDO2 on the password vault as well, so you cannot sign into my Vaultwarden without my YubiKey.

So my suggestion is to move from KeePassXC to Vaultwarden (self-hosted Bitwarden Docker, coded in Rust). This allows you to protect your vault with your Nitrokey.

Perspective: I did it for convenience in addition to security. It's nice to have a physical chip that you must insert and type the PIN into in order to connect to an SSH session. It secures the SSH session away from a key stored on the system.

I created this thread to show that the YubiKey is the key that can do it all, not that it is the only solution. My perspective is that if I was in the market for a key today it would be the YubiKey that wins. Convenience is often as important as security. However, given differences in setup, it may not be the best decision for you.

Totally up to you, and at the end of the day it's only 45 bucks.


Thanks. I have ordered a 5 NFC to have a play with :slight_smile:

I am very happy with using KeePassXC, no plans to move away from it. But I could configure KeePassXC to work with a YubiKey in challenge-response mode. My KeePassXC database is configured with a long password and a keyfile, so it’s reasonably protected and I think I would rather have the YubiKey's two slots available for PGP keys and SSH keys.