YubiKey for 2FA and GPG

A few years ago Marco Pivetta and I chatted about YubiKeys. He described his setup, which was absolutely amazing to me at the time. The most intriguing point was that he could get the 2-factor authentication tokens from whatever phone as long as he had the YubiKey with him.

Recently my phone broke and I had to set up the whole 2-factor authentication thingy again and again. That was when I remembered that chat. So I decided to test it out.

As I followed Marco's blog post and the referenced resources, the setup was straightforward. I did not (yet) set up the login procedure, only the 2FA and the GPG parts. But so far I'm very happy with it.

The first thing I did was to order a YubiKey 5 with NFC (otherwise it would be hard to use with the phone), and I still had a YubiKey 4 (no NFC) as backup. The 2-factor authentication setup is only on the YubiKey 5; the GPG setup is on both.

Reconnect issues

The only thing that kept annoying me was that every time I removed the key from the USB slot and reconnected it, it took some time to get recognized. I therefore followed this blog post (sorry, in German, but the code snippets should be understandable) to set up a refresh of the gpg-agent as soon as I connect the stick. So far this has worked out pretty well.
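One way to wire up that refresh, as an added example that is not the code from the post or from the linked German article: a udev rule that fires on USB insertion of a Yubico device and tells the user's gpg-agent to re-learn the smart card. It assumes a Linux desktop with systemd-udev, GnuPG 2.x, util-linux's `runuser`, a single desktop user given in `YK_USER`, and Yubico's registered USB vendor id 0x1050; the file paths are my own choice.

```shell
#!/bin/sh
# Added example: refresh gpg-agent's view of the YubiKey on (re)insertion.
# Assumptions: systemd-udev, GnuPG 2.x, runuser (util-linux), one desktop
# user (YK_USER), Yubico USB vendor id 1050. Paths below are placeholders.
set -eu

YK_USER="${YK_USER:-$(id -un)}"
HANDLER="${HANDLER:-/usr/local/bin/yubikey-reconnect}"

# Ask scdaemon to re-read the card and gpg-agent to relearn its keys.
# Must run as the desktop user so it talks to that user's agent socket.
refresh_gpg_agent() {
    gpg-connect-agent "scd serialno" "learn --force" /bye >/dev/null
}

# The handler udev invokes. udev runs it as root and kills long-running
# RUN programs, so it only switches to the user and runs the relearn.
write_handler() {
    target="$1"
    cat > "$target" <<EOF
#!/bin/sh
# Invoked by udev as root; re-execute the relearn in the user's login env.
exec runuser -l "$YK_USER" -c 'gpg-connect-agent "scd serialno" "learn --force" /bye'
EOF
    chmod 755 "$target"
}

# udev rule: on USB "add" of a Yubico device (vendor id 1050), run the handler.
write_udev_rule() {
    target="$1"
    printf 'ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="1050", RUN+="%s"\n' \
        "$HANDLER" > "$target"
}

# Install (as root): YK_USER=alice sh yubikey-udev.sh install
if [ "${1:-}" = "install" ]; then
    write_handler "$HANDLER"
    write_udev_rule /etc/udev/rules.d/90-yubikey-gpg.rules
    udevadm control --reload-rules
fi
```

After installing, replug the key and `gpg --card-status` should answer immediately instead of waiting for the agent to notice the card on its own.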

Touch-Protection

As a further security measure I need to touch the YubiKey whenever I want to do some GPG action. I followed this tutorial to do so. Why? Well, for convenience reasons the PIN is cached for some time after I enter it. A rather convenient way to be more productive. But that can allow untrusted code to use the now "open" GPG key without me noticing. Now I have to touch the device every time the key is used. No touching, no usage of the key. That's one little touch for me instead of entering the same PIN every time. And yes, you're right, I could also remove the device… 😉

Email

The setup in Thunderbird/Enigmail works flawlessly for me despite the things I hear from other people (Marco being one of them). And the best part is that the setup also works in K9-Mail/OpenKeychain on my Android phone, as that uses the YubiKey as a GPG smart card via NFC. So I can encrypt and sign emails on my mobile device as well as on my laptop.

As I have 2 different keys associated with my email address, I explicitly define which key I want to use for GPG actions in Thunderbird/Enigmail as well as in K9/OpenKeychain. Perhaps that is what makes the difference for my setup.

The only thing that is not yet taken care of is that I have one set of GPG keys for private usage as well as a set for corporate usage. Sadly there is only space for one set of keys on the YubiKey. So it looks like I will need to do the same thing with a different device for my corporate GPG keys…

What are your advantages, disadvantages and experiences of using a YubiKey?