document my actual touch policy first
authored by anarcat
Onboarding @lelutin (tpo/tpa/team#41599), I realized I was telling him
"oh just follow the later thing" so that means I need to tweak the
guide.
......@@ -675,16 +675,35 @@ are marked `sec>` and `ssb>`, not `sec` and `ssb`.
This is optional.
You may want to change the touch policy. This requires you to touch
the YubiKey to consent to cryptographic operation. Here's one policy,
for example:
the YubiKey to consent to cryptographic operation. Here is a full
touch policy:
ykman openpgp keys set-touch sig on
ykman openpgp keys set-touch enc on
ykman openpgp keys set-touch sig cached
ykman openpgp keys set-touch enc cached
ykman openpgp keys set-touch aut cached
NOTE: the above didn't work before the OpenPGP keys were created, that
is normal.
The above means that touch is required to confirm signature,
encryption and authentication operations, but is cached 15
seconds. The rationale is this:
* `sig on` is absolutely painful if you go through a large rebase and
need to re-sign a lot of commits
* `enc on` is similarly hard if you are decrypting a large thread of
multiple messages
* `aut` is crucial when running batch jobs on multiple servers, as
tapping for every one of those would lead to alert fatigue, and in
fact I sometimes just flip back `aut off` for some batches that
take longer than 15 seconds
Another policy could be:
ykman openpgp keys set-touch sig on
ykman openpgp keys set-touch enc on
ykman openpgp keys set-touch aut cached
That means:
1. touch is required to confirm signatures
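Review bot: the "NOTE: the above didn't work before the OpenPGP keys were created, that is normal" line reads as an afterthought and is easy to miss; turn it into an instruction placed before the commands ("run these only after the OpenPGP keys have been generated; `set-touch` fails before that"). The same applies to the 15-second cache: this hunk says touch "is cached 15 seconds", but the fact that the window is a fixed 15 seconds *total* and does not reset between operations is only stated at the very end of the section, after the reader has already picked a policy; state that caveat here, next to the `cached` commands. Finally, the `aut` bullet mentions flipping back to `aut off` for long batches; it is worth saying explicitly that this removes the touch requirement for authentication entirely until it is set back, so the reader knows to re-enable it after the batch.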
......@@ -692,11 +711,6 @@ That means:
3. touch is required to confirm authentication, but is cached 15
seconds
The latter merits some explanation. I operate a lot of servers, and
sometimes run batch commands on many of them at once. Tapping for
every one of those would lead to alert fatigue and be extremely
annoying. The 15 seconds delay is a good compromise.
You can see the current policies with `ykman openpgp info`, for
example:
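Review bot: with the "The latter merits some explanation" paragraph removed, the second policy's numbered list ends at "cached 15 seconds" with no rationale of its own, and the justification for `aut cached` now lives only in the bullet list under the first policy. A short back-reference after item 3 ("see the rationale for `aut` above") would keep the second policy self-explanatory for a reader who jumps straight to it.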
......@@ -730,22 +744,7 @@ after a delay, respecting the `default-cache-ttl` and `max-cache-ttl`
settings from `gpg-agent.conf`, but alas this do not currently take
effect.
Ultimately, I ended up setting all to `cached`:
ykman openpgp keys set-touch sig cached
ykman openpgp keys set-touch enc cached
ykman openpgp keys set-touch aut cached
The rationale is this:
* `sig on` is absolutely painful if you go through a large rebase and
need to re-sign a lot of commits
* `enc on` is similarly hard if you are decrypting a large thread of
multiple messages
* `aut` is mentioned above, and in fact I sometimes just flip back
`aut off` for some batches that take longer than 15 seconds
It should be noted that the `cache` setting is a 15 seconds delay
It should also be noted that the `cache` setting is a 15 seconds delay
*total*: it does *not* reset when a new operation is done. This means
that the entirety of the job needs to take less than 15 seconds, which
is why I sometimes completely disable it for larger runs.
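Review bot: changing "It should be noted" to "It should also be noted" leaves "also" dangling, since the rationale bullets it followed are removed in this hunk and the sentence now comes directly after "but alas this do not currently take effect." Either drop "also" or reconnect the sentence to the `cached` policy it qualifies ("Note that the `cached` setting is a 15 seconds delay *total*..."). While here, the unchanged context line has a grammar slip worth fixing in a follow-up: "this do not currently take effect" should be "this does not currently take effect".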