... | ... | @@ -148,6 +148,42 @@ protocol for non-TPO hosts, you may add this at the end of `~./ssh/config`: |
IdentityAgent /dev/null
IdentityFile ~/.ssh/id_ed25519_sk
## FAQ
### I don't have usb-c in my laptop, would i need an adaptor then?
If you get a USB-A key, yes, but you can get a USB-C key!
### Who should use this?
Everyone! If you're using a service like Nextcloud, the Discourse
forum, GitLab, you should enable 2FA and preferably with a
cryptographic token. That's not yet official policy, but it's probably
going to hit the security policy in some shape or form in the future.
### I do my work from Tails, do I need a Yubikey?
Yes, because Tails doesn't necessarily protect you against phishing attacks.
### Can I use the USB port during my work session, or i need to have the YubiKey plugged all the time?
You don't need to have it plugged in all the time.
One interesting aspect of the YubiKey is that you can unplug it and
decide "nope, authentication doesn't happen here anymore".
It's a clear way to secure that cryptographic material, physically.
### Any reason why we pick a Yubikey and not a tool with a open design like a NitroKey?
anarcat made a [review of the Nitrokey in 2017](https://anarc.at/blog/2017-10-26-comparison-cryptographic-keycards/) and found that
their form factor was less reliable than the YubiKey.
The solokey was also considered but is not quite ready for prime time
yet. Google's Titan key was also an option but only supports 2FA (not
OpenPGP or SSH), see the [other alternatives](#other-alternatives) section for more
details.
## Pager playbook
<!-- information about common errors from the monitoring system and -->
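Review bot: the answer under "Can I use the USB port during my work session" overstates what unplugging achieves. Removing the key stops new authentications, but sessions that were already authenticated (an open SSH connection, a logged-in browser session on GitLab or Nextcloud) stay valid until they are closed or expire, so "authentication doesn't happen here anymore" should say that it blocks *new* logins and mention locking the screen or ending sessions if the stronger guarantee is wanted. Two smaller points in the same hunk: the context line that introduces the `IdentityAgent /dev/null` / `IdentityFile ~/.ssh/id_ed25519_sk` snippet spells the path `~./ssh/config`, which should be `~/.ssh/config`; and the "Who should use this?" answer mixes a recommendation ("you should enable 2FA") with a guess about future policy, so it would read more clearly as "recommended now, expected to become part of the security policy" with a link to TPA-RFC-18 as the rest of the page does.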
... | ... | @@ -328,9 +364,24 @@ the secret key material is available on the backup YubiKey. |
While we still have to make an all-encompassing security policy
([TPA-RFC-18](policy/tpa-rfc-18-security-policy)), we have decided in April 2023 to train our folks to
use YubiKeys as security keys, see [TPA-RFC-53][] and [discussion
ticket](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41083).
ticket](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41083). This was done following a survey posted to tor-internal,
the results of which are available in [this GitLab comment](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41083#note_2887000).
## Requirements
The requirements checklist was:
* FIDO2/U2F/whatever this is called now
* physical confirmation button (ideally "touch")
* OpenPGP applet should be available as an option
* USB A or USB-C?
* RSA, and ed5519 or equivalent?
It should cover the following use cases:
## Overview
* SSH (through the SK stuff or gpg-agent + openpgp auth keys)
* OpenPGP
* web browsers (e.g. gitlab, discourse, nextcloud, etc)
## Security and risk assessment
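Review bot: the new sentence "It should cover the following use cases:" is immediately followed by the existing "## Overview" heading, so it dangles above a heading and the list it introduces (SSH, OpenPGP, web browsers) ends up under "Overview" instead of "Requirements"; either move the sentence below the heading, rename the heading, or drop it so the checklist and the use-case list sit together. In the checklist itself, "ed5519" should read "ed25519", and "FIDO2/U2F/whatever this is called now", "USB A or USB-C?" and "RSA, and ed5519 or equivalent?" are written as open questions rather than requirements; since the FAQ added earlier in this change already points people at USB-C keys, it would help to state each requirement and record the decision, e.g. "* USB-C (USB-A keys need an adapter, see the FAQ)". Finally, the rewritten sentence now reads "...and discussion ticket. This was done following a survey posted to tor-internal"; "The decision followed a survey posted to tor-internal" avoids the vague "This was done".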