Loading howto/yubikey.md +24 −25 Original line number Diff line number Diff line Loading @@ -675,16 +675,35 @@ are marked `sec>` and `ssb>`, not `sec` and `ssb`. This is optional. You may want to change the touch policy. This requires you to touch the YubiKey to consent to cryptographic operation. Here's one policy, for example: the YubiKey to consent to cryptographic operation. Here is a full touch policy: ykman openpgp keys set-touch sig on ykman openpgp keys set-touch enc on ykman openpgp keys set-touch sig cached ykman openpgp keys set-touch enc cached ykman openpgp keys set-touch aut cached NOTE: the above didn't work before the OpenPGP keys were created, that is normal. The above means that touch is required to confirm signature, encryption and authentication operations, but is cached 15 seconds. The rationale is this: * `sig on` is absolutely painful if you go through a large rebase and need to re-sign a lot of commits * `enc on` is similarly hard if you are decrypting a large thread of multiple messages * `aut` is crucial when running batch jobs on multiple servers, as tapping for every one of those would lead to alert fatigue, and in fact I sometimes just flip back `aut off` for some batches that take longer than 15 seconds Another policy could be: ykman openpgp keys set-touch sig on ykman openpgp keys set-touch enc on ykman openpgp keys set-touch aut cached That means: 1. touch is required to confirm signatures Loading @@ -692,11 +711,6 @@ That means: 3. touch is required to confirm authentication, but is cached 15 seconds The latter merits some explanation. I operate a lot of servers, and sometimes run batch commands on many of them at once. Tapping for every one of those would lead to alert fatigue and be extremely annoying. The 15 seconds delay is a good compromise. You can see the current policies with `ykman openpgp info`, for example: Loading Loading @@ -730,22 +744,7 @@ after a delay, respecting the `default-cache-ttl` and `max-cache-ttl` settings from `gpg-agent.conf`, but alas this do not currently take effect. Ultimately, I ended up setting all to `cached`: ykman openpgp keys set-touch sig cached ykman openpgp keys set-touch enc cached ykman openpgp keys set-touch aut cached The rationale is this: * `sig on` is absolutely painful if you go through a large rebase and need to re-sign a lot of commits * `enc on` is similarly hard if you are decrypting a large thread of multiple messages * `aut` is mentioned above, and in fact I sometimes just flip back `aut off` for some batches that take longer than 15 seconds It should be noted that the `cache` setting is a 15 seconds delay It should also be noted that the `cache` setting is a 15 seconds delay *total*: it does *not* reset when a new operation is done. This means that the entirety of the job needs to take less than 15 seconds, which is why I sometimes completely disable it for larger runs. Loading Loading
howto/yubikey.md +24 −25 Original line number Diff line number Diff line Loading @@ -675,16 +675,35 @@ are marked `sec>` and `ssb>`, not `sec` and `ssb`. This is optional. You may want to change the touch policy. This requires you to touch the YubiKey to consent to cryptographic operation. Here's one policy, for example: the YubiKey to consent to cryptographic operation. Here is a full touch policy: ykman openpgp keys set-touch sig on ykman openpgp keys set-touch enc on ykman openpgp keys set-touch sig cached ykman openpgp keys set-touch enc cached ykman openpgp keys set-touch aut cached NOTE: the above didn't work before the OpenPGP keys were created, that is normal. The above means that touch is required to confirm signature, encryption and authentication operations, but is cached 15 seconds. The rationale is this: * `sig on` is absolutely painful if you go through a large rebase and need to re-sign a lot of commits * `enc on` is similarly hard if you are decrypting a large thread of multiple messages * `aut` is crucial when running batch jobs on multiple servers, as tapping for every one of those would lead to alert fatigue, and in fact I sometimes just flip back `aut off` for some batches that take longer than 15 seconds Another policy could be: ykman openpgp keys set-touch sig on ykman openpgp keys set-touch enc on ykman openpgp keys set-touch aut cached That means: 1. touch is required to confirm signatures Loading @@ -692,11 +711,6 @@ That means: 3. touch is required to confirm authentication, but is cached 15 seconds The latter merits some explanation. I operate a lot of servers, and sometimes run batch commands on many of them at once. Tapping for every one of those would lead to alert fatigue and be extremely annoying. The 15 seconds delay is a good compromise. You can see the current policies with `ykman openpgp info`, for example: Loading Loading @@ -730,22 +744,7 @@ after a delay, respecting the `default-cache-ttl` and `max-cache-ttl` settings from `gpg-agent.conf`, but alas this do not currently take effect. Ultimately, I ended up setting all to `cached`: ykman openpgp keys set-touch sig cached ykman openpgp keys set-touch enc cached ykman openpgp keys set-touch aut cached The rationale is this: * `sig on` is absolutely painful if you go through a large rebase and need to re-sign a lot of commits * `enc on` is similarly hard if you are decrypting a large thread of multiple messages * `aut` is mentioned above, and in fact I sometimes just flip back `aut off` for some batches that take longer than 15 seconds It should be noted that the `cache` setting is a 15 seconds delay It should also be noted that the `cache` setting is a 15 seconds delay *total*: it does *not* reset when a new operation is done. This means that the entirety of the job needs to take less than 15 seconds, which is why I sometimes completely disable it for larger runs. Loading