Personalizing yubikeys for passphrase management

Yubikeys are small hardware tokens supporting 2-factor authentication.

ykpersonalize is a very powerful tool for personalizing yubikeys. However it’s always challenging figuring out how to use it. I just tried the gui tool from and it’s great! I picked “challenge-response mode”, “HMAC-SHA1”, generated (and stored under pasaffe) a secret key, and committed that to slot 2 on two yubikeys. Then I did ‘ykchalresp -2 somepassphrase’ to generate a long random string like:


which i can prepend to hand-typed passphrases.

The things I like about this are that:

* I can re-specify the same secret key later on if I need a new yubikey
* I can store the strings resulting from ‘ykchalresp -2 passphrase’ if I ever want to stop using the yubikeys, without losing access to data protected with those keys
* If I lose the yubikey, nothing should be compromised
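The first two points rest on the response being a deterministic HMAC-SHA1 of the challenge under the slot secret, so anyone holding that secret can recompute it without the token. An added sketch (not from the original post) that does this in software, assuming the slot uses variable-length input and the challenge is under 64 bytes; the function names and sample secrets are hypothetical:

```python
import hashlib
import hmac

SECRET_LEN = 20      # bytes in a YubiKey HMAC-SHA1 slot secret
MAX_CHALLENGE = 63   # assumption: slot configured for variable-length input


def software_response(secret_hex: str, challenge: str) -> str:
    """Return the 40-hex-digit HMAC-SHA1 response for a text challenge."""
    secret = bytes.fromhex(secret_hex)
    if len(secret) != SECRET_LEN:
        raise ValueError("secret must be 20 bytes (40 hex digits)")
    data = challenge.encode("utf-8")
    if not 0 < len(data) <= MAX_CHALLENGE:
        raise ValueError("challenge must be 1 to 63 bytes")
    return hmac.new(secret, data, hashlib.sha1).hexdigest()


def same_response(secret_a: str, secret_b: str, challenge: str) -> bool:
    """Constant-time check that two slot secrets answer a challenge alike."""
    return hmac.compare_digest(software_response(secret_a, challenge),
                               software_response(secret_b, challenge))


if __name__ == "__main__":
    # Constructed sample values, not real secrets.
    primary = "0b" * 20
    spare = "0b" * 20    # second token programmed with the same secret
    other = "0c" * 20    # token programmed with a different secret
    print(software_response(primary, "Hi There"))
    print("spare matches:", same_response(primary, spare, "Hi There"))
    print("other matches:", same_response(primary, other, "Hi There"))
```

The stored secret is therefore as sensitive as the derived strings themselves: whoever reads it out of the password manager needs only the hand-typed passphrase to reproduce them.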

I need to think more about whether it’s worth it and whether there are any holes in my reasoning, of course. In the end it’ll only be worth it if it’s really more convenient than alternatives. A little pop-up gui which takes a passphrase without echoing it, feeds it to ykchalresp, and copies the output into xclip -i, and then maybe hangs around waiting for another confirmation after which it wipes it from the clipboard :), might help a lot.

Heck, like this:


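# needs dialog, ykchalresp, and xclip
pw=$(dialog --stdout --passwordbox "Yubikey challenge" 10 20)
# quote the passphrase so spaces and glob characters reach ykchalresp intact
output=$(ykchalresp -2 "$pw")
printf '%s' "$output" | xclip -i
echo "hit return to clear the clipboard"
read -r x
# overwrite the selection with an empty line
echo | xclip -i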

I think I may encrypt some redundant data this way and test this out on my next trip, as a test.
