Yeah, WKD is a first-class citizen in GnuPG. Creating signatures with "--sender $EMAIL" embeds e-mail in the signature and then gpg --auto-key-retrieve --verify will fetch the key via WKD without the need to touch keyservers.

One variation of this scheme is making Microsoft the CA that issues certs for free with some issuance limits.

For the record Google uses self-signed certs for Android apps.

Comments URL: https://news.ycombinator.com/item?id=23276303

Points: 53

# Comments: 17

The Conversations.im team also leaves in Germany so I wonder why won't they just utilize their own solutions? Or maybe that's being considered...

I don't mind putting my encrypted passwords in a private GitHub repo but I understand the concern.

[0]: https://crypto.stackexchange.com/q/8687

[1]: https://en.wikipedia.org/wiki/Curve25519

[2]: https://lists.gnupg.org/pipermail/gnupg-users/2020-March/063...

[3]: https://en.wikipedia.org/wiki/Curve448

Well, actually you can't. You can backup keys if you create them in software and then just copy then to YubiKeys instead of moving them there. If you do that in an offline computer there is no risk of any malware stealing your keys in mid-process: https://news.ycombinator.com/item?id=21701488

Setting up Yubikey and OpenPGP took me some time reading all resources on the net but once done this is just working without any hiccups.

> I'm not sure about storing the master keychein file in Git, but the workflow sounds interesting (I didn't fully understand the paragraph though).

If it's encrypted there is no much harm to be done here. The only leaking info is that by default pass uses filenames based on domain names so if you have credentials for news.ycombinator.com they'd be in "news.ycombinator.com.gpg" file. For me a private repo for this use case is OK.

Oh, there is a browser extension too: https://github.com/browserpass/browserpass-extension#browser...

> This is next level and not of immediate interest to me. I was looking at something simpler like: https://cryptomator.org/

Yep, I do store external disk passwords in pass too. Udiskie can use a decryption command so when I put something like this in the config: `password_prompt: ["pass", "devices/{id_uuid}"]` it will grab the password from password store. This has an added benefit that I won't forget the password (it's stored alongside all others) and it's always valid (it's checked on each boot by udiskie).

What are you especially interested in? Then I can provide you with details.

Some random links I used:

- https://btrfs.wiki.kernel.org/index.php/Incremental_Backup

- https://blog.eleven-labs.com/en/openpgp-secret-keys-yubikey-...

- enable touch-to-use so even malicious software cannot access your passwords: https://developers.yubico.com/PGP/Card_edit.html#_yubikey_4_...

- https://www.passwordstore.org/

- https://play.google.com/store/apps/details?id=dev.msfjarvis....

- https://aur.archlinux.org/packages/mkinitcpio-gnupg/ (I'm thinking on replacing this with PKCS#11, more keys to manage but PKCS#11 is supported natively with systemd so one less dependency).

Hmm... maybe I should really document that...

Isn't this just moving the goalpost because what if you forget safe combination?

Most of my security is based on OpenPGP keys stored on a Yubikey. In case the first one is broken/lost I've got another one. If both are lost there is a master copy on an offline computer that can be used to provision more Yubikeys.

The key unlocks access to passwords stored in pass. Because pass is based on git and gpg can be used to access SSH then the same yubikey is used to pull/push changes to pass and read encrypted passwords. On both the laptop and the phone (Password Store).

Data on the computer is LUKS-encrypted, unlocked by the Yubikey. Full backup of my laptop's SSD is done via btrfs send/receive to a raid1 array of 3 disks (raid1c3) on a regular intervals. A small subset if very important data (documents) is also backed up via restic to S3 and Backblaze.

I try to "backup" as much of my work as possible by releasing it as open-source (where it's preserved by the Github etc.) or publishing it on a web-site (where it's preserved by archive.org).

> In a similar vein: what happens to my data after I die? How would my (non-technical) family be able to access my pictures and writings? A digital inheritance would be prevented in my security set if I don't prepare.

I've been thinking about this lately and maybe it's not a popular opinion but... would people really need your data when you die? I get access to photos (my SO has the PIN code) but everything else? Maybe this is just digital junk? Who would enjoy browsing terabytes of my data looking for... what exactly?

(I did migrate my family and friends to self hosted XMPP server as Hangouts doesn't have E2EE)

This quote from the linked post would suggest otherwise.

It was not "someone else". Keybase is directly funded by Stellar (source: https://keybase.io/blog/keybase-stellar) and the crypto offering was just a PR/marketing move to increase adoption for crypto of Stellar not something "in the spirit of the company's focus on cryptography".

Git patch workflow doesn't support signed commits and some kernel devs explore alternative ways of signing [1].

[0]: https://mikegerwitz.com/2012/05/a-git-horror-story-repositor...

[1]: https://people.kernel.org/monsieuricon/introducing-b4-and-pa...

By "keybase providing alternative" do you mean that they have hosted, encrypted git repos?

Why keybase? Reading their crypto page (https://keybase.io/blog/crypto) leaves the impression that they took PGP and embrace-extend-extinguished it...

        switch (true) {
            case cellA > cellB: return 1;
            case cellA < cellB: return -1;
            case cellA === cellB: return 0;
        }

It does, but you need a more recent Yubikey with firmware 5.2.3 or later: https://support.yubico.com/support/solutions/articles/150000...