[Pcsclite-muscle] Directly using RSA key of a smartcard

Michael Conrad mike at nrdvana.net
Fri Jun 23 16:30:25 PDT 2023


On 6/23/23 17:50, Douglas E Engert wrote:
> If you want to have no PIN required and have them use their existing RSA 
> key rather than overwrite it. Some problems:
>
>  * If their Yubikey is lost, stolen or borrowed, it could be used by 
> someone else with access to the computer room.
>  * Each of the users would have to have a file on server with the same 
> AES key encrypted with their RSA public key (in the certificate), so 
> script would have to identify the user to match the file
>    they encrypted. Should be easy by using the certificate name.
>  * If the locked up yubikey breaks, you will need a backup copy(s) on 
> another (Yubikey like you propose) or some way to retrieve and use the 
> AES key.
>  * Do you do disaster backups?  Does the backup have the encrypted or 
> unencrypted part of the ZFS in backup? If encrypted, you will need way 
> to get the AES key.

The normal operating state of the server is to have the volume 
unlocked.  If the yubikey is lost or stolen, the only danger is that 
someone steals the server and then has both pieces.  They'd have to pull 
the hard drives out and attach them to another computer and then read the 
scripts to figure out how to apply the yubikey to decrypt the volume and 
get the data.  But if the owner knows they lost the yubikey, they can 
tell me and I can revoke it easily, by deleting the encrypted file for 
that key.

I was planning to identify which encrypted file goes with which key just 
by using the key's serial number, but I could even just attempt 
decrypting all files and see if any successfully decrypts.

The AES key would be encrypted multiple ways, including a manual 
password that I could enter while logged into the server over SSH.  In 
fact this is the current status-quo, that I have to log into the server 
after any reboot in order to get things running again by entering a 
password.  The yubikey is just a convenient and relatively safe means of 
giving someone the ability to unlock the secure data without logging 
into the server.  The backups are also encrypted, currently with a 
password.  If we switch to this new idea, we will also make a backup of 
the password-encrypted AES key in a safe place.

It sounds like the biggest obstacle to using a user-provided yubikey is 
that there are a lot of configuration variables that could make it 
unusable for the script, unless maybe I ask them for their PIN and store 
that alongside the encrypted file.  Maybe we'll need to provide a 
pre-configured yubikey.  (or maybe I can find something cheaper that 
meets the requirements)

-Mike
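The key-handling scheme Mike sketches above (one AES volume key, a wrapped copy per user's RSA public key stored under that key's serial, a further copy under a manual password, lookup either by serial or by trying every file, and revocation by deleting a file) as an added, runnable example. This is not code from the thread or from any project discussed in it. It uses only the openssl command line, and the Yubikey's on-card RSA private key is stood in for by a software RSA key so the script runs offline; on the real server the single `openssl pkeyutl -decrypt` call is the step that would go to the token instead. The serials, file names and password are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Simulates the scheme Mike describes:
# one AES volume key, wrapped once per user under that user's RSA public key
# (file named by the key's serial) and once under a manual password.
# The Yubikey's on-card RSA private key is stood in for by a software RSA key
# so everything runs offline; on the real server the unwrap step would be the
# only thing handed to the token. All serials, names and the password are
# made up for the demo.
set -eu

WORK=${WORK:-$(mktemp -d)}
KEYSTORE="$WORK/keys"        # wrapped copies of the volume key live here
mkdir -p "$KEYSTORE"

# 32 random bytes, hex encoded, as the volume key.
make_volume_key() {
    openssl rand -hex 32
}

# Wrap the volume key for one user under their RSA public key.
# $1 = key serial (becomes the file name), $2 = public key PEM, $3 = key file
wrap_for_pubkey() {
    openssl pkeyutl -encrypt -pubin -inkey "$2" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$3" -out "$KEYSTORE/$1.rsa"
}

# Wrap the volume key under a password: the SSH fallback and the backup copy.
# $1 = key file, $2 = password
wrap_for_password() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt -pass "pass:$2" \
        -in "$1" -out "$KEYSTORE/password.enc"
}

# Unwrap one file with an RSA private key. With a Yubikey this is the one
# step the card performs; here it is a plain software key.
# $1 = wrapped file, $2 = private key PEM
unwrap_with_privkey() {
    openssl pkeyutl -decrypt -inkey "$2" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$1" 2>/dev/null
}

# Lookup by serial: the file name tells the script which copy to use.
# $1 = serial, $2 = private key PEM
unwrap_by_serial() {
    unwrap_with_privkey "$KEYSTORE/$1.rsa" "$2"
}

# The other option from the mail: try every copy and see which one decrypts.
# Prints the key and returns 0 on the first success, 1 if nothing unwraps.
# OAEP fails cleanly under the wrong key, which is what makes this safe.
# $1 = private key PEM
find_and_unwrap() {
    for f in "$KEYSTORE"/*.rsa; do
        [ -e "$f" ] || continue
        if out=$(unwrap_with_privkey "$f" "$1"); then
            printf '%s\n' "$out"
            return 0
        fi
    done
    return 1
}

# $1 = password
unwrap_with_password() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -pass "pass:$1" \
        -in "$KEYSTORE/password.enc" 2>/dev/null
}

# Revoking a lost or stolen key is just deleting its wrapped copy.
# $1 = serial
revoke_serial() {
    rm -f "$KEYSTORE/$1.rsa"
}

# Build the demo state: a volume key, two simulated Yubikeys (made-up serials),
# and the password copy.
setup_demo() {
    make_volume_key > "$WORK/volume.key"
    for s in 1234567 7654321; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$WORK/$s.priv" 2>/dev/null
        openssl pkey -in "$WORK/$s.priv" -pubout -out "$WORK/$s.pub"
        wrap_for_pubkey "$s" "$WORK/$s.pub" "$WORK/volume.key"
    done
    wrap_for_password "$WORK/volume.key" 'demo-password-only'
}

# Usage: "sh thisfile.sh demo" runs the whole flow and prints each path.
if [ "${1:-}" = "demo" ]; then
    setup_demo
    echo "by serial:      $(unwrap_by_serial 1234567 "$WORK/1234567.priv")"
    echo "by trying all:  $(find_and_unwrap "$WORK/7654321.priv")"
    revoke_serial 1234567
    find_and_unwrap "$WORK/1234567.priv" || echo "serial 1234567 revoked: no copy unwraps"
    echo "by password:    $(unwrap_with_password 'demo-password-only')"
fi
```

Two points worth noting for the real deployment. OAEP is chosen deliberately: a wrapped copy tried under the wrong key fails with a non-zero exit instead of yielding plausible-looking bytes, so the "try every file" loop can trust the exit status; with PKCS#1 v1.5 padding that is not a safe assumption. And because every wrapped copy is independent, deleting one file revokes that key without touching the others, which is the revocation step described in the mail.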
