
How SOL are you if you lose one of these? With 2factor QR codes, you can save the picture as a "backup" or generate backup codes through the service.

I haven't carried a thumb drive in a while, but I personally have lost a couple before...



It depends what you use it for, and how you set it up. Aside from the Heads/Librem specific features, this is basically the same as a NitroKey/YubiKey. So:

- For use as a key storage device / GPG smartcard, you should have the usual contingencies in place (e.g. backups of decryption keys, alternative signing/auth keys). Only GPG nerds are likely to use this feature.

- For MFA use, you can list an additional device as another acceptable factor. E.g. a second key, or an authenticator app on your phone.

The Heads boot validation stuff is non-blocking; you can still boot into a system without verifying the boot partition/BIOS. Alternatively, there’s no reason you couldn’t fall back to TOTP on a phone, though I’m not sure if the interface supports that currently.

Source: I put everything on a YubiKey, then lost it.


You generally do one (or both) of two things with hardware security devices:

* You buy multiple devices and configure your systems to honor both, as a backup plan.

* You back up your keys or their artifacts to paper or a small drive and keep that somewhere safe.

If you do neither of those things, and you lose the hardware key, you are either (a) boned or (b) using an insecure system where the key is just theater.


Isn't the point of this device that it generates the private key onboard and never divulges it? Or does it have a one-way lever you have to pull at the beginning before which it's possible to sync the key to another device or download and print it?


You can literally export the RSA key from some of these keys (for backup purposes), but you can also just enroll multiple keys in whatever system you're using them with (or, you can enroll a software-based key, which you then keep only on a disconnected storage device).


Most devices offer a backup mechanism where the key material is encrypted and can only be imported into a device of the same type. For HSMs this is called wrapping a slot's key material with a wrap key. With gnupg you are allowed to export the key, or generate it on your computer and transfer it to the device.

Some services allow you to configure multiple separate keys, so different private keys. Lastpass for example.


FYI, if you scan those QR codes (plenty of phone apps for this) you can get the text of the secret and save that somewhere. Much easier to work with than a picture.



