YubiKey at Datadog

• Summary
• Estimated burden and prerequisites
• U2F
• GPG
• git
• SSH
• Reset
• Troubleshooting
• Optional
• References

Summary

GPG is useful for authenticating yourself over SSH and / or GPG-signing yourgit commits / tags. However, without hardware like theYubiKey, you wouldtypically keep your GPG private subkeys in "plain view" on your machine, evenif encrypted. That is, attackers who personally target[1,2,3,4] youcan compromise your machine can exfiltrate your (encrypted) private key, andyour passphrase, in order to pretend to be you.

Instead, this setup lets you store your private subkeys on your YubiKey.Actually, it gives you much stronger guarantees: you cannot authenticate overSSH and / or sign GPG commits / tags without: (1) your YubiKey plugged in andoperational, (2) your YubiKey PIN, and (3) touching your YubiKey. So, even ifthere is malware trying to get you to sign, encrypt, or authenticate something,you would almost certainly notice, because your YubiKey will flash, asking foryour attention. (There is the "time of check to time ofuse" issue,but that is out of our scope.)

Estimated burden and prerequisites

About 2-3 hours. 15 minutes could save you 15% or more on cybersecurityinsurance.

You will need macOS with Homebrew / Ubuntu / Archlinux, a password manager, and aYubiKey 5.

U2F

STRONGLY recommended: configure U2F forGitHubandGoogle.

GPG

Please read and follow all of the instructions carefully.

$ ./gpg.sh

(Protip: set TEMPDIR=1 when preparing YubiKey for someone else to avoidpolluting your default GPG homedir.)

git

STRONGLY RECOMMENDED: signing your git commits and tags.

You must first set up GPG.

Then, to sign git commits and tags for a particular repository:

$ ./git.sh /path/to/git/repository

Or, to sign git commits and tags for all repositories:

$ ./git.sh

SSH

NOT recommended unless you plan to use your GPG authentication subkey asyour only SSH authentication key.

You must have first set up GPG. Then:

$ ./ssh.sh

## Reset

If you need to reset YubiKeys, you may use the following script. The script looks for every plugged YubiKey,
and shows a menu to reset one specific key, or all of them.
**Please read and follow all of the instructions carefully. YOU WILL NOT BE ABLE TO RETRIEVE KEYS/DATA FROM THE YUBIKEY AFTER COMPLETION.**

```bash
$ ./reset.sh

Troubleshooting

Go here for troubleshooting common issues such as unblocking a blocked card, error when pulling or pushing with git over SSH, and rebasing with git.

Optional

Go here for support on optional bits such as Keybase, VMware Fusion, Docker Content Trust, signing for different git repositories with different keys, and configuring a computer to use an already configured YubiKey.

References

1. YubiKey Handbook

2. A Git Horror Story: Repository Integrity With Signed Commits

3. Welp, there go my Git signatures

4. [Bitcoin-development] PSA: Please sign your git commits