On 04/15/2018 07:43 AM, YunQiang Su wrote:
> On Sun, Apr 15, 2018 at 5:09 AM, Thomas Goirand <z...@debian.org> wrote:
>> Forgot "Yubikey" in the subject line ... :)
>
> How many bits does it support?

The keys support storing 3 4096-bit subkeys, for auth, encryption and signing. You're not supposed to store your master key in the Yubikey; instead you'd just save the master key far away in a safe place. The only issue is that then, you can't exchange key signatures using only the Yubikey, but I guess that's fine.

At Infomaniak, we have a master key without expiration, and the 3 subkeys expire within 365 days, and are renewed every year.

You can also use a GPG-derived ssh key, which is what we use for the everyday auth to servers. Typing "ssh-add -L" shows the private part of the ssh key, and the gpg-agent then takes care of the auth. I also use that ssh key for logging into Debian servers (and for the Git in Salsa).

Knowing that my laptop doesn't hold any ssh or gpg key is nice. When I leave my desk, I just lock my desktop the normal way, remove the Yubikey and go. The Yubikey is way smaller to carry than my laptop... :P

Cheers,

Thomas Goirand (zigo)
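
The key policy described in the message above (master key without expiration, signing, encryption and authentication subkeys each living at most 365 days) can be checked against `gpg --list-keys --with-colons` output. This is an added example, not part of the original post: the function name `audit`, the 30-day renewal warning window, the sample key IDs and dates are all constructed, and timestamps are assumed to be epoch seconds.

```python
from datetime import datetime, timezone

# Constructed sample of `gpg --list-keys --with-colons` output (made-up key IDs).
# Fields used: 1=type, 2=validity, 5=key ID, 6=created, 7=expires, 12=capabilities.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::cSC::::::23::0:
uid:u::::1500000000::0000::Example User <user@example.org>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1523750400:1555286400:::::s::::::23:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1523750400:1555286400:::::e::::::23:
sub:u:4096:1:DDDDDDDDDDDDDDDD:1523750400:1555286400:::::a::::::23:
"""

def audit(colons, now, max_days=365, warn_days=30):
    """Return a list of policy findings; an empty list means compliant."""
    findings, seen = [], set()
    for line in colons.splitlines():
        f = line.split(":")
        if len(f) < 12 or f[0] not in ("pub", "sub"):
            continue
        keyid, created, expires, caps = f[4], f[5], f[6], f[11]
        if f[0] == "pub":
            # The master key is kept offline and is expected never to expire.
            if expires:
                findings.append(f"{keyid}: master key has an expiration date")
            continue
        if f[1] == "r":
            continue  # revoked subkeys do not count towards the policy
        seen.update(c for c in caps if c in "sea")
        if not expires:
            findings.append(f"{keyid}: subkey never expires")
            continue
        if (int(expires) - int(created)) / 86400 > max_days:
            findings.append(f"{keyid}: subkey lifetime exceeds {max_days} days")
        left = (int(expires) - now.timestamp()) / 86400
        if left < 0:
            findings.append(f"{keyid}: subkey expired")
        elif left < warn_days:
            findings.append(f"{keyid}: renew within {int(left)} days")
    # One subkey per capability: sign (s), encrypt (e), authenticate (a).
    for cap in "sea":
        if cap not in seen:
            findings.append(f"no [{cap}] subkey present")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, datetime.now(timezone.utc)):
        print(finding)
```
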