So I'm at the Bitcoin conference, right? Guy next to me has this fancy Yubikey hanging from his lanyard like it's some kind of security holy grail. "Yo, you NEED one of these. Hardware security, can't be hacked, best thing ever."
Cool. I order one. 55€ later, it arrives.
Set it up for PGP. Follow all the tutorials. Move my subkeys onto it. Feel like a proper cypherpunk for about 5 minutes.
Then I try to certify someone's public key.
"Error: Cannot certify with subkey."
Wait, what?
Turns out the stupid thing can't actually certify keys. Only holds 3 subkeys anyway - sign, encrypt, authenticate. That's it. Want to certify someone's identity? Need your master key. Which obviously shouldn't be on the Yubikey because that defeats the entire point of keeping it offline.
So now I have this workflow:
- Boot Tails from USB for anything important (certifying keys, managing web of trust)
- Use Yubikey for... signing emails I guess?
The kicker? Still need to type a PIN every time I use the damn thing. So much for "convenient."
Don't get me wrong - it's not completely useless. Nice for traveling, protects the subkeys, whatever. But all those YouTube tutorials making it sound like the ultimate security solution? Yeah, no.
My airgapped Tails setup still does the heavy lifting. The Yubikey is just an expensive way to avoid typing
gpg --sign with a local key.Hardware can't fix stupid OpSec. Who knew?
Still keeping it though. Looks cool on the keychain. Maybe one day I'll find a proper use case that isn't just security theater.