
What is the Harden configuration used for?

Open agent-kimbley opened this issue 3 years ago • 3 comments

agent-kimbley avatar Apr 13 '22 13:04 agent-kimbley

For some people there is the reasonable concern over the security of the private key. The private key can only really be secure if the machine upon which the key was made was secure. If there are ANY vulnerabilities in the machine that can be compromised, then the user cannot be certain that their machine is secure at the time of private key creation.

If the machine can be compromised, then in theory the machine could already be compromised, giving the attacker the opportunity to steal the private key upon creation (if locally created and not created on the Yubikey itself), together with the passphrase if the attacker has installed a keylogger.

This is not as big an issue if the keys are created on the Yubikey itself, although there is the possibility of the passphrase being compromised.

For this reason some people feel that they need to secure their creation process further by ensuring the key(s) are created on a system that

  1. has been hardened
  2. has been created on an amnesiac operating system like TAILS OS or Whonix
  3. has been created on a machine that is NEVER physically connected to the network

My personal choice is TAILS OS

iandstanley avatar Jun 02 '22 21:06 iandstanley

What exactly does it mean for a system to have been hardened?

agent-kimbley avatar Aug 02 '22 08:08 agent-kimbley

A system is typically 'hardened' by a combination of the following actions:

  • turn off all un-needed services (the more things that are running, the more code running, more bugs running, more possible ways of attacking the system)
  • restricting user abilities to certain roles and restricting higher privileges with a further restriction (this could mean manually re-authenticating before execution, the use of 2FA before login or execution etc)
  • sometimes includes the use of encrypted drives
  • turn off any default behaviours that are generally considered bad (e.g. default privileged passwords, superuser logins etc.)
  • a security audit of the system

Plus a bunch of other tasks dependent on the system involved

--

Ian Stanley


iandstanley avatar Aug 02 '22 11:08 iandstanley

Thanks for jumping in here @iandstanley I'll add some color on the next update.

drduh avatar Aug 21 '22 18:08 drduh
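
Some of the hardening actions listed in the thread above (un-needed services off, no superuser logins, no network connection) can be checked on a Linux host before keys are generated. The script below is an added example, not part of the original thread or of the YubiKey-Guide project; the function names and the fixture tree are assumptions made for illustration.

```shell
# Added example, helper names are illustrative. Audits a key-generation host by
# reading Linux /sys, /proc and sshd_config under a root prefix ("/" = live).

# Names of non-loopback interfaces whose link is up (air-gapped host: none).
ifaces_up() {
    for f in "$1"/sys/class/net/*/operstate; do
        [ -r "$f" ] || continue
        n=$(basename "$(dirname "$f")")
        if [ "$n" != lo ] && [ "$(cat "$f")" = up ]; then printf '%s\n' "$n"; fi
    done
}

# Number of TCP sockets in LISTEN state (st column 0A in /proc/net/tcp*).
listeners() {
    n=0
    for f in "$1/proc/net/tcp" "$1/proc/net/tcp6"; do
        [ -r "$f" ] && n=$((n + $(awk '$4 == "0A"' "$f" | wc -l)))
    done
    echo "$n"
}

# True if sshd_config explicitly sets "PermitRootLogin yes".
root_ssh_allowed() {
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$1/etc/ssh/sshd_config" 2>/dev/null
}

# Print one line per finding; the return status is the number of findings.
audit() {
    bad=0
    up=$(ifaces_up "$1" | tr '\n' ' ')
    [ -z "$up" ] || { echo "FAIL network link up: $up"; bad=$((bad + 1)); }
    l=$(listeners "$1")
    [ "$l" -eq 0 ] || { echo "FAIL $l listening TCP socket(s)"; bad=$((bad + 1)); }
    if root_ssh_allowed "$1"; then echo "FAIL sshd permits root login"; bad=$((bad + 1)); fi
    [ "$bad" -eq 0 ] && echo "OK no findings"
    return "$bad"
}

# Constructed fixture (not real host data): eth0 up, one listener, root SSH on.
sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/sys/class/net/lo" "$d/sys/class/net/eth0" "$d/proc/net" "$d/etc/ssh"
    echo unknown > "$d/sys/class/net/lo/operstate"
    echo up > "$d/sys/class/net/eth0/operstate"
    printf '  sl  local_address rem_address   st\n   0: 00000000:0016 00000000:0000 0A\n   1: 0100007F:9C40 0100007F:0016 01\n' > "$d/proc/net/tcp"
    echo 'PermitRootLogin yes' > "$d/etc/ssh/sshd_config"
    echo "$d"
}

r=$(sample_root); audit "$r" || echo "findings: $?"; rm -rf "$r"
```

Run `audit /` to check the live system. A link that is down at audit time does not show the machine was never connected, and the script covers only TCP listeners, link state and the sshd root-login setting.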