I’ve been working on improving my day to day OpSec and with the crypto token stuff I’ve been working on, it’s gotten even more important. This is the result of a lot of research and fiddling with hardware tokens. Separate pieces of hardware that work in conjunction with passwords (or password manager) to further secure your digital footprint.
Please do with it what you may.
Each of the hardware tokens described here has been researched heavily and/or I've had the chance to use it. Of these three, you'll likely want to buy one and put it to proper use adding additional OpSec and security to your digital footprint (life). Please read through the descriptions; there are some trade-offs you'll need to consider prior to purchase.
Ledger Nano S
The Ledger Nano S (product link) is a reasonably small (slightly bigger than keychain sized IMHO) hardware token with a ton of features. It's designed around being a hardware wallet for crypto tokens but has a lot more practical applications. It's the first real competitor to the Yubico hardware tokens IMHO. Others exist, yes, but the Ledger Nano S really shines and competes directly with the Yubico offerings. Even if they didn't mean to, they succeeded.
Features / Notes
- NEEDS a USB Cable
- Firmware updatable
- App manager + App configuration
- U2F (details [link])
- OpenPGP Smart Card (details [link])
- PGP+SSH Agent (details [link])
- Windows Hello integration (details [link])
- Rudimentary password manager
- NO PIV support (yet?)
- Partial Yubico OTP support; no Yubico cloud validation support (details [link])
If you use crypto token wallet apps, remove them from the Ledger when they are no longer in use. That way a thief or attacker who gets hold of the device cannot tell which coins you may or may not have used.
Yubico
The Yubico hardware tokens (product comparison link) are probably the most common and recognized tokens on the market to date. They support a wide array of features, offer nearly identical features across the whole product line and are quite small. They are great keychain companions and do a lot to improve the security of your credentials. If you don't care and 'just want a token', buy one of these.
Features / Notes
- Integrated USB connector
- NFC on NEO models
- NOT firmware updatable
- CANNOT manage apps, only basic setup of apps/applets
- Yubico OTP (Pre-programmed / setup)
- U2F (details [link])
- PGP Smart Card (details [link])
- PIV (details [link])
Nitrokey
The Nitrokey hardware tokens (product comparison link) are the primary competitor to the Yubico tokens. I've reviewed their online comparison breakdown many times and… I can't bring myself to buy one. They are larger than the Yubico offerings and have very different features between the models (only partial parity to the Yubico offerings per model). Having said that, they do support firmware updates. That's about the only compelling feature I can find when compared to a Yubico offering.
I really can’t say more or recommend. Unless you see something that pushes you this direction ‘on principle’ I would avoid them.
Features / Notes
- Most of the features above, but no single model has all of them
- Encrypted storage feature in the ‘Storage’ model (this is missing from the above)
- Nitrokey Storage and Nitrokey Pro are best options based on comparison table
- Not recommended given Yubico and Ledger Nano S have more comprehensive feature sets
Additional resources (PGP Smart Card)
This article (link) is an informative how-to on setting up a Yubikey as an OpenPGP smart card. Even better: it can be abstracted / re-used to a degree with the Ledger Nano S OpenPGP smart card app. Read the docs on the Ledger Nano S OpenPGP smart card implementation before applying anything in this article. Otherwise, it's a great go-to for getting under way with some of the OpenPGP stuff.
I haven't gone through the full guide yet. It's on my to-do list once I get my hands on one more hardware token. At that point I'll be setting up both the Ledger Nano S and a Yubikey 4 as OpenPGP smart cards for signature, encryption and code signing purposes. The guide lays out a lot of great information and I intend on putting the info to practical use.
What Am I Doing?
The Ledger Nano S and a pair of Yubikeys. Sounds a little strange, I know. Hear me out.
Ledger Nano S
My crypto token 'stuff' is set up to be wholly separate from my day to day computing (OpSec). I have a dedicated network, hardware and a bunch of other tech in place to ensure that anything I do with crypto tokens is kept separate from my day to day computing environment(s).
I’m going to be using the Ledger Nano S for some wallets (yay light wallets!) as well as U2F and OpenPGP smart card purposes. It’s not a big piece of hardware, I already have dedicated equipment and it’s not extra hassle. I have extra hassle coming out of my ears on other fronts. The Nano S is a drop in the proverbial bucket.
Even better? It’s a separate piece of identity and verification I can use specifically for my crypto token work as well as anything I do related to crypto tokens. Code signing, encrypted e-mail, wallets, signatures, git commits, etc. Heck, I can leverage the OpenPGP smart card stuff as an SSH identification provider simplifying some of my SSH key management.
It's a great blend of purposes wrapped up into a really nice and easy to use package. On top of that, I can guard it like the precious object it is, no different than my dedicated computer for crypto tokens.
Yubikeys
Yes, a pair of Yubikeys. For my personal 'stuff' only.
One Yubikey NEO for Yubico OTP. This singular Yubikey will be used to secure LastPass. Period. Nothing more. It has NFC and integrates with LastPass on Android, it's keychain sized, it has a USB connector. It's exactly what I want in a 2FA token for LastPass. It's also dedicated to LastPass. It's the one thing I have to protect. It's a required, nay, critical line of defense.
One Yubikey 4 for OpenPGP smart card. I’ll use this for my PGP identity, signing things and encrypting things. Things like my git sources, e-mail, SSH auth and whatever else I can throw PGP at. This is my personal identity. The stuff I do for myself (and others via OSS/OSHW) and nothing more. It’s even small enough to put on my keyring alongside a Yubikey NEO if I need to carry it along for a ride.
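The SSH-over-OpenPGP setup mentioned for both the Ledger Nano S app and the Yubikey 4 hinges on gpg-agent's SSH agent emulation. The snippet below is an added example, not code from the post: it enables that option idempotently and prints the line that redirects ssh to gpg-agent's socket. It assumes GnuPG 2.1 or later is installed; the function names and the fallback socket path are my own.

```shell
#!/bin/sh
# Added example (not from the post): make gpg-agent serve the OpenPGP card's
# authentication key as an SSH identity. Assumes GnuPG 2.1+ (gpgconf, gpg-agent).

# Append enable-ssh-support to gpg-agent.conf once, then print the file's path.
# $1 = GNUPGHOME directory (defaults to ~/.gnupg). Safe to call repeatedly.
write_gpg_agent_conf() {
    home="${1:-$HOME/.gnupg}"
    mkdir -p "$home" && chmod 700 "$home"
    conf="$home/gpg-agent.conf"
    # -x matches the whole line, so a commented-out copy is not mistaken for it.
    if ! grep -qx 'enable-ssh-support' "$conf" 2>/dev/null; then
        printf '%s\n' 'enable-ssh-support' >> "$conf"
    fi
    chmod 600 "$conf"
    echo "$conf"
}

# Print the shell line that points ssh at gpg-agent's SSH socket.
# gpgconf knows the real socket location; the fallback path is an assumption
# for hosts without gpgconf and may not match every GnuPG build.
ssh_auth_sock_line() {
    if command -v gpgconf >/dev/null 2>&1; then
        sock=$(gpgconf --list-dirs agent-ssh-socket)
    else
        sock="${GNUPGHOME:-$HOME/.gnupg}/S.gpg-agent.ssh"
    fi
    printf 'export SSH_AUTH_SOCK=%s\n' "$sock"
}

# (Re)start the agent so the new option takes effect, then list served keys.
# With the card plugged in, its authentication key shows a "cardno:" comment,
# which is the public half to paste into authorized_keys.
list_card_ssh_keys() {
    gpgconf --kill gpg-agent
    gpgconf --launch gpg-agent
    ssh-add -L
}
```

Put the `export SSH_AUTH_SOCK=...` line in your shell profile so every new terminal talks to gpg-agent instead of ssh-agent.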
Seems odd, but I like to keep things segregated in my mind and physically. No accidental signing of an e-mail, no accidental signing of a commit, no doubling down on a single point of failure. I'd be remiss if I couldn't sign code (once I start) but it's certainly not going to be the end of the world. It would be far worse if I lost the Yubikey protecting LastPass. I like to ensure that I don't have an indifferent attitude towards the thing keeping my passwords and secrets safe. Hence the separation: one that I guard closely, the other that is important but can be lost at the end of the day.