Ybdec is a simple tool that can be used to encrypt and decrypt payloads using asymmetric PIV keys on your YubiKey.
G1gg1L3s/ybdec
ybdec

Ybdec is a simple tool that can be used to encrypt and decrypt payloads using asymmetric PIV keys on your YubiKey. It uses P-256 keys for HPKE encryption and decryption. The tool can serve as a building block in more advanced systems, for example for unlocking password managers or storing sensitive data.

It can:

  • Generate keys.
  • Encrypt data to a public key using HPKE in base mode.
  • Decrypt data in HPKE base mode using one of the YubiKey's PIV keypairs.
  • Stash and fetch data directly on the YubiKey.

For CLI usage see doc/USAGE.md.

Examples

To generate a key:

$ export YUBIKEY_MANAGEMENT_KEY=010203040506070801020304050607080102030405060708
# Slot 9d is already the default slot for ybdec; it is only shown here explicitly.
# The touch policy also defaults to `always`, which means that a touch is
# required on each operation.
$ ybdec generate --touch-policy always --slot 9d
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElP5zkkzoOETEPAXSeDoj0OIdYuj3
GXBQ/zee71xXvOb9eyEkbyamFTzw7jw+eJU7bpa0jp4PU8XAPuntL5dA/w==
-----END PUBLIC KEY-----

Warning: this will overwrite the key already in that slot, so be careful!

You can also generate the key with other YubiKey tools, for example yubikey-manager.

To export the public key:

$ ybdec pubkey --slot 9d
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElP5zkkzoOETEPAXSeDoj0OIdYuj3
GXBQ/zee71xXvOb9eyEkbyamFTzw7jw+eJU7bpa0jp4PU8XAPuntL5dA/w==
-----END PUBLIC KEY-----

To encrypt something for the key:

$ printf hello | ybdec encrypt --to-self 9d | base64 -w 0
eWJkZWMwBBVMmQhF18wboRANt+jXL9CvCoN9fnX0oZJWeoF2bxDBVOHD5ZNlyIi9tblfcM8zTDSLcALFYpEgEVww8YPmVjYczpcDiyAsQ4p1e+7GhXtx3TEGFxc=

You can stash encrypted data to the YubiKey itself:

$ export YUBIKEY_MANAGEMENT_KEY=010203040506070801020304050607080102030405060708
$ printf hello | ybdec encrypt --to-self 9d | ybdec stash

Then you can fetch the ciphertext and decrypt it with the YubiKey:

$ export YUBIKEY_PIN=123456
$ ybdec fetch > ciphertext
$ ybdec decrypt --slot 9d -i ciphertext
hello
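The HPKE base-mode exchange behind `ybdec encrypt` and `ybdec decrypt`, as an added example in Go written against RFC 9180 (it is not ybdec's own code, and the project's wire format and info string are not assumed): DHKEM(P-256, HKDF-SHA256), HKDF-SHA256 and AES-128-GCM in a single-shot Seal/Open. Open takes the ECDH step as a callback to show that it is the only operation that needs the private key, which is why the key can stay on the YubiKey while the KDF and AEAD run on the host. The labels and suite ids are RFC 9180's; the enc || ciphertext framing, the info/aad values and `NewRecipientKey` are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)
var kemID, hpkeID = []byte("KEM\x00\x10"), []byte("HPKE\x00\x10\x00\x01\x00\x01") // RFC 9180 ids: KEM 0x0010, KDF 0x0001, AEAD 0x0001
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func hmacSHA256(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(bytes.Join(parts, nil))
	return m.Sum(nil)
}
// LabeledExtract / LabeledExpand (RFC 9180 §4): HKDF-SHA256 with "HPKE-v1" and the suite id bound into every input.
func labeledExtract(suite, salt []byte, label string, ikm []byte) []byte {
	return hmacSHA256(salt, []byte("HPKE-v1"), suite, []byte(label), ikm)
}
func labeledExpand(suite, prk []byte, label string, info []byte, n int) []byte { // n <= 32 here, so block T(1) suffices
	return hmacSHA256(prk, []byte{byte(n >> 8), byte(n)}, []byte("HPKE-v1"), suite, []byte(label), info, []byte{1})[:n]
}
// Base mode, no PSK: KEM shared secret from the ECDH output and enc || pkR, then the AEAD key and base nonce.
func keySchedule(dh, enc, pkR, info []byte) (cipher.AEAD, []byte) {
	ss := labeledExpand(kemID, labeledExtract(kemID, nil, "eae_prk", dh), "shared_secret", bytes.Join([][]byte{enc, pkR}, nil), 32)
	ctx := bytes.Join([][]byte{{0}, labeledExtract(hpkeID, nil, "psk_id_hash", nil), labeledExtract(hpkeID, nil, "info_hash", info)}, nil)
	secret := labeledExtract(hpkeID, ss, "secret", nil)
	gcm := must(cipher.NewGCM(must(aes.NewCipher(labeledExpand(hpkeID, secret, "key", ctx, 16)))))
	return gcm, labeledExpand(hpkeID, secret, "base_nonce", ctx, 12) // one message (seq 0), so nonce == base_nonce
}
func NewRecipientKey() (*ecdh.PrivateKey, error) { return ecdh.P256().GenerateKey(rand.Reader) }
// Seal needs only the recipient public key. Framing in this example: enc (65-byte uncompressed point) || ciphertext.
func Seal(pkR *ecdh.PublicKey, info, aad, pt []byte) []byte {
	skE := must(ecdh.P256().GenerateKey(rand.Reader))
	enc := skE.PublicKey().Bytes()
	gcm, nonce := keySchedule(must(skE.ECDH(pkR)), enc, pkR.Bytes(), info)
	return append(enc, gcm.Seal(nil, nonce, pt, aad)...)
}
// Open takes the ECDH step as a callback since it alone needs the private key: skR.ECDH for a software key; for ybdec it is the YubiKey's PIV ECDH on the slot, where PIN and touch policy apply.
func Open(decap func(*ecdh.PublicKey) ([]byte, error), pkR *ecdh.PublicKey, info, aad, msg []byte) ([]byte, error) {
	pkE, err := ecdh.P256().NewPublicKey(msg[:min(65, len(msg))]) // errors unless a valid 65-byte uncompressed point
	if err != nil { return nil, err }
	dh, err := decap(pkE)
	if err != nil { return nil, err }
	gcm, nonce := keySchedule(dh, msg[:65], pkR.Bytes(), info)
	return gcm.Open(nil, nonce, msg[65:], aad) // fails on a wrong key, info or aad, and on any tampering
}
```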

Limitations

Due to how PC/SC works, it is hard to protect the YubiKey from concurrent access, so it is recommended not to run more than one process at a time. Otherwise you may get an error like this:

The smart card has been reset, so any shared state information is invalid
