secrets management

Yubikeys for Static Secrets

You can use your Yubikey to remember and type an arbitrary string, as well as using it as a OTP generator and a secure store for your SSH key. We use this so that we don’t have to remember our 1Password secret keys.

We use 1Password as our team secrets-management tool. It’s great, but every user needs to remember not only their username and password, but a 40-character secret key too. Normally this is saved on your machine, which is not ideal when you’re using shared computers.

The following steps show you how to configure a Yubikey to store your 1Password secret key, so that you can type with a simple button-press.

  1. Download and install the Yubikey Personalization Tool
  2. Open the Yubikey Personalization Tool, which looks like this:
  3. Insert your Yubikey, checking that it shows up in the right-hand side of the window:
  4. Click Static Password:
  5. Click Scan Code:
  6. Select “Configuration Slot 2”. If you accidentally use the first slot, you’ll overwrite the configuration that allows your Yubikey to work as an OTP generator. That would be bad.
  7. Choose a keyboard layout:
  8. Log in to 1Password:
  9. Click on your name and then select “My Profile” from the dropdown menu:
  10. Copy your Secret Key from under the “Sign-In Details” section:
  11. Paste your Secret Key into the Password box of the Yubikey Personalization Tool. I’ve obfuscated mine for obvious reasons!
  12. Remove all the dashes, as these are not needed and cause the key to be too long. You should end up with a string of 34 characters.
  13. Double-check that you’ve selected Configuration Slot 2, otherwise you’ll b0rk your OTP functionality.
  14. Click Write Configuration, which commits the changes to the Yubikey:
  15. Save the configuration log somewhere secure - it contains your secret.
  16. Open 1Password in a new incognito browser window.
  17. Give focus to the Secret Key field.
  18. Press and hold the Yubikey button for 3-4 seconds. If you get the wrong string, you probably didn’t hold it for long enough.
  19. Observe your very long and hard-to-remember secret key being typed into the field!

Et voila! You no longer need to remember that very long secret key, leaving you with just your username and password.

Combined with securely storing your SSH key, and reducing the amount of 2FA faff, using a Yubikey makes it drastically easier to practice secure development.

Leave your Comment