
My current security model (at least for passwords) is to store them encrypted at rest and use GPG (in combination with a Yubikey) to perform encryption / decryption. I'm using pass (https://www.passwordstore.org/) to help automate the process for encryption / decryption. These files are stored 0700 and I plan to synchronize them to either iCloud Drive or a proper git repository (at some point). Right now I'm just backing them up to an Ironkey (D20402A). I am using 4096 bit subkeys for GPG encryption / decryption.

TOTP codes however, I still store on my iPhone (using Google Authenticator). I know there are third party solutions like Authy but I'd like to migrate away from my phone if at all possible.

Ideally I'd like to store my TOTP secret keys in a way that can be retrieved (and adequately backed up) from my computer for easier scripting and automation. There are some services like AWS that require a TOTP code alongside my normal authentication credentials, which is motivating this.

Would storing these TOTP secrets alongside my passwords (provided both are encrypted) be safe enough, or is it just a bad idea? The way I see it there are basically four items necessary for somebody to unlock my keys:

  • Physical computer (full-disk encryption using APFS) or Ironkey
  • Physical Yubikey (or the backup, or the master key backup)
  • Disk or Ironkey decryption password
  • My Yubikey PIN

There's a tool called https://github.com/tadfisher/pass-otp that I may use for this.

I'm torn on whether this is an acceptable security solution. On one hand, the "second factor" aspect that TOTP brings is subverted by storing all the secrets on a single device.

On the other hand, I am reasonably confident that the device and methods I plan on using around my proposed solution are adequate enough to protect this data. I recognize all of this flies out the window if my machine itself is compromised (but that leaves me screwed in any situation).

Aea
  • You mention a Yubikey -- is that where you keep the encryption keys used with pass? If that's the case, then you should be okay putting TOTP secret keys into pass as well, since decrypting them requires 2-factor and there is no net loss in security. – mricon Sep 05 '18 at 18:27
  • @mricon yes, the private key is stored on the Yubikey and AFAIK cannot leave the device. – Aea Sep 05 '18 at 18:31

1 Answer

Since you mention that you use smartcard features of your Yubikey to store the PGP encryption key necessary to access the pass database, I would say that it is okay to keep TOTP shared secrets in pass alongside other password data. TOTP is a mechanism to ensure 2-factor authentication, so as long as you require the Yubikey to decrypt them, you are still using 2 factors (yubikey = something you have, the PIN = something you know).

There is an important caveat here, though -- there is a lot more application sandboxing happening on modern Android phones than there is on a modern Linux workstation. Anyone who can execute code on your workstation (as your user) will likely be able to grab those TOTP secrets from RAM or by waiting till you insert the yubikey and decrypting them directly once they know the PIN. On the other hand, the storage and memory belonging to a TOTP application on your phone will be generally better isolated from other applications you're using, so it would require a root-level compromise before an attacker can access the secrets stored in a TOTP app.

If that is an acceptable trade-off for you, then you can put those shared TOTP secrets into pass. If not, then you should stick with keeping them on the smartphone.

mricon