2

Using a hardware security token as a second factor is generally considered quite a boost in security. But one of the issues I'm having is how to back up the (digital) keys used in the hardware device (especially in cases when just adding multiple hardware keys is not desired or an option).

I'm currently using an open source hardware device from SoloKeys (https://solokeys.com/). This device also allows interaction via a commandline application (https://github.com/solokeys/solo-python) which would give the possibility to generate a custom digital key to be used on that device (that idea is also used for the DiceKeys, see https://www.crowdsupply.com/dicekeys/dicekeys).

From what I understand this should give the possibility to:

  1. generate a digital key on an airgapped computer e.g. using dd if=/dev/urandom of=KEYFILE bs=256 count=1
  2. backup that file into a password manager
  3. use that file to generate the key on the hardware security device

In case the hardware device gets lost, it should be trivial to 'regenerate' a new one using a new hardware device and the stored keyfile.

Now my questions are:

  1. how can I do that?
  2. is that considered to be a smart thing to do, or am I missing something?
n0542344

2 Answers

1

Hmm... the point in storing private keys in hardware devices is that the private key cannot be copied outside of the hardware device. That way it becomes something you have, in the sense that it cannot be owned at the same time by more than one single human being. The rationale behind this is that if the key is stolen, the owner should notice it quickly.

As soon as it is possible to generate a copy of the hardware device, it loses its uniqueness: an attacker could manage to build (and sell or use) a copy of the private key without the official owner being aware of the fact.

Long story made short: DON'T. Just don't. Best practices instead recommend being ready to invalidate an existing key (this is the role of the Certificate Revocation List for X.509 certificates) and generate a new one. You just install the new public key as a replacement for the old one.

Said differently, if you can make a copy of a private key stored in a hardware device, then it is useless to store it in that hardware device. Just register it in your phone or your computer...

Serge Ballesta
  • thanks for the reply! But in case you lose your hardware token: how are you able to access your account or data? Do you own multiple hardware tokens and have all of them registered in case you lose one of them? – n0542344 Oct 01 '21 at 13:36
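The following is an added illustration, not code from the question, the answers or the SoloKeys project. It models the scheme the question proposes (per-site keys derived from a backed-up seed file) together with the relying-party check that is the main practical defence against the problem the answer raises: the FIDO/WebAuthn signature counter, which must increase on every assertion and otherwise indicates that a second copy of the credential is in use. HMAC-SHA256 stands in for the ECDSA signatures a real authenticator produces, the seed bytes and relying-party name are constructed, and the counter semantics follow the WebAuthn specification.

```python
"""Seed-derived FIDO-style authenticator plus the relying party's
signature-counter check.  HMAC-SHA256 is used as a stand-in for ECDSA so the
example runs on the standard library alone."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def derive_credential_key(seed: bytes, rp_id: str, cred_id: bytes) -> bytes:
    # Deterministic per-credential key: same seed + same credential id gives
    # the same key, which is what makes a device "regenerated" from the backed
    # up seed file work against registrations made by the lost device.
    return hmac.new(seed, rp_id.encode() + cred_id, hashlib.sha256).digest()


@dataclass
class Authenticator:
    seed: bytes          # contents of the KEYFILE from the question
    counter: int = 0     # FIDO signature counter, incremented on every assertion

    def register(self, rp_id: str) -> tuple[bytes, bytes]:
        cred_id = os.urandom(16)
        return cred_id, derive_credential_key(self.seed, rp_id, cred_id)

    def assertion(self, rp_id: str, cred_id: bytes, challenge: bytes) -> tuple[int, bytes]:
        self.counter += 1
        key = derive_credential_key(self.seed, rp_id, cred_id)
        msg = challenge + self.counter.to_bytes(4, "big")
        return self.counter, hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class RelyingParty:
    rp_id: str
    creds: dict = field(default_factory=dict)   # cred_id -> (key, last counter seen)

    def register(self, cred_id: bytes, key: bytes) -> None:
        self.creds[cred_id] = (key, 0)

    def verify(self, cred_id: bytes, challenge: bytes, counter: int, sig: bytes) -> str:
        key, last = self.creds[cred_id]
        msg = challenge + counter.to_bytes(4, "big")
        if not hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), sig):
            return "invalid"
        # WebAuthn rule: a counter that did not increase since the last
        # assertion means another copy of this credential has been used.
        if counter <= last:
            return "clone-suspected"
        self.creds[cred_id] = (key, counter)
        return "ok"


def run_scenario() -> list[str]:
    seed = bytes(range(32))            # constructed stand-in for dd if=/dev/urandom output
    rp = RelyingParty("example.com")   # constructed relying-party name
    original = Authenticator(seed)
    cred_id, key = original.register(rp.rp_id)
    rp.register(cred_id, key)

    results = []
    # Two normal logins with the original device: counter 1, then 2.
    for _ in range(2):
        ch = os.urandom(32)
        results.append(rp.verify(cred_id, ch, *original.assertion(rp.rp_id, cred_id, ch)))

    # A second device provisioned from the same seed file.  Its key material is
    # right (the signature verifies) but its counter restarts at 0, so the
    # relying party sees a non-increasing counter and flags a possible clone.
    rebuilt = Authenticator(seed)
    ch = os.urandom(32)
    results.append(rp.verify(cred_id, ch, *rebuilt.assertion(rp.rp_id, cred_id, ch)))

    # A replacement that also restores the counter state passes; the check
    # only catches copies whose counters diverge, it cannot tell a legitimate
    # restore from an attacker's copy that was started ahead of the original.
    restored = Authenticator(seed, counter=original.counter)
    ch = os.urandom(32)
    results.append(rp.verify(cred_id, ch, *restored.assertion(rp.rp_id, cred_id, ch)))
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The point the scenario makes is the one in the answer: once the seed exists outside the token, the relying party can no longer distinguish the owner's restored device from an attacker's copy by key material alone; the signature counter is the only signal left, it fires only when two copies are both in use, and a copy that is started with a high counter silences it for the original owner. Re-registering a freshly generated credential after a loss avoids the problem entirely.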
0

For a key from SoloKeys, you can't do it. All the private keys are generated inside.

Since it is open source, if you modify the source and add your own software interface or even a special hardware interface, it is quite doable. But be sure to keep the interface and internal supporting logic at a high security level.

minghua