bron lewis

queer activist, technologist, writer, hacker

Let's talk about security! And travel!

But first, you should read the grugq's Stop Fabricating Travel Security Advice, because what's in that post is true -- and if you wipe your devices, and then get caught by customs with a wiped device, it'll raise suspicion, and you may never see your devices again. And if you're on any kind of visa, it will likely open Pandora's Box. Don't do it. Don't risk it.

I suppose the YubiKey stuff is generally useful, though, and while my original motivation was so that I could wipe my devices when traveling, this actually has very practical uses if your devices end up broken or stolen or lost.

But I'm not going to lie, the impetus for this is the increasingly authoritarian "passwords, please" at the border, and now impending international travel carry-on laptop ban (I really hope that doesn't actually happen, but hey, plan for the worst, hope for the best). And while I could just do a post about YubiKeys, I also wanted to touch on Chromebooks as well -- particularly because my use of both is pretty intertwined.

YubiKey

So, you're pretty good at personal digital security. You use a password manager, and have 2FA turned on everywhere. You've got your 2FA codes and recovery info stashed in a nice, safe place back home. But you're traveling. And you break or lose your phone AND your laptop.

Fuuuuuuuck.

Assuming you're privileged enough (or have amazing insurance or amazing friends or something) to be able to go pickup a new smartphone and/or laptop right then, how are you supposed to access your accounts? Everything is in your password manager, and even for things where you remember your password, you have 2FA enabled (but only with codes, not SMS, because didn't you hear about those bank accounts getting hacked?)... So how the fuck do you bootstrap yourself into your accounts?

Let's talk about YubiKey. They're pretty awesome physical 2FA USB devices that are crush resistant & waterproof. Put it on your keychain, put it on a necklace, put it in your wallet. When you plug it into a computer, it acts like a USB keyboard so that you don't have to worry about drivers. Set-up with standard sites and apps, such as Google and Github, is incredibly easy. And it can also be really powerful and configured in a number of different ways.

I'm not going to touch on setting a YubiKey up with sites like Google, because it is really easy. Also, I run Ubuntu, so while there's a little bit of Linux specific stuff here, you can find Mac and Windows versions of this software on the Yubico website and installation is pretty easy.

I'm also assuming you have a YubiKey NEO that you're working with, so keep that in mind if you want to follow along. If you're using the YubiKey 4, then you can probably skip the NEO related items.

Getting Started

Pretty straightforward...

sudo add-apt-repository ppa:yubico/stable
sudo apt-get update
sudo apt-get install yubikey-neo-manager
sudo apt-get install yubikey-personalization-gui

Using the NEO Manager, make sure that OTP, U2F, and CCID are enabled. You can also name your YubiKey (local to the machine you're configuring on only), in case you're configuring multiple YubiKeys.

Once that's done, open up the Personalization Tool and select Static Password.

Static Passwords

Generally speaking, you do not want to use static passwords. The only static passwords you should have should be in your password manager. So what do we want with this?

Well, since I use 1Password, I need my Secret Key along with my Master Password to gain access to my account. The Secret Key is long and randomly generated, so it's not something you can really remember. Ideally you have a copy of your Emergency Recovery Kit stashed safely away that you can access when you need it, but in the scenario we're talking about, that's not an option. That's where the Static Password on a YubiKey is a viable option.

To test it, open up a text editor and press the button on your YubiKey for 3-4 seconds... it should type out your Secret Key.

Something to keep in mind... for even better security around your Secret Key, consider leaving off the first or last couple of characters and memorizing those to enter yourself. That way, even if you lose your YubiKey, no one has your full Secret Key. Also, yes, you can regenerate your Secret Key if you think it's been compromised.

SSH

For now, if you want to use SSH on the Chromebook, you'll want to:

But I still want to touch on this, since the YubiKey has many worthwhile strengths, including the ability to support SSH keys. There are two ways to handle SSH keys on a YubiKey, in fact. OpenPGP and PIV for SSH through PKCS11. I'm only going to be touching on the latter option right now since that is what I have experience with using.

PIV for SSH through PKCS1

The PIV for SSH through PKCS11 guide on the Yubico site is pretty good, with a couple of gotchas (yes, I opened an issue on Github for them to fix the docs because I nearly locked myself out during set-up).

Before you get started, you'll want to do this:

sudo apt-get install yubico-piv-tool
sudo apt-get install opensc-pkcs11

Also, the PIV Tool Command Line Guide is really helpful and how I discovered the default values for the PIN (123456) and PUK (12345678) -- both of which you'll want to change for security purposes.

yubico-piv-tool -a change-pin
yubico-piv-tool -a change-puk

Once that's all said and done, and you've finished following the guide, you should be able to add your new public key and use it to SSH as long as you have your YubiKey.

PKCS11 and .ssh/config

YubiKey and SSH kind of sprung up this last week because I had to figure out how to reference a YubiKey SSH key in .ssh/config when dealing with multiple Github accounts. It ended up being dead simple, but it also took a long time to figure it out. For the record, here's an example .ssh/config:

Host bronwynlewis.com
    ForwardAgent yes

Host work-github
    hostname github.com
    PKCS11Provider $OPENSC_LIBS/opensc-pkcs11.so

Host personal-github
    hostname github.com
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes

The above config does assume updates to your remote origins for your Github repos to reflect your custom host reference.

Ready to Go!

So hopefully at this point you...

And should you be traveling, and need to bootstrap access on a new system for some reason, this should provide enough information for you.

Chromebook

If you're not a fan of Google, sorry. I've got my issues with Google, but I'm also aware of what I'm giving them and what they're offering. Deal with the devil? In some ways. But also the devil I know... which is important for what I want a Chromebook for.

Basically, when I travel internationally now, the last thing I want to do is risk my wonderful $3000 laptop. Would I prefer to be using my fancy laptop? Yes. But the potential for losing that laptop (particularly at the border, these days) is what led me here. And the Chromebook, honestly, surprised the hell out of me in a really positive way. Including the fact that with my YubiKey in hand, I could bootstrap myself into a productive state very quickly.

Hardware

Which Chromebook to go with largely depends on what you want to do with it. For me, the following factors were really important:

I ended up with an Acer R11, which seemed to hit the right balance of everything I was looking for... including being available at my local Best Buy for $260, including tax.

Your mileage may vary, but I've been pretty happy with it.

Chrome Apps

ChromeOS's shell (crosh) is pretty useless. This is great for security, but not for people who want to do more than surf the web, write emails, and work on spreadsheets. But thankfully there are some options... at least for getting off the Chromebook to a more robust system.

Tips & Tricks

And here's some random stuff that you might find useful when it comes to using a Chromebook in a similar fashion...

Offline Shell/Dev Environment

You may not have internet access, and might still want shell access. What I ended up doing here was using a USB ethernet dongle to plug into a Raspberry Pi 3 so that I could SSH to it offline. It totally works, and since wifi is built into the Pi 3, you can connect it to a wireless network & the internet later to check in your code.

Powerwash

This is handy if you want to wipe your laptop and remove the current accounts. You can also access Powerwash from settings, but that requires that you're logged in. From the lock screen, you can just press Ctrl + Alt + Shift + R to trigger Powerwash.

Android Apps

With support for the Android Play Store, you can install apps such as Google Play Music (which then allows you to download your music for offline access), 1Password, and even games. This is particularlly useful if you're going to be traveling and internet access will be questionable.

VPN

Don't forget to set-up your VPN on the Chromebook! I recommend making sure all the necessary info for this is in your password manager, so you can quickly set up the VPN on a fresh system.