[PB-33632] As a user I want to reuse the Private key of my YubiKey (instead of passbolt local keyring)

Q1. What is the problem that you are trying to solve?
We manage our logins primarily over YubiKeys. But this is not possible everywhere, since some services require passwords. So I hoped that we could use passbolt (Pro) to manage these passwords, and I tried the demo. But when a new user is registered, the browser plugin asks for their private key, which they can't provide since it is securely stored on the YubiKey. (The whole idea is that it can't be extracted from there.)
And it seems that it even tries to save the keys on disk, so these keys are burned forever for use in 2FA.
Since you can't change them, it doesn't help to change keys.

Q2 - Who is impacted?
Everybody who wants to use their YubiKey for more than passbolt alone.

Q3 - Why is it important and/or urgent?
Since we are required to use 2FA, we could not use passbolt if it stays the way it is, where you need private keys on disk.

Q4 - What is your proposed solution? (optional)
The browser plugin should only ask for the public key at registration, since it doesn't require the private key if you are using 2FA.

Q5. Community support
People can vote for this idea to show traction:

  • :ok_woman: Must have: this is critical for me to have this
  • :raising_hand_woman: Should have: this is important for me to have this
  • :tipping_hand_woman: Could have: this could be nice to have
  • :no_good_woman: Won’t have: we should not schedule this (explain why)
0 voters

Hello @wanne,

It should be possible to reach the goal you describe, but it would most likely require creating a bridge between passbolt and gnupg, and setting up gnupg to use the YubiKey as an OpenPGP card.

This is possible in practice, as demonstrated by the Mailvelope project, which accepts gnupg as a backend (we actually participated in that work). However, this is not a trivial task to implement and set up in a way that is user friendly for non-expert users.

The team is open to it, but it is a significant challenge which we do not plan to tackle in the short term, as there are more important and lower-hanging fruits.

Can this be achieved via the Passbolt CLI?


Any news about this for 2024? :smiley:
We currently use this with passwordstore.org. The browser extension does rely on the pass command and a "bridge", afaics: GitHub - passff/passff-host: Host app for the WebExtension PassFF.

I understand this isn’t something trivial to add, but that would really add value to passbolt in our setup.


I would also like this.
Then I could use a key that was generated on the YubiKey and is safe, as it has never been on a computer.
But a first step would maybe be to generate the key in the plugin, then add it to the YubiKey and remove it from the plugin, and have the plugin access it through gpg-agent/openpgp-card. Increases safe portability.
