Setting up the Unix Password Manager on Android with YubiKey 5 NFC


Introduction

Having used the Unix password manager for a while, I now have a simple, secure and powerful password manager that makes my passwords available on every computer that I use. However, there is still something missing: making my passwords available on my Android phone.

In this post I will address this issue by describing how to use the new YubiKey 5 NFC, an Android phone with an NFC reader, and the apps OpenKeychain and Password Store to bring the power of the Unix Password Manager to Android. Let’s start!

Setting up the YubiKey

First of all, let me explain why a YubiKey is needed. To use the Unix password manager on an Android phone, we need to be able to decrypt the files that contain our passwords. We could do that by copying the private encryption key onto the phone but, IMHO, putting the private key on a phone is not a very good idea. That’s where the YubiKey comes into the picture. The new YubiKey 5 NFC or the older YubiKey Neo can store our private key(s), making them available to the phone only when needed, via NFC.

Setting up the YubiKey with OpenPGP is quite easy if you follow the instructions on Yubico’s website. Assuming that we have an encryption subkey with id 1F077BAE (have a look at my previous post):

  1. Create a backup of the encryption key and keep it in a safe location, in case the YubiKey is lost or stolen:

    $ gpg --output 1F077BAE-bak.asc --export-secret-subkeys --armor 1F077BAE!
    

    Note: This will export only the encryption key, as if it were decoupled from its main key. Don't forget the "!" at the end.

  2. With the YubiKey plugged in:

    $ gpg --edit-key 1F077BAE
    gpg> key 1                  # Depending on the number of subkeys, the number 1 may be different
    gpg> keytocard              # Key password and YubiKey admin pin are needed for this step
    

Here’s an asciinema recording of what’s described above:

Note: I obviously didn't replace my existing key in the YubiKey thus the bad password in the end :smile:
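
A check for the keytocard step above, as an added example that is not part of the original post: it reads `gpg --list-secret-keys --with-colons` output and reports whether the secret part of a subkey is held on a card or still on disk. The sample listing, the AAAA/BBBB padding of the key IDs and the card serial are constructed, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Field 15 of a sec/ssb record in
# `gpg --list-secret-keys --with-colons` says where the secret key lives:
#   "+" = on local disk, "#" = stub only, otherwise a card serial number.

# Constructed two-record listing; $1 becomes field 15 of the ssb record.
# Key IDs are padded with made-up AAAA/BBBB digits around the post's 1F077BAE.
sample_listing() {
  printf '%s\n' \
    'sec:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC:::+:::23::0:' \
    "ssb:u:4096:1:BBBBBBBB1F077BAE:1500000000::::::e:::$1:::23:"
}

# Constructed card serial (real OpenPGP card serials start with D27600012401).
SAMPLE_CARD=D2760001240100000000000000000000

# stdin: colon listing. Prints "<type> <keyid> <capabilities> <location>".
key_locations() {
  awk -F: '
    $1 == "sec" || $1 == "ssb" {
      loc = "missing"
      if ($15 == "+")      loc = "disk"
      else if ($15 == "#") loc = "stub"
      else if ($15 != "")  loc = "card:" $15
      print $1, $5, ($12 == "" ? "-" : $12), loc
    }'
}

# $1: short or long key ID; stdin: colon listing.
# Succeeds only when that key's secret part is held by a card.
subkey_on_card() {
  key_locations | awk -v id="$1" '
    substr(toupper($2), length($2) - length(id) + 1) == toupper(id) &&
      $4 ~ /^card:/ { found = 1 }
    END { exit(found ? 0 : 1) }'
}

# Real use: gpg --list-secret-keys --with-colons | subkey_on_card 1F077BAE
echo "before keytocard:"; sample_listing '+' | key_locations
echo "after keytocard:";  sample_listing "$SAMPLE_CARD" | key_locations
```

A subkey that still reports `disk` after the transfer means a copy of the private key remains on the computer.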

Setting up the phone

We are going to need two apps:

  • OpenKeychain, which is a gpg toolchain for Android. This is needed so that the encryption key can be loaded from the YubiKey.
  • Password Store, which is the Unix Password Manager implemented on Android.

Setting up OpenKeychain

The setup is really easy here. With the app installed, we just open it and move the YubiKey near the NFC reader. We’re then asked for the YubiKey pin, and the key is imported successfully.

Setting up Password Store

For this step, we’re going to need our password-store in a git repository (see here how to add one).

We open the Password Store app, go to Settings->Crypto->Select OpenPGP Provider and select OpenKeychain. Then we add the git remote url for the password-store, and as soon as it’s cloned we’re good to go!

Conclusion

Using the Unix Password Store on an Android phone is easy and secure with an NFC-enabled YubiKey. The Android app for the Password Store is intuitive and easy to use, and supports full text searching and adding / updating passwords. And as an extra bonus we can use our YubiKey to add an extra layer of security to our 2-factor-authentication using the Yubico Authenticator App as an alternative to Google Authenticator.

Happy decrypting!