Security Model

Threat Model

Protected Against

  • Remote system compromise (encrypted at rest)

  • Credential theft (hardware token required)

  • Key extraction (YubiKey resident keys)

  • Quantum computing (post-quantum SSH)

  • Single point of failure (redundant YubiKeys)

Not Protected Against

  • Physical YubiKey theft with PIN knowledge

  • Compromise while vault is mounted

  • Hardware implants / evil maid attacks

  • Rubber hose cryptanalysis

Security Principles

Defense in Depth

An attacker must compromise multiple independent layers:

  1. Hardware token (YubiKey)

  2. PIN/passphrase knowledge

  3. System access

  4. Vault passphrase (different from SSH)

Least Privilege

  • Hot storage: only frequently needed secrets

  • Warm storage: unmounted by default

  • Cold storage: physically disconnected

Key Separation

Domain   Keys                    Purpose
d000     Personal YubiKey keys   Personal infrastructure
d001     Work YubiKey keys       Work systems
deploy   Automated deploy keys   CI/CD, automation

Hardware Security

YubiKey Configuration

Feature         Setting
FIDO2 PIN       Required, 8+ chars
Touch           Always required
Resident keys   Enabled for SSH
PQ support      Hardware-backed where available

Backup YubiKey

  • Secondary YubiKey with identical resident keys

  • Stored separately from primary

  • Tested monthly

Post-Quantum Security

SSH Key Exchange

KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256

  • sntrup761: Post-quantum lattice-based algorithm

  • curve25519: Classical elliptic curve (hybrid)
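The check below is an added example, not part of the original page. It audits an effective client configuration against the KexAlgorithms line above and shows which algorithm a given server offer would select, which makes the classical fallback visible. The function names, the host name and the sample inputs are constructed for illustration; it assumes the lower-case keyword output that `ssh -G <host>` prints.

```shell
#!/bin/sh
# Policy taken from the KexAlgorithms line above; function names are illustrative.
PQ_KEX='sntrup761x25519-sha512@openssh.com'
ALLOWED_KEX="$PQ_KEX curve25519-sha256"

# Read `ssh -G <host>` style output on stdin and print its KEX list.
kex_from_config() {
    awk 'tolower($1) == "kexalgorithms" { print $2; exit }'
}

# Pass only if the list leads with the PQ hybrid and holds nothing off-policy.
audit_kex() {
    list=$1
    first=${list%%,*}
    [ "$first" = "$PQ_KEX" ] || { echo "FAIL: first KEX is '$first'"; return 1; }
    old_ifs=$IFS; IFS=,
    for alg in $list; do
        case " $ALLOWED_KEX " in
            *" $alg "*) ;;
            *) IFS=$old_ifs; echo "FAIL: off-policy KEX '$alg'"; return 1 ;;
        esac
    done
    IFS=$old_ifs
    echo "OK: $list"
}

# Simplified RFC 4253 section 7.1 rule: the first algorithm on the client's
# list that the server also offers is the one used.
negotiate() {
    old_ifs=$IFS; IFS=,
    for c in $1; do
        for s in $2; do
            if [ "$c" = "$s" ]; then IFS=$old_ifs; echo "$c"; return 0; fi
        done
    done
    IFS=$old_ifs
    return 1
}

# Constructed sample of `ssh -G` output (not captured from a real host).
sample='hostname vault.example
kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256'
kex=$(printf '%s\n' "$sample" | kex_from_config)
audit_kex "$kex"
# Constructed server offer without sntrup761: the session falls back to classical.
echo "negotiated: $(negotiate "$kex" 'curve25519-sha256,diffie-hellman-group14-sha256')"
```

On a real system, pipe `ssh -G <host>` into `kex_from_config`; a session whose negotiated algorithm is `curve25519-sha256` does not have the post-quantum protection listed in the threat model.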

Future Considerations

  • Age recipients will support post-quantum (age-plugin-kyber)

  • LUKS2 supports Argon2id (memory-hard KDF)