[MOVED] How to use openpgp card to store secret access key?


Hello, I'm trying to find a way to store AWS secret access key in secure "only read" hardware in order to be PCI DSS complaint, for now i tried to store this secret access key in yubikey NEO, but the yubikey supports only 38 characters of "known" password ( all of the types of yubikey ), and the AWS generated secret access key is 40 characters, i tried to find " a way around " : i tried to compress this secret key ( dosnt work because of key complexity ),was thinking of storing this secret access key in yubikey as everyone do with ssh but for that i need to convert this string to pgp format (and i dont know how;P) , i was thinking of dividing this key in 2 parts and store it in different slots of the yubikey, but this sounds as very bad practice implementation. So the questions are : If someone has any other "work around" for this problem? Is it possible to generate 38 character access secret key?

P.S I use AWS CLI mainly , and no access to browser needed is appreciated, so the U2F ( as far as i have read ) is not an option.

2 réponses

You can use a MFA Token with the AWS CLI. We have a Support Article How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI? there is also a video showing the process.

répondu il y a 2 ans
  • True, but, im not sure if it will be enough to cover PCI DSS , because we still will need to store somewhere the access keys, and to be full PCI DSS complaint, they cant be stored in PC memory , so or we get rid of access keys ( that, if we use AWS cli is not an option? ) , or we store secret access key in something "secure" like yubikey ( which apparently if the key exceeds 38 characters we cannot ), so any suggestion on how to "get rid" of access keys or shortening them will be appreciated


How about trying pass utility? Pass utility is based on GPG to encrypt their vault. And then, you can use your YubiKey with OpenPGP.

For convenience, try to use aws-vault together. This is integrated with pass utility.

profile picture
répondu il y a 2 ans
  • Looks like a promising utility, but as far as i have tested, i encrypted my secret access key under my PGP key, but.... now what? How i can store this PGP encrypted file in yubikey? so whenever i will need it, i will be able to "pull" it out?

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions