[MOVED] How to use openpgp card to store secret access key?


Hello, I'm trying to find a way to store AWS secret access key in secure "only read" hardware in order to be PCI DSS complaint, for now i tried to store this secret access key in yubikey NEO, but the yubikey supports only 38 characters of "known" password ( all of the types of yubikey ), and the AWS generated secret access key is 40 characters, i tried to find " a way around " : i tried to compress this secret key ( dosnt work because of key complexity ),was thinking of storing this secret access key in yubikey as everyone do with ssh but for that i need to convert this string to pgp format (and i dont know how;P) , i was thinking of dividing this key in 2 parts and store it in different slots of the yubikey, but this sounds as very bad practice implementation. So the questions are : If someone has any other "work around" for this problem? Is it possible to generate 38 character access secret key?

P.S I use AWS CLI mainly , and no access to browser needed is appreciated, so the U2F ( as far as i have read ) is not an option.

2개 답변

You can use a MFA Token with the AWS CLI. We have a Support Article How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI? there is also a video showing the process.

답변함 2년 전
  • True, but, im not sure if it will be enough to cover PCI DSS , because we still will need to store somewhere the access keys, and to be full PCI DSS complaint, they cant be stored in PC memory , so or we get rid of access keys ( that, if we use AWS cli is not an option? ) , or we store secret access key in something "secure" like yubikey ( which apparently if the key exceeds 38 characters we cannot ), so any suggestion on how to "get rid" of access keys or shortening them will be appreciated


How about trying pass utility? Pass utility is based on GPG to encrypt their vault. And then, you can use your YubiKey with OpenPGP.

For convenience, try to use aws-vault together. This is integrated with pass utility.

profile picture
답변함 2년 전
  • Looks like a promising utility, but as far as i have tested, i encrypted my secret access key under my PGP key, but.... now what? How i can store this PGP encrypted file in yubikey? so whenever i will need it, i will be able to "pull" it out?

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠