There is an issue open about this from less than a year ago marked as resolved, strange.
The GitHub page for the CLI tool doesn't have the issue tracker enabled. Sigh.
Maybe a wrapper script could add interactivity.
The strange thing is that their CLI tool requires all the credentials to be stored in plaintext on disk in order to use it, meaning anyone with access to that computer can do harm.
I cannot see any way of inputting credentials interactively so far, which would be much better.
Exploring the recently added Contabo API, it looks like it is possible to make snapshots with it. Before, snapshots could only be made via the web UI, which I almost never did. Looks exciting!
Now not only my Yubikeys have KDF enabled, but my OpenPGP smartcard as well. What a ride!
Right now I feel that in order to finish this I would have to understand how to make gnupg 2.3 run on Bullseye, although quick searching shows no promising guides.
Not sure if all this is worth it though, just for my beloved smartcard format.
I can carry the smartcard in my physical wallet and it does not stick out of the computer the same way the Yubikey does. Unless the Yubikey is plugged into my docking station, it occupies the only USB-A port on the left side of my T470 and I feel like something can be physically broken by accident.
I would not put anything to the right-hand side (where most of the ports are) as it interferes with the mouse movements.
Looks like I found a solution. Install gnupg 2.3.1 and disable-ccid. Sadly Debian and even Arch are still on the 2.2.x branch, and while it is easy to build gnupg from source, replacing gpg-agent and scdaemon OS-wide is not the most straightforward thing to do. But finally, there is hope.
If I could at least find out what the actual risks of not using KDF on a GnuPG smartcard are.
This thread https://news.ycombinator.com/item?id=21521110 confirms it is for a MITM USB attack, but without a source.
Also, in the post I learned about sending files through Magic Wormhole.
Feels really easy, would probably work well for sending SSH public keys to obscure servers (provided the OS running has an easy way to install the wormhole in the first place).
In desperation, found a really nice blog post: https://latacora.micro.blog/2019/07/16/the-pgp-problem.html
I barely understand half of the acronyms, but overall it expanded my knowledge about PGP.
Freelance web developer. UNIX and GNU/Linux enthusiast.