> Complete overkill requiring the use of a YubiKey for key storage and external RNG source - what problems does it solve? For a YubiKey to act as a poor man's HSM you have to store the PIN in plaintext on the disk
You still can't exfiltrate the key material.
> If it's to protect against physical theft of the keys, they'll just put the entire Raspberry Pi in their pocket.
Just because someone has compromised your device doesn't mean they have physical access. That's the point.
> They're generating the private key on disk then importing into the YubiKey. Which defeats having an external key storage device because you have left traces of the key on disk.
The traces don't have to be left behind. Is this excessive 'overkill', or is the 'digital duct taping the windows and doors' insufficient?
> An instance of openssl or xca covers 99.9% of "homelab" use cases
The interesting thing about this article is that it adds a few 9's that are covered, and it's both easy and cheap.
And? What actual problem does this solve or realistic threat does this prevent? They are not decryption keys; they are used to digitally sign certificates.
What the DigiNotar hack taught us years ago is that if your CA is compromised you are already 0wned; it doesn't matter if the key is stored in an HSM or not.
All they can do with a stolen key is issue more certificates. Which they can do anyway if they have root access to the CA.
You can put 12 locks on your door but if they're all keyed to the same key you've stored under the plant on the porch, it doesn't really matter.
> The interesting thing about this article is that it adds a few 9's that are covered, and it's both easy and cheap.
Hard to say if those extra 9's need an external RNG for extra entropy.
> Which they can do anyway if they have root access to the CA.
Until you turn it off. If they exfiltrate the keys, it's more complicated.
This goes back to your comment:
> Creates a two-tier PKI... on the same device. This completely defeats the purpose so you can't revoke anything in case of key compromise
But the root key is just created; it doesn't stay on the device and can't be used to sign anything.
> What actual problem does this solve or realistic threat does this prevent?
The problem is exfiltrating the key without physical access. Whether or not that's "realistic" enough to matter isn't a question that can be answered generally.
> Hard to say if those extra 9's need an external RNG for extra entropy.
IMO it's not. In the author's words: Optional, but fire