Vincent Bernat Turns Three YubiKeys and a Cheap Single-Board Computer Into a Secure Offline PKI
An air-gapped public key infrastructure is going to be a lot harder to hack β and doesn't have to cost the Earth.
Developer Vincent Bernat has demonstrated how to turn three Yubico YubiKey USB two-factor authentication dongles into an offline public key infrastructure (PKI) β using a low-cost single-board computer as an air-gapped host.
"An offline PKI enhances security by physically isolating the certificate authority from network threats," Bernat explains. "A YubiKey is a low-cost solution to store a root certificate. You also need an air-gapped environment to operate the root CA. It is possible to add more YubiKeys as a backup of the root CA if needed. This is not needed for the intermediate CA as you can generate a new one if the current one gets destroyed."
Public key infrastructure underpins much of modern communication, securing systems with a combination of public and private keys. The hardest part is keeping the private keys private, which is where Bernat's approach comes in β isolating the keys themselves from the network, so that they cannot be compromised without someone physically breaching their location.
Bernat's setup uses a Libre Computer Sweet Potato single-board computer, disconnected from any network, as a host for a tool called offline-pki. This Python package handles the actual public key infrastructure, and uses Yubico's YubiKeys as certificate stores β taking advantage of their secure elements.
"To bring everything together," Bernat concludes, "I am using Nix with a Flake providing: a package for the offline-pki application, with shell completion; a development shell, including an editable version of the offline-pki application; a NixOS module to setup the offline PKI, resetting the system at each boot; a QEMU [emulator] image for testing; and an SD Card image to be used on the Sweet Potato or an[other] ARM64 SBC."
The full write-up is available on Bernat's website.