yb 0.1.0

Secure blob storage on a YubiKey (Rust port in progress)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233

<!--
SPDX-FileCopyrightText: 2025 Frederic Ruget <fred@atlant.is> (GitHub: @douzebis)

SPDX-License-Identifier: MIT
-->

[![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/douzebis/yb)
[![Crates.io](https://img.shields.io/crates/v/yb.svg)](https://crates.io/crates/yb)

# yb — Secure Blob Storage in Your YubiKey

> **Rust port in progress.**
> The current implementation is in Python. A full rewrite in Rust is underway
> (see [`docs/rust-port-plan.md`](docs/rust-port-plan.md)). The crate name `yb`
> on [crates.io](https://crates.io/crates/yb) is reserved for that release.
> Once the port is complete, `cargo install yb` will be the recommended
> installation method and the Python implementation will be retired.

**yb** is a command-line tool for securely storing, retrieving, and managing
small binary blobs directly within a [YubiKey](https://www.yubico.com/products/)
using its PIV application. It enables encrypted, name-based storage with hybrid
cryptography, leveraging the hardware-backed security of your YubiKey.

**GitHub**: https://github.com/douzebis/yb

---

## Features

- **Store** binary blobs under human-friendly names
- **Encrypt** data using hybrid ECDH + AES-256 encryption with a YubiKey-stored key
- **List**, **fetch**, and **delete** blobs by name
- **Inspect** low-level object storage for debugging (`fsck`)
- Designed for use with custom PIV data objects on the YubiKey

---

## Getting Started

### Installation (Rust — coming soon)

Once the Rust port is complete, the recommended installation will be:

```shell
cargo install yb
```

Runtime tools must also be on your `PATH`: `yubico-piv-tool`, `pkcs11-tool`
(from `opensc`), `openssl`, and `ykman`.

### Installation (NixOS)

Choose one of the following:

```shell
# Option 1: Enter a dev environment with dependencies installed via nix-shell
nix-shell

# Option 2: Use nix develop (installs into a .venv for editing)
nix-shell shell-editable.nix

# Option 3: Build the yb derivation (does not activate environment)
nix-build
```

### Installation (Traditional Python)

```shell
# Create and activate a virtual environment
python3.12 -m venv .venv
source .venv/bin/activate

# Install in editable mode
pip install --editable .
```

---

## Command Overview

```shell
yb format     # Initialize PIV objects and optionally generate key pair
yb store      # Store a named blob in the YubiKey
yb fetch      # Retrieve a blob by name
yb ls         # List stored blobs and metadata
yb rm         # Delete a blob by name
yb fsck       # Inspect and verify object integrity
yb self-test  # Run comprehensive end-to-end tests (destructive)
```

Use `--help` with any command for detailed options.

---

## Cryptographic Model

yb uses a **hybrid encryption scheme**:

- An ephemeral EC P-256 key is generated on each `store` or `fetch` call
- A persistent P-256 key in the YubiKey is used for ECDH
- The derived shared secret feeds into **HKDF-SHA256**, producing an AES-256 key
- Blob data is encrypted using **AES-CBC with PKCS7 padding**
- Encrypted chunks are stored in custom PIV objects

---

## Example Usage

```shell
# Format the store (initialize objects and key)
yb format --generate

# Store a file as a secure blob
yb store --input my-secret.txt my-blob

# Fetch it back
yb fetch --output recovered.txt my-blob
# Please enter User PIN:

# List blobs
yb ls

# Delete a blob
yb rm my-blob
```

---

## Working with Multiple YubiKeys

If you have multiple YubiKeys, use the `--serial` option to select which one to use:

```shell
# Select YubiKey by serial number (printed on device case)
yb --serial 12345678 ls

# Store a blob on a specific YubiKey
yb --serial 12345678 store --input data.txt my-blob
```

**Finding Your Serial Number:**
- Look at your YubiKey case - the serial number is printed on it
- Or let yb tell you when multiple devices are connected

When multiple YubiKeys are connected and you don't specify `--serial`, yb will show you the available serial numbers:

```
Error: Multiple YubiKeys are connected:
  - Serial 12345678 (YubiKey 5.7.1)
  - Serial 87654321 (YubiKey 5.4.3)

Use --serial to select one, for example:
  yb --serial 12345678 <command>
```

**Legacy Option:** The `--reader` option is still supported for PC/SC reader names, but `--serial` is recommended.

---

## Security: Default Credential Detection

For security, yb automatically checks if your YubiKey uses default credentials and refuses to operate if detected:

- **Default PIN**: 123456
- **Default PUK**: 12345678
- **Default Management Key**: 010203040506070801020304050607080102030405060708

If your YubiKey uses any default credentials, yb will display an error like:

```
Error: YubiKey is using default credentials (INSECURE):
  - PIN (default: 123456, 3 attempts remaining)
  - Management Key (default: 010203...)

This is a security risk. Please change your YubiKey credentials:
  - Change PIN: ykman piv access change-pin
  - Change PUK: ykman piv access change-puk
  - Change Management Key (recommended with PIN-protected mode):
    ykman piv access change-management-key --generate --protect

To proceed anyway (NOT RECOMMENDED), use --allow-defaults flag.
```

**Changing Your Credentials:**

```shell
# Change PIN
ykman piv access change-pin

# Change PUK
ykman piv access change-puk

# Change Management Key (recommended with PIN-protected mode)
ykman piv access change-management-key --generate --protect
```

**Note**: This check requires YubiKey firmware 5.3 or later. On older firmware, yb will display a warning but continue.

**For Testing/Development:**
- Use `--allow-defaults` flag to bypass the check (insecure)
- Set `YB_SKIP_DEFAULT_CHECK=1` environment variable to skip the check entirely

---

## PIN-Protected Management Key Mode

For enhanced security and convenience, yb supports **PIN-protected management key mode**. This allows YubiKeys to store the management key on-device, encrypted and protected by your PIN.

**Why use PIN-protected mode?**
- ✓ More secure than default management key
- ✓ More convenient - no need to provide 48-char hex key
- ✓ You only need to remember your PIN
- ✓ Management key never leaves the YubiKey

**One-time setup:**
```shell
ykman piv access change-management-key --generate --protect
```

**Usage:**
yb automatically detects PIN-protected mode - no `--key` flag needed:
```shell
yb store myfile           # Prompts for PIN if needed
yb --pin 123456 store     # Non-interactive
```

See the [User Guide](USER_GUIDE.md) for more details.

---

## License

MIT License. See `LICENSE` for full text.