
The author's idea that writing down your unlock codes and PINs on paper is an acceptable/reasonable backup system is, I think, a bit wishful, and quite impractical for most people.

I recommend getting 5 Yubikeys, generating unique PGP keys on all of them, then storing two offsite in different locations, such as your vacation home or safe deposit box or office. Three are for your keychain and one each for your desktop and laptop or two laptops.

Then, PGP encrypt your text file with all of these details to all five keys.

I have two Yubikeys (a primary and a backup) in each of two safe deposit boxes in different states (4 total), one on my keychain, and one nano in each of my 5 computers. I encrypt my long term data to 10 recipient keys.



Threat model aside, I think expecting people to maintain multiple PGP keys, do multi-key encryption, and geographically distribute those keys is probably less practical than writing their pin down.

99% of users are probably better served by Tarsnap and its ilk than attempting to roll this kind of thing themselves.


Eleven years ago I got four yubikeys, two pairs as recommended by Yubico. One pair for personal use and one for work.

I tested the personal key pair first. The primary yubikey I had on my (physical) keyring failed spontaneously after less than three weeks of being carried around in my pocket. That was the end of that.

I am not going back to physical tokens, except for RSA tokens and purely mechanical keys. Those have an adequate track record.


I have four Yubikeys.

One of them is a black one that work gave me for use with the work computer. I’ve had this Yubikey for over 1 year.

Three of them are blue ones I bought from Amazon, that I also added to my SSO profile at work. I’ve had these Yubikeys for several months.

One of them I keep in my wallet most of the time. One of them I keep on my desk and bring in my backpack when I go somewhere. One I keep in a box. One is somewhere in the room.

I rotate between these, and I switch which one I keep in the wallet, which one I keep in a box etc.

It’s worked well for me so far. None of them have failed yet, and when one does fail or get lost I will remain confident that the other ones I have will continue to work long enough that I can order even more Yubikeys to replace whichever ones went bad.


Yeah, if you want to be a charity donating to Yubico, godspeed. Not my cup of tea.


Yubikeys are $50. Ten are $500. Mine protect keys that can decrypt data worth hundreds of millions of dollars.

My $500 worth of Yubikeys has lasted me 5 years and counting, so we're at <$10/month TCO. That's to have 10 of them.


Data worth hundreds of millions of dollars? What’s an example of data that an entity would realistically pay hundreds of millions of dollars for? The only thing that comes to mind would be the database backups of user data of a large company’s software, which is literally irreplaceable if lost (but then infinity is larger than one hundred million…)


I am the co-founder of Keyternal.

https://keytern.al (website painfully out of date)

I estimate the hundreds of thousands of cryptocurrency private keys we safeguard (in conjunction with the keys held in other organizations, via multisig) have at points in time protected somewhere on the order of single digit billions USD.

We're not a wallet provider, just a backup key storage service, so I couldn't get exact figures even if I wanted to: by design we don't have that information about our customers.

The PGP-encrypted keys are held completely offline (cold) in vaults; the set of Yubikeys (in other, different vaults) is used during signing ceremonies to temporarily decrypt them (only in RAM, on offline computers without storage) to produce recovery signatures when our customers run out of other options. We're the last resort in a DR plan.

It requires careful coordination with another keyholder (a different organization) to produce valid transactions; neither ours nor theirs alone is sufficient. Transactions need two signatures: one from each. In that sense, neither key is "worth" anything by itself, but together they protect large sums.


What happens when someone that stores their keys with you passes away? Do you have contact details for who in their family to reach out to, to help them recover the money of the deceased person?


I have a lot of yubikeys. The one I still use the most is my first one: the rfid enabled that isn't even on their history pages. It's been on my keys for more than 10 years and I wouldn't say it looks new but not very much unlike the 5s it's next to. Neither has ever failed me.


I have around 4 Yubikeys on my (physical) key ring. I purchased two of them back in 2014. None of my keys have ever had an issue.

For me the track record has been perfect.


You've got the wrong perception of even the most sophisticated end-users out there. 5 GPG keys, deposit boxes / vaults in different states.. I mean what the hell? Even an old beardy maintainer won't be bothered by that. You're talking about government-level threat models here.

Heck, even the idea of having to renew your resident GPG keys is a nightmare, let alone in different states. If you even let your master key expire on the device, you won't ever be able to renew it or its derived SSH keys, and will have to reset the device. That's not to mention fried keys, stolen keys, etc. Consumer-grade vaults can be picked in minutes, and most large banks do not issue new deposit boxes anymore.

Any paranoid/sophisticated users would be more than happy with having their SSH keys in 1Password & using their agent, or having one key at home w/ home alarm, one key on them.


> You've got the wrong perception of even the most sophisticated end-users out there. 5 GPG keys, deposit boxes / vaults in different states.. I mean what the hell? Even an old beardy maintainer won't be bothered by that. You're talking about government-level threat models here.

You seem to misunderstand me.

They're not in vaults for protection from the government; the state can access them at will. They are in vaults for fire safety.

They are in multiple states for safety against natural disasters. If one bank floods or is destroyed, a copy exists elsewhere.

Each vault has two Yubikeys, to protect against fried keys. Two locations in case one is stolen, etc.

It's not about threat model, it's just about DR.

> Any paranoid/sophisticated users would be more than happy with having their SSH keys in 1Password & using their agent, or having one key at home w/ home alarm, one key on them.

Storing the keys in software makes them vulnerable to software malware, which is ridiculously common. No "paranoid" required.

Most people are at home most of the time. If one key is at home and one key is "on [you]" and your house burns down, you lose all your keys and all your data so protected.

It's not some state-sponsored attacker that requires you to keep an extra key offsite in a fireproof room.


5 Yubikeys? That's fine if you're really serious about this, but to me even one Yubikey is too expensive for personal use.

Most people don't have a vacation home, or a safe deposit box. I didn't even think you could still get those at most banks. Plus, I suspect most security conscious people would not want to leave anything at their office.

You can leave them at friends' houses, but that's not exactly always a secure location.

Phone numbers can at least theoretically be recovered, so my unpopular opinion is that SMS is pretty great for personal stuff.


Five whole YubiKeys at the cost of $500+ sounds extortionate when memorizing your Ed25519 private key is a free option.


How do you keep your keys up to date? Or, if you need to onboard a new key because you lost one, how do you know it's been registered with all your services?


I don't know what you mean by "up to date". The keys do not change.

I don't lose keys.

When I get new accounts, I simply enroll each of the keys in each computer, plus my keychain key, in the U2F for the new account. This doesn't happen often due to SSO.


But that means you have to go out of state to enroll the keys you have in storage there. Not exactly practical.

Although I think that for the general (i.e. not ultra-critical) U2F use-case, not having all the keys enrolled is acceptable, if you're able to log back in without them, say by using codes stored encrypted with the GPG keys of all the others.


Oh, only the computer (and keychain) keys are used for U2F. There is one 24/7 resident in each computer (the C Nano variant) and an extra on my keyring. Each of these also has a PGP key.

The 4 in the vaults are only used for PGP.

I have a script that will PGP encrypt a file to all 10 of the Yubikeys. I keep track of all of the fingerprints and pubkeys in a spreadsheet.
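
The multi-recipient encryption step discussed in this thread, as an added example that is not any commenter's script: it loads the fingerprint list, fails closed if a key is missing or malformed, builds the `gpg` command, and checks from `gpg --list-packets` output that the ciphertext carries one session-key packet per key. The CSV columns, function names, fingerprints and packet listing are constructed for illustration.

```python
import csv
import io
import re

# Constructed export of the fingerprint spreadsheet; these are not real keys.
SAMPLE_CSV = """label,fingerprint
keychain,AAAA AAAA AAAA AAAA AAAA  AAAA AAAA AAAA AAAA AAAA
desktop-nano,bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
vault-1-primary,CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
vault-1-backup,DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
"""

# Constructed `gpg --list-packets` lines for a file encrypted to four keys.
SAMPLE_PACKETS = """\
:pubkey enc packet: version 3, algo 18, keyid 1A1A1A1A1A1A1A1A
:pubkey enc packet: version 3, algo 18, keyid 2B2B2B2B2B2B2B2B
:pubkey enc packet: version 3, algo 18, keyid 3C3C3C3C3C3C3C3C
:pubkey enc packet: version 3, algo 18, keyid 4D4D4D4D4D4D4D4D
:encrypted data packet:
"""

def load_recipients(csv_text, expected):
    """Return normalized fingerprints; fail closed on any bad or missing row."""
    fprs = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        fpr = re.sub(r"\s+", "", row["fingerprint"]).upper()
        if not re.fullmatch(r"[0-9A-F]{40}", fpr):
            raise ValueError(f"{row['label']}: not a 40-hex-digit fingerprint")
        if fpr in fprs:
            raise ValueError(f"{row['label']}: duplicate fingerprint")
        fprs.append(fpr)
    if len(fprs) != expected:
        raise ValueError(f"expected {expected} keys, list has {len(fprs)}")
    return fprs

def encrypt_argv(fprs, path):
    """Build the gpg command: one --recipient per key, full fingerprints only."""
    argv = ["gpg", "--batch", "--yes", "--output", path + ".gpg"]
    for fpr in fprs:
        argv += ["--recipient", fpr]
    return argv + ["--encrypt", path]

def recipient_keyids(list_packets_output):
    """Key IDs of the session-key packets (these name encryption subkeys)."""
    return re.findall(r"^:pubkey enc packet:.*keyid ([0-9A-F]{16})$",
                      list_packets_output, re.M)

def covers_all(fprs, list_packets_output):
    """True only if there is one distinct session-key packet per listed key."""
    return len(set(recipient_keyids(list_packets_output))) == len(fprs)
```

The packet key IDs identify each key's encryption subkey rather than its primary fingerprint, so the check compares counts; run it on every backup so a key dropped from the list is noticed before the file is needed.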



