I still don't understand the state of hardware tokens. Everyone hates Yubikey, but the closest alternative available is Nitrokey, which doesn't even come close to the form factor, or support U2F in their most expensive key option.
Now I learn there's something called GnuK but Google leads me to an obscure doc on building it yourself.
Until there are better options out there, I guess I'll stick to my Yubikey NEO.
The Mooltipass is intended for passwords but may support reading and writing small binary blobs, e.g. encryption keys. AFAIK (as of August 2016) it wouldn't attempt to protect the private key / implement encryption.
I have a yubikey 4 and a nitrokey and I use the former on a daily basis (and the nitrokey as a backup). The yubikey is faster and feels sturdier without needing a cap.
That being said, I think the main objection to the yubikey is that they're using closed source software on the key. I'm not sure I really get the objection, to be honest; in the end, even if the software is open source, you have to trust them to actually flash that software on the key and not insert hardware backdoors in the first place.
I highly recommend that every power user out there get a GnuPG smartcard. It's convenient, secure, you can use it to sign and/or encrypt anything (email, files, passwords, git commits...), you can use it as an SSH key through GPG agent etc... It's well worth the ~50 euros it costs for the peace of mind it provides.
Hopefully it'll make PGP more popular and make it possible to actually send encrypted emails. I can't remember the last time I've received one myself...
Yubikey originally supported an open source applet that ran on a proprietary runtime. A positive for this partially open source approach was that a serious bug was found in the applet (PIN bypass) and they had to do a recall. They have since switched to 100% proprietary.
I think they catch more flak because of the switch than they would have if they had been completely proprietary the entire time! (Even though the original open source applet couldn't be trusted completely since it ran on a proprietary runtime, the same way many do not trust open source Android software on phones due to proprietary cellular hardware.)
You still have to buy your own card reader, and any card readers on the market aren't as small as the Yubikey... but it's a fantastic device and I love mine to death.
Note: the yubikey actually uses the OpenPGP card inside of it (the actual implementation from the chip supplier is closed source, although the reference architecture is open). The nitrokey too. They technically all have closed source with the BasicCard that runs inside them! With that in mind, the secret sauce of the yubikey is also closed source, whereas there's no secret sauce around your OpenPGP Card to be closed source.
That's sound advice, but I'd like to point out that this OpenPGP card appears to only support 2048-bit keys, while some (but not all!) yubikeys and nitrokeys support 4096-bit.
I suppose nowadays 2048-bit is more than enough, but I like the extra safety and "future-proofness" of a 4096-bit key.
That's not the hard part. The hard part is getting keys moved around, expiry updated, subkeys handled—maybe having one key on the Yubikey helps with this, but I think subkey expiration is still going to be a problem.
Yup. By signing releases / commits with a particular key you're committing to maintaining possession and security of the key over the long term. For someone who loses their house key about 3 times a year, this is a big deal!
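A check for the subkey-expiry problem raised above, added here as an example (not code from anyone in the thread). It assumes the colon-separated record format of `gpg --with-colons --list-keys` (field 1 = record type, field 5 = key ID, field 7 = expiry as epoch seconds, empty when the key never expires) and runs against a constructed sample listing.

```shell
#!/bin/sh
# Added example: report OpenPGP subkeys that have expired or will expire
# within N days, by parsing `gpg --with-colons --list-keys` output.

# Usage: expiring_subkeys NOW_EPOCH DAYS < colon-output
expiring_subkeys() {
    now="$1"
    days="$2"
    awk -F: -v now="$now" -v limit="$((days * 86400))" '
        $1 == "pub" { primary = $5 }              # remember the primary key ID
        $1 == "sub" && $7 != "" {                 # only subkeys with an expiry set
            left = $7 - now
            if (left <= limit) {
                state = (left < 0) ? "EXPIRED" : "expires in " int(left / 86400) " days"
                printf "%s subkey %s (%s)\n", primary, $5, state
            }
        }'
}

# Constructed sample keyring listing (not real keys): one primary key with
# a signing subkey expiring soon, an encryption subkey already expired, and
# an authentication subkey that never expires. "now" is fixed at 1700000000.
SAMPLE='pub:u:4096:1:AAAA111122223333:1600000000:1800000000::u:::scESC::::::23::0:
sub:u:4096:1:BBBB111122223333:1600000000:1701000000:::::s::::::23:
sub:u:4096:1:CCCC111122223333:1600000000:1690000000:::::e::::::23:
sub:u:4096:1:DDDD111122223333:1600000000::::::a::::::23:'

# Runs the check on the sample with a 30-day warning window.
report_sample() {
    printf '%s\n' "$SAMPLE" | expiring_subkeys 1700000000 30
}

# Stand-alone run. Against a real keyring, use instead:
#   gpg --with-colons --list-keys | expiring_subkeys "$(date +%s)" 30
report_sample
```

The same parse works for `--list-secret-keys` (record type `ssb` instead of `sub`) if you change the match on field 1.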