I have a YubiKey and can I use it on LibreOffice?

English
#1

I have a YubiKey that I use on my email, Facebook and I have documents that I want secured incase of hack, is there a way LibreOffice can implement the YubiKey to Help users secure documents?

#2

LibreOffice can use OpenPGP encryption and GPG can use a key (or subkey) on a YubiKey device, so I guess it’s somehow possible…

#3

Quick Answer: No, Probably no smartcard (eg: yubikey) support

I believe the answer is no, you cannot use a smartcard (a Yubikey is the make/model of a particular smartcard manufactored by the company Yubico). At least not as of my testing with libreoffice 7.3.2.2 (version in footnotes).

You can stop reading now if you don’t care about technical details or debugging information (maybe more useful for developers of libreoffice).

Debugging Details

I’d be interested to hear from someone trying this on a gpg key they keep on their smartcard that does not use a pin (passphrase) as mine does. If it’s different for someone testing that, then maybe the existing gpg functionality built into the UI is meant to handle smartcards.

Steps to Reproduce: No evidence of smartcard (eg: yubikey) or even pinentry-* logic

Also in the off-chance I’m wrong and it should work, then perhaps this is a technical-bug or UX-bug. In that case, I imagine a future contributor to libreoffice would be curious as to how OP didn’t know the answer and/or how I personally came up with an answer of “no” (eg: if you’re a UX contributor to libreoffice, or you’re just a developer). So, here’s what I observed with my own key that does use a pin entry:

  1. test-content: make a dummy doc
  2. exercise GPG saving: try utilizing my gpg key (the same one on my smartcard)
    • a. while saving the first time, tick the box “gpg” in the bottom-left corner of the save dialog
    • b. when clicking “save” you’ll get a gpg ring selection dialog
    • c. select the ring corresponding to the key you keep on your ring (the one requiring pinentry, for me).
    • d. notice save occurs without issue
      (this makes sense - even if your smartcard isn’t plugged in - because normally your public key is everywhere and saved on your machine too, not just your smartcard. and your public key is all that’s needed to encrypt the document).
  3. exercise decryption:
    • a. try opening the document
    • b. notice libreoffice opens a “password” dialog that seems to be its own custom UI
    • c. without inserting my smartcard, enter whatever gibberish i want
    • d. (of course failure): notice the failure from (c) isn’t about failure to communicate with a smartcard, but simply that the password failed.
    • e. plug in smartcard (my yubikey)
    • f. back to (a) again and notice no change in steps b-d.

Inferring Lack of Smartcard Support From Steps Above

From my observations like 3.d I’m pretty confident that the existing GPG feature built into libreoffice wasn’t designed with smartcards in mind. Further, from 3.b I think it’s safe to assume it’s really not a generic workflow that leans on the pgp toolchain (eg: I would have expected some standard tool–like pinentry-* packages in my OS–to pop up here instead of the custom dialog by libreoffice).

Like I said, I have a slightly complicated use-case by the fact that my key also requires pinentry, but nevertheless it’d be interesting to have confirmation from someone who has a smartcard-hosted keyring that is not pin-protected.

Version: my version data in the About dialog

This post (and this version info) was produced 2022-05-22 with Manjaro (GNU/Linux distro):

Version: 7.3.2.2 / LibreOffice Community
Build ID: 30(Build:2)
CPU threads: 8; OS: Linux 5.16; UI render: default; VCL: gtk3
Locale: en-US (en_US.UTF-8); UI: en-US
7.3.2-1
Calc: threaded

Impressum (Legal Info) | Datenschutzerklärung (Privacy Policy)   Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.