YubiKey with pass, GPG and SSH integration

YubiKey + Pass + GPG + SSH: One Key to Rule Them All

Here is the payoff before the work: I plug in my YubiKey in the morning, type one PIN, and the rest of the day my authentication just happens. SSH to a server, no password. Sign a git commit, no passphrase. Pull a secret out of pass, just touch the key. One physical thing sits in a USB port and the friction is gone. Getting there cost me about three evenings of swearing at gpg-agent. Now that it runs, going back feels unthinkable. ...

January 13, 2026 · 9 min read · Tom Meurs
pass password manager, gpg, unix, cli, password store

Pass: the Unix password manager that just works

I used KeePass for years. Then 1Password. Then Bitwarden. All decent tools, but every one of them felt like too much. Too much UI, too many features, too much friction to wire into the way I actually work. Every time I reached for a password I was reaching across an app boundary, and that small interruption added up. Then I found pass. It does exactly what the name promises: it stores passwords. I want to walk you through it the way I learned it, starting with the one command that hooked me, then adding layers until you can see my full setup. ...

January 10, 2026 · 8 min read · Tom Meurs
gpg, gnupg, encryption, pgp, public key cryptography

GPG explained: from first key to daily use

GPG is one of those tools everyone keeps meaning to learn and never does. The docs are a wall of text, the terminology is its own dialect, and the error messages are cryptic in both senses of the word. I put it off for years myself. The thing is, you keep bumping into it. GPG sits under pass, under signed git commits, under encrypted email, under verifying that the binary you just downloaded is the one the maintainer actually shipped. If you care about owning your security instead of trusting a vendor to handle it for you, you end up here eventually. ...

January 6, 2026 · 13 min read · Tom Meurs
Kubernetes RBAC access control visualization

Kubernetes RBAC: Least Privilege in Practice

The first cluster I ever ran in anger had exactly one permission model: everything was cluster-admin. My CI pipeline, my monitoring stack, the little webhook receiver I threw together one afternoon. All of it could read every secret, delete every deployment, and touch every namespace. It worked great right up until I started thinking about what happens when one of those pods gets popped. Kubernetes RBAC (Role-Based Access Control) answers a single question: who can do what to which resources? The default answer on most clusters is “everyone can do everything,” and that answer quietly becomes your biggest liability. ...

August 19, 2025 · 12 min read · Tom Meurs
Falco runtime security monitoring visualization

Runtime Security with Falco: Detect Suspicious Behavior in Your Cluster

I scanned my images with Trivy. I enforced policies with Kyverno. My workloads got cryptographic identity through SPIFFE. Three layers of prevention, all green, and for a while that felt like enough. Then I started asking the uncomfortable question. What happens after a pod is running? My scanners checked the image that went in. My admission controller checked the spec at deploy time. Neither of them is watching once the process is actually executing. If a container gets popped by a zero-day at 3am, every one of those controls has already done its job and gone home. ...

August 7, 2025 · 13 min read · Tom Meurs