Yubikey setup on Linux
Trying to use yubikey to its full potential on Linux
A YubiKey is a hardware authentication device that can be used for various one-time password (OTP) and authentication methods. This article explains how I setup my yubikey and operating system (most likely only different GNU/Linux distribution) for it.
The goal is to use the yubikey for:
- GnuPG subkeys for signing and encrypting
- Main SSH key (using
gpg-agent, …) - Dual authentication using OTP (time-based, event-based)
The yubikey manual1 (at least the version that seem to refer the yubikey neo I have) is the base read but there is plenty of useful article on the subject. This is also based on my usage of the yubikey, so it might vary from your usage.
TODO GnuPG
Some assumptions are made in this section:
- You know a tiny bit of GnuPG and the
gpgcommand (at least the basics) - You have a backup of your GnuPG configuration (usually
$HOME/.gnupg) — just in case 👼 - You have an existing GnuPG key (private/public)
We are going to use GnuPG subkeys (for security, as we won’t have the master key anywhere on the machines, only offline). If you are interested in how it works and how to configure it, here is a guide. The following is a mere rip-off of the yubikey developer article : Importing keys.
Let’s first see if our gpg version supports our yubikey.
$ gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
D[0000] 01 00 05 90 00 .....
OK
We need to have our secret key on the machine we are using to setup the yubikey. Once the
setup is done, we will reset the .gnupg so that the machine doesn’t have the main key
(or even the subkey for that matter).
$ gpg --list-secret-keys # […] -------------------------------- sec rsa2048 2013-05-19 [SC] 8C4E8DDA04C18C6B503BD2DBB7E7CF1C634256FA uid [ultimate] Vincent Demeester (vdemeester) <vincent@demeester.fr> uid [ultimate] Vincent Demeester <vincent@sbr.pm> uid [ultimate] Vincent Demeester <vdemeest@redhat.com> uid [ultimate] [jpeg image of size 4711] ssb> rsa2048 2013-05-19 [E] ssb rsa4096 2019-04-07 [S] [expires: 2022-04-06] ssb> rsa2048 2019-07-02 [S] ssb> rsa2048 2019-07-02 [A]
TODO SSH
We are using a GnuPG key as ssh key, and we are storing this into the yubikey (in the
Authentication Key slot).
TODO Dual authentication
TODO Some more automation
References
- https://fedoraproject.org/wiki/Using_Yubikeys_with_Fedora
- https://fedoraproject.org/wiki/Infrastructure/Yubikey
- https://fedoramagazine.org/using-the-yubikey4-with-fedora/
- https://developers.yubico.com/PGP/Importing_keys.html
- https://developers.yubico.com/
- https://github.com/fedora-infra/ssh-gpg-smartcard-config/
- https://www.gnupg.org/gph/en/manual/x110.html
- https://github.com/cornelinux/yubikey-luks
- https://rzetterberg.github.io/yubikey-gpg-nixos.html
- https://github.com/drduh/YubiKey-Guide
- https://blog.tinned-software.net/create-gnupg-key-with-sub-keys-to-sign-encrypt-authenticate/
- https://nixos.wiki/wiki/Yubikey_based_Full_Disk_Encryption_(FDE)_on_NixOS
- https://suchsecurity.com/gpg-and-ssh-with-yubikey-on-windows.html
- https://codingnest.com/how-to-use-gpg-with-yubikey-wsl/
- https://metebalci.com/blog/using-u2f-at-linux-login/
- https://0day.work/locking-the-screen-when-removing-a-yubikey/
- https://gist.github.com/jhass/070207e9d22b314d9992
- https://wiki.realmofespionage.xyz/distros:fedora_workstation_gnome