YubiKey
The YubiKey is a hardware security device that safely stores cryptographic keys, OTP tokens, and challenge-response seeds, which can be used for authentication or encryption.
Modern YubiKeys have an OpenPGP module that can store GPG keys; they also include U2F modules that can be used for authentication.
Hardware
The following tables list all current (2023-04-28) YubiKey devices and their module support as stated on the Yubico website[1][2].
An in-depth table showing the features of current YubiKeys is located on the Yubico store.
YubiKey 5 FIPS series
Device | FIDO2 | U2F | OTP | OATH | PIV | OpenPGP |
---|---|---|---|---|---|---|
YubiKey 5C NFC FIPS [3] | Yes | Yes | Yes | Yes | Yes | Yes |
YubiKey 5 NFC FIPS [4] | Yes | Yes | Yes | Yes | Yes | Yes |
YubiKey 5Ci FIPS [5] | Yes | Yes | Yes | Yes | Yes | Yes |
YubiKey 5C FIPS [6] | Yes | Yes | Yes | Yes | Yes | Yes |
YubiKey 5 Nano FIPS [7] | Yes | Yes | Yes | Yes | Yes | Yes |
YubiKey 5C Nano FIPS [8] | Yes | Yes | Yes | Yes | Yes | Yes |
YubiKey 5 BIO series
Device | FIDO2 | U2F | OTP | OATH | PIV | OpenPGP |
---|---|---|---|---|---|---|
YubiKey Bio - FIDO Edition [9] | Yes | Yes | No | No | No | No |
YubiKey C Bio - FIDO Edition [10] | Yes | Yes | No | No | No | No |
Security Key Series
Device | FIDO2 | U2F | OTP | OATH | PIV | OpenPGP |
---|---|---|---|---|---|---|
Security Key NFC - Enterprise Edition [11] | Yes | Yes | No | No | No | No |
Security Key C NFC - Enterprise Edition [12] | Yes | Yes | No | No | No | No |
Security Key C NFC [13] | Yes | Yes | No | No | No | No |
Security Key by Yubico [14] | Yes | Yes | No | No | No | No |
FIDO U2F Security Key [15] | Yes | Yes | No | No | No | No |
Security Key NFC [16] | Yes | Yes | No | No | No | No |
YubiKey 5 Series
Device | FIDO2 | U2F | OTP | OATH | PIV | OpenPGP |
---|---|---|---|---|---|---|
YubiKey 5C NFC [17] | Yes | Yes | Yes | Yes | Yes | Yes |
YubiKey 5 Nano [18] | Yes | Yes | Yes | Yes | Yes | Yes |
YubiKey 5C Nano [19] | Yes | Yes | Yes | Yes | Yes | Yes |
YubiKey 5 NFC [20] | Yes | Yes | Yes | Yes | Yes | Yes |
YubiKey 5Ci [21] | Yes | Yes | Yes | Yes | Yes | Yes |
YubiKey 5C [22] | Yes | Yes | Yes | Yes | Yes | Yes |
YubiKey FIPS (4 Series)
Device | FIDO2 | U2F | OTP | OATH | PIV | OpenPGP |
---|---|---|---|---|---|---|
YubiKey C Nano FIPS (4 Series) [23] | No | Yes | Yes | Yes | Yes | Yes |
YubiKey FIPS (4 series) [24] | No | Yes | Yes | Yes | Yes | Yes |
YubiKey Nano FIPS (4 series) [25] | No | Yes | Yes | Yes | Yes | Yes |
YubiKey C FIPS (4 series) [26] | No | Yes | Yes | Yes | Yes | Yes |
YubiHSM Series
Device | FIDO2 | U2F | OTP | OATH | PIV | OpenPGP |
---|---|---|---|---|---|---|
YubiHSM 1 [27] | No | No | No | No | No | No |
YubiHSM2 [28] | No | No | No | No | No | No |
Legacy Devices
Device | FIDO2 | U2F | OTP | OATH | PIV | OpenPGP |
---|---|---|---|---|---|---|
YubiKey Edge-n [29] | No | Yes | Yes | No | No | No |
YubiKey Edge [30] | No | Yes | Yes | No | No | No |
YubiKey NEO [31] | No | Yes | Yes | Yes | Yes | Yes |
YubiKey NEO-n [32] | No | Yes | Yes | Yes | Yes | Yes |
YubiKey Nano [33] | No | No | Yes | No | No | No |
YubiKey Standard [34] | No | No | Yes | No | No | No |
YubiKey 4 Series
Device | FIDO2 | U2F | OTP | OATH | PIV | OpenPGP |
---|---|---|---|---|---|---|
YubiKey 4 [35] | No | Yes | Yes | Yes | Yes | Yes |
YubiKey 4C Nano [36] | No | Yes | Yes | Yes | Yes | Yes |
YubiKey 4 Nano [37] | No | Yes | Yes | Yes | Yes | Yes |
YubiKey 4C [38] | No | Yes | Yes | Yes | Yes | Yes |
Kernel
Device Drivers  --->
    HID support  --->
        -*- HID bus support
        [*]   /dev/hidraw raw HID device support
            USB HID support  --->
                [*] /dev/hiddev raw HID device support
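To confirm that a kernel configuration file actually has these options set, a check like the following can be used. This is an added example, not part of the original page; the CONFIG_ names are the Kconfig symbols assumed to sit behind the menu entries above, and the sample configuration is constructed.

```shell
#!/bin/sh
# Kconfig symbols assumed to correspond to the menu entries above
# (the page lists only the menu labels, not the symbols).
REQUIRED_OPTS="CONFIG_HID CONFIG_HIDRAW CONFIG_USB_HID CONFIG_USB_HIDDEV"

# check_yubikey_kconfig FILE
# Prints one status line per option; returns the number of missing options.
check_yubikey_kconfig() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 255; }
    missing=0
    for opt in $REQUIRED_OPTS; do
        # Anchor on "SYMBOL=" so CONFIG_HID does not match CONFIG_HIDRAW,
        # and so "# CONFIG_X is not set" lines count as missing.
        val=$(sed -n "s/^${opt}=\([ym]\)\$/\1/p" "$cfg" | head -n 1)
        case $val in
            y) echo "ok       $opt (built in)" ;;
            m) echo "ok       $opt (module)" ;;
            *) echo "MISSING  $opt"; missing=$((missing + 1)) ;;
        esac
    done
    return "$missing"
}

# Constructed sample: a config where /dev/hidraw support was left disabled.
sample_config() {
    cat <<'EOF'
CONFIG_HID=y
# CONFIG_HIDRAW is not set
CONFIG_USB_HID=m
CONFIG_USB_HIDDEV=y
EOF
}

# With an argument, check that file; without one, run on the sample.
if [ $# -gt 0 ]; then
    check_yubikey_kconfig "$1"
else
    tmp=$(mktemp)
    sample_config > "$tmp"
    check_yubikey_kconfig "$tmp" || echo "$? option(s) missing in sample"
    rm -f "$tmp"
fi
```

Pass the path of the configuration to check as the first argument, for example /usr/src/linux/.config.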
Configuration
There are various utilities for configuring YubiKeys:
- app-crypt/yubioath-flutter-bin allows interface configuration and generates TOTP codes. It is officially called Yubico Authenticator and requires the pcscd service, which is described below.
- app-crypt/yubikey-manager allows configuration of OTP, FIDO2, and PIV, and enabling/disabling different interfaces (e.g. NFC).
- app-crypt/yubikey-manager-qt is a GUI for app-crypt/yubikey-manager.
- sys-auth/yubico-piv-tool is a CLI tool for PIV configuration.
- sys-auth/yubikey-personalization-gui allows very low-level and batch configuration of YubiKeys.
PIV
To use the PIV (smart card) module on a YubiKey, the pcscd service must be running. pcscd is part of sys-apps/pcsc-lite, which is pulled in as a dependency of sys-auth/yubico-piv-tool, app-crypt/yubikey-manager, and app-crypt/yubikey-manager-qt.
OpenRC
To start the service, run:
root # rc-service pcscd start
To add the pcscd service to the default runlevel, execute:
root # rc-update add pcscd default
Systemd
To start the pcscd service, run:
root # systemctl start pcscd
To enable the pcscd service on startup, run:
root # systemctl enable pcscd
OpenPGP
PAM
SSH
See also
- PAM — allows (third party) services to provide an authentication module for their service which can then be used on PAM enabled systems.
- GnuPG
- Google Authenticator — describes an easy way to set up two-factor authentication on Gentoo.
External resources
- Yubico Support — contains many articles on YubiKey configuration.
References
- [1] https://support.yubico.com/hc/en-us/articles/360013708900-Using-Your-U2F-YubiKey-with-Linux
- [2] https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP
- [3] https://support.yubico.com/hc/en-us/articles/360021467299-YubiKey-5C-NFC-FIPS
- [4] https://support.yubico.com/hc/en-us/articles/360021443340-YubiKey-5-NFC-FIPS
- [5] https://support.yubico.com/hc/en-us/articles/360021443360-YubiKey-5Ci-FIPS
- [6] https://support.yubico.com/hc/en-us/articles/360021467359-YubiKey-5C-FIPS
- [7] https://support.yubico.com/hc/en-us/articles/360021443380-YubiKey-5C-Nano-FIPS
- [8] https://support.yubico.com/hc/en-us/articles/360021443380-YubiKey-5C-Nano-FIPS
- [9] https://support.yubico.com/hc/en-us/articles/360021467299-YubiKey-5C-NFC-FIPS
- [10] https://support.yubico.com/hc/en-us/articles/4407752687378-YubiKey-C-Bio-FIDO-Edition
- [11] https://support.yubico.com/hc/en-us/articles/7450466556700-Security-Key-NFC-Enterprise-Edition
- [12] https://support.yubico.com/hc/en-us/articles/7450467794076-Security-Key-C-NFC-Enterprise-Edition
- [13] https://support.yubico.com/hc/en-us/articles/4408701728914-Security-Key-C-NFC
- [14] https://support.yubico.com/hc/en-us/articles/360013647720-Security-Key-by-Yubico
- [15] https://support.yubico.com/hc/en-us/articles/360013656800-FIDO-U2F-Security-Key
- [16] https://support.yubico.com/hc/en-us/articles/360013779399-Security-Key-NFC
- [17] https://support.yubico.com/hc/en-us/articles/360013656980-YubiKey-5-NFC
- [18] https://support.yubico.com/hc/en-us/articles/360013708340-YubiKey-5-Nano
- [19] https://support.yubico.com/hc/en-us/articles/360013724699-YubiKey-5C-Nano
- [20] https://support.yubico.com/hc/en-us/articles/360016649339-YubiKey-5C-NFC
- [21] https://support.yubico.com/hc/en-us/articles/360013708440-YubiKey-5Ci
- [22] https://support.yubico.com/hc/en-us/articles/360013724359-YubiKey-5C
- [23] https://support.yubico.com/hc/en-us/articles/360013761279-YubiKey-C-Nano-FIPS-4-Series-
- [24] https://support.yubico.com/hc/en-us/articles/360013761699-YubiKey-FIPS-4-Series-
- [25] https://support.yubico.com/hc/en-us/articles/360013778259-YubiKey-Nano-FIPS-4-Series-
- [26] https://support.yubico.com/hc/en-us/articles/360013729079--YubiKey-C-FIPS-4-Series-
- [27] https://support.yubico.com/hc/en-us/articles/360013662860--YubiHSM-1
- [28] https://support.yubico.com/hc/en-us/articles/360013643200-YubiHSM-2
- [29] https://support.yubico.com/hc/en-us/articles/360013714659-YubiKey-Edge-n
- [30] https://support.yubico.com/hc/en-us/articles/360013714619-YubiKey-Edge
- [31] https://support.yubico.com/hc/en-us/articles/360013714579-YubiKey-NEO
- [32] https://support.yubico.com/hc/en-us/articles/360013714639-YubiKey-NEO-n
- [33] https://support.yubico.com/hc/en-us/articles/360013656840-YubiKey-Nano
- [34] https://support.yubico.com/hc/en-us/articles/360013656120-YubiKey-Standard
- [35] https://support.yubico.com/hc/en-us/articles/360013714599-YubiKey-4
- [36] https://support.yubico.com/hc/en-us/articles/360013647840-YubiKey-4C-Nano
- [37] https://support.yubico.com/hc/en-us/articles/360013647780-YubiKey-4-Nano
- [38] https://support.yubico.com/hc/en-us/articles/360013647820-YubiKey-4C