YubiKey

The YubiKey is a hardware security device that can be used to safely store cryptographic keys, OTP tokens, and challenge response seeds which can be used for authentication or encryption.

Modern YubiKeys have an OpenPGP module which can be used to store GPG keys, they also include U2F modules which can be used for authentication.

Hardware

The following tables list all current (2023-04-28) YubiKey devices and their module support as stated on the Yubico website^[1][2].

An in-depth table showing the features of current YubiKeys is located on their store

YubiKey 5 FIPS series

YubiKey 5 BIO series

Security Key Series

YubiKey 5 Series

YubiKey FIPS (4 Series)

YubiHSM Series

Legacy Devices

YubiKey 4 Series

Kernel

Device Drivers  --->
  HID support  --->
    -*- HID bus support
    [*]   /dev/hidraw raw HID device support
    USB HID support  --->
      [*] /dev/hiddev raw HID device support

Usage

The different modes of operation of YubiKeys also require different ways for software to interact with them:

• U2F (through generic HID devices)
• FIDO (through generic HID devices)
• Yubico OTP (through libusb)
• Oath TOTP/HOTP (through libusb)
• PIV Smart Card (through PC/SC)
• PGP Smart Card (through a GnuPG-specific PC/SC interface)

U2F & FIDO

To use Yubikey as U2F/FIDO device, generic HID (hidraw) devices may be used.

sys-auth/pam_u2f and net-misc/openssh with the securitykey USE flag depend on dev-libs/libfido2, which is required to make use of the FIDO2 functions of YubiKeys.

This mode of interacting with YubiKeys is used by:

• YubiKey/PAM
• YubiKey/SSH

Yubico OTP & Oath TOTP/HOTP

To use Yubikey in some modes, such as OTP challenge-response, raw USB access may be used. This can be either directly or through a library such as sys-auth/libyubikey.

This mode of interacting with Yubikeys is used by:

• sys-auth/libyubikey
• sys-auth/yubikey-personalization-gui aka ykinfo
• app-admin/keepassxc

PIV Smart Card

To use Yubikey as a PIV Smart Card, it can be accessed according to the PC/SC specification (short for "Personal Computer/Smart Card"). sys-apps/pcsc-lite provides the daemon pcscd-service to interact with smart cards. Instructions for setting up PC/SC can be found at PCSC-Lite.

This mode of interacting with Yubikeys is used by:

• sys-auth/yubico-piv-tool
• app-crypt/yubikey-manager aka ykman
• app-crypt/yubikey-manager-gui

GPG

Some Yubikeys also run a OpenPGP Smart Card applet. Although it's technically PC/SC, GnuGPG is used directly to interact with the Yubikey. This mode of interacting with Yubikeys is used by:

• YubiKey/GPG
• YubiKey/SSH through GPG

Configuration

There are various utilities for the configuration of Yubikeys:

• app-crypt/yubioath-flutter-bin allows interface-configuration and generating TOTP-Codes, it is officially called Yubico-Authenticator. It requires the pcscd-service, which is described below.
• app-crypt/yubikey-manager aka ykman allows configuration of OTP, FIDO2, PIV, and enabling/disabling different interfaces (e.g. NFC)
• app-crypt/yubikey-manager-qt a GUI for app-crypt/yubikey-manager
• sys-auth/yubico-piv-tool CLI-tool for PIV configuration
• sys-auth/yubikey-personalization-gui aka ykinfo allows very low-level and batch configuration of Yubikeys

See also

• PAM — allows (third party) services to provide an authentication module for their service which can then be used on PAM enabled systems.
• GnuPG — a free implementation of the OpenPGP standard (RFC 4880).
• Google Authenticator — describes an easy way to setup two-factor authentication on Gentoo.

External resources

• Yubico Support, Contains many articles on YubiKey configuration

References