YubiKey

From Gentoo Wiki

The YubiKey is a hardware security device that can be used to safely store cryptographic keys, OTP tokens, and challenge response seeds which can be used for authentication or encryption.

Modern YubiKeys have an OpenPGP module which can be used to store GPG keys; they also include U2F modules which can be used for authentication.

Hardware

The following tables list all current (2023-04-28) YubiKey devices and their module support as stated on the Yubico website[1][2].

An in-depth table showing the features of current YubiKeys is located on the Yubico store.

YubiKey 5 FIPS series

| Device | FIDO2 | U2F | OTP | OATH | PIV (PC/SC) | OpenPGP |
|---|---|---|---|---|---|---|
| YubiKey 5C NFC FIPS [3] | Yes | Yes | Yes | Yes | Yes | Yes |
| YubiKey 5 NFC FIPS [4] | Yes | Yes | Yes | Yes | Yes | Yes |
| YubiKey 5Ci FIPS [5] | Yes | Yes | Yes | Yes | Yes | Yes |
| YubiKey 5C FIPS [6] | Yes | Yes | Yes | Yes | Yes | Yes |
| YubiKey 5 Nano FIPS [7] | Yes | Yes | Yes | Yes | Yes | Yes |
| YubiKey 5C Nano FIPS [8] | Yes | Yes | Yes | Yes | Yes | Yes |

YubiKey 5 BIO series

| Device | FIDO2 | U2F | OTP | OATH | PIV (PC/SC) | OpenPGP |
|---|---|---|---|---|---|---|
| YubiKey Bio - FIDO Edition [9] | Yes | Yes | No | No | No | No |
| YubiKey C Bio - FIDO Edition [10] | Yes | Yes | No | No | No | No |

Security Key Series

| Device | FIDO2 | U2F | OTP | OATH | PIV (PC/SC) | OpenPGP |
|---|---|---|---|---|---|---|
| Security Key NFC - Enterprise Edition [11] | Yes | Yes | No | No | No | No |
| Security Key C NFC - Enterprise Edition [12] | Yes | Yes | No | No | No | No |
| Security Key C NFC [13] | Yes | Yes | No | No | No | No |
| Security Key by Yubico [14] | Yes | Yes | No | No | No | No |
| FIDO U2F Security Key [15] | Yes | Yes | No | No | No | No |
| Security Key NFC [16] | Yes | Yes | No | No | No | No |

YubiKey 5 Series

| Device | FIDO2 | U2F | OTP | OATH | PIV (PC/SC) | OpenPGP |
|---|---|---|---|---|---|---|
| YubiKey 5C NFC [17] | Yes | Yes | Yes | Yes | Yes | Yes |
| YubiKey 5 Nano [18] | Yes | Yes | Yes | Yes | Yes | Yes |
| YubiKey 5C Nano [19] | Yes | Yes | Yes | Yes | Yes | Yes |
| YubiKey 5 NFC [20] | Yes | Yes | Yes | Yes | Yes | Yes |
| YubiKey 5Ci [21] | Yes | Yes | Yes | Yes | Yes | Yes |
| YubiKey 5C [22] | Yes | Yes | Yes | Yes | Yes | Yes |

YubiKey FIPS (4 Series)

| Device | FIDO2 | U2F | OTP | OATH | PIV (PC/SC) | OpenPGP |
|---|---|---|---|---|---|---|
| YubiKey C Nano FIPS (4 Series) [23] | No | Yes | Yes | Yes | Yes | Yes |
| YubiKey FIPS (4 series) [24] | No | Yes | Yes | Yes | Yes | Yes |
| YubiKey Nano FIPS (4 series) [25] | No | Yes | Yes | Yes | Yes | Yes |
| YubiKey C FIPS (4 series) [26] | No | Yes | Yes | Yes | Yes | Yes |

YubiHSM Series

| Device | FIDO2 | U2F | OTP | OATH | PIV (PC/SC) | OpenPGP |
|---|---|---|---|---|---|---|
| YubiHSM 1 [27] | No | No | No | No | No | No |
| YubiHSM2 [28] | No | No | No | No | No | No |

Legacy Devices

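| Device | FIDO2 | U2F | OTP | OATH | PIV (PC/SC) | OpenPGP |
|---|---|---|---|---|---|---|
| YubiKey Edge-n [29] | No | Yes | Yes | No | No | No |
| YubiKey Edge [30] | No | Yes | Yes | No | No | No |
| YubiKey NEO [31] | No | Yes | Yes | Yes | Yes | Yes |
| YubiKey NEO-n [32] | No | Yes | Yes | Yes | Yes | Yes |
| YubiKey Nano [33] | No | No | Yes | No | No | No |
| YubiKey Standard [34] | No | No | Yes | No | No | No |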

YubiKey 4 Series

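| Device | FIDO2 | U2F | OTP | OATH | PIV (PC/SC) | OpenPGP |
|---|---|---|---|---|---|---|
| YubiKey 4 [35] | No | Yes | Yes | Yes | Yes | Yes |
| YubiKey 4C Nano [36] | No | Yes | Yes | Yes | Yes | Yes |
| YubiKey 4 Nano [37] | No | Yes | Yes | Yes | Yes | Yes |
| YubiKey 4C [38] | No | Yes | Yes | Yes | Yes | Yes |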

Kernel

KERNEL Enable support for raw HID devices
Device Drivers  --->
  HID support  --->
    -*- HID bus support
    [*]   /dev/hidraw raw HID device support
    USB HID support  --->
      [*] /dev/hiddev raw HID device support

Usage

The different modes of operation of YubiKeys also require different ways for software to interact with them:

  • U2F (through generic HID devices)
  • FIDO (through generic HID devices)
  • Yubico OTP (through libusb)
  • OATH TOTP/HOTP (through libusb)
  • PIV Smart Card (through PC/SC)
  • PGP Smart Card (through a GnuPG-specific PC/SC interface)
Note
dev-libs/libfido2 provides udev rules that allow the plugdev group to access these devices; regular users need to be members of the 'plugdev' group to access the key. [39]

U2F & FIDO

To use a YubiKey as a U2F/FIDO device, generic HID (hidraw) devices may be used.

sys-auth/pam_u2f and net-misc/openssh with the securitykey USE flag depend on dev-libs/libfido2, which is required to make use of the FIDO2 functions of YubiKeys.

This mode of interacting with YubiKeys is used by:

Yubico OTP & OATH TOTP/HOTP

To use a YubiKey in some modes, such as OTP challenge-response, raw USB access may be used. Access can be either direct or through a library such as sys-auth/libyubikey.

This mode of interacting with YubiKeys is used by:

Note
Regular users need to be members of the 'usb' group to access USB devices; otherwise they will be confronted with unspecific 'access denied' messages.
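The prerequisites named so far (the two raw HID options from the Kernel section and the 'plugdev' and 'usb' groups from the notes above) can be checked with a short script. This is an added example, not part of the original wiki page; the symbol names CONFIG_HIDRAW and CONFIG_USB_HIDDEV are the kernel's names for the two menu entries, 0x1050 is Yubico's USB vendor ID, and the config path and script name are assumptions.

```shell
#!/bin/sh
# Added example: preflight checks for the prerequisites named on this page.

# Print the options from the Kernel section that are not built in.
#   CONFIG_HIDRAW     = "/dev/hidraw raw HID device support"
#   CONFIG_USB_HIDDEV = "/dev/hiddev raw HID device support"
missing_kernel_opts() {
    cfg=$1
    for sym in CONFIG_HIDRAW CONFIG_USB_HIDDEV; do
        grep -q "^${sym}=y\$" "$cfg" || printf '%s\n' "$sym"
    done
}

# Print each required group that is absent from a space-separated group
# list; pass the output of `id -nG` as the first argument.
missing_groups() {
    have=" $1 "; shift
    for grp in "$@"; do
        case $have in
            *" $grp "*) ;;                 # exact name match only
            *) printf '%s\n' "$grp" ;;
        esac
    done
}

# Print the hidraw nodes whose HID vendor ID is 0x1050 (Yubico).
# sysroot is /sys/class/hidraw on a live system.
yubico_hidraw_nodes() {
    sysroot=$1
    for ue in "$sysroot"/hidraw*/device/uevent; do
        [ -r "$ue" ] || continue
        # HID_ID has the form BUS:VENDOR:PRODUCT, all fields in hex.
        if grep -qi '^HID_ID=[0-9a-f]*:00001050:' "$ue"; then
            node=${ue%/device/uevent}
            printf '%s\n' "${node##*/}"
        fi
    done
}

# Live run: YK_LIVE=1 sh yk-preflight.sh  (script name is hypothetical;
# /usr/src/linux/.config is assumed to be the running kernel's config).
if [ "${YK_LIVE:-0}" = 1 ]; then
    echo "Kernel options not built in:"
    missing_kernel_opts /usr/src/linux/.config
    echo "Groups missing for $(id -un):"
    missing_groups "$(id -nG)" plugdev usb
    echo "Yubico hidraw nodes:"
    yubico_hidraw_nodes /sys/class/hidraw
fi
```

An empty list under the first two headings and at least one node under the third means the HID-based modes have what they need; PC/SC and GnuPG access are not covered by these checks.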

PIV Smart Card

To use a YubiKey as a PIV Smart Card, it can be accessed according to the PC/SC specification (short for "Personal Computer/Smart Card"). sys-apps/pcsc-lite provides the daemon pcscd-service to interact with smart cards. Instructions for setting up PC/SC can be found at PCSC-Lite.

This mode of interacting with YubiKeys is used by:

Note
udev/plugdev need to be configured correctly for the PC/SC daemon to pick up YubiKey plug events.

GPG

Some YubiKeys also run an OpenPGP Smart Card applet. Although it is technically PC/SC, GnuPG is used directly to interact with the YubiKey. This mode of interacting with YubiKeys is used by:

Note
Generally, using any PIV or other PC/SC tools conflicts with GPG working properly.

Configuration

There are various utilities for the configuration of YubiKeys:

See also

  • PAM — allows (third party) services to provide an authentication module for their service which can then be used on PAM enabled systems.
  • GnuPG — a free implementation of the OpenPGP standard (RFC 4880).
  • Google Authenticator — describes an easy way to setup two-factor authentication on Gentoo.
  • OATH-Toolkit — toolkit for (OTP) One-Time Password authentication using HOTP/TOTP algorithms.

External resources

References

  1. https://support.yubico.com/hc/en-us/articles/360013708900-Using-Your-U2F-YubiKey-with-Linux
  2. https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP
  3. https://support.yubico.com/hc/en-us/articles/360021467299-YubiKey-5C-NFC-FIPS
  4. https://support.yubico.com/hc/en-us/articles/360021443340-YubiKey-5-NFC-FIPS
  5. https://support.yubico.com/hc/en-us/articles/360021443360-YubiKey-5Ci-FIPS
  6. https://support.yubico.com/hc/en-us/articles/360021467359-YubiKey-5C-FIPS
  7. https://support.yubico.com/hc/en-us/articles/360021443380-YubiKey-5C-Nano-FIPS
  8. https://support.yubico.com/hc/en-us/articles/360021443380-YubiKey-5C-Nano-FIPS
  9. https://support.yubico.com/hc/en-us/articles/360021467299-YubiKey-5C-NFC-FIPS
  10. https://support.yubico.com/hc/en-us/articles/4407752687378-YubiKey-C-Bio-FIDO-Edition
  11. https://support.yubico.com/hc/en-us/articles/7450466556700-Security-Key-NFC-Enterprise-Edition
  12. https://support.yubico.com/hc/en-us/articles/7450467794076-Security-Key-C-NFC-Enterprise-Edition
  13. https://support.yubico.com/hc/en-us/articles/4408701728914-Security-Key-C-NFC
  14. https://support.yubico.com/hc/en-us/articles/360013647720-Security-Key-by-Yubico
  15. https://support.yubico.com/hc/en-us/articles/360013656800-FIDO-U2F-Security-Key
  16. https://support.yubico.com/hc/en-us/articles/360013779399-Security-Key-NFC
  17. https://support.yubico.com/hc/en-us/articles/360013656980-YubiKey-5-NFC
  18. https://support.yubico.com/hc/en-us/articles/360013708340-YubiKey-5-Nano
  19. https://support.yubico.com/hc/en-us/articles/360013724699-YubiKey-5C-Nano
  20. https://support.yubico.com/hc/en-us/articles/360016649339-YubiKey-5C-NFC
  21. https://support.yubico.com/hc/en-us/articles/360013708440-YubiKey-5Ci
  22. https://support.yubico.com/hc/en-us/articles/360013724359-YubiKey-5C
  23. https://support.yubico.com/hc/en-us/articles/360013761279-YubiKey-C-Nano-FIPS-4-Series-
  24. https://support.yubico.com/hc/en-us/articles/360013761699-YubiKey-FIPS-4-Series-
  25. https://support.yubico.com/hc/en-us/articles/360013778259-YubiKey-Nano-FIPS-4-Series-
  26. https://support.yubico.com/hc/en-us/articles/360013729079--YubiKey-C-FIPS-4-Series-
  27. https://support.yubico.com/hc/en-us/articles/360013662860--YubiHSM-1
  28. https://support.yubico.com/hc/en-us/articles/360013643200-YubiHSM-2
  29. https://support.yubico.com/hc/en-us/articles/360013714659-YubiKey-Edge-n
  30. https://support.yubico.com/hc/en-us/articles/360013714619-YubiKey-Edge
  31. https://support.yubico.com/hc/en-us/articles/360013714579-YubiKey-NEO
  32. https://support.yubico.com/hc/en-us/articles/360013714639-YubiKey-NEO-n
  33. https://support.yubico.com/hc/en-us/articles/360013656840-YubiKey-Nano
  34. https://support.yubico.com/hc/en-us/articles/360013656120-YubiKey-Standard
  35. https://support.yubico.com/hc/en-us/articles/360013714599-YubiKey-4
  36. https://support.yubico.com/hc/en-us/articles/360013647840-YubiKey-4C-Nano
  37. https://support.yubico.com/hc/en-us/articles/360013647780-YubiKey-4-Nano
  38. https://support.yubico.com/hc/en-us/articles/360013647820-YubiKey-4C
  39. https://forums.gentoo.org/viewtopic-t-1119574-start-0.html