YubiKey
From Gentoo Wiki
The YubiKey is a hardware security device that can be used to safely store cryptographic keys, OTP tokens, and challenge response seeds which can be used for authentication or encryption.
Modern YubiKeys have an OpenPGP module which can be used to store GPG keys, they also include U2F modules which can be used for authentication.
Hardware
The following tables list all current (2023-04-28) YubiKey devices and their module support as stated on the Yubico website[1][2].
An in-depth table showing the features of current YubiKeys is located on their store
YubiKey 5 FIPS series
| Device | FIDO2 | U2F | OTP | OATH | PIV (PC/SC) | OpenPGP |
|---|---|---|---|---|---|---|
| YubiKey 5C NFC FIPS [3] | Yes | Yes | Yes | Yes | Yes | Yes |
| YubiKey 5 NFC FIPS [4] | Yes | Yes | Yes | Yes | Yes | Yes |
| YubiKey 5Ci FIPS [5] | Yes | Yes | Yes | Yes | Yes | Yes |
| YubiKey 5C FIPS [6] | Yes | Yes | Yes | Yes | Yes | Yes |
| YubiKey 5 Nano FIPS [7] | Yes | Yes | Yes | Yes | Yes | Yes |
| YubiKey 5C Nano FIPS [8] | Yes | Yes | Yes | Yes | Yes | Yes |
YubiKey 5 BIO series
| Device | FIDO2 | U2F | OTP | OATH | PIV (PC/SC) | OpenPGP |
|---|---|---|---|---|---|---|
| YubiKey Bio - FIDO Edition [9] | Yes | Yes | No | No | No | No |
| YubiKey C Bio - FIDO Edition [10] | Yes | Yes | No | No | No | No |
Security Key Series
| Device | FIDO2 | U2F | OTP | OATH | PIV (PC/SC) | OpenPGP |
|---|---|---|---|---|---|---|
| Security Key NFC - Enterprise Edition [11] | Yes | Yes | No | No | No | No |
| Security Key C NFC - Enterprise Edition [12] | Yes | Yes | No | No | No | No |
| Security Key C NFC [13] | Yes | Yes | No | No | No | No |
| Security Key by Yubico [14] | Yes | Yes | No | No | No | No |
| FIDO U2F Security Key [15] | Yes | Yes | No | No | No | No |
| Security Key NFC [16] | Yes | Yes | No | No | No | No |
YubiKey 5 Series
| Device | FIDO2 | U2F | OTP | OATH | PIV (PC/SC) | OpenPGP |
|---|---|---|---|---|---|---|
| YubiKey 5C NFC [17] | Yes | Yes | Yes | Yes | Yes | Yes |
| YubiKey 5 Nano [18] | Yes | Yes | Yes | Yes | Yes | Yes |
| YubiKey 5C Nano [19] | Yes | Yes | Yes | Yes | Yes | Yes |
| YubiKey 5 NFC [20] | Yes | Yes | Yes | Yes | Yes | Yes |
| YubiKey 5Ci [21] | Yes | Yes | Yes | Yes | Yes | Yes |
| YubiKey 5C [22] | Yes | Yes | Yes | Yes | Yes | Yes |
YubiKey FIPS (4 Series)
| Device | FIDO2 | U2F | OTP | OATH | PIV (PC/SC) | OpenPGP |
|---|---|---|---|---|---|---|
| YubiKey C Nano FIPS (4 Series) [23] | No | Yes | Yes | Yes | Yes | Yes |
| YubiKey FIPS (4 series) [24] | No | Yes | Yes | Yes | Yes | Yes |
| YubiKey Nano FIPS (4 series) [25] | No | Yes | Yes | Yes | Yes | Yes |
| YubiKey C FIPS (4 series) [26] | No | Yes | Yes | Yes | Yes | Yes |
YubiHSM Series
| Device | FIDO2 | U2F | OTP | OATH | PIV (PC/SC) | OpenPGP |
|---|---|---|---|---|---|---|
| YubiHSM 1 [27] | No | No | No | No | No | No |
| YubiHSM2 [28] | No | No | No | No | No | No |
Legacy Devices
| Device | FIDO2 | U2F | OTP | OATH | PIV (PC/SC) | OpenPGP |
|---|---|---|---|---|---|---|
| YubiKey Edge-n [29] | No | Yes | Yes | No | No | No |
| YubiKey Edge [30] | No | Yes | Yes | No | No | No |
| YubiKey NEO [31] | No | Yes | Yes | Yes | Yes | Yes |
| YubiKey NEO-n [32] | No | Yes | Yes | Yes | Yes | Yes |
| YubiKey Nano [33] | No | No | Yes | No | No | No |
| YubiKey Standard [34] | No | No | Yes | No | No | No |
YubiKey 4 Series
| Device | FIDO2 | U2F | OTP | OATH | PIV (PC/SC) | OpenPGP |
|---|---|---|---|---|---|---|
| YubiKey 4 [35] | No | Yes | Yes | Yes | Yes | Yes |
| YubiKey 4C Nano [36] | No | Yes | Yes | Yes | Yes | Yes |
| YubiKey 4 Nano [37] | No | Yes | Yes | Yes | Yes | Yes |
| YubiKey 4C [38] | No | Yes | Yes | Yes | Yes | Yes |
Kernel
KERNEL Enable support for raw HID devices
Device Drivers --->
HID support --->
-*- HID bus support
[*] /dev/hidraw raw HID device support
USB HID support --->
[*] /dev/hiddev raw HID device support
Usage
The different modes of operation of YubiKeys also require different ways for software to interact with them:
- U2F (through generic HID devices)
- FIDO (through generic HID devices)
- Yubico OTP (through libusb)
- Oath TOTP/HOTP (through libusb)
- PIV Smart Card (through PC/SC)
- PGP Smart Card (through a GnuPG-specific PC/SC interface)
U2F & FIDO
To use Yubikey as U2F/FIDO device, generic HID (hidraw) devices may be used.
sys-auth/pam_u2f and net-misc/openssh with the securitykey USE flag depend on dev-libs/libfido2, which is required to make use of the FIDO2 functions of YubiKeys.
This mode of interacting with YubiKeys is used by:
Yubico OTP & Oath TOTP/HOTP
To use Yubikey in some modes, such as OTP challenge-response, raw USB access may be used. This can be either directly or through a library such as sys-auth/libyubikey.
This mode of interacting with Yubikeys is used by:
Note
Regular users need to be part of 'usb' group to access USB or will be confronted with unspecific 'access denied' messages.
Regular users need to be part of 'usb' group to access USB or will be confronted with unspecific 'access denied' messages.
PIV Smart Card
To use Yubikey as a PIV Smart Card, it can be accessed according to the PC/SC specification (short for "Personal Computer/Smart Card"). sys-apps/pcsc-lite provides the daemon pcscd-service to interact with smart cards. Instructions for setting up PC/SC can be found at PCSC-Lite.
This mode of interacting with Yubikeys is used by:
Note
udev/plugdev need to be configured correctly for the PC/SC daemon to pick-up yubikey plug events.
udev/plugdev need to be configured correctly for the PC/SC daemon to pick-up yubikey plug events.
GPG
Some Yubikeys also run a OpenPGP Smart Card applet. Although it's technically PC/SC, GnuGPG is used directly to interact with the Yubikey. This mode of interacting with Yubikeys is used by:
- YubiKey/GPG
- YubiKey/SSH through GPG
Note
Generally using any PIV or other PC/SC tools conflicts with GPG working properly.
Generally using any PIV or other PC/SC tools conflicts with GPG working properly.
Configuration
There are various utilities for the configuration of Yubikeys:
- app-crypt/yubioath-flutter-bin allows interface-configuration and generating TOTP-Codes, it is officially called Yubico-Authenticator. It requires the pcscd-service, which is described below.
- app-crypt/yubikey-manager aka
ykmanallows configuration of OTP, FIDO2, PIV, and enabling/disabling different interfaces (e.g. NFC) - app-crypt/yubikey-manager-qt a GUI for app-crypt/yubikey-manager
- sys-auth/yubico-piv-tool CLI-tool for PIV configuration
- sys-auth/yubikey-personalization-gui aka
ykinfoallows very low-level and batch configuration of Yubikeys
See also
- PAM — allows (third party) services to provide an authentication module for their service which can then be used on PAM enabled systems.
- GnuPG — a free implementation of the OpenPGP standard (RFC 4880).
- Google Authenticator — describes an easy way to setup two-factor authentication on Gentoo.
External resources
- Yubico Support, Contains many articles on YubiKey configuration
References
- ↑ https://support.yubico.com/hc/en-us/articles/360013708900-Using-Your-U2F-YubiKey-with-Linux
- ↑ https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP
- ↑ https://support.yubico.com/hc/en-us/articles/360021467299-YubiKey-5C-NFC-FIPS
- ↑ https://support.yubico.com/hc/en-us/articles/360021443340-YubiKey-5-NFC-FIPS
- ↑ https://support.yubico.com/hc/en-us/articles/360021443360-YubiKey-5Ci-FIPS
- ↑ https://support.yubico.com/hc/en-us/articles/360021467359-YubiKey-5C-FIPS
- ↑ https://support.yubico.com/hc/en-us/articles/360021443380-YubiKey-5C-Nano-FIPS
- ↑ https://support.yubico.com/hc/en-us/articles/360021443380-YubiKey-5C-Nano-FIPS
- ↑ https://support.yubico.com/hc/en-us/articles/360021467299-YubiKey-5C-NFC-FIPS
- ↑ https://support.yubico.com/hc/en-us/articles/4407752687378-YubiKey-C-Bio-FIDO-Edition
- ↑ https://support.yubico.com/hc/en-us/articles/7450466556700-Security-Key-NFC-Enterprise-Edition
- ↑ https://support.yubico.com/hc/en-us/articles/7450467794076-Security-Key-C-NFC-Enterprise-Edition
- ↑ https://support.yubico.com/hc/en-us/articles/4408701728914-Security-Key-C-NFC
- ↑ https://support.yubico.com/hc/en-us/articles/360013647720-Security-Key-by-Yubico
- ↑ https://support.yubico.com/hc/en-us/articles/360013656800-FIDO-U2F-Security-Key
- ↑ https://support.yubico.com/hc/en-us/articles/360013779399-Security-Key-NFC
- ↑ https://support.yubico.com/hc/en-us/articles/360013656980-YubiKey-5-NFC
- ↑ https://support.yubico.com/hc/en-us/articles/360013708340-YubiKey-5-Nano
- ↑ https://support.yubico.com/hc/en-us/articles/360013724699-YubiKey-5C-Nano
- ↑ https://support.yubico.com/hc/en-us/articles/360016649339-YubiKey-5C-NFC
- ↑ https://support.yubico.com/hc/en-us/articles/360013708440-YubiKey-5Ci
- ↑ https://support.yubico.com/hc/en-us/articles/360013724359-YubiKey-5C
- ↑ https://support.yubico.com/hc/en-us/articles/360013761279-YubiKey-C-Nano-FIPS-4-Series-
- ↑ https://support.yubico.com/hc/en-us/articles/360013761699-YubiKey-FIPS-4-Series-
- ↑ https://support.yubico.com/hc/en-us/articles/360013778259-YubiKey-Nano-FIPS-4-Series-
- ↑ https://support.yubico.com/hc/en-us/articles/360013729079--YubiKey-C-FIPS-4-Series-
- ↑ https://support.yubico.com/hc/en-us/articles/360013662860--YubiHSM-1
- ↑ https://support.yubico.com/hc/en-us/articles/360013643200-YubiHSM-2
- ↑ https://support.yubico.com/hc/en-us/articles/360013714659-YubiKey-Edge-n
- ↑ https://support.yubico.com/hc/en-us/articles/360013714619-YubiKey-Edge
- ↑ https://support.yubico.com/hc/en-us/articles/360013714579-YubiKey-NEO
- ↑ https://support.yubico.com/hc/en-us/articles/360013714639-YubiKey-NEO-n
- ↑ https://support.yubico.com/hc/en-us/articles/360013656840-YubiKey-Nano
- ↑ https://support.yubico.com/hc/en-us/articles/360013656120-YubiKey-Standard
- ↑ https://support.yubico.com/hc/en-us/articles/360013714599-YubiKey-4
- ↑ https://support.yubico.com/hc/en-us/articles/360013647840-YubiKey-4C-Nano
- ↑ https://support.yubico.com/hc/en-us/articles/360013647780-YubiKey-4-Nano
- ↑ https://support.yubico.com/hc/en-us/articles/360013647820-YubiKey-4C