Skip to content

Instantly share code, notes, and snippets.

Last active January 18, 2020 01:26
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
Setting up YubiKeys Notes

Setting up YubiKeys Notes


To setup a YubiKey 4 and YubiKey 5 NFC to both authenticate myself for the following services:

  1. U2F for Google Advanced Protection, GitHub, etc.
  2. OpenPGP smart card (using same private key on both devices) for signing, encrypting, and auth (including SSH)
  3. Yubico OTP (for some legacy services, etc)

The YubiKey 5 NFC will be carried around with me on my keychain and will be my daily driver. The YubiKey 4 will be stored in a safe place.

The best manual I can find for securing things is the YubiKey FIPS manual:

Completed Tasks

  1. Lock slot 1 on both cards with a 6 byte password that only I know. This will prevent the Yubico OTP credentials from being changed and should also disallow enabling/disabling of other operations that the card can do.
ykman otp --access-code=<access code> settings 1
  1. Configure Google Advanced Protection to use these two keys, then log in correctly on Chrome/Chromium and on my phone:
  2. Add both YubiKeys' Yubico OTP to Bitwarden.
  3. Setup U2F 2nd factor auth for all providers who support it that I use (ie: github, bitwarden, etc).

Uncompleted Tasks

  1. On live CD running machine, gerenate a long living GnuPG private/public RSA4096 master signing key pair, use password and store in tmpfs.
  2. Print a copy of the private key and store somewhere safe.
  3. Burn master key pair to an archival CD/DVD and store somewhere safe.
  4. Transfer master key pair onto Yubikey 4 OpenPGP applet.
  5. Generate shorter living RSA4096 signing, encryption, and authentication sub keys. Have master key sign all of these as sub keys.
  6. Transfer new sub keys to Yubikey 5.
  7. Delete all keys from tmpfs. Power off laptop and remove battery for an hour.
  8. Now master private key only exists in safe place on paper and CD, and on Yubikey 4. Now subkey private keys only exist on Yubikey 5.
  9. Boot normal Linux machine.
  10. Push master public key to a keyserver. It will show that it has signed my subkeys.
  11. Output SSH key from Yubikey 5 auth subkey and upload to all services which I currently use key based SSH auth for (ie: github, gitlab, servers @work, etc).
  12. Store printed key, archive CD with key, and Yubikey 4 somewhere safe.
  13. Document this stuff!

I should then revoke my old Yubikey NEO public keys with the key server.

When I need to make new subkeys (every year or so) or to sign someone else's key for them, I will use the Yubikey 4. For everything else I'll use just the Yubikey 5.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment