# Yubikey

- [Yubikey](#yubikey)
  - [Configuration](#configuration)
  - [Software](#software)
  - [GPG](#gpg)
    - [Saving GPG key to card](#saving-gpg-key-to-card)
    - [Using the GPG key on a Yubikey](#using-the-gpg-key-on-a-yubikey)
    - [Factory Reset](#factory-reset)

## Configuration

1. You will likely need the [udev rules](https://support.yubico.com/hc/en-us/articles/360013708900-Using-Your-YubiKey-with-Linux) to use the AppImage configuration tool on Linux, even if your udev version is above 244.

## Software

The [Yubikey Manager](https://www.yubico.com/support/download/yubikey-manager/) is deprecated. Use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) for a GUI.

## GPG

### Saving GPG key to card

On Fedora you'll need to add the following polkit rules to access your smart card.

```bash
export MY_USER=ducoterra

# The heredoc delimiter is unquoted so ${MY_USER} is expanded into the rules.
# Writing under /etc/polkit-1 requires root, hence sudo tee.
sudo tee /etc/polkit-1/rules.d/10-pcsc-custom.rules > /dev/null <<EOF
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "${MY_USER}") {
        return polkit.Result.YES;
    }
});

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        action.lookup("reader") == 'Yubico YubiKey OTP+FIDO+CCID 00 00' &&
        subject.user == "${MY_USER}") {
        return polkit.Result.YES;
    }
});
EOF
```

Now you can add your key to your card.

```bash
gpg --edit-key 1234ABC

# Save both the signature and authentication keys
> keytocard

# Do not save, or your key will be deleted locally
> quit
```

Check the keys on the Yubikey with

```bash
gpg --card-status
```

Once your keys have been loaded, change the PIN.

```bash
gpg --change-pin
```

### Using the GPG key on a Yubikey

```bash
export GPG_EMAIL='myemail@example.com'

# Import the public key. Without this the key won't show up.
gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys "${GPG_EMAIL}"

# Trust the key
gpg --quick-set-ownertrust "${GPG_EMAIL}" full

# Yubikey should now show up
gpg --list-secret-keys
```

### Factory Reset

```bash
gpg --edit-card

> admin
> factory-reset
```
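
Relating to the `keytocard` step under "Saving GPG key to card": the script below is an added example, not part of the original notes, that reports whether each secret key is still on disk or only on the card. It reads `gpg --list-secret-keys --with-colons` output and interprets field 15 as described in GnuPG's `doc/DETAILS`; the function names and the sample listing (key IDs, card serial) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Field 15 of sec/ssb records in --with-colons output:
#   "+"  secret key material is present on disk
#   "#"  secret part is not available (stub only)
#   else serial number of the smart card holding the key

# Print "type keyid capabilities location" for every secret (sub)key on stdin.
classify_secret_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            caps = ($12 == "" ? "-" : $12)
            if ($15 == "+")      where = "on-disk"
            else if ($15 == "#") where = "missing"
            else if ($15 != "")  where = "card:" $15
            else                 where = "unknown"
            printf "%s %s %s %s\n", $1, $5, caps, where
        }'
}

# Succeed only if at least one signing/authentication subkey exists and
# every such subkey lives on a card rather than on disk.
sig_auth_on_card() {
    classify_secret_keys | awk '
        $1 == "ssb" && $3 ~ /[sa]/ {
            found = 1
            if ($4 !~ /^card:/) bad = 1
        }
        END { exit (bad || !found) ? 1 : 0 }'
}

# Constructed sample: signing and authentication subkeys moved to the card,
# primary key and encryption subkey still on disk.
SAMPLE_COLONS='sec:u:255:22:1111111111111111:1700000000:::u:::scESCA:::+::ed25519:::0:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example User <myemail@example.com>::::::::::0:
ssb:u:255:22:2222222222222222:1700000000::::::s:::D2760001240100000006123456780000::ed25519::
ssb:u:255:18:3333333333333333:1700000000::::::e:::+::cv25519::
ssb:u:255:22:4444444444444444:1700000000::::::a:::D2760001240100000006123456780000::ed25519::'

# Demo on the constructed sample. On a real system run instead:
#   gpg --list-secret-keys --with-colons | classify_secret_keys
printf '%s\n' "$SAMPLE_COLONS" | classify_secret_keys
```

Any line ending in `on-disk` means that key's secret material is still stored locally and is not protected by the Yubikey.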