Yubikey
Configuration
- You will likely need the udev rules to use the AppImage configuration tool on Linux, even if your udev version is above 244.
Software
The Yubikey Manager is deprecated.
Use the Yubikey Authenticator if you want a GUI.
GPG
Saving GPG key to card
https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP
On Fedora you'll need to add the following polkit rules to access your smart card.
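export MY_USER=ducoterra
# Run as root: the rules file lives under /etc.
# cat (not echo) is what reads the heredoc; ${MY_USER} is expanded when the file is written.
cat <<EOF > /etc/polkit-1/rules.d/10-pcsc-custom.rules
// Allow this user to talk to the pcsc-lite daemon
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "${MY_USER}") {
        return polkit.Result.YES;
    }
});
// Allow this user to access the Yubikey reader only
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        action.lookup("reader") == 'Yubico YubiKey OTP+FIDO+CCID 00 00' &&
        subject.user == "${MY_USER}") {
        return polkit.Result.YES;
    }
});
EOF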
Now you can add your key to your card.
gpg --edit-key 1234ABC
# Save both the signature and authentication keys
> keytocard
# Do not save or your key will be deleted locally
> quit
Check the keys on the Yubikey with
gpg --card-status
Once your keys have been loaded, change the PIN.
gpg --change-pin
Using the GPG key on a Yubikey
https://github.com/drduh/YubiKey-Guide?tab=readme-ov-file#notes
export GPG_EMAIL='myemail@example.com'
# Import the public key. Without this the key won't show up.
gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys ${GPG_EMAIL}
# Trust the key
gpg --quick-set-ownertrust ${GPG_EMAIL} full
# Yubikey should now show up
gpg --list-secret-keys
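To confirm which secret keys are served by the card and which still have key material on disk, the machine-readable listing can be classified as below. This is an added example, not part of the original notes: the function names, key IDs and card serial are constructed, and it relies on field 15 of the sec/ssb records as described in GnuPG's doc/DETAILS.

```shell
#!/bin/sh
# Classify where each secret key lives, reading the output of
#   gpg --list-secret-keys --with-colons
# on stdin. Field 15 of sec/ssb records (GnuPG doc/DETAILS):
#   "+"  secret key material is on this machine
#   "#"  stub only, no secret material available
#   else the serial number of the card holding the key
classify_secret_keys() {
  awk -F: '
    $1 == "sec" || $1 == "ssb" {
      if ($15 == "+")      where = "on-disk"
      else if ($15 == "#") where = "stub-only"
      else if ($15 != "")  where = "card:" $15
      else                 where = "unknown"
      # record type, key ID, capabilities, location
      print $1, $5, $12, where
    }'
}

# Number of secret keys whose material is still on this machine.
count_on_disk() {
  classify_secret_keys | grep -c ' on-disk$' || true
}

# Constructed sample listing (not real keys): primary and encryption keys
# on disk, signing and authentication subkeys on a card.
SAMPLE_COLONS='sec:u:4096:1:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC:::+:
uid:u::::1700000000::0000::Example User <myemail@example.com>:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1700000000::::::s:::D2760001240100000006999999990000:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1700000000::::::a:::D2760001240100000006999999990000:
ssb:u:4096:1:DDDDDDDDDDDDDDDD:1700000000::::::e:::+:'

printf '%s\n' "$SAMPLE_COLONS" | classify_secret_keys
echo "keys still on disk: $(printf '%s\n' "$SAMPLE_COLONS" | count_on_disk)"

# Against a real keyring:
#   gpg --list-secret-keys --with-colons | classify_secret_keys
```

A non-zero on-disk count after keytocard means those keys are still usable without the Yubikey present.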
Factory Reset
gpg --edit-card
> admin
> factory-reset