A comprehensive community guide to securely using YubiKey hardware for GnuPG and SSH authentication to protect cryptographic secrets.
Community guide to using YubiKey for GnuPG and SSH - protect secrets with hardware crypto.
This guide is designed for users who want to enhance their identity and access management security by leveraging YubiKey hardware tokens for storing GnuPG and SSH keys securely. It is ideal for developers, security professionals, and privacy-conscious individuals seeking to protect encryption keys with hardware-backed non-exportable credentials and enable secure authentication workflows.
Users should generate cryptographic keys in a secure, dedicated environment to reduce the risk of compromise. The guide emphasizes that keys on a YubiKey are non-exportable, which strengthens security but requires a careful backup strategy before the keys are moved to the device. Requiring a physical touch for each cryptographic operation is recommended, so that a compromised host cannot use the key silently. Compatibility excludes FIDO-only and Bio Series YubiKeys. Users should verify the authenticity of the device to mitigate supply chain attacks.
Purchase a compatible YubiKey device (excluding FIDO-only Security Key Series and Bio Series)
Prepare a dedicated, secure environment for key generation
Install the software required for GnuPG and YubiKey management (the specific packages are not enumerated in this summary)
Configure GnuPG with appropriate settings for YubiKey integration
Set up SSH and GnuPG agents as described in the guide
Change PIN
Change the YubiKey PINs to secure access to cryptographic operations
Create Certify key
Generate a primary key used for certifying subkeys and identities
Create Subkeys
Generate encryption, signing, and authentication subkeys to be transferred to the YubiKey
Transfer Subkeys
Move subkeys securely onto the YubiKey hardware
Verify transfer
Confirm that keys have been correctly transferred and are operational on the YubiKey
Configure touch
Set YubiKey to require physical touch for cryptographic operations
SSH agent forwarding
Configure SSH agent forwarding using ssh-agent or gpg-agent for remote authentication
Reset YubiKey
Factory reset the YubiKey to remove all stored keys and configurations
Renew Subkeys
Update subkeys to extend their validity
Rotate Subkeys
Replace subkeys with new ones for enhanced security
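As an added example that is not part of the guide or this summary, the following POSIX shell script covers two of the checks above: "Verify transfer" (confirm that the signature, encryption and authentication slots on the card are populated by parsing the text that `gpg --card-status` prints) and the gpg-agent side of "SSH agent forwarding" (confirm that `gpg-agent.conf` enables SSH support and point `SSH_AUTH_SOCK` at gpg-agent's socket). The card-status texts are constructed samples with placeholder fingerprints; `gpg`, `gpgconf` and the `enable-ssh-support`, `default-cache-ttl` and `max-cache-ttl` options are real, and the cache lifetimes are an assumed policy, not values the guide prescribes. The live checks run only when the tools are installed.

```shell
#!/bin/sh
# Added example (not code from the guide): post-transfer verification and
# gpg-agent SSH setup checks for a YubiKey holding OpenPGP subkeys.
#   card_slots_filled: parse `gpg --card-status` output and confirm that the
#                      Signature, Encryption and Authentication slots are in use.
#   agent_conf_ok:     confirm gpg-agent.conf enables SSH agent emulation.

# Constructed sample resembling `gpg --card-status` on a provisioned card.
# Fingerprints are placeholders, not keys from the guide.
SAMPLE_CARD_STATUS='Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240100000006000000000000
Version ..........: 3.4
Signature key ....: 0000 0000 0000 0000 0000  0000 0000 0000 0000 0001
      created ....: 2024-01-01 00:00:00
Encryption key....: 0000 0000 0000 0000 0000  0000 0000 0000 0000 0002
      created ....: 2024-01-01 00:00:00
Authentication key: 0000 0000 0000 0000 0000  0000 0000 0000 0000 0003
      created ....: 2024-01-01 00:00:00'

# Constructed sample for a card that has not had subkeys transferred yet.
SAMPLE_EMPTY_CARD='Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]'

# Minimal gpg-agent.conf content for the SSH workflow. The option names are
# real gpg-agent options; the cache lifetimes are an assumed policy choice.
GPG_AGENT_CONF_SNIPPET='enable-ssh-support
default-cache-ttl 60
max-cache-ttl 120'

# card_slots_filled STATUS_TEXT
# Returns 0 when all three key lines are present and none reads "[none]",
# 1 otherwise (missing line or empty slot).
card_slots_filled() {
  status="$1"
  for slot in 'Signature key' 'Encryption key' 'Authentication key'; do
    line=$(printf '%s\n' "$status" | grep "^$slot" || true)
    [ -n "$line" ] || return 1
    case "$line" in
      *'[none]'*) return 1 ;;
    esac
  done
  return 0
}

# agent_conf_ok CONF_TEXT
# Returns 0 when the configuration turns on gpg-agent's SSH agent support.
agent_conf_ok() {
  printf '%s\n' "$1" | grep -q '^enable-ssh-support'
}

# Live check: runs only when gpg is installed. A missing card is reported,
# not treated as a script failure.
if command -v gpg >/dev/null 2>&1; then
  live_status=$(gpg --card-status 2>/dev/null || true)
  if card_slots_filled "$live_status"; then
    echo "YubiKey: all three OpenPGP key slots are populated"
  else
    echo "YubiKey: card not present or subkeys not yet transferred"
  fi
fi

# Point SSH at gpg-agent's socket so that `ssh-add -L` lists the card's
# authentication key; gpgconf reports the socket path for this system.
if command -v gpgconf >/dev/null 2>&1; then
  SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket || true)
  export SSH_AUTH_SOCK
  echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK"
fi
```

Run it on the provisioning host after "Transfer Subkeys"; if `card_slots_filled` reports an empty or absent slot, the transfer did not complete and the subkey is still only in the local keyring. The `SSH_AUTH_SOCK` export belongs in the shell profile so every new session uses gpg-agent rather than a separate ssh-agent.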