Yubikey: Difference between revisions

From NixOS Wiki
imported>Mic92
document otp & smart card mode
imported>Mic92
offline key generation
Line 15: Line 15:
In order to manage OTP keys you can install the <code>yubioath-desktop</code> package in your profile.
In order to manage OTP keys you can install the <code>yubioath-desktop</code> package in your profile.
This application will also both the udev rules as well as pcscd enabled.
This application will also both the udev rules as well as pcscd enabled.
== Offline key generation ==
It is best practice to create the keys on a system without network connection to avoid leakages.
This [https://github.com/drduh/YubiKey-Guide guide] explains in depth the steps needed for that.
There is also a [https://github.com/Mic92/dotfiles/blob/6a48eee2c772bd1f52f22fca5f531770958c738f/nixos/images/yubikey-image.nix nix expression] that creates a nixos live image with all necessary dependencies pre-installed.
The image can be created with the [https://github.com/nix-community/nixos-generators nixos-generator tool]
and depending on the image copied onto a usb stick or executed directly using <code>kexec</code>
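Review bot: the added "Offline key generation" section asks for a system without network connection, but its last sentence also offers running the image "directly using <code>kexec</code>", which starts from a machine that is already up and possibly online. Say that the network has to be disconnected before any key is generated in that case. "Depending on the image" should name which images go onto a USB stick and which are started with kexec, and the sentence is missing its final full stop. The unchanged line "This application will also both the udev rules as well as pcscd enabled." just above the new section has no verb and could be fixed in the same edit.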

Revision as of 10:28, 23 January 2019

This article describes how Yubico's YubiKey works and how you can use it.

To access the YubiKey as a regular user, add the following udev rules to your configuration.nix:

 services.udev.packages = [ pkgs.yubikey-personalization ];

To use the smart card mode (CCID) of the YubiKey, you will also need the PCSC-Lite daemon:

 services.pcscd.enable = true;

To manage OTP keys, you can install the yubioath-desktop package in your profile. This application also needs both the udev rules and pcscd enabled.

Offline key generation

It is best practice to create the keys on a system without a network connection, so that key material cannot leak. This guide explains in depth the steps needed for that. There is also a Nix expression that creates a NixOS live image with all necessary dependencies pre-installed. The image can be created with the nixos-generator tool and, depending on the image, copied onto a USB stick or executed directly using kexec.
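
A NixOS module for such an offline image could look like the following. This is an added example, not the Nix expression linked from this page; the file name, the package selection and the network and swap hardening are assumptions, while the udev and pcscd lines are the ones given above.

```nix
# airgap-yubikey.nix (hypothetical file name): constructed example for an
# offline key-generation image, not the expression linked from this page.
{ pkgs, lib, ... }:
{
  # From this page: udev rules for user access to the YubiKey and the
  # PC/SC daemon for smart card (CCID) mode.
  services.udev.packages = [ pkgs.yubikey-personalization ];
  services.pcscd.enable = true;

  # Assumption: keep the live system offline by never starting a DHCP
  # client, wpa_supplicant or NetworkManager. mkForce overrides defaults
  # that an installer or live-image profile may set.
  networking.useDHCP = lib.mkForce false;
  networking.dhcpcd.enable = lib.mkForce false;
  networking.wireless.enable = lib.mkForce false;
  networking.networkmanager.enable = lib.mkForce false;

  # Assumption: no swap, so secret key material is not paged out to disk.
  swapDevices = lib.mkForce [ ];

  # Assumption: tools for generating keys and moving them to the card.
  # Adjust the list to the guide you follow.
  environment.systemPackages = with pkgs; [
    gnupg
    pinentry-curses
    yubikey-manager
    paperkey
  ];

  # gpg-agent is needed for gpg to talk to the card and to prompt for PINs.
  programs.gnupg.agent.enable = true;
}
```

With nixos-generators installed, an ISO can be built from this file with <code>nixos-generate -f iso -c airgap-yubikey.nix</code>. The configuration only prevents networking from starting automatically, so unplugging the cable and leaving Wi-Fi unconfigured is still part of the procedure.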