Yubikey: Difference between revisions
Edit summaries of the two revisions compared: imported>Kaliumxyz, "amention to include support for all current yubico yubikey products"; imported>MrVanDalo, no edit summary.
Revision as of 16:10, 22 October 2019
This article describes how Yubico's YubiKey works and how you can use it.
To access the YubiKey as a regular (non-root) user, add the following udev rules to your configuration.nix:
services.udev.packages = [ pkgs.yubikey-personalization ];
As the yubikey-personalization tool does not support all Yubico products, you might also want to add the libu2f-host udev rules to your configuration.nix:
services.udev.packages = [ pkgs.libu2f-host ];
To use the smart card mode (CCID) of the YubiKey, you will also need the PCSC-Lite daemon:
services.pcscd.enable = true;
To manage OTP keys you can install the yubioath-desktop package in your profile.
This application also needs both the udev rules above and pcscd enabled.
Based on a guide by @drduh, the following configuration should be sufficient for a YubiKey usable for SSH:
services.pcscd.enable = true;
services.udev.packages = [ pkgs.yubikey-personalization ];
environment.shellInit = ''
  export GPG_TTY="$(tty)"
  gpg-connect-agent /bye
  export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
'';
programs = {
  ssh.startAgent = false;
  gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
  };
};
Offline key generation
It is best practice to generate the keys on a system without a network connection, so that key material cannot leak.
This guide explains in depth the steps needed for that.
There is also a nix expression that creates a nixos live image with all necessary dependencies pre-installed.
The image can be created with the nixos-generator tool and, depending on the image type, copied onto a USB stick or executed directly using kexec.
Multiple Keys
If you want to use multiple keys with GPG, you have to run this routine whenever you swap the key:
1. killall gpg-agent
2. rm -r ~/.gnupg/private-keys-v1.d/
3. Plug in the new YubiKey
4. gpg --card-status (optional, to check that the key is visible)
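The routine above, wrapped into a small POSIX shell script. This is an added example, not code from the wiki page or from GnuPG or Yubico. It assumes the GnuPG 2.1+ layout (secret keys and card stubs live under private-keys-v1.d) and, like the wiki's step 2, deletes that directory wholesale, so it is only safe when every secret key in that GnuPG home is a card stub; software-only secret keys stored there would be lost as well. The helper takes the GnuPG home as an argument so the clean-up can be tried against a scratch directory first.

```shell
#!/bin/sh
# Added example wrapping the "Multiple Keys" routine; not part of the wiki page.
# Assumes GnuPG >= 2.1 (private-keys-v1.d) and that the directory only holds
# card stubs, because it is removed wholesale exactly as the wiki's step 2 does.

# Remove the cached key stubs below the GnuPG home given as $1.
# Prints the path removed. Returns 0 when done, 1 when $1 is not a directory,
# 2 when there were no stubs to remove.
clear_key_stubs() {
  gnupg_home="$1"
  [ -d "$gnupg_home" ] || return 1
  stubs="$gnupg_home/private-keys-v1.d"
  [ -d "$stubs" ] || return 2
  rm -r "$stubs"
  printf '%s\n' "$stubs"
  return 0
}

# Step 1: stop the running agent so it forgets the old card. gpgconf is used
# when available (it knows the agent's socket); killall is the wiki's command
# and serves as the fallback.
stop_gpg_agent() {
  if command -v gpgconf >/dev/null 2>&1; then
    gpgconf --kill gpg-agent
  else
    killall gpg-agent 2>/dev/null || true
  fi
}

# Steps 3 and 4: wait for the new key, then ask gpg whether it sees a card.
# Returns gpg's own status: non-zero means no card was found.
wait_for_card() {
  printf 'Insert the new YubiKey and press Enter: '
  read -r _
  gpg --card-status >/dev/null 2>&1
}

# The full swap routine against the caller's GnuPG home.
swap_yubikey() {
  home="${GNUPGHOME:-$HOME/.gnupg}"
  stop_gpg_agent
  if clear_key_stubs "$home"; then
    status=0
  else
    status=$?
  fi
  case $status in
    1) echo "not a GnuPG home: $home" >&2; return 1 ;;
    2) echo "no key stubs under $home; nothing to clear" ;;
  esac
  if wait_for_card; then
    echo "card visible; gpg will recreate the stubs on next use"
  else
    echo "no card detected; re-insert the key and run 'gpg --card-status'" >&2
    return 1
  fi
}

# Only run the interactive routine when invoked with --run, so the file can
# also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
  swap_yubikey
fi
```

Run it as `sh swap-yubikey.sh --run` (file name is the reader's choice), or source the file and call `clear_key_stubs` on a copy of the GnuPG home to see what would be removed before touching the real one.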