Yubikey setup on Linux

Trying to use yubikey to its full potential on Linux

A YubiKey is a hardware authentication device that can be used for various one-time password (OTP) and authentication methods. This article explains how I setup my yubikey and operating system (most likely only different GNU/Linux distribution) for it.

The goal is to use the yubikey for:

The yubikey manual1 (at least the version that seem to refer the yubikey neo I have) is the base read but there is plenty of useful article on the subject. This is also based on my usage of the yubikey, so it might vary from your usage.


Some assumptions are made in this section:

  • You know a tiny bit of GnuPG and the gpg command (at least the basics)
  • You have a backup of your GnuPG configuration (usually $HOME/.gnupg) — just in case 👼
  • You have an existing GnuPG key (private/public)

We are going to use GnuPG subkeys (for security, as we won’t have the master key anywhere on the machines, only offline). If you are interested in how it works and how to configure it, here is a guide. The following is a mere rip-off of the yubikey developer article : Importing keys.

Let’s first see if our gpg version supports our yubikey.

$ gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
D[0000]  01 00 05 90 00                                     .....

We need to have our secret key on the machine we are using to setup the yubikey. Once the setup is done, we will reset the .gnupg so that the machine doesn’t have the main key (or even the subkey for that matter).

$ gpg --list-secret-keys
# […]
sec   rsa2048 2013-05-19 [SC]
uid           [ultimate] Vincent Demeester (vdemeester) <vincent@demeester.fr>
uid           [ultimate] Vincent Demeester <vincent@sbr.pm>
uid           [ultimate] Vincent Demeester <vdemeest@redhat.com>
uid           [ultimate] [jpeg image of size 4711]
ssb>  rsa2048 2013-05-19 [E]
ssb   rsa4096 2019-04-07 [S] [expires: 2022-04-06]
ssb>  rsa2048 2019-07-02 [S]
ssb>  rsa2048 2019-07-02 [A]


We are using a GnuPG key as ssh key, and we are storing this into the yubikey (in the Authentication Key slot).

TODO Dual authentication

TODO Some more automation