A YubiKey does far more than two-factor authentication for websites. With proper configuration, it can store GPG keys for email signing and decryption, serve as your SSH authentication key, provide FIDO2 passkeys, and act as a PIV smart card for enterprise authentication. This guide covers the advanced setup that most users miss.
YubiKey Models for Advanced Use
| Model | FIDO2 | OTP | PIV | OpenPGP | SSH via FIDO2 |
|---|---|---|---|---|---|
| Security Key NFC | ✓ | ✗ | ✗ | ✗ | ✓ |
| YubiKey 5 NFC | ✓ | ✓ | ✓ | ✓ | ✓ |
| YubiKey 5C NFC | ✓ | ✓ | ✓ | ✓ | ✓ |
For SSH + GPG + FIDO2, you need a YubiKey 5 series.
Install YubiKey Manager
# Linux
sudo apt install yubikey-manager # ykman CLI
# GUI: download YubiKey Manager from yubico.com/support/download/
# macOS
brew install ykman
# Windows: download installer from yubico.com
Check your key: ykman info
FIDO2 / Passkeys
Modern websites (Google, GitHub, Microsoft, Apple) support FIDO2/WebAuthn passkeys. Your YubiKey stores the private key, which never leaves the device.
Setup is automatic — on any supported site:
- Go to security settings → Security keys or Passkeys
- Click Add security key
- Touch your YubiKey when prompted
- Name it and save
For FIDO2 PIN setup (required by some sites and for resident credentials):
ykman fido access change-pin
The PIN protects the FIDO2 application — after 8 wrong PIN attempts, the YubiKey locks the FIDO2 app (not the whole key).
SSH Authentication via FIDO2 (Recommended)
Modern OpenSSH (8.2+) supports FIDO2-backed SSH keys. The private key requires physical touch to use.
# Generate a FIDO2-backed SSH key
ssh-keygen -t ed25519-sk -C "yubikey-2024"
# Touch your YubiKey when prompted
# Or for resident key (stored on YubiKey, works on any computer)
ssh-keygen -t ed25519-sk -O resident -C "yubikey-2024"
The resulting ~/.ssh/id_ed25519_sk.pub is your public key. Add it to servers normally.
When you SSH into a server, you must physically touch the YubiKey to complete authentication — even with a stolen private key file, an attacker can’t authenticate without the physical device.
For resident keys on a new machine:
# Import key from YubiKey to new machine
ssh-keygen -K
OpenPGP Key Management
The OpenPGP applet on YubiKey 5 stores up to 3 keys: signing, encryption, and authentication.
Initial setup
# Check OpenPGP status
gpg --card-status
# Change default PINs (default: user PIN 123456, admin PIN 12345678)
gpg --card-edit
> passwd
# Change both PINs
> name # set cardholder name
> lang # set language
> sex # set
> quit
Generate keys directly on the card
gpg --card-edit
> admin
> generate
This generates keys on the YubiKey — the private key never exists on your computer. Choose 4096-bit RSA or elliptic curve.
Move existing GPG keys to YubiKey
If you have an existing GPG key:
gpg --list-secret-keys
gpg --edit-key YOUR_KEY_ID
# For each subkey:
gpg> key 1
gpg> keytocard # select signing slot
gpg> key 2
gpg> keytocard # select encryption slot
gpg> save
After moving to card, local copy becomes a stub — operations require the YubiKey.
Using GPG key for SSH
GPG’s authentication subkey can serve as an SSH key:
# Enable GPG agent SSH support
echo 'enable-ssh-support' >> ~/.gnupg/gpg-agent.conf
echo 'export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)' >> ~/.bashrc
# Get SSH public key from card
gpg --export-ssh-key YOUR_KEY_ID
PIV Smart Card
The PIV applet enables certificate-based authentication for enterprise environments (Windows Active Directory, macOS login, VPN).
# Generate PIV certificates
ykman piv certificates generate -s SUBJECT 9a PUBLIC_KEY.pem
ykman piv keys generate 9a PUBLIC_KEY.pem
# Export certificate
ykman piv certificates export 9a cert.pem
Slots: 9a (authentication), 9c (digital signature), 9d (key management), 9e (card authentication).
YubiKey for Disk Encryption (Linux)
Use YubiKey as a second factor for LUKS full-disk encryption:
# Install yubikey-luks
sudo apt install yubikey-luks
# Add YubiKey as LUKS key factor
sudo yubikey-luks-enroll -d /dev/sda5
# Now LUKS prompts for YubiKey touch on boot
Multiple YubiKeys
Always register two YubiKeys for any account — one primary, one backup stored securely. If you lose your primary key:
- Your backup key grants access
- Use access to register a replacement third key
- De-register the lost key
Yubico’s recommendation: buy keys in pairs, register both everywhere.
Resetting Applications
# Reset FIDO2 (removes all passkeys)
ykman fido reset
# Reset OpenPGP (removes all GPG keys)
gpg --card-edit > factory-reset
# Reset PIV
ykman piv reset
Each application resets independently — resetting FIDO2 doesn’t affect OpenPGP keys.