Privacy Tools #YubiKey#hardware security key#SSH

Advanced YubiKey Setup: SSH, GPG, and FIDO2 Configuration

Configure a YubiKey for SSH authentication, GPG signing, FIDO2 login, and PIV — a complete advanced setup guide beyond basic 2FA.

8 min read

A YubiKey does far more than two-factor authentication for websites. With proper configuration, it can store GPG keys for email signing and decryption, serve as your SSH authentication key, provide FIDO2 passkeys, and act as a PIV smart card for enterprise authentication. This guide covers the advanced setup that most users miss.

YubiKey Models for Advanced Use

ModelFIDO2OTPPIVOpenPGPSSH via FIDO2
Security Key NFC
YubiKey 5 NFC
YubiKey 5C NFC

For SSH + GPG + FIDO2, you need a YubiKey 5 series.

Install YubiKey Manager

# Linux
sudo apt install yubikey-manager  # ykman CLI
# GUI: download YubiKey Manager from yubico.com/support/download/

# macOS
brew install ykman

# Windows: download installer from yubico.com

Check your key: ykman info

FIDO2 / Passkeys

Modern websites (Google, GitHub, Microsoft, Apple) support FIDO2/WebAuthn passkeys. Your YubiKey stores the private key, which never leaves the device.

Setup is automatic — on any supported site:

  1. Go to security settings → Security keys or Passkeys
  2. Click Add security key
  3. Touch your YubiKey when prompted
  4. Name it and save

For FIDO2 PIN setup (required by some sites and for resident credentials):

ykman fido access change-pin

The PIN protects the FIDO2 application — after 8 wrong PIN attempts, the YubiKey locks the FIDO2 app (not the whole key).

Modern OpenSSH (8.2+) supports FIDO2-backed SSH keys. The private key requires physical touch to use.

# Generate a FIDO2-backed SSH key
ssh-keygen -t ed25519-sk -C "yubikey-2024"
# Touch your YubiKey when prompted

# Or for resident key (stored on YubiKey, works on any computer)
ssh-keygen -t ed25519-sk -O resident -C "yubikey-2024"

The resulting ~/.ssh/id_ed25519_sk.pub is your public key. Add it to servers normally.

When you SSH into a server, you must physically touch the YubiKey to complete authentication — even with a stolen private key file, an attacker can’t authenticate without the physical device.

For resident keys on a new machine:

# Import key from YubiKey to new machine
ssh-keygen -K

OpenPGP Key Management

The OpenPGP applet on YubiKey 5 stores up to 3 keys: signing, encryption, and authentication.

Initial setup

# Check OpenPGP status
gpg --card-status

# Change default PINs (default: user PIN 123456, admin PIN 12345678)
gpg --card-edit
> passwd
# Change both PINs

> name         # set cardholder name
> lang         # set language
> sex          # set
> quit

Generate keys directly on the card

gpg --card-edit
> admin
> generate

This generates keys on the YubiKey — the private key never exists on your computer. Choose 4096-bit RSA or elliptic curve.

Move existing GPG keys to YubiKey

If you have an existing GPG key:

gpg --list-secret-keys
gpg --edit-key YOUR_KEY_ID

# For each subkey:
gpg> key 1
gpg> keytocard  # select signing slot
gpg> key 2
gpg> keytocard  # select encryption slot
gpg> save

After moving to card, local copy becomes a stub — operations require the YubiKey.

Using GPG key for SSH

GPG’s authentication subkey can serve as an SSH key:

# Enable GPG agent SSH support
echo 'enable-ssh-support' >> ~/.gnupg/gpg-agent.conf
echo 'export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)' >> ~/.bashrc

# Get SSH public key from card
gpg --export-ssh-key YOUR_KEY_ID

PIV Smart Card

The PIV applet enables certificate-based authentication for enterprise environments (Windows Active Directory, macOS login, VPN).

# Generate PIV certificates
ykman piv certificates generate -s SUBJECT 9a PUBLIC_KEY.pem
ykman piv keys generate 9a PUBLIC_KEY.pem

# Export certificate
ykman piv certificates export 9a cert.pem

Slots: 9a (authentication), 9c (digital signature), 9d (key management), 9e (card authentication).

YubiKey for Disk Encryption (Linux)

Use YubiKey as a second factor for LUKS full-disk encryption:

# Install yubikey-luks
sudo apt install yubikey-luks

# Add YubiKey as LUKS key factor
sudo yubikey-luks-enroll -d /dev/sda5

# Now LUKS prompts for YubiKey touch on boot

Multiple YubiKeys

Always register two YubiKeys for any account — one primary, one backup stored securely. If you lose your primary key:

  1. Your backup key grants access
  2. Use access to register a replacement third key
  3. De-register the lost key

Yubico’s recommendation: buy keys in pairs, register both everywhere.

Resetting Applications

# Reset FIDO2 (removes all passkeys)
ykman fido reset

# Reset OpenPGP (removes all GPG keys)
gpg --card-edit > factory-reset

# Reset PIV
ykman piv reset

Each application resets independently — resetting FIDO2 doesn’t affect OpenPGP keys.

#FIDO2 #SSH #hardware security key #YubiKey