Yubikey
Everything in the GPG section so far has kept private keys on disk, protected by a passphrase. That is a reasonable security model for most threat levels, but it has a fundamental limitation: the key material exists as a file. A file can be copied. A compromised machine, a malicious process with access to your home directory, a poorly secured backup, any of these can result in a private key being exfiltrated silently. You might never know it happened.
A hardware security key changes that relationship entirely. The private key is generated on the device and never leaves it. Cryptographic operations, signing, decryption, authentication, happen inside the hardware. The result is returned to the requesting application. The private key itself is never exposed to the operating system, never written to disk, never accessible to software running on the host machine. An attacker who fully compromises your desktop still cannot steal a key stored on a Yubikey.
The physical presence requirement adds a second layer. Many operations require touching the key to confirm intent. An attacker with remote access to your machine cannot touch your Yubikey. This is the hardware equivalent of two-factor authentication at the key level, not the account level.
Which Yubikey
The source material this series is based on was written for the Yubikey NEO, which is discontinued. The current recommendation is the Yubikey 5 series. The specific model depends on your connectivity requirements:
| Model | Connection | Notes |
|---|---|---|
| Yubikey 5 NFC | USB-A + NFC | Most common, good all-rounder |
| Yubikey 5C NFC | USB-C + NFC | Better for modern laptops |
| Yubikey 5 Nano | USB-A | Low profile, stays in the port |
| Yubikey 5C Nano | USB-C | Low profile USB-C variant |
| Yubikey 5Ci | USB-C + Lightning | iOS compatible |
For a desktop setup, the Yubikey 5 NFC or 5C NFC is the right choice depending on whether your machine has USB-A or USB-C ports. NFC is useful for mobile authentication and is worth having even if you do not use it immediately. Prices are approximately £50-60 from the Yubico store or authorised UK resellers.
Buy two. A backup Yubikey is not optional if you are using hardware keys seriously. Losing your only Yubikey without a backup is a significant recovery problem. The backup configuration is covered at the end of this section.
What the Yubikey does
A Yubikey 5 supports multiple protocols and can perform several distinct functions simultaneously. The ones relevant to this setup are:
OpenPGP smartcard. The Yubikey implements the OpenPGP card specification, allowing your GPG signing, encryption, and authentication subkeys to be moved onto the device. Once there, all GPG operations use the key on the Yubikey rather than a key file on disk.
PIV smartcard. The Personal Identity Verification interface allows the Yubikey to act as a smartcard for X.509 certificate operations. This is used for client certificate authentication and for LUKS disk encryption unlock.
FIDO2 / WebAuthn. The modern standard for hardware-backed two-factor authentication on websites and services. Replaces TOTP codes for supported services with a physical touch, significantly more resistant to phishing.
FIDO U2F. The predecessor to FIDO2, still widely supported. Used for Linux PAM authentication, allowing the Yubikey to be required for desktop login and sudo.
OATH TOTP / HOTP. The Yubikey can store TOTP secrets and generate time-based one-time passwords, replacing authenticator apps for services that do not yet support FIDO2. The Yubico Authenticator app retrieves codes from the key rather than storing secrets on the phone.
HMAC-SHA1 challenge-response. Used for LUKS disk encryption, where the Yubikey responds to a challenge at boot time to contribute to the decryption key. The disk cannot be unlocked without both the passphrase and the physical Yubikey.
OTP. The original Yubikey function: pressing the key emits a one-time password as keyboard input. Less relevant for this setup but present on every Yubikey.
What this section covers
The Yubikey section works through each relevant function in turn, building from the initial setup to the specific integrations used in this network.
- Setup — Installing the required software, verifying the device, and understanding the interfaces
- GnuPG — Moving your GPG subkeys onto the Yubikey and configuring scdaemon
- SSH authentication — Using the GPG authentication subkey on the Yubikey for SSH connections
- PIV / Smartcard — X.509 certificate management via the PIV interface
- Linux login — Requiring Yubikey presence for desktop login and sudo via PAM U2F
- LUKS disk encryption — Using HMAC-SHA1 challenge-response to tie disk unlock to the physical key
- Desktop lock — Automatically locking the KDE session when the Yubikey is removed
- Backup Yubikey — Configuring a second key as a backup and what to do if the primary is lost
A note on KDE and GNOME differences
The source material this series draws on contains several GNOME-specific commands, particularly for disabling smartcard login on the lock screen and for session locking on Yubikey removal. These do not apply to Kubuntu. The KDE equivalents are covered in the relevant sections throughout. The underlying Yubikey functionality is identical regardless of desktop environment: the differences are only in how the desktop responds to the key being inserted and removed.
A Yubikey without a backup is a liability. Before you move any key material to hardware, have the backup plan in place. The backup section is the last one in this chapter for documentation purposes, but read it before you start.