---
publish: true
permalink: /os/yubikey
title: Yubikey
created: 2026-01-29T21:27:17.327-07:00
modified: 2026-02-05T12:18:10.589-07:00
tags:
  - security
  - yubikey
  - 2fa
cssclasses: ""
---

YubiKey hardware security key setup on Arch Linux.

## Installation

```bash
sudo pacman -S \
  yubikey-manager \
  yubico-authenticator \
  pcsclite ccid
```

- `yubikey-manager` — CLI tool (`ykman`)
- `yubico-authenticator` — TOTP/HOTP GUI
- `pcsclite`, `ccid` — Smart card daemon

## Enable Services

```bash
sudo systemctl enable --now pcscd
```

## Basic Usage

### Check YubiKey

```bash
ykman info
```

### List OTP slots

```bash
ykman otp info
```

## TOTP Authenticator

Launch the GUI:

```bash
yubico-authenticator
```

Or use CLI:

```bash
# List accounts
ykman oath accounts list

# Get code
ykman oath accounts code "Account Name"
```

## FIDO2/WebAuthn

Works out of the box with modern browsers for passkeys and 2FA.

### udev rules

If YubiKey isn't detected, add udev rules:

```bash
sudo pacman -S libu2f-host
```

Or manually create `/etc/udev/rules.d/70-u2f.rules`:

```
# YubiKey
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0664", GROUP="users", ATTRS{idVendor}=="1050"
```

Reload:

```bash
sudo udevadm control --reload-rules
sudo udevadm trigger
```

## SSH Authentication

Use YubiKey for SSH keys via FIDO2:

### Generate key

```bash
ssh-keygen -t ed25519-sk -O resident -O verify-required
```

- `-t ed25519-sk` — FIDO2 key type
- `-O resident` — Store on YubiKey (discoverable)
- `-O verify-required` — Require touch + PIN

### Load resident keys

```bash
ssh-add -K  # Load all resident keys from YubiKey
```

## PIV (Smart Card)

For certificate-based auth:

```bash
# Check PIV status
ykman piv info

# Generate key in slot 9a
ykman piv keys generate 9a public.pem
```

## GPG

Use YubiKey as GPG smart card:

```bash
gpg --card-status
gpg --card-edit
```

## Locking Workstation

Lock screen when YubiKey is removed:

```bash
# Install
paru -S yubikey-touch-detector

# Or use udev rule + hyprlock
```

## Resources

- Arch Wiki: https://wiki.archlinux.org/title/Smartcards
- YubiKey docs: https://docs.yubico.com/
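
Added example for the SSH Authentication section (not part of the original page): `-O verify-required` is recorded in the client-side key, and `sshd` only insists on PIN verification when the `verify-required` option is set on the key's `authorized_keys` line or through `PubkeyAuthOptions verify-required` in `sshd_config`. The script below audits `authorized_keys` entries for that per-key option; the function names and sample keys are constructed for illustration, and it does not read `sshd_config`.

```shell
#!/usr/bin/env bash
# Added example: audit authorized_keys entries for FIDO2 (sk-*) keys and
# whether sshd is told to demand PIN verification for each one.
# Output, one line per key: <STATUS> <keytype> <comment>
#   OK        sk-* key with the verify-required option set server-side
#   NO-PIN    sk-* key without it: touch-only signatures are accepted
#   SOFTWARE  ordinary key, not hardware-backed
audit_sk_keys() {
  awk '
    /^[ \t]*$/ || /^[ \t]*#/ { next }   # skip blank lines and comments
    {
      # The key type is the first field that looks like one; everything
      # before it is the options list (which may contain quoted spaces).
      kt = 0
      for (i = 1; i <= NF; i++)
        if ($i ~ /^(sk-)?(ssh-(ed25519|rsa|dss)|ecdsa-sha2-nistp(256|384|521))(@openssh\.com)?$/) { kt = i; break }
      if (!kt) { print "UNPARSED", "line", NR; next }
      opts = ""
      for (i = 1; i < kt; i++) opts = opts $i
      comment = (kt + 2 <= NF) ? $(kt + 2) : "-"
      if ($kt !~ /^sk-/) status = "SOFTWARE"
      else if (("," opts ",") ~ /,verify-required,/) status = "OK"
      else status = "NO-PIN"
      print status, $kt, comment
    }
  ' "$@"
}

# Constructed sample file; key blobs are placeholders, not real keys.
sample_keys() {
  cat <<'EOF'
# laptop software key
ssh-ed25519 AAAAplaceholder1 alice@laptop
sk-ssh-ed25519@openssh.com AAAAplaceholder2 alice@yubikey-a
verify-required sk-ssh-ed25519@openssh.com AAAAplaceholder3 alice@yubikey-b
command="/usr/bin/backup run",verify-required sk-ecdsa-sha2-nistp256@openssh.com AAAAplaceholder4 backup@yubikey-c
EOF
}

sample_keys | audit_sk_keys
```

To check a real file, call `audit_sk_keys ~/.ssh/authorized_keys`.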