| publish | permalink | title | created | modified | tags | cssclasses |
|---|---|---|---|---|---|---|
| true | /10-19 LIFE/13 TECH SETUP/13.13 OS SETUP/Yubikey.md | Yubikey | 2026-01-29T21:27:17.327-07:00 | 2026-02-05T09:21:56.856-07:00 | | |

YubiKey hardware security key setup on Arch Linux.
Installation
```sh
sudo pacman -S \
  yubikey-manager \
  yubico-authenticator \
  pcsclite ccid
```
- `yubikey-manager` — CLI tool (`ykman`)
- `yubico-authenticator` — TOTP/HOTP GUI
- `pcsclite`, `ccid` — Smart card daemon
Enable Services
```sh
sudo systemctl enable --now pcscd
```
Basic Usage
Check YubiKey
```sh
ykman info
```
List OTP slots
```sh
ykman otp info
```
TOTP Authenticator
Launch the GUI:
```sh
yubico-authenticator
```
Or use CLI:
```sh
# List accounts
ykman oath accounts list
# Get code
ykman oath accounts code "Account Name"
```
FIDO2/WebAuthn
Works out of the box with modern browsers for passkeys and 2FA.
udev rules
If YubiKey isn't detected, add udev rules:
```sh
sudo pacman -S libu2f-host
```
Or manually create /etc/udev/rules.d/70-u2f.rules:
```
# YubiKey
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0664", GROUP="users", ATTRS{idVendor}=="1050"
```
Reload:
```sh
sudo udevadm control --reload-rules
sudo udevadm trigger
```
SSH Authentication
Use YubiKey for SSH keys via FIDO2:
Generate key
```sh
ssh-keygen -t ed25519-sk -O resident -O verify-required
```
- `-t ed25519-sk` — FIDO2 key type
- `-O resident` — Store on YubiKey (discoverable)
- `-O verify-required` — Require touch + PIN
Load resident keys
```sh
ssh-add -K   # Load all resident keys from YubiKey
```
PIV (Smart Card)
For certificate-based auth:
```sh
# Check PIV status
ykman piv info
# Generate key in slot 9a
ykman piv keys generate 9a public.pem
```
GPG
Use YubiKey as GPG smart card:
```sh
gpg --card-status
gpg --card-edit
```
Locking Workstation
Lock screen when YubiKey is removed:
```sh
# Install
paru -S yubikey-touch-detector
# Or use udev rule + hyprlock
```
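One way to wire up the "udev rule + hyprlock" option, as an added example that is not part of the original note: a udev `RUN` helper that locks all sessions when a Yubico USB device is unplugged. The script path, the rule file name and the use of hypridle's `lock_cmd` to start hyprlock on the logind lock signal are assumptions.

```sh
#!/bin/sh
# Hypothetical helper, installed as /usr/local/bin/yk-lock and run by udev as root.
# Matching rule, e.g. in /etc/udev/rules.d/85-yubikey-lock.rules (hypothetical name):
#   ACTION=="remove", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/usr/local/bin/yk-lock --udev"
#
# ATTRS{idVendor} cannot be matched on remove events (sysfs is already gone),
# so the helper filters on PRODUCT, which the kernel sets in the uevent as
# vendor/product/bcdDevice in hex without leading zeros.

YUBICO_VID=1050   # same vendor ID as the hidraw rule above

# Return 0 only when the event is the removal of a whole Yubico USB device.
is_yubikey_removal() {
    action=$1 devtype=$2 product=$3
    [ "$action" = "remove" ] || return 1
    # One unplug also produces usb_interface events; react to the device only.
    [ "$devtype" = "usb_device" ] || return 1
    case "$product" in
        "$YUBICO_VID"/*/*) return 0 ;;
        *) return 1 ;;
    esac
}

# udev passes ACTION, DEVTYPE and PRODUCT in the environment of RUN programs.
if [ "${1:-}" = "--udev" ]; then
    if is_yubikey_removal "${ACTION:-}" "${DEVTYPE:-}" "${PRODUCT:-}"; then
        # logind sends the Lock signal to every session. The session side must
        # turn that into hyprlock, e.g. hypridle with
        #   general { lock_cmd = pidof hyprlock || hyprlock }   (assumed setup)
        exec /usr/bin/loginctl lock-sessions
    fi
fi
```

Reload the rules with the `udevadm` commands from the udev section after installing the rule file.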
Resources
- Arch Wiki: https://wiki.archlinux.org/title/Smartcards
- YubiKey docs: https://docs.yubico.com/