GPG and YubiKey

· dcx86's blog

Setting up a new YubiKey as a second factor is easy—your browser walks you through the entire process. Setting up a YubiKey to sign your Git commits and to authenticate over Secure Shell (SSH), however, is a very different experience. In this post, I’ll walk through configuring a YubiKey for that purpose and highlight some of the things I’ve learned along the way.


# Why Use a YubiKey?

A YubiKey is a hardware-based authentication device that can securely store secret keys. Once a private key is written to your YubiKey, it cannot be read back out or recovered. Keeping secrets off your computer is more secure than storing them on your computer’s hard drive—any other application running as your user could read your SSH keys from the ~/.ssh folder.
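A check worth running after moving keys to the YubiKey is to confirm that GnuPG now holds only stubs and card references, with no private key material left on disk. The following is an added example, not code from this post: it parses the machine-readable output of `gpg --with-colons --list-secret-keys`, where field 15 of a `sec`/`ssb` record carries the token serial number for a key stored on a smartcard or `#` for a secret key that is unavailable. The sample output, key IDs and serial number below are constructed, and treating `+` (or an empty field) as "secret key on disk" is an assumption.

```python
"""Report where each GnuPG secret key lives: on a card, on disk, or missing (stub)."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of `gpg --with-colons --list-secret-keys` output (not real keys).
SAMPLE = """\
sec:u:4096:1:1111111111111111:1600000000:0::u:::cESC:::#:::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::1600000000::00000000000000000000000000000000::Example User <user@example.com>::::::::::0:
ssb:u:4096:1:2222222222222222:1600000000:0:::::s:::D2760001240100000006000000000000:::23:
ssb:u:4096:1:3333333333333333:1600000000:0:::::a:::+:::23:
"""


@dataclass
class SecretKey:
    record: str        # "sec" (primary key) or "ssb" (subkey)
    keyid: str         # field 5
    capabilities: str  # field 12, e.g. "s", "e", "a", "cESC"
    token: str         # field 15, raw value

    @property
    def location(self) -> str:
        if self.token == "#":
            return "stub"  # no secret material here (e.g. primary kept offline)
        if self.token in ("", "+"):
            return "disk"  # assumption: secret key material sits in ~/.gnupg
        return "card"      # anything else is the smartcard's serial number


def parse_secret_keys(colon_output: str) -> list[SecretKey]:
    """Extract sec/ssb records from --with-colons output; other records are skipped."""
    keys: list[SecretKey] = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue
        fields += [""] * (15 - len(fields))  # tolerate short lines
        keys.append(SecretKey(fields[0], fields[4], fields[11], fields[14]))
    return keys


def keys_on_disk(colon_output: str) -> list[str]:
    """Key IDs whose private material is still on disk; empty list is the goal."""
    return [k.keyid for k in parse_secret_keys(colon_output) if k.location == "disk"]


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["gpg", "--with-colons", "--list-secret-keys"],
                         capture_output=True, text=True, check=True).stdout
    for k in parse_secret_keys(out):
        print(f"{k.record} {k.keyid} [{k.capabilities}] -> {k.location}")
```

Run against a real keyring, a YubiKey-only setup shows every `ssb` as `card` and leaves `keys_on_disk` empty.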


Each type of YubiKey supports a variety of different "interfaces," each with different use cases. Many people associate a YubiKey with generating long one-time passwords (OTP) that look like this:


However, generating one-time passwords is just a small slice of what you can do with a YubiKey. In this post, I’ll be talking about the OpenPGP interface and how you can use it for authentication.

# What Is OpenPGP?

OpenPGP is a specification (RFC-4880) that describes a protocol for using public-key cryptography for encryption, signing, and key exchange, based on Phil Zimmermann’s original Pretty Good Privacy (PGP).

There is often confusion between PGP and GNU Privacy Guard (GnuPG or GPG), probably because of the inverted acronym. The terms are sometimes used interchangeably, but GPG is an implementation of the OpenPGP specification (and arguably the most popular one).

You may have seen "Verified" badges on GitHub commits that use OpenPGP to confirm an author’s identity.
