# YubiKey

## Resources

- ([GitHub repo](https://github.com/drduh/YubiKey-Guide)) YubiKey Guide for GPG and SSH
- [YubiKey Manager (`ykman`) CLI and GUI Guide](https://docs.yubico.com/software/yubikey/tools/ykman/Install_ykman.html#os-independent-installation)
- YubiKey 5 Series Technical Manual ([web](https://docs.yubico.com/hardware/yubikey/yk-5/tech-manual/yk5-overview-5.4.html), [pdf](https://docs.yubico.com/hardware/yubikey/yk-5/tech-manual/webdocs.pdf))
- YubiKey 5 FIPS Series Technical Manual ([web](https://docs.yubico.com/hardware/yubikey/yk-fips/tech-manual/fips5-introduction.html#why-fips), [pdf](https://docs.yubico.com/hardware/yubikey/yk-fips/tech-manual/webdocs.pdf))

### Install `ykman` (YubiKey Manager) CLI

[Source](https://docs.yubico.com/software/yubikey/tools/ykman/Install_ykman.html#os-independent-installation): `ykman` CLI and GUI guide

Using [[Homebrew]]:

```bash
brew install ykman
```

Using [[pip]]:

```bash
pip3 install --user yubikey-manager
```

## PINs

The [[YubiKey]] PINs are an incredibly confusing part of the process.

### Default (factory-supplied) YubiKey PINs

> The PIV and OpenPGP PINs are set to 123456 by default, but there is no FIDO2 PIN set from the factory.

- [Source](https://support.yubico.com/hc/en-us/articles/4402836718866-Understanding-YubiKey-PINs)
- The default PIV PUK code is `12345678`.
- The default OpenPGP Admin PIN is `12345678`.

### [Changing a PIN](https://developers.yubico.com/PGP/PGP_PIN_Change_Behavior.html)

- The default OpenPGP PIN that comes from the factory is `123456`.
- The default Admin PIN is `12345678`.
- To avoid confusion, might as well

```bash
$ gpg --card-edit
```

Change OpenPGP PIN:

```bash
gpg/card> passwd
gpg: OpenPGP card no. <card_number> detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 1
# Select 1 to change OpenPGP PIN
# Type in existing pin (123456 if never set), then new pin, then confirm new pin
gpg: OpenPGP card no. <card_number> detected
PIN changed.
```

Change Admin PIN:

```bash
gpg/card> passwd
gpg: OpenPGP card no. <card_number> detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 3
# Select 3 to change Admin PIN
# Type in existing pin (12345678 if never set), then new pin, then confirm new pin
gpg: OpenPGP card no. <card_number> detected
PIN changed.
```

### Delete all OpenPGP keys on YubiKey and reset OpenPGP application on YubiKey ([Source](https://support.yubico.com/hc/en-us/articles/360013761339-Resetting-the-OpenPGP-Application-on-the-YubiKey))

The main reason you might want to do this is if you have run out of PIN retries and have effectively been locked out.

First, ensure you have `ykman` installed. Then:

```bash
$ ykman openpgp reset
WARNING! This will delete all stored OpenPGP keys and data and restore factory settings. Proceed? [y/N]: y
Resetting OpenPGP data, don't remove the YubiKey...
Success! All data has been cleared and default PINs are set.
PIN:         123456
Reset code:  NOT SET
Admin PIN:   12345678
```

## General

### ([Blog post](https://www.nicksherlock.com/2021/08/recovering-lost-gpg-public-keys-from-your-yubikey/)) Recovering lost GPG public keys from your YubiKey

> Have you ever generated GPG keys, loaded them into your YubiKey, and then thrown away/erased your computer? You'll discover that when you take your YubiKey to a new computer, GPG refuses to automatically import your key when running `--card-status`.
>
> The common wisdom on the Internet is that this is because YubiKeys (and Smart Cards in general) don't store your public keys at all, they only store your private keys, so you must import your public keys from a backup or a public keyserver instead. If you don't have such a backup, you're screwed.
>
> However, I investigated this and found that this common wisdom wasn't true. I was able to **recover my public keys from my YubiKey 4 even on a brand new, erased computer**. Here's how you can, too.
However, the author also says that it's a "[pain in the ass](https://www.reddit.com/r/yubikey/comments/r0b758/comment/hlu23xx/?utm_source=share&utm_medium=web2x&context=3)" and that he publishes his public key to the GPG keyservers and imports it from there on new computers.
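Back to the PINs and reset sections above: the lockout that forces an `ykman openpgp reset` is visible beforehand in the `PIN retry counter` line of `gpg --card-status` (three numbers: user PIN, Reset Code, Admin PIN), and the reset leaves every key slot reading `[none]`. The script below is an added example, not part of this note or of Yubico's or GnuPG's tooling; it parses that output so a low counter is caught while the PIN can still be changed. The card-status text in it is constructed for the example (serial and application ID are placeholders), and `pin_retries`, `retry_status` and `keys_present` are names chosen here.

```shell
#!/bin/sh
# Added example (not from this note or from Yubico/GnuPG): read the OpenPGP
# PIN retry counters and key slots out of `gpg --card-status` output, so a
# lockout (0 retries) is noticed before `ykman openpgp reset` is the only
# remaining option.
#
# The card-status text below is constructed for this example; the serial
# number and application ID are placeholders. On a real machine run:
#   gpg --card-status | pin_retries
#   retry_status "$(gpg --card-status)"

SAMPLE_CARD_STATUS='Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D27600012401XXXXXXXXXXXXXXXX0000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: XXXXXXXX
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]'

# Print the three counters of the "PIN retry counter" line as "user reset admin"
# (field order as gpg prints it: user PIN, Reset Code, Admin PIN).
pin_retries() {
  sed -n 's/^PIN retry counter *: *//p'
}

# Classify the counters in the card-status text given as $1:
#   "locked"  - user PIN or Admin PIN has no retries left
#   "warning" - either is down to its last attempt
#   "ok"      - otherwise
#   "unknown" - no "PIN retry counter" line (no card, or not an OpenPGP card)
# The Reset Code counter is ignored on purpose: it reads 0 whenever no Reset
# Code is set, which is the factory / post-reset state ("Reset code: NOT SET").
retry_status() {
  counters=$(printf '%s\n' "$1" | pin_retries)
  if [ -z "$counters" ]; then
    echo unknown
    return 0
  fi
  user=${counters%% *}          # first field
  rest=${counters#* }           # "reset admin"
  admin=${rest#* }              # last field
  if [ "$user" -eq 0 ] || [ "$admin" -eq 0 ]; then
    echo locked
  elif [ "$user" -le 1 ] || [ "$admin" -le 1 ]; then
    echo warning
  else
    echo ok
  fi
}

# Count OpenPGP key slots that hold a key. After `ykman openpgp reset` all
# three slots read "[none]", so this prints 0. (`grep -c` exits 1 on a zero
# count, hence the `|| true`.)
keys_present() {
  printf '%s\n' "$1" \
    | grep -E '^(Signature key|Encryption key|Authentication key)' \
    | grep -vc '\[none\]' || true
}

# Stand-alone run: report on the constructed sample.
echo "retry counters : $(printf '%s\n' "$SAMPLE_CARD_STATUS" | pin_retries)"
echo "status         : $(retry_status "$SAMPLE_CARD_STATUS")"
echo "keys on card   : $(keys_present "$SAMPLE_CARD_STATUS")"
```

A `warning` result is the moment to change the PIN (or unblock it with the Admin PIN via option 2 of `passwd`) rather than keep guessing; once the user PIN and Admin PIN both hit zero, only the reset above remains, and it wipes the keys on the card.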