Skip to content

Instantly share code, notes, and snippets.

@dwallraff

dwallraff/yubikey.md

Last active September 5, 2025 22:12
Show Gist options
  • Save dwallraff/08ef797af04e59f3eb0db2e63b681388 to your computer and use it in GitHub Desktop.
Save dwallraff/08ef797af04e59f3eb0db2e63b681388 to your computer and use it in GitHub Desktop.
Download ZIP
Use chromebook to configure your yubikeys
Raw
yubikey.md

Yubikey setup on a Chromebook

First get a secure-ish linux env

  • Get the chromebook recovery app
  • Download the latest xubuntu iso
  • Zip the iso
  • Use the chrome recovery app to create a bootable USB
  • Put chromebook into dev mode (esc+refresh+power)
  • Press Ctrl + D when the warning pops up
  • Press Ctrl + D when asked about OS verification
  • Get the chromeos firmware update instructions
  • Ctrl+Alt+t to open a crosh shell, type shell to get a real shell
  • Paste commands
  • Set RW_LEGACY
  • Reboot, Ctrl+L -> 1 to get boot options, boot from you usb

Prep the linux env

sudo apt update && sudo apt install yubikey-manager scdaemon

Get your GPG key

Create a new GPG key (or skip this if you've already got one)

mkdir gpg; cd gpg
gpg --expert --full-gen-key

gpg> 9 # ECC and ECC
gpg> 1 # Curve 25519
gpg> 0 # Does not expire
gpg> y # This is correct

Fill out your info and enter a password Make sure to get keyid from the output line key <keyid> marked as ultimaltey trusted

echo "<keyid>" > keyid

Next, add some subkeys

gpg --expert --edit-key $(cat keyid)
gpg> addkey
gpg> 11 # ECC (set your own capabilities)
gpg> Q # Only 'Sign' should be selected
gpg> 1 # Curve 25519
gpg> 0 # Does not expire
gpg> y # Yep
gpg> y # One more time

gpg> addkey
gpg> 11 # ECC (set your own capabilities)
gpg> A
gpg> S
gpg> Q # Only 'Authenticate' should be selected
gpg> 1 # Curve 25519
gpg> 0 # Does not expire
gpg> y # Yep
gpg> y # One more time

# Should have 3 subkeys for E, S, A

gpg> save

Export your keys

gpg --armor --export-secret-keys $(cat keyid) > mastersub.key
gpg --armor --export-secret-subkeys $(cat keyid) > sub.key
gpg --armor --export $(cat keyid) > public.key

Make an encrypted backup of this folder

cd ..
tar cz gpg | gpg --batch --cipher-algo AES256 --symmetric --output gpg.tar.gz.enc

Copy over backedup keys (if you've already created them)

Mount your usb drive and copy over the encrypted backup

export TEMPDIR=$(mktemp -d)
cd $TEMPDIR
mkdir -p mount
sudo mount </dev/sdb> mount
cp mount/gpg.tar.gz.enc .
gpg --batch --cipher-algo AES256 --decrypt gpg.tar.gz.enc | tar xz

Add keys to yubikey

You'll want a copy of your keys if you're gonna do this more than once

export GNUPGHOME=$(mktemp -d)
cp -r gpg $GNUPGHOME
cd $GNUPGHOME/gpg

Now we can copy your keys to your yubikey

gpg --import mastersub.key
gpg --edit-key $(KEYID)

gpg> key 1
gpg> 2 # (2) Encryption key
gpg> key 1

gpg> key 2
gpg> 1 # (1) Signature key
gpg> key 2

gpg> key 3
gpg> 3 # (3) Authentication key
gpg> key 3

gpg> save

Finish setting the yubikey

Change card info

gpg --edit-card
gpg/card> name
gpg/card> sex
gpg/card> url
gpg/card> login
gpg/card> lang

Change pins

Default pins are 123456 and 12345678

gpg/card> admin
gpg/card> passwd
Your selection? 3
Your selection? 1
Your selection? q

Turn on touch access

ykman openpgp keys set-touch aut on
ykman openpgp keys set-touch enc on
ykman openpgp keys set-touch sig on

Add 1password secret key to static password second slot

ykman otp static -f --no-enter -k US 2 <1password secret key>

Delete first slot if you're not using it (it can be annoying sometimes)

ykman otp delete -f 1

Set a FIDO PIN

ykman fido access change-pin --new-pin <pin>

Setup FIDO SSH keys

Follow this guide here

Mostly stolen from:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment