Configuration examples for setting up a Yubikey for OTP+U2F+CCID and storing GPG keys for use with Ubuntu.

70-yubikey-u2f.rules

# Put this file in /etc/udev/rules.d/ and run this command:
#     $ /etc/init.d/udev restart

# This file contains the udev rule for allowing access to a Yubikey for U2F authentication.

ACTION!="add|change", GOTO="yubikey_u2f_end"
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", TAG+="uaccess"
LABEL="yubikey_u2f_end"

70-yubikey-usb.rules

# Put this file in /etc/udev/rules.d/ and run this command:
#     $ /etc/init.d/udev restart

# This file contains udev rules for allowing user access to the USB section of a Yubikey.

# Replace YOUR_USERNAME below with the output from `whoami`.

ACTION!="add|change", GOTO="yubikey_usb_end"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", OWNER="YOUR_USERNAME"
LABEL="yubikey_usb_end"

gpg-agent.conf

# Options for GnuPG located at ~/.gnupg/gpg-agent.conf

enable-ssh-support
write-env-file
use-standard-socket
default-cache-ttl 600
pinentry-program /usr/bin/pinentry-gtk-2

gpg-jail.sh

#!/bin/bash

# gpg-jail.sh

# The DOS label of your USB stick
LABEL="YOUR_LABEL"

# The pathname to the file containing your private keys
# on that stick
KEYFILE="gpg-top-secret.gpg-key"

# Identify the device file corresponding to your USB stick
device="$(/sbin/findfs LABEL=$LABEL)"

if [ -n "$device" ]; then

    # Create temporary GnuPG home directory
    tmpdir="$(mktemp -d gpg.XXXXXX)"

    # Mount the stick
    udisksctl mount --block-device "$device" --options ro
    # Import the private keys
    mntpoint="$(df "$device" | tail -1 | awk '{print $6}')"
    gpg2 --homedir "$tmpdir" --import "${mntpoint}/${KEYFILE}"
    # Unmount the stick
    udisksctl unmount --block-device "$device"

    # Launch GnuPG from the temporary directory, with the default public keyring
    # and with any arguments given to us on the command line
    gpg2 --homedir "$tmpdir" --keyring "${GNUPGHOME:-$HOME/.gnupg}/pubring.gpg" $@

    # Cleaning up
    [ -f "$tmpdir/S.gpg-agent" ] && gpg-connect-agent --homedir "$tmpdir" KILLAGENT /bye
    rm -rf "$tmpdir"
fi

gpg.conf

# Options for GnuPG located at ~/.gnupg/gpg.conf

keyserver hkp://pool.sks-keyservers.net
use-agent
personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

sys-setup.sh

#!/bin/bash

# These are the required packages you will need to install for getting full use from your Yubikey.
#     https://www.yubico.com

# Install dependencies for building all of the Yubikey programs
sudo apt-get install -y git autoconf automake libtool asciidoc

# Build and install the low level C library
git clone https://github.com/Yubico/yubico-c.git
cd yubico-c
autoreconf --install
./configure
make check
sudo make install
cd -
sudo rm -r yubico-c/

# We will need the yubikey development libraries along with libusb
sudo apt-get install -y libyubikey-dev libusb-1.0-0-dev
 
# The json library is optional
#sudo apt-get install -y libjson0-dev

# Install the ykpersonalize CLI utility
git clone https://github.com/Yubico/yubikey-personalization.git
cd yubikey-personalization
autoreconf --install
./configure
make check
sudo make install
cd -
sudo rm -r yubikey-personalization

# Now we refresh the shared libraries
sudo ldconfig

yubikey-setup.sh

#!/bin/bash

# Here are a few example configuration commands that you can run after your local
# computer is setup for use with a Yubikey.
#     https://www.yubico.com

# Enable OTP+U2F+CCID
ykpersonalize -m86

# after you confirm the above command, take out and plug back in your
# yubikey - it should show up as 1050:0407 when issuing the `lsusb` command