Avalon Obsidian Vault

Search

Search IconIcon to open search

YubiKey配置

Last updated Apr 16, 2023 Edit Source

# 初始化设置

https://xiaoqiang.blog/yubikey-shiyong/

设置PIV功能的PIN和PUK

设置FIDO2功能的PIN

设置OTP功能

# 操作系统登录

# Mac登陆配置

https://support.yubico.com/hc/en-us/articles/360016649059-Using-Your-YubiKey-as-a-Smart-Card-in-macOS

注意需要在Yubikey Manger的Applications > PIV里,点击setup for macOS

# Enable smartcard only on macOS

开启card only验证后,只有最近使用过验证的yubikey能解锁macOS的启动过程中的登陆

https://support.apple.com/zh-cn/guide/deployment/depfce8de48b/1/web/1.0

# 使用基于机器的执行方案的仅智能卡认证

sudo defaults write /Library/Preferences/com.apple.security.smartcard enforceSmartCard -bool true

# Linux登陆配置

https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F

# Windows登录配置

https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide

# GPG配置

https://github.com/drduh/YubiKey-Guide

# Configure Smartcard

Enable KDF

Change PIN

Set information

# Transfer keys

# OTP

OTP 功能开箱即用,一次一密,需要联网认证,官方有提供认证服务器,当然也可以自己搭建认证服务器。

每个Yubikey都有两个slot,出厂时默认OTP配置在slot 1,短按操作即可触发OTP认证; slot 2可配置 静态密码 Challenge-Response HOTP 中的一种,长按(2-5s)可触发。

# U2F

YubiKey中该功能开箱即用,无需复杂配置。

只要根据网站提示开启二次验证(2FA)并绑定你的YubiKey, 下次登录账户时,你首先需要像往常一样输入用户名和密码,然后根据提示用你的YubiKey进行二次验证。这样即使你的帐号密码被别人知道了,只要key在你手里,那么你的帐号依然是安全的。

# Apple

# Bitwarden

https://bitwarden.com/help/setup-two-step-login-yubikey/

https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication

# Cloudflare

# Google

# Github

# Microsoft

# 变更opengpg email

https://support.apple.com/zh-cn/guide/deployment/depfce8de48b/1/web/1.0

载入主密钥的私钥

gpg --import /path/to/offline/master/key/MASTERKEY.priv.asc

编辑主密钥

1
2
3
4
5
gpg --edit-key MASTERKEY
    adduid # Fill out form
    uid n # where n is the new uid number
    primary # To set the new e-mail as the primary e-mail address for the key
    save

分别导出主密钥的公钥和私钥备份,并妥善保存

1
2
gpg -a --export MASTERKEY > /path/to/offline/master/key/MASTERKEY.pub.asc
gpg -a --export-secret-key MASTERKEY > /path/to/offline/master/key/MASTERKEY.priv.asc

删除主密钥的私钥

1
gpg --delete-secret-key MASTERKEY

上传并导入公钥

1
2
3
4
gpg --send-key $KEYID
gpg --keyserver pgp.mit.edu --send-key $KEYID
gpg --keyserver keys.gnupg.net --send-key $KEYID
gpg --keyserver hkps://keyserver.ubuntu.com:443 --send-key $KEYID