Yubikey newbie question

Another Yubikey question - After looking through forum posts here and browsing the web in general, it looks like most folks who are interested in using Yubikey think of it mostly for cloud-account protection (Google, mostly) and maybe logins for Google accounts.

I’m a little confused at this. Do folks still store username/password combinations (say, banking) in web browsers? If so, protecting that stash of passwords is important (browsers can encrypt these combos, but that’s not the same as a Yubikey…). So it seems one would want to protect one’s browser/email with Yubikey. Probably the OS/hard drives too. What about backups? Can they be protected with Yubikey?

So, with this sort of thing in mind, one might want Yubikey to interface with gpg/luks, browsers, kwallet, and …? (this would require support for ‘duplicate’ Yubikeys, of course)

Try to use it with a freshly installed Leap 15.4.
LUKS2 in Leap 15.4 may support it.

You mean you think 15.4 YaST has some option to use the Yubikey instead of a password?

YubiKey is a form of Secure Element (SE). SE is a term for a secured environment to store secrets, like a cryptographic private key. The exact details of “secured” depend on the SE itself.

I don’t know much about YubiKey, but there should be some kind of middleware that can be used to interface with a YubiKey.

Take a look at the YubiKey FIPS page (“YubiKey FIPS Series | FIPS 140-2 Validated Keys | Yubico”), in the technical specifications:


Supported protocols: FIDO2/WebAuthn, FIDO U2F, smart card (PIV), Yubico OTP, OATH-TOTP, OATH-HOTP, OpenPGP, and Challenge Response

PIV smart card compatible, minidriver available on Windows

Support for PKCS#11

These are how you interface with a YubiKey, and it really needs some middleware.

Take PKCS#11, for example: you need a PKCS#11 provider/library specific to the YubiKey (presumably provided by Yubico), and any application can then use the YubiKey through the PKCS#11 API programmatically.
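To make the PKCS#11 point concrete, here is an added example (not from this thread and not Yubico's or OpenSC's own code) that signs a file with the key in a YubiKey PIV slot through the PKCS#11 API, using OpenSC's pkcs11-tool as the generic client and Yubico's libykcs11.so as the provider, then verifies the signature with plain openssl. The library search paths, the PIV slot to object ID mapping, and the script's function names are assumptions; the only parts of the script that need a token plugged in are the two pkcs11-tool calls.

```shell
#!/bin/sh
# Added example (not from the thread or from Yubico): sign a file with the key
# in a YubiKey PIV slot through PKCS#11 using OpenSC's pkcs11-tool and Yubico's
# libykcs11 provider, then verify the signature with plain openssl. Library
# paths and the slot-to-ID mapping below are assumptions.

# Where the Yubico PKCS#11 provider is assumed to live (openSUSE, a pkcs11
# subdirectory, Debian-style multiarch). Override with YKCS11_DIRS if needed.
YKCS11_DIRS="${YKCS11_DIRS:-/usr/lib64 /usr/lib64/pkcs11 /usr/lib/x86_64-linux-gnu}"

# Print the first readable libykcs11.so in the given directories (default:
# $YKCS11_DIRS); fail with a message if none is installed.
find_ykcs11_module() {
    dirs=${*:-$YKCS11_DIRS}
    for d in $dirs; do
        if [ -r "$d/libykcs11.so" ]; then
            printf '%s\n' "$d/libykcs11.so"
            return 0
        fi
    done
    echo "libykcs11.so not found; install yubico-piv-tool (or use OpenSC's opensc-pkcs11.so)" >&2
    return 1
}

# Map a PIV slot to the PKCS#11 object ID ykcs11 gives its key (assumed from
# the ykcs11 documentation: 9a->01, 9c->02, 9d->03, 9e->04).
piv_slot_to_id() {
    case "$1" in
        9a) echo 01 ;;   # PIV Authentication
        9c) echo 02 ;;   # Digital Signature
        9d) echo 03 ;;   # Key Management
        9e) echo 04 ;;   # Card Authentication
        *)  echo "unsupported PIV slot: $1" >&2; return 1 ;;
    esac
}

# Sign FILE ($2) with the RSA key in PIV slot SLOT ($1), writing a PKCS#1 v1.5
# signature over SHA-256 to SIG ($3). --login makes pkcs11-tool prompt for the
# PIV PIN; do not pass --pin on the command line, it shows up in the process
# list. The private key never leaves the token: the data goes in, the
# signature comes out. (ECC keys would need the ECDSA-SHA256 mechanism.)
pkcs11_sign() {
    module=$(find_ykcs11_module) || return 1
    id=$(piv_slot_to_id "$1") || return 1
    pkcs11-tool --module "$module" --login --sign --mechanism SHA256-RSA-PKCS \
        --id "$id" --input-file "$2" --output-file "$3"
}

# Verify SIG ($3) over FILE ($2) with the X.509 certificate stored in the same
# slot: read the certificate from the token (public, no login needed), extract
# its public key, and verify with openssl, i.e. without the token's help.
pkcs11_verify() {
    module=$(find_ykcs11_module) || return 1
    id=$(piv_slot_to_id "$1") || return 1
    crt=$(mktemp); pub=$(mktemp)
    if pkcs11-tool --module "$module" --read-object --type cert --id "$id" --output-file "$crt" &&
       openssl x509 -inform DER -in "$crt" -pubkey -noout > "$pub" &&
       openssl dgst -sha256 -verify "$pub" -signature "$3" "$2"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$crt" "$pub"
    return $rc
}

# Usage: sh yk-pkcs11-sign.sh SLOT FILE    e.g.  sh yk-pkcs11-sign.sh 9c release.tar.gz
main() {
    pkcs11_sign "$1" "$2" "$2.sig" && pkcs11_verify "$1" "$2" "$2.sig" \
        && echo "signature written to $2.sig and verified against the slot $1 certificate"
}
[ "$#" -eq 0 ] || main "$@"
```

The same pkcs11-tool calls work unchanged with OpenSC's own opensc-pkcs11.so, which also talks to the PIV applet; that is the whole point of PKCS#11 as middleware: the application (here pkcs11-tool and openssl) never sees anything YubiKey-specific.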

5.11.5 Unlocking LUKS volumes with TPM2 or FIDO2

The unlocking of fully-encrypted devices using TPM2 or FIDO2 is now supported.

There are at least two common use cases for this:

laptops and similar devices: unlocking encrypted disk only with an external, secure factor
server or edge: automated encryption of server disks at boot, especially in remote locations, that are made unusable if the disk is physically stolen
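For the laptop case in those release notes, here is an added example (not from the release notes, the thread, or the systemd project) of the enrolment procedure: add a FIDO2 token such as a YubiKey as an unlock factor for an existing LUKS2 volume with systemd-cryptenroll, keep the passphrase slot as a fallback, and register the token in /etc/crypttab so systemd-cryptsetup asks for it at boot. The device name, the crypttab volume name, the script's function names and the dracut rebuild step are assumptions about a Leap 15.4 install; the crypttab editing is done with a constructed sample file in the usage below.

```shell
#!/bin/sh
# Added example (not from the release notes or the thread): add a FIDO2 token
# as an unlock factor for an existing LUKS2 volume with systemd-cryptenroll,
# keep the passphrase slot as a fallback, and register the token in crypttab.
# Device/volume names and the dracut step are assumptions for Leap 15.4.

# Token enrolment needs a LUKS2 header (LUKS1 has no token slots).
require_luks2() {
    cryptsetup isLuks --type luks2 "$1" || { echo "$1 is not a LUKS2 device" >&2; return 1; }
}

# Enrol the attached FIDO2 token. systemd-cryptenroll first asks for an existing
# passphrase (proving you can already unlock the volume), then asks the token
# for a touch and, with --fido2-with-client-pin=yes, for its PIN, so someone who
# steals both the laptop and the key still has to know the PIN.
enroll_fido2() {
    require_luks2 "$1" || return 1
    systemd-cryptenroll --fido2-device=list          # show which tokens systemd sees
    systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=yes "$1"
}

# With no enrolment option systemd-cryptenroll lists what is on the header.
# The "password" slot must still be there: only consider --wipe-slot=password
# after a reboot has actually unlocked the volume with the token.
show_enrollments() {
    systemd-cryptenroll "$1"
}

# Add OPT to the options column of the crypttab entry NAME in FILE (default
# /etc/crypttab). Lines are "name device keyfile options"; the keyfile and
# options columns may be missing. Idempotent: a second call changes nothing.
crypttab_add_option() {
    ct_name=$1 ct_opt=$2 ct_file=${3:-/etc/crypttab}
    ct_tmp=$(mktemp)
    awk -v name="$ct_name" -v opt="$ct_opt" '
        $1 == name && $0 !~ /^[ \t]*#/ {
            if (NF < 3) $3 = "none"              # no keyfile column: passphrase prompt
            if (NF < 4) $4 = opt                 # no options column yet
            else {
                n = split($4, o, ","); found = 0
                for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
                if (!found) $4 = $4 "," opt
            }
            print $1 "\t" $2 "\t" $3 "\t" $4
            next
        }
        { print }
    ' "$ct_file" > "$ct_tmp" && cat "$ct_tmp" > "$ct_file"   # cat keeps the file's mode
    rm -f "$ct_tmp"
}

# Usage: sh luks-fido2.sh /dev/nvme0n1p3 cr_root   (LUKS2 device, then its crypttab name)
main() {
    enroll_fido2 "$1" && show_enrollments "$1" &&
        crypttab_add_option "$2" fido2-device=auto &&
        echo "rebuild the initrd so it carries FIDO2 support (assumed on Leap: dracut -f), then reboot to test"
}
[ "$#" -eq 0 ] || main "$@"
```

The order matters: enrol first, edit crypttab second, and keep the passphrase slot until a real reboot has unlocked the volume with the token, otherwise a missing initrd module or a token plugged into the wrong port leaves you locked out of your own disk.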