Discussing software, the web, politics, sexuality and the unending supply of human stupidity.


How to use a YubiKey to secure all the things

For a while I’ve been using YubiKey’s blue FIDO key. It enables you to use FIDO U2F for web services. Currently, the main sites that support Universal 2nd Factor (U2F) login are Google, Facebook, GitHub, Dropbox, Fastmail and the password manager Dashlane. It’d be great to see more sites added to this list, but this is a good start.

I upgraded recently from the blue FIDO key to the black YubiKey 4. The full YubiKey can be used for a few things

  • website 2FA using FIDO U2F
  • login to your computer using PIV
  • GPG
  • SSH

It took a while before I got it setup for each of these things.


This is the easy bit. You go to the relevant websites, you activate the U2F mode and you put the key in as required. This works the same whether you use the blue FIDO U2F-only key or the black YubiKey 4.

Generally, the way to use U2F is in addition to TOTP tokens. U2F is a nicer experience than TOTP on laptops and most desktops. (Really, some USB ports are really poorly designed for actually using a YubiKey with. The USB ports on either side of the old Mac keyboards are bad. The two USB ports on my Das mechanical keyboard are perfect.)

Computer login using PIV

To set your Windows or Mac computer up to login, you can do that using the YubiKey PIV Manager app. You can find instructions on the YubiKey website on how to set up key-based authentication on Linux.

The way I’m using the PIV mode is like this. I have a long password for my computer. I can type this in or I can use the YubiKey with a six-digit PIN. If you’ve got a good 20+ character password, you can always use that. But if you also have the USB key, you can use the PIN instead.


With the YubiKey, you can put a number of GPG keys on to it. As with the PIV logins, these are protected with a PIN. My main use case for GPG at the moment is code signing for GitHub. (Alas, nobody seems too bothered about email signing.)

This blog post by Simon Josefsson explains the process of setting up a YubiKey for GPG. The broad approach is you create a GPG key, then you create three subkeys—one for encryption, one for signing, one for authorisation. The private key for each is stored on the YubiKey: once you’ve pushed the private key to the YubiKey, there’s no way to get it back out again. (So, it’s sensible to make a backup of the keys and store them offline on, say, a USB key in a safe.)

If you’ve already got your public key on GitHub, you’ll need to export a new public key containing the subkeys you’ve stored on the YubiKey and paste that up on GitHub. (If you use GitLab, this whole approach doesn’t work… because of this bug I’ve reported.)

Once you’ve got it all set up, when you commit some new code to a Git repository, it’ll ask you for your YubiKey’s six-digit PIN. That is cached for a bit, so it should only interrupt you occasionally. If you remove the YubiKey, you’ll obviously have to put it back in and re-enter the PIN to commit new code.


Now the fiddly bit. The way you use SSH with the YubiKey is to convert your GPG key into an SSH public key. There’s a utility called gpgkey2ssh that does just this for you: you point it to your GPG public key and it’ll turn that into an SSH public key (remember, other than an offline—and hopefully encrypted—backup, you don’t have the private key: it’s stowed away inside the YubiKey).

The problem occurs with the version of GPG. You need to ensure you are running GPG 2.1. You can now get it from Homebrew on the Mac, so do that. You may need to ensure that symlinks are going to GPG 2.1 if you’ve got multiple installs.

This tutorial is the best one for getting gpg-agent setup for doing SSH. I found that it’s a bit of a faff keeping track of which keys are doing what during the process, so I ended up noting them down on a bit of paper.

So, what to do?

If you are an ordinary user and you don’t mind the tradeoffs of having to occasionally plonk a USB key in the side of your computer, get a blue YubiKey FIDO U2F. They’re fantastic.

There are issues: on desktop Macs, you need to ensure you have a USB socket that’s actually available and not a faff to use (i.e. not on the back of a Mac Mini, or tucked away under the edge of a keyboard so you can put the key in… but can’t actually push the button). You may need to get a little bit of USB extension cable to give you somewhere to press, or you might consider getting the YubiKey Nano.

If you are a geek and write software (or software-adjacent products including documentation), and you don’t mind jumping through quite a few more hoops to get the GPG and SSH stuff set up, you should do that too. If you don’t use GPG or SSH, you probably don’t need the black YubiKey and can stick to the blue FIDO U2F device.

You can buy the YubiKey 4 from Amazon UK, or if you prefer, you can get the YubiKey FIDO U2F ‘blue’ key.

Further reading

Most people don't give a damn about surveillance

The Snowden revelations keep dripping away and revealing the nearly absurd levels of surveillance that the United States government and the ‘Five Eyes’ countries engage in—bulk, indiscriminate collection of a data to a level that should shock the conscience.

It should shock the conscience, but it doesn’t. That big technology companies like Google and Yahoo! have been deputised in programmes like PRISM and Tempora was already known in outline by most technically informed observers—Snowden merely filled in the details with evidence.

That government spooks could read your email via the big Internet companies is something any savvy journalist could have learned off-the-record by simply pouring beer into engineers who work at said big companies. I know, I’ve done it, and I’m just a guy with a blog, for fucks sake.

Everyone in the business knew it was happening already: Snowden lifted the cover on the collective doublethink about it. We already knew it was happening, but having nice PowerPoint slides up on the Guardian website short-circuited our internal plausible deniability. It made solid what was already in the air.

Except, here’s the really depressing bit: most people don’t care and won’t care. The issues are suitably abstract enough and technical enough for them to not care. People say they care but their actions belie their words.

It takes twenty minutes for a technically competent user to set up GPG. A small amount of Googling and you can get your email client set up to send 2048-bit encrypted email. I have had GPG set up for years and less than 1% of email I get is signed or encrypted.

And I work with developers, software people, people who would have no trouble getting GPG set up with their mail client. If even technology geeks can’t be fucked to send encrypted email despite military strength encryption protocols like PGP/GPG being available for 20+ years, expecting ordinary people to do so is a fools errand.

That’s not because of user experience. We could let a whole room full of top designers make the process of using something broadly like GPG into a much less awful experience, but people aren’t motivated to get it set up because it doesn’t solve something they actually in their heart of hearts think is a problem.

And there are now simple smartphone apps: TextSecure, RedPhone, Telegram. No complex key signing protocols or any of that: just free apps that are basically WhatsApp or Facebook Messages but with the nice benefit of the NSA and GCHQ not listening. These apps are riding high on the App Store and Google Play charts because of the clear user demand for surveillance-free communication, right?

My hypothesis is simple: people don’t care about privacy, they care about looking like they care about privacy. There are people I know who spend hours and hours posting links to the latest Snowden revelation, the latest stupid thing a politician said about privacy, hell, they consider themselves privacy activists—and then I click through to their website and the GPG key is… nowhere to be seen. Hell, sometimes I can’t even find an email address, so I end up sending them a Twitter DM. And that’s privacy activists.

In the time it would take for people to have all these extended conversations about privacy and surveillance on Reddit, Hacker News, Twitter and the comments section of newspaper websites, people could easily set up a secure chat app or start encrypting their email and actually make it so that the spying agencies have to try.

People scoff at “if you have nothing to hide, you have nothing to fear” as a glib political slogan without grasping that based on people’s actions, that is actually how people think about surveillance. The threat posed to individual people by the NSA and GCHQ feels pretty empty. At a certain point, it fades into the background.

When I first started commuting to London, I felt offended by CCTV cameras. I counted the number of cameras on my commute into London and across London on the tube (or I tried—I lost count after about 150). Now they are invisible—the only time they have even come to mind was when I got mugged for my iPhone in a side-street that Camden council had neglected to put CCTV on. What once felt like an Orwellian intrusion by an overbearing state is something I only notice when its absence allows a gang of thugs on motorbikes to pilfer my phone.

I don’t expect a political fix for surveillance. Politicians are surprisingly adept at grabbing on to public sentiment and squeezing votes out of it. The issue of mass internet surveillance is one that some political party would grab on to for votes. I watched the UK election coverage and I can’t recall seeing any politician of any party mentioning surveillance in the mainstream media. No votes to grab on opposing Big Brother, evidently.

Whether you think technology or politics or law is ultimately the way we fight the surveillance state, both need people. That mass of people giving a damn is missing. This is a dispiriting message for anyone who thinks these issues matter, but the first step to fixing the problem is acknowledging the reality—that most people don’t give a shit.