Overview

I've had my YubiKey Neo since 2015 and there is still nothing wrong with it.
I carry it around everyday and use it many times per day.
However there have been some improvements and added features in the YubiKey 5.
Given the YubiKey Neo was released in 2012 that should not come as a much of a surprise.

This guide aims to be similar as the guide I wrote in 2015 but just updated for the YubiKey 5 and with a few enhancements.
I use Tails to provide me with a secure environment.
How to create the Tails media is not covered in this guide. Take a look at their setup guide.

Requirements

• YubiKey 5, any model
• YubiKey Manager
• Tails
• Extra USB stick for Debian packages

Preparation steps

This guide will make use of the CLI version of the YubiKey Manager, however you can achieve the same outcome via the GUI.
I use Tails as a secure operating system to do the initial setup and lock-down.

Download the YubiKey tools

Since we will use Tails in off-line mode in the later stage we need to download some packages first.
The most simple and quickest way to do that is to boot up Tails, and set a administration password before you login.

Once logged in and connected to the Internet run the following commands with elevated privileges. The following commands will only download the packages and save them to the directory specified.

apt-get update

apt-get -d -o=dir::cache=/tmp/yk-packages install yubikey-manager

Where /tmp/yk-packages is the directory you want to save the packages under.
Copy the .deb packages from /tmp/yk-packages/archives to the USB sick and shutdown Tails.

You could also download the packages from a mirror or another Debian install.

Sadly there is no simple way to verify downloaded packages as Debian do not sign there packages. We thus need to verify and trust the mirror we are using.
At install time dpkg will check the md5sum of the package as well.

On-line stage

On-line Tails boot stage

Boot the tails media.
At the Additional Settings section ensure you set a Administrator Password.
No other settings are needed at this state, continue to log into Tails.

Wait for TOR to become ready before moving on. You should also use the TOR browser to verify you are connected. Use the Tor check button on the Tails Home page after launching the TOR browser.

Verifying the YubiKey, stage one on-line

YubiKey's come in tamper evident packaging to help ensure nothing is tampered with.
However we still should verify as much as we can.

This first step requires us to disable an app amour rule. This is not a good idea for general use However we just want to verify the YubiKey once, so its an okay trade off.
Their is a patch to fix the AppAmour profile.
However since this is a one time operation, we will just disable the profile.

With elevated privileges run the following command in a terminal :

apparmor_parser -R /etc/apparmor.d/torbrowser.Browser.firefox

We also then need to configure Tor Browser to enable webauthn.
Open Tor Browser, in a new tab enter about:config.
Now search for security.webauth.webauthn, set this to true. Close down the Tor Browser and re-open it.
Insert your YubiKey and browse to the Yubico verification site.

Click Verify Device, click Proceed when prompted. You then need to touch the YubiKey button on the device.
Once done you should be presented a page that tells you Verification Complete.
We now have a higher level of confidence the YubiKey is trustworthy.

After this, reboot into a fresh boot of tails.

Off-line stage

From now on this is the recommend way to setup and configure your YubiKey.

Verifying the YubKey, stage two off-line

Boot into a fresh Tails environment.

At the Additional Settings section ensure you set the following :

• Administrator Password
• Network Connection, set to Disable all networking

No other settings are needed at this state, continue to log into Tails.

Package installation

Once logged in, plug-in the USB stick from the above step and install the packages.
Using the command in the directory where the packages are located, run the following with elevated privileges :

dpkg -i *.deb

YubiKey Serial verification

Then note down the serial on the bottom of the physical key.
Plug in your YubiKey.
Then use the following command to check the serial is correct :

ykman list --serials

This should print the serial number of the YubiKey, ensure its the same as the one you noted down.

Next we ensure the CCIDChip Card Interface Description) interface also presents the correct serial number. To do that we need to use gpg.
Run the following command :

gpg --card-status

This should print some information, right now we just want to check the serial number.
The serial number can be found in the Serial number line and also embedded in the Application ID string.

Set available interfaces USB/NFC

The YubiKey has many different interfaces that can be enabled for USB or NFC. NFC can also be completed disabled.
To see what is currently enabled use the following command :

ykman info

This should output something similar to this :

Device type: YubiKey 5 NFC
Serial number: 123456789
Firmware version: 5.2.6
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP+FIDO+CCID
NFC interface is enabled.

Applications	USB    	NFC
OTP     	Enabled	Enabled
FIDO U2F	Enabled	Enabled
OpenPGP 	Enabled	Enabled
PIV     	Enabled	Enabled
OATH    	Enabled	Enabled
FIDO2   	Enabled	Enabled

As you can see all Applications are enabled for USB and NFC by default.
Running the command ykman config will give you help on how to enable or disable applications or to turn off NFC.

I want all applications available on both USB and NFC. This allows me to use the YubiKey with my phone via NFC.

Set lock code

The lock code ensures no unauthorized changes to the enabled/disabled applications on the YubiKey.
This ensures only the person with the lock code key can make changes.
I will make use of the generate function to make a lock code.

Run the following command to generate and set a lock code :

ykman config set-lock-code --generate

Note this down somewhere secure, like your password manager.

Set CCID/OpenPGP admin and user pin

Next we will set the PIN's on the CCID / OpenPGP slot.
The admin PIN is needed to reset the user PIN. The user PIN is used for day to day operations. If you lock out the admin PIN you will need to reset the slot/applet, this will wipe all sorted information and keys.
If you lock out the user pin, you can unlock it with the admin PIN.
It would be wise to set these even if you do not plan to use this functionality, as this prevents anyone tampering with the slot.

Show supported PIN lengths :

gpg --card-status

You are after the line that looks like this :

Max. PIN lengths .: 127 127 127

The first field is the user PIN length, the second field is not used(see ISO-7816) the third field is the admin PIN length.

Next set a PIN, PIN's on the Yubkey can be up to 127 characters long. The PIN's format is UTF-8 and must be a minimum of 8 characters long.
See chapter 4.2 in the OpenPGP card functional specification manual for more details.

Now you can set a PIN via :

gpg --change-pin

Select the option 3 - change Admin PIN you will now be prompted to enter the existing PIN, the default PIN is 12345678.
Next enter you new pin, if this operation is successfully you will be taken back to the main menu.
Now set the user pin, select option 1 - change PIN, you will now be prompted to enter the existing PIN, the default PIN is 123456. As above enter your new PIN. Next select Q - quit to exit out of the PIN menu.
The default PIN's can be found in the YubiKey technical manual.

Thats all for now, in upcoming posts I will describe how to setup and use the various functions on the YubiKey.

References

• YubiKey on-line verification
• YubiKey 5 technical manual
• Reset GPG slot/Applet
• OpenPGP card functional specification
• GPG card status
• OpenGPG Smartcard manual, PIN section(Chapter 3)
• ISO 7816
• Tails verify image
• Tor Browser AppAmour u2f rules