# Yubikey
A list of sites that my YubiKeys are registered with.

| Site | Primary Key Registered | Backup Key Registered |
| -------------------- | :--------------------: | :-------------------: |
| Facebook | ✅ | |
| first-financial-bank | ✅ | |
| github | ✅ | |
| gitea | ✅ | |
| go-daddy | ✅ | |
| M4-Mac-Mini | ✅ | |
| Macbook-Pro | ✅ | |
| Proton | ✅ | |
## Initial Setup
[Yubikey-Instructions](https://support.yubico.com/hc/en-us/articles/360016649059-Using-your-YubiKey-as-a-smart-card-in-macOS)
I followed the above instructions to set up certificates that allow the yubikey to be used for the
login screen. I opted not to require it at login, as there are warnings that if a key is lost (and
you use FileVault) you will not be able to unlock the file system. This does allow the computer
to be unlocked with a simple passcode though.
There are several PINs / passwords that need to be set up beyond the above instructions. This seemed
easier on my iPhone. On the iPhone tap the menu at top right and choose configuration. There you can
set up the OATH password and FIDO PIN (take note to read the
[First Financial](#first-financial-bank) notes).
## Moving GPG keys onto Yubikey
[helpful-youtube-video](https://www.youtube.com/watch?v=xGsixSh6sC4)
The `GPG-Suite` application needs to be installed on macOS in order to interact with the yubikey.
This then gives you access to use the `gpg --card-edit` command that allows you to add gpg-keys to
the yubikey itself.
### Default PINs for yubikey (need to be changed below).
1. User: 123456
1. Admin: 12345678
### Sequence (from memory, may be off / needs to be checked).
1. `gpg --card-edit`
1. `admin`
## Setting up macOS to use gpg-agent for ssh
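The following line needs to be added to `~/.gnupg/gpg-agent.conf`: `enable-ssh-support`.
```bash
# Append with >> so existing gpg-agent.conf settings are kept; a single > would overwrite the file.
echo enable-ssh-support >> ~/.gnupg/gpg-agent.conf
```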
The following lines were added to `.zshrc` to enable the usage of the gpg-agent for ssh (should not
need to be done again, as long as dotfiles are installed and linked correctly).
```bash
gpgconf --launch gpg-agent
export SSH_AUTH_SOCK=~/.gnupg/S.gpg-agent.ssh
```
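An idempotent version of the two steps above, added here as an example and not part of the original notes: it enables SSH support without clobbering or duplicating lines in an existing config, and checks that `SSH_AUTH_SOCK` matches the socket gpg-agent reports. The function names `ensure_ssh_support` and `agent_sock_ok` are made up for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes). Function names are hypothetical.

# ensure_ssh_support CONF
#   Appends `enable-ssh-support` to CONF unless an active (uncommented) line
#   already sets it. Creates the directory and file with tight permissions
#   when they are missing. Prints "added" or "present".
ensure_ssh_support() {
    conf=$1
    dir=$(dirname "$conf")
    [ -d "$dir" ] || { mkdir -p "$dir" && chmod 700 "$dir"; }
    [ -f "$conf" ] || { : > "$conf" && chmod 600 "$conf"; }

    # A commented-out "# enable-ssh-support" does not count as enabled.
    if grep -Eq '^[[:space:]]*enable-ssh-support[[:space:]]*$' "$conf"; then
        echo present
        return 0
    fi

    # If the file does not end in a newline, add one so the new option
    # is not glued onto the previous setting.
    if [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ]; then
        echo >> "$conf"
    fi
    echo enable-ssh-support >> "$conf"
    echo added
}

# agent_sock_ok
#   Succeeds when SSH_AUTH_SOCK points at the SSH socket gpg-agent reports.
#   Returns 2 when gpgconf is not installed or reports no socket.
agent_sock_ok() {
    command -v gpgconf >/dev/null 2>&1 || return 2
    want=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null)
    [ -n "$want" ] || return 2
    [ "${SSH_AUTH_SOCK:-}" = "$want" ]
}
```

After `ensure_ssh_support ~/.gnupg/gpg-agent.conf` prints `added`, run `gpgconf --kill gpg-agent` so the agent rereads its config on the next launch.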
## Setting Up at First Financial Bank {#first-financial-bank}
When setting up I could only use my phone; it wouldn't allow me on my computer. Once you tap the
device to the phone it prompts for a PIN; this is referring to the FIDO PIN that needs to be set up
prior. This took me a while to figure out and I had to factory reset the FIDO application on the
yubikey after too many failed attempts where I used the primary PIN to try and unlock the yubikey.