YubiKey hardware security key setup on Arch Linux.
Installation
sudo pacman -S \
yubikey-manager \
yubico-authenticator \
pcsclite ccid
- yubikey-manager — CLI tool (ykman)
- yubico-authenticator — TOTP/HOTP GUI
- pcsclite, ccid — Smart card daemon
Enable Services
sudo systemctl enable --now pcscd
Basic Usage
Check YubiKey
ykman info
List OTP slots
ykman otp info
TOTP Authenticator
Launch the GUI:
yubico-authenticator
Or use CLI:
# List accounts
ykman oath accounts list
# Get code
ykman oath accounts code "Account Name"
FIDO2/WebAuthn
Works out of the box with modern browsers for passkeys and 2FA.
udev rules
If YubiKey isn’t detected, add udev rules:
sudo pacman -S libu2f-host
Or manually create /etc/udev/rules.d/70-u2f.rules:
# YubiKey
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0664", GROUP="users", ATTRS{idVendor}=="1050"
Reload:
sudo udevadm control --reload-rules
sudo udevadm trigger
SSH Authentication
Use YubiKey for SSH keys via FIDO2:
Generate key
ssh-keygen -t ed25519-sk -O resident -O verify-required
- -t ed25519-sk — FIDO2 key type
- -O resident — Store on YubiKey (discoverable)
- -O verify-required — Require touch + PIN
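The -O verify-required flag is set on the key when the client generates it; a server only insists on the PIN check when the entry in authorized_keys carries the verify-required option. The shell function below is an added example, not part of the original page: it audits authorized_keys entries for keys that are not FIDO2-backed or that lack that option. The function names and the sample entries (with placeholder key blobs) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit authorized_keys entries for hardware-backed keys.
# audit_authorized_keys is a hypothetical helper name, not an OpenSSH tool.
# Reads the files given as arguments, or stdin when none are given.
# Prints "<line> <verdict> <key-type>" per entry; verdicts:
#   OK            FIDO2 (sk-*) key and the entry carries verify-required
#   NO_VERIFY     FIDO2 key, entry does not demand PIN verification
#   NO_TOUCH      FIDO2 key, entry waives touch with no-touch-required
#   NOT_HARDWARE  software key type (no sk- prefix)
#   UNPARSED      no known key type found on the line
audit_authorized_keys() {
    awk '
    BEGIN {
        keytype = "^(sk-)?(ssh-(ed25519|rsa|dss)|ecdsa-sha2-nistp(256|384|521))(@openssh\\.com)?$"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
    {
        type = ""; opts = ""; q = 0
        for (i = 1; i <= NF; i++) {
            # A key-type word inside a quoted option value (odd quote
            # count so far) belongs to the options, not to the key.
            if (q % 2 == 0 && $i ~ keytype) { type = $i; break }
            t = $i; q += gsub(/"/, "", t)
            opts = opts " " $i
        }
        if (type == "") { verdict = "UNPARSED"; type = "-" }
        else if (type !~ /^sk-/) verdict = "NOT_HARDWARE"
        else if (opts ~ /(^|[ ,])no-touch-required([ ,]|$)/) verdict = "NO_TOUCH"
        else if (opts ~ /(^|[ ,])verify-required([ ,]|$)/) verdict = "OK"
        else verdict = "NO_VERIFY"
        print NR, verdict, type
    }' "$@"
}

# Constructed sample file; the key blobs are placeholders, not real keys.
sample_authorized_keys() {
    cat <<'EOF'
# constructed sample entries
verify-required sk-ssh-ed25519@openssh.com AAAAconstructed1 alice@laptop
sk-ssh-ed25519@openssh.com AAAAconstructed2 bob@laptop
no-touch-required,command="/usr/bin/backup ssh-rsa now" sk-ecdsa-sha2-nistp256@openssh.com AAAAconstructed3 ci@runner
ssh-ed25519 AAAAconstructed4 carol@desktop
EOF
}

sample_authorized_keys | audit_authorized_keys
```

A NO_VERIFY entry is still PIN-checked if sshd_config sets PubkeyAuthOptions verify-required for the whole server.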
Load resident keys
ssh-add -K # Load all resident keys from YubiKey
PIV (Smart Card)
For certificate-based auth:
# Check PIV status
ykman piv info
# Generate key in slot 9a
ykman piv keys generate 9a public.pem
GPG
Use YubiKey as GPG smart card:
gpg --card-status
gpg --card-edit
Locking Workstation
Lock screen when YubiKey is removed:
# Install
paru -S yubikey-touch-detector
# Or use udev rule + hyprlock
Resources
- Arch Wiki: https://wiki.archlinux.org/title/Smartcards
- YubiKey docs: https://docs.yubico.com/