Articles

learn more about encryption

What Is Yubikey

Yubikey by Yubico is a hardware USB device that can be used for encryption or authorization. Yubikey looks like a USB flash stick; when inserted, it generates a secure HMAC code, which can be used as an encryption key.

Yubikey

Yubikey is third party hardware; we don't have any connection to Yubico. If you have any problem with your Yubikey, please contact the manufacturer directly.

As you may probably know, Kryptel and Silver Key support so-called binary keys. Binary key is a small file that can be stored on an external device (for instance, on a USB stick), and like Yubikey, can be used as an encryption key. Unlike Yubikey, it will cost you nothing. So the logical question is: Is it really worth to pay $25 for a specialized device, which does the same thing? Well, it may.

The main Yubikey advantage is better resistance to security breaches. In case of lost or stolen Yubikey, the security leak will be very limited. If the data have been encrypted using the "Yubikey + Password" scheme, there will be no leak at all.

Another important advantage is better manageability. Several different Yubikeys may be used to access the same encrypted file. If one of them gets compromised, only the compromised key must be replaced. The other users' Yubikeys remain unaffected and need not to be revoked.

To better illustrate this, here is a comparison of binary key and Yubikey in different security incident scenarios.

The opponent gets brief access to the key device

Binary Key Yubikey Only Yubikey + Password
A binary key can easily be copied. Copying the key provides full access to all files encrypted with that key. Yubikey can’t be copied. The opponent will gain nothing from sneaky access to the key. No security threat.

The opponent gets prolonged access, enough to decrypt a file and learn the actual encryption key

Binary Key Yubikey Only Yubikey + Password
Like above - the key, and all files encrypted with it, get compromised. Yubikey generates a unique key for every encryption operation. Obtaining one key will not help to get access to other encrypted files. The Yubikey itself is not compromised and remains safe to use. Decryption is not possible, no security threat.

The opponent obtains full access (the key device is lost or stolen)

Binary Key Yubikey Only Yubikey + Password
Like above - the key, and all files encrypted with it, get compromised. The opponent gets access to all files encrypted with that Yubikey. The other users, who have access to compromised files, are not affected and can use their Yubikeys without limitation. Decryption is not possible, no security leak. The only loss is the cost of a replacement Yubikey.

How to Obtain and Use Yubikey

First, you need to obtain a Yubikey device from the manufacturer's product page. Currently produced models that support usage as an encryption key are "Basic Standard", "Basic Nano", "Premium Neo", and "Premium Neo-N". If you prefer another model, consult the producer if that model supports HMAC-SHA1 Challenge-Response mode.

The next step is programming your new Yubikey. You can find a detailed step-by-step how-to in our article "Setting Up Your Yubikey".

Now your Yubikey is ready for use. Our article "Using Yubikey" shows how.

If you are an organization and your encrypted files are to be accessed by groups of users, please check our article "Managing Yubikey Lists". That article discusses creating and using lists of Yubikeys. Each list defines a set of Yubikeys that have full or read-only access to an encrypted file.