
Setting Up Your Yubikey

A factory-fresh Yubikey is initialized as a 'one-time pad' key to be used for Web authorization. To use it as an encryption key, you need to reprogram it to 'HMAC-SHA1 Challenge-Response' mode.

Step One: Installing the Tool

You will need the Yubikey Personalization Tool to prepare your Yubikey. Download the distribution file and run it to install.

Step Two: Programming Yubikey

Insert your Yubikey and run 'Start / All Programs / Yubico / Yubikey Personalization Tool'. In the program's window select HMAC-SHA1 Challenge-Response mode.

Yubikey has two independent configuration slots. It is recommended to reprogram the second slot, leaving the first slot factory-initialized for Web authorization.

Generating a random secret key and writing it into the Yubikey finishes the setup.

When you press the "Write Configuration" button, the program will offer to save the setup log to a .csv file. Don't press Cancel: you will need that file to decrypt your data if your Yubikey is lost, or to replace it if it breaks. Encrypt the .csv file with a good long password and store it in a safe place (don't use the same Yubikey device as the encryption key for the setup log file).

Step Three: Enabling Yubikey

The last step is enabling Yubikeys as encryption keys. Open the Crypto Settings panel ('Start / All Programs / Kryptel (Silver Key) / Crypto Settings') and select the 'Passwords and Keys' page. Check the box marked "Enable hardware Yubikeys".

Replacing a Faulty Yubikey

If you saved the setup log during Yubikey initialization, you can make a duplicate Yubikey to replace a faulty one. Initialize the replacement Yubikey as described above, with one exception: instead of generating a random secret key, paste the one from the setup log.

The setup log .csv file is a text file containing comma-separated values. If you open one in a text editor, you will see:

LOGGING START,3/9/2015 3:38 PM
Challenge-Response: HMAC-SHA1,3/9/2015 3:38 PM,2,,,7fb21c407f0693ab30259664680a047f8c462ccb,,,0,0,0,0,0,0,0,0,0,0

The number immediately after the timestamp is the configuration slot (usually 2). The long string of hexadecimal digits three commas further on is the secret key (the same key generated in the example above).

The secret key is what you need to duplicate your Yubikey. Select the key with your mouse; the selection must include the complete key from comma to comma, which in our example is "7fb21c407f0693ab30259664680a047f8c462ccb". Copy the selected string and paste it into the "Secret Key" field in Yubikey Personalization Tool. Press the "Write Configuration" button and press Cancel when the program offers to save the log (you already have one). Your replacement Yubikey is ready.
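As an added example (not part of the original article or of Kryptel), the following Python parses the setup log shown above, checks that the selected key really is the 40 hex digits an HMAC-SHA1 slot expects (so an incomplete selection is caught before it is written to a replacement key), and models the slot's challenge-response computation in software to show why a duplicate programmed with the same secret answers identically. It assumes the field layout of the example line, and that the slot is programmed for variable-length input so the device computes HMAC-SHA1 over exactly the challenge bytes.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample: the two setup-log lines shown in the article.
SETUP_LOG = """LOGGING START,3/9/2015 3:38 PM
Challenge-Response: HMAC-SHA1,3/9/2015 3:38 PM,2,,,7fb21c407f0693ab30259664680a047f8c462ccb,,,0,0,0,0,0,0,0,0,0,0
"""

HMAC_SHA1_KEY_HEX_LEN = 40  # 20-byte (160-bit) key, the size an HMAC-SHA1 slot holds


def parse_setup_log(text):
    """Return (slot, secret_key_bytes) from a Personalization Tool setup log.

    Assumed field layout (matches the example line): mode, timestamp, slot,
    two empty fields, then the secret key as 40 hex digits.
    """
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].startswith("Challenge-Response: HMAC-SHA1"):
            continue  # skip "LOGGING START" and any other entry types
        slot = int(row[2])
        key_hex = row[5].strip()
        if len(key_hex) != HMAC_SHA1_KEY_HEX_LEN:
            # An incomplete mouse selection shows up here, before anything is written.
            raise ValueError(f"secret key must be {HMAC_SHA1_KEY_HEX_LEN} hex digits, "
                             f"got {len(key_hex)}")
        return slot, bytes.fromhex(key_hex)  # raises ValueError on non-hex characters
    raise ValueError("no HMAC-SHA1 Challenge-Response entry in setup log")


def challenge_response(secret, challenge):
    """Software model of the slot: HMAC-SHA1 over the challenge, keyed with the secret.

    Assumption: variable-length input is enabled, so the device hashes exactly
    the bytes it receives. Two keys holding the same secret give the same result.
    """
    return hmac.new(secret, challenge, hashlib.sha1).hexdigest()


if __name__ == "__main__":
    slot, key = parse_setup_log(SETUP_LOG)
    print(f"slot {slot}, key {key.hex()}")
    # A replacement key programmed by pasting key.hex() answers identically.
    print(challenge_response(key, b"constructed challenge"))
```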
