Securing NixOS with Yubikey

Posted on 2020-12-14

In this blog post I will go over some things I have configured with NixOS and a yubikey to improve the security of my system. I will not go into detail on how to setup a GPG keypair, there are already plenty of great tutorials. 1


To use GPG with a yubikey, we first need to install some packages, put the following in your configuration.nix

  services.pcscd.enable = true;

  environment.systemPackages = with pkgs; [

  services.udev.packages = with pkgs; [

We will export the subkeys to our yubikey so we can use it when signing and decrypting mail, but first plug in the yubikey and run

$ gpg --card-status

Then run gpg --card-edit and you should see a prompt like this.


Type admin and then passwd to change the user and the admin pin. The user pin will be used for day-to-day things like signing and decrypting files, the admin pin will only be used for operations concerning the configuration of the yubikey, eg. adding subkeys. The default user pin is 123456 and the default admin pin is 12345678.

Now it’s time to export the keys, beware that this process will remove the keys from your computer, so make sure your keys are backed up on an external drive.

gpg --edit-key <keyid>

Secret subkeys are available.

pub  rsa4096/33947BA1AA8847FF
     created: 2020-12-13  expires: never       usage: C   
     trust: ultimate      validity: ultimate
ssb  rsa4096/D1B318ACDABCAEE6
     created: 2020-12-13  expires: 2021-12-13  usage: S   
     card-no: 0006 14257444
ssb  rsa4096/38E09A208656B970
     created: 2020-12-13  expires: 2021-12-13  usage: E   
     card-no: 0006 14257444
ssb  rsa4096/18ED52D1A730A8CA
     created: 2020-12-13  expires: 2021-12-13  usage: A   
     card-no: 0006 14257444
[ultimate] (1). yoctocell <>


Mark the signing subkey with key 1 and run keytocard to export it to your yubikey. When it has been exported you have to unmark the signing key by running key 1 again, you will see that the * next to the key disappears. Repeat the same process for key 2 and key 3, then type quit to exit.

Run gpg -K and you should see something like this

sec#  rsa4096/33947BA1AA8847FF 2020-12-13 [C]
      Key fingerprint = 4217 475C B91A 4C94 3FCE  C870 3394 7BA1 AA88 47FF
uid                 [ultimate] yoctocell <>
ssb>  rsa4096/D1B318ACDABCAEE6 2020-12-13 [S] [expires: 2021-12-13]
ssb>  rsa4096/38E09A208656B970 2020-12-13 [E] [expires: 2021-12-13]
ssb>  rsa4096/18ED52D1A730A8CA 2020-12-13 [A] [expires: 2021-12-13]

The > next to ssb means that it is a pointer to the subkey on your yubikey.

If you are currently running a live OS like Tails, you have to export your subkeys to an external drive.

gpg --armor --output=/path/to/external/drive --export-secret-subkeys <keyid>

You can import the subkeys on your main computer by running

gpg --import /path/to/external/drive

To test if everything is working, encrypt a file and then decrypt it with your private key

echo 'test' > test.txt
gpg -o test.gpg -e -r <keyid>
gpg --decrypt test.gpg

This should prompt you for the user pin you created for your yubikey.


There is a PAM modules that allows us to use the yubikey to authenticate when logging in.

security.pam.yubico = { 
  enable = true;
  debug = true;
  mode = "challenge-response"; 
  control = "required";

You then need to run the following commands.

nix-shell -p yubico-pam -p yubikey-personalization
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
ykpamcfg -2 -v

You now need your yubikey and your password to login to your machine, if don’t want to enter the password just remove the control = "required"; line.

  1. See here, here and here.↩︎

Articles from blogs I follow...

Generated by openring

Outreachy 'guix git log' internship wrap-up

Magali Lemes joined Guix in December for a three-month internship with Outreachy . Magali implemented a guix git log command to browse the history of packaging changes, with mentoring from Simon Tournier and Gábor Boskovits. In this blog post, Magali…

via GNU Guix — Blog April 8, 2021

What should the next chat app look like?

As you’re surely aware, Signal has officially jumped the shark with the introduction of cryptocurrency to their chat app. Back in 2018, I wrote about my concerns with Signal, and those concerns were unfortunately validated by this week’s announcement. Moxie’…

via Drew DeVault's blog April 7, 2021

Uphold Marxism-Leninism-Maoism-Stallmanism!

Chairman Stallman has been under fire lately from the reactionary forces that have gathered mainly on the American propaganda machine called Twitter. Parties interested in the demise of the ideological advances of Free Software want to sabotage the movement,…

via brown121407 March 25, 2021