YubiKey for Everything: SSH, GPG, FIDO2, and the Paperweight Drawer
Hardware-backed keys for the things you actually log into

I own four YubiKeys. Two are in active use; two live in what I’ve come to call the paperweight drawer, retired because I changed my mind about how to use them. That drawer is the honest part of this post. Hardware security keys are genuinely excellent, but the path to using them well is littered with dead ends, and the marketing won’t tell you which features are worth the bother. Here’s what actually earns its keep on a self-hoster’s keychain.
1 FIDO2: the one everyone should use first
If you do nothing else, register a YubiKey as a FIDO2/WebAuthn key on your email, your password manager, and your GitHub account. This is phishing-resistant second-factor authentication: the credential is scoped to the site's domain (the relying party ID) and the signed response includes the origin the browser actually showed, so a lookalike page that proxies the login gets a response the real site rejects. No app, no codes, no shared secret sitting on a server waiting to leak. You tap the key, it proves presence, done.
The catch is the same as it always was: register two keys everywhere, a primary and a backup, and store the backup somewhere physically separate. A single FIDO2 key with no backup is a self-inflicted lockout waiting to happen. Every service worth using lets you enrol multiple keys; use that.
2 SSH the modern way: FIDO2-backed keys, not GPG
For years the clever-clogs move was using a YubiKey’s PIV or OpenPGP applet to hold an SSH key. Since OpenSSH 8.2 there’s a much simpler path: native FIDO2 SSH keys, where the private key never leaves the hardware and a touch is required per authentication.
# generate a resident-capable ed25519 key backed by the YubiKey
$ ssh-keygen -t ed25519-sk -O resident -O verify-required \
    -C "smarc@workstation" -f ~/.ssh/id_ed25519_sk
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
Your identification has been saved in ~/.ssh/id_ed25519_sk

The -O resident flag stores the credential on the key itself, so on a fresh machine you can regenerate the private-key stub and its .pub with ssh-keygen -K. The -O verify-required flag makes every signature require user verification (the FIDO2 PIN) on top of the touch that sk keys demand by default. Copy the .pub to your servers as usual, and every ssh now demands a physical tap. Malware on the workstation can't quietly use your key while you're away from the desk: the private key never leaves the hardware, and the hardware won't sign without the tap.
$ ssh server.example.net
Confirm user presence for key ED25519-SK SHA256:9c4f...
# (YubiKey blinks; you touch it)
smarc@server:~$

This is strictly better than the GPG-agent-as-SSH-agent dance for most people: fewer moving parts, no keyring to corrupt, and the touch requirement is built in.
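The flags above are enforced by the YubiKey, but sshd can be made to insist on them as well: the authorized_keys options verify-required (reject signatures that did not involve user verification, i.e. the PIN) and no-touch-required (the opposite: accept signatures made without a tap) exist specifically for the sk key types. The script below is an added example, not code from the original post. It audits an authorized_keys file and reports every key that is either not a FIDO2 sk key or is an sk key enrolled without verify-required, so a server can be checked before the post's "every ssh now demands a tap" claim is relied on. The key lines, blobs and comments are constructed placeholders rather than real credentials, and the function name audit_authorized_keys is mine.

```shell
#!/bin/sh
# Added example (not from the original post): audit an authorized_keys file for
# hardware-backed keys and for the server-side verify-required option.
# One verdict per key line, followed by the key type and comment:
#   OK            sk-* key with verify-required (sshd rejects signatures made without the PIN)
#   TOUCH-ONLY    sk-* key without verify-required (a tap is still required by default)
#   NO-TOUCH      sk-* key with no-touch-required (sshd accepts signatures made without a tap)
#   NOT-HARDWARE  a plain software key type (ssh-ed25519, ssh-rsa, ...)
# Exit status is 1 if any verdict other than OK was seen, so it can gate a deploy.
# Limitation: an options field with spaces inside quotes (e.g. command="a b")
# is not handled; such lines would be misparsed.
audit_authorized_keys() {
  awk '
    /^[ \t]*(#|$)/ { next }                          # skip comments and blank lines
    {
      opts = ""; ktype = $1; comment = $3
      # A line with no options starts with the key type; otherwise field 1 is the options list.
      if ($1 !~ /^(sk-|ssh-|ecdsa-)/) { opts = $1; ktype = $2; comment = $4 }
      if (ktype ~ /^sk-/) {
        if (opts ~ /(^|,)verify-required(,|$)/)        verdict = "OK"
        else if (opts ~ /(^|,)no-touch-required(,|$)/) verdict = "NO-TOUCH"
        else                                           verdict = "TOUCH-ONLY"
      } else {
        verdict = "NOT-HARDWARE"
      }
      if (verdict != "OK") bad = 1
      print verdict, ktype, comment
    }
    END { if (bad) exit 1 }
  '
}

# Constructed sample file; the key blobs are placeholders, not real public keys.
SAMPLE_AUTHORIZED_KEYS='# workstation key, enrolled with -O verify-required and pinned server-side
verify-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t smarc@workstation
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t smarc@laptop
no-touch-required,restrict sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTY backup@cron
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholder legacy@oldbox'

# Stand-alone usage on the sample; on a real host use: audit_authorized_keys < ~/.ssh/authorized_keys
printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" | audit_authorized_keys \
  || echo "authorized_keys contains keys that are not verify-required sk keys"
```

Run against the sample it prints one OK line for the workstation key and flags the other three, then exits non-zero. Adding verify-required in front of a key the client generated without -O verify-required does not magically make the YubiKey ask for a PIN; sshd will simply reject that key's signatures, which is the point: the server-side option catches keys that were enrolled more loosely than policy allows.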
3 GPG: powerful, fiddly, and where my paperweights came from
The OpenPGP applet stores real GPG private keys on-card for signing commits and encrypting files. It works, and git commit signing backed by hardware is a lovely thing. But moving subkeys onto the card is a finicky one-way operation, the gpg-agent integration is fragile across OS updates, and recovering from a mistake usually means starting over. That's how two of my keys ended up retired — I'd provisioned them for an over-engineered GPG setup I abandoned.
$ gpg --card-status
Reader ...........: Yubico YubiKey FIDO CCID
Signature key ....: 4F2A 9C1D 88B0 ... ed25519
Encryption key ...: 7E1C 3A55 90DF ... cv25519
PIN retry counter : 3 0 3

If you sign a lot of commits or run a serious email-encryption workflow, GPG on-card is worth learning. If you don't, skip it; it's the feature most likely to land a key in your own paperweight drawer.
4 Practical setup notes
A few things I wish someone had told me:
- Set the PINs immediately. The OpenPGP and PIV applets ship with well-known default PINs (123456 for the user PIN, 12345678 for the admin PIN and PUK); change them before you provision anything, or you've added a shiny new attack surface. The FIDO2 applet ships with no PIN at all, and user verification (what -O verify-required asks for) needs one, so set that too.
- Use YubiKey Manager to disable the applets and interfaces you won't use; OTP is the usual first casualty, since it types a one-time password whenever the key is brushed. Fewer enabled interfaces means a smaller footprint.
- Label your keys physically. Once you have more than two, you will not remember which is the backup. A label maker saved me.
- Test the recovery path before you rely on it. Lock yourself out deliberately on a throwaway account and recover with the backup key. Better to find the gap now than during a real lockout.
5 The verdict
Worth it? For FIDO2 second factor and FIDO2-backed SSH, unreservedly yes: those two alone justify the £50 and have measurably improved my security with almost no daily friction beyond a tap. GPG on-card is for a narrower audience: commit signers and encryption diehards who don't mind a fiddly setup. Anyone who manages servers, or guards the email account that can reset everything else, should have one. Just buy two, register both, and resist the urge to provision every applet on day one; that's how the paperweight drawer fills up.