Set it up in Settings -> Security tokens and Volume tools -> Add. Step 16: rename VeraCrypt encrypted. 1a. If it reads fingerprints before sending the password, then I'd consider it. Q&A for information security professionals. AES needs 10 rounds for 128-bit keys, but 14 rounds for 256-bit keys. If you’d like to use the Authenticator App, we recommend our YubiKey 5 Series keys. 3. If you utilize a 3rd party backup service to manage backing up your. Click “Applications”, then “Utilities”, then “Unlock VeraCrypt Volumes”, then “Add”, select “tails” file on backup volume, click “Open”, enter password and, finally, click “Unlock”. dll 喜欢这篇文章的可以点. Basically, you take a thumb drive and create a big file that acts like another disk drive to your PC. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not. YubiKey Bio. Biometric. BitLocker is a tool built into Windows that lets you encrypt an entire hard drive for enhanced security. So it has to be a full exact-looking replica of Yubikey, thus raising the bar even more. Right now I'm connecting on my Windows with my Yubikey with Yubikey Login. You are now in admin mode for GPG and should see the following: 1 - change PIN. Free and open source. What will be the best opensource software to use with Ubuntu 20. It would be great if'd be possible to add another secutiry layer to VC using security dongles like ie the YubiKey 5 NFC. Hi, I see that the yubikey 5 enable 2fa login to windows 10 local account, but it is possible to start windows in safemode and bypass this. When creating a new encrypted drive, you will need to generate a keyfile that you will use to unlock your drive. Store this random value in YubiKey Long-Press slot. Con. websites and apps) you want to protect with your YubiKey. It supports EFI boot drives and volumes, has new encryption algorithms, better compatibility with Windows, and new security features. Professional Services. Run keytocard to store the encryption key in the encryption slot. 9a), and <filename> refers to the name of your certificate file (e. New Win10 and Old YubiKey4; trying to configure GPG Sign. Now we begin specifying how we’ll be creating our container. You can encrypt the entire drive---including the free space---or just encrypt the used disk files to speed up the process. Releases are signed using the keys listed here. Built on Python, ykman was designed to provide a central and standardized platform for the automated initialization of YubiKeys, as well as the loading of cryptographic secrets onto the various supported functions. ykman piv generate-key -a RSA2048 9d pubkey. Stack Exchange network consists of 182 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. Anschließend klickt auf Keyfiles. Password input automatically. Single Boot, chose encryption algorithm, yadda yadda yadda, everything works so far. But to me having all my eggs in one basket isnt the best idea. e. g. Two-step Login. It's already enough. Navigation to Certificates - Current User -> Personal -> Certificates. Two-step Login. Watch the video. wireshark. With it you may generate keys on the device, importing keys and certificates, and create certificate requests, and other operations. The YubiKey then enters the password into the text editor. g. hello, i tried to use my Yubikey 5C NFC key with a SHA2048 Key in slot 9a or 0x5fc108 or 0x5fc108 but veracrypt detects none of my certificate if it is in slot 0x5fc108 and 0x5fc103 however when it is in slot 9a it detects everything fin. The remedy is to switch the slots back again using YubiKey Manager or reconfigure the YubiKey for use as second factor authentication for the same user account. Stream Do PKCS 11 Keyfiles On A Yubikey Actually Improve Security For Veracrypt !NEW! by Nikki on desktop and mobile. Veracrypt is for disk encryption, needs root access, low level libraries, and uses a mode not made for file encryption. Note: Yubico Login for Windows perceives a. Windows is starting. networking. 1. This in turn allows the application to find libykcs. To select the encryption key, type key 1. One of the coolest features of the Yubikey is authenticating SSH sessions via PKCS#11. Thus when one of these fails there are still two others that will protect your files. BitLocker seems to be the most performant for large external SSDs, but it doesn't work on Mac/Linux, which kill the portability of the disk. This is made possible by the new Tensor G3 CPU and is one of the greatest security features in years, which hardly any other device offers. Yubikey #2 -> personal bitwarden -> store TOTPs in Yubikey. Yes, they are agents with callback that I need to automatically log in to the queues, I will check using this script, thanks. Think of your keyfile as being a locked cabinet, the data on the keyfile as the stuff inside the locked cabinet, and the smart card as the key to that cabinet. ago. Yubikey might be a solution here. Make sure the service has support for security keys. Besides the common remote login, all connections that use SSH, such as remote git server (e. It is a successor of TrueCrypt. 369. The Truth About. SSH + PuTTY-CAC. Learn how to create a keyfile on the Yubikey token and use it with a PIN and a passphrase to access your Vera Crypt container. The Yubico Authenticator app for iOS allows users to interact with X. Storage Encryption on GNU+Linux with EncFS. To select the authentication key, run key 2. Note that VeraCrypt enforces a minimal allowed PIM value depending on the password strength and the hash algorithm used for key derivation,. The YubiKey Manager, also referred to as ykman, is a general purpose tool for the configuration of all of the functions of the YubiKey. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. An der Stelle, wo ihr das Passwort vergeben müsst, wählt nun zusätzlich die Option Use keyfiles. Does anyone have a solution for using the Yubikey Security Key as a second factor for file-based crypto containers like VeraCrypt or something else? I know the Security Key doesn't allow PGP, but now I don't have another key. . smartcard; openpgp; yubikey; juanii. Second, Veracrypt is very good at what it does, but the encryption process is about 3 times the rate as bitlocker. ago. VeraCrypt is an excellent tool for keeping your sensitive files safe. YubiKey 5 NFC, YubiKey 5 Nano, YubiKey 5C, and YubiKey 5C Nano provide Smart Card functionality based on the Personal Identity Verification (PIV) interface specified in NIST SP 800-73, “Cryptographic Algorithms and Key Sizes for PIV. 1 vote. If this does. Its main focus is on cards that support cryptographic operations, and facilitate their use in security applications such as authentication, mail encryption and digital signatures. I understand PTK is derived from = PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address. I am wondering if veracrypt encrypted containers if they are safe enough. Repeat this step with the password confirmation/reentry field. Besides the common remote login, all connections that use SSH, such as remote git server (e. p12). Feature requests. com. 2. For more information. Get your own Yubikey using my af. Signal is free and open source software, enabling anyone to verify its security by auditing the code. But just observe that anyone else that gains access to your USB also gains access to the Veracrypt volume. Next to the menu item "Use two-factor authentication," click Edit. This is because pkcs11-tool --test-ec assumes that the same user can both generate a keypair and sign data. I learned this lesson the hard way. 2. Firmware is released by Yubico, which provides security improvements, as well as support for new features. To review, open the file in an editor that reveals hidden Unicode characters. Although small in terms of scope — VeraCrypt. Do things like import x509 certificates / keypairs to your Yubikey. Launch Powershell, Command Prompt, or Terminal. The data is encrypted with the public RSA key, and this is the key that can be exported and shared. YubiKey Manager. With the introduction of the Librem Key, Purism joins the ranks of other players—such as Yubico, Google, RSA and so on—in providing hardware tokens for multi-factor authentication. Mounting this drive has various types of security which include requiring a Yubikey, a passphrase, and even a custom specified PEM. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. YubiKey 4 for Disk Encryption as part of Your Password with VeraCrypt or BitLocker. Bitwarden Pricing Chart. The new NitroPhone 4 and NitroPhone 4 Pro offer significantly improved protection against remote exploitation via hardware memory tagging. Security risks when using an encrypted container to share messages. How to prevent hackers from identity theft and keep your privacy. 3. The private key is never retrieved from the Yubikey; it is operated upon inside the Yubikey. I’m going to take the default of the encrypted file container and click the Next button. (EFI partition) The LVM partition contains both the swap and the root filesystem. 131; asked Dec 8, 2020 at 22:50. Should you opt to install and use YubiKey Manager on this platform, please. Summary Files Reviews Support Source Code. in the settings) it uses X. Configure Yubikey and generate PKCS #11 keys Raw. Under "Security Keys," you’ll find the option called "Add Key. This only works with LUKS1 partition because Grub doesn't know LUKS2, so make sure to pass the argument --type. Once the dialog box opens, on the left side select Security. 喜欢这篇文章的可以点个赞!YubiKey Bio: Yubico announced they are working on a FIDO2 security key with an integrated fingerprint reader. Cross-platform application for configuring any YubiKey over all USB interfaces. Type certmgr. Passkeys / Resident keys are different from normal 2 factor. Using. I’m going to show you step by step how to configure your Yubikey to get the most out of it and set. Some time ago I installed Windows Hello and set it up to use my Yubikey 5 NFC for added security when logging in to my local accounts. Templates that can be imported into OpenSSL and be used with your Yubikey. Also super easy. encryption. installed 2 x USB stick with VeraCrypt vault (one 1 take while travelling with emergency phone). The password of VeraCrypt folder is shared in a sealed envelope at some family with details of locations of where USB sticks and Yubikey is. veracrypt; yubikey; Firsh - justifiedgrid. Battle. Join. fr ). This works wonderfully. I'm happy to report that it still works. In "smart card" mode yubikey can securely hold a certificate that's used for authentication. The TrueCrpyt encryption key derivation function runs SHA-512 on the password a thousand times so for 970,200 combination I would need to run SHA-512 ~1 billion times which would take ~10 seconds to do on a current generation GPU. • 2 yr. This is a tutorial showing the usage of the YubiKey PIV Tool to create a certificate and then demonstrate setting up your Windows 10 account to make use of t. Yesterday I got a Yubikey 5 NFC. You may also be able to connect a remote USB device through a VM. see that's the thing, the only difference i can see between a keyfile and a yubikey is that a yubikey is easier to lose and harder to copy, so if if's just a keyfile that's. 9. I am setting up a new Windows10 machine and want to use the same signing key from. The biggest difference between VeraCrypt and Bitlocker is the most obvious one: Who can actually use it. 1 Encrypting File System”. So, before setting up BitLocker or VeraCrypt, here how to set up your YubiKey to store the end of your password: Get a YubiKey. In order to use smart card to their full extent, the best approach would be to modify VeraCrypt encryption format in order to support Public Key Cryptography mechanism based on RSA or Elliptic Curve key. I encrypted the drive using veracrypt and a password since day one, no keyfiles. If this does. Sign documents with programs like Adobe Acrobat. In this video I will show you how to use a Yubikey for 1 or 2 static passwordsWhenever I open the VeraCrypt Volume Creation Wizard and choose either option "Encrypt a non-system partition/drive" or "Encrypt the system partition or entire system drive", the UI hangs immediately and completely ("Not responding"), without even getting to the very first step of the process. VeraCrypt (formerly TrueCrypt) Hard Disk Encryption on GNU+Linux with LUKS/dm-crypt. But it would be great if I could upload keyfiles to my Yubikey (or better yet - generate. Select the password and copy it to the clipboard. Instead of passwords, FIDO authentication uses registered devices / security keys to. 目前很难看到一个. Once an app or service is verified, it can stay trusted. Then you will need to import that keyfile onto your Yubikey. Stack Exchange network consists of 181 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. Want to know what happen to: Bitlocker partition Veracrypt partition Veracrypt container If there's bad sector appear in the encryption area. Their "touch-policy=always" feature ensures that in addition to entering the PIN, the. Although the YubiKey 4 can. Click Next -> select Yes, export the private key -> click Next again. Third, Bitlocker can store keys to AD. Step Four: Encrypt and Unlock the Drive. Look, you need to manage backups for your password manager anyway. 0 answers. Select the password and copy it to the clipboard. Don’t want to lose your key and then be locked out of accounts. Download VeraCrypt, install and run it, then click ‘Create Volume’ on the main screen. ksnyder23. The steam secret key is the key you are given that is used by the mobile authenticator in order to generate a OTP every 30 seconds. Once VeraCrypt is installed, open your Start menu and launch the "VeraCrypt" shortcut. 4. keep good backups and dont have to worry about files being currupted ;) atoponce • 4 yr. Below is a list of all available downloads ordered by version, starting with the most recent version. Unmount partitions. Any help with this would be appreciated. 4 was released in May of 2021 with reports of v5. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. (works like a charm), and figured out how to use Veracrypt to store it in a file on a hard drive. This Yubikey contains all of my TOTP (to be used with Yubico Authenticator). g. 0. veracrypt; yubikey; Firsh - justifiedgrid. The usage attributes on the certificate do not allow for smart card logon. Recompiling VeraCrypt is a massive PITA, however It is also possible to patch the offending instructions out of the "VeraCrypt-x64. Veracrypt will then read your Yubikey's imported keyfile, match that with what is stored on the system and then unlock your drive. ssh <user>@<remote_host> As long as the remote host has the fingerprint corresponding to the YubiKey's certificate in its ~/. Hidden OSes will be a massive headache for update already, though. dll's dependencies in the current working directory (ideal if using VeraCrypt portable & want to use yubikey with it). g. PROTECT ONLINE ACCOUNTS – A hardware password manager, two-factor security key, and file encryption token in one, OnlyKey can keep your accounts safe even if your computer or a website is compromised. Click “Applications”, then “Utilities”, then “Unlock VeraCrypt Volumes”, then “Add”, select “tails” file on backup volume, click “Open”, enter password and, finally, click “Unlock”. Go to: Applications -> PIV -> Configure Certificates -> Card Authentication. For example if there's a trojan on the computer where you open a kdbx file protected with a master password and a keyfile, it needs to collect three things: 1. dll is dynamically linked to the libyubihsm*. Now, about time, you should select and extremely high PIM to get the key derivation time you want. Let's say I have your Yubikey and USB stick but don't know the combination and want to brute force the combination. Open settings, update and security, device encryption. This is why ciphers require more rounds with larger keys. 0 is primarily in the PKCS#11 module (YKCS11). Pull the SSD out the old laptop and stick it inside the new laptop. You can even see them in the Yubico Authenticator app. VeraCrypt main features: Creates a virtual encrypted disk within a file and mounts it as a real disk. In questo video creiamo un sistema e una infrastruttura per rendere molto sicuro il vostro wallet electrum installato su un computer desktop o laptop, indipe. The encryption and decryption of data is completely transparent to authorized authenticated users, which makes the solution simple to use. For all forms of One Time Password that the YubiKey is capable of (Time based, Counter based (HOTP), YubiOTP), the seed value for any of these will always be stored on the YubiKey. A lot of other encrypting programs can utilize this, too, like VeraCrypt. . 509 certificate. Q&A for information security professionals. 131; asked Dec 8, 2020 at 22:50. Complete setup and guide to encrypting your files, folders, operating systems, and drives with Veracrypt, a free and open source encryption software. Out of those, only the second one ("Printed. VeraCrypt的最大特点是 跨平台 ,Windows、Linux、MacOS都有对应的版本,甚至一些小众的系统,比如FreeBSD上,都有支持,并且衍生了一些非GPL的版本(tcplay),可以说商业上使用也很方便。. Buy Yubikeys Here (Affiliate Link):you thought you knew about 2fa hardware keys is WRONG. You can also use the tool to check the type and firmware of a YubiKey, or to perform batch programming of a large number of YubiKeys. Introduction. Free and open source. Which makes them better than SHA-512 for password hashing because S-Boxes are slow on GPUs. Locate your imported certificate and double-click. Stack Exchange network consists of 181 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. Read about this and join our forum: Link Coming Soonveracrypt algorithms? Best veracrypt algorithms for sensitive files? AES is enough unless you're in super paranoia mode in which case AES (Twofish (Serpent)) is the best choice. I think I may have found the solution: the PIV app creates information on the Yubikey that corresponds to 3 keyfiles: "Cardholder Fingerprints", "Printed Information", "Cardholder Facial Image". I fire up Chrome or Safari. In "Manage Bitlocker" - add this pin to system drive. FIDO only. This leaves only 2 usable slots displayed in the Veracrypt dialog. . The individual memory cells work like tiny capacitors that must be constantly refreshed, and extreme cold slows the drain down. The new functionality in PIV Tool 2. The OID will look something similar to “Application [0] = 1. 5. The main bitwarden will store accounts from websites like Steam, Dropbox, Gmail, Epic Games, etc. Since Veracrypt is the latter, there's no reason to expand the key space. ago. to bring high quality YubiKey accessories to Yubico. PIV-PKCS. In "YubiKey Manager" go to PIV -> certificates -> import the new certificate. to recover my veracrypt containers?? i would love to know the process on a windows 11. Provides instructions on setting up SSH authentication with your Yubikey. 49k views. g. AES-serpent-twofish) and not just one (e. veracrypt; yubikey; Firsh - justifiedgrid. 0 answers. Q&A for information security professionals. You can also follow the steps written below for how the setup process usually looks when you want to directly add your YubiKey to a service. Every time you attempt to mount your encrypted drive, you will choose the keyfile option and then select your Yubikey as an authentication method. That being said, it is advised to create a dedicated keyfile using VeraCrypt keyfile generator and then import it into your Yubikey in order to use a keyfile. Under normal circumstances, the dimms are blanked after power is removed. 40 of the PKCS#11 (Cryptoki) specifications. Veracrypt. With a Yubikey 5 NFC, I'm able to put keyfiles in Fingerprints and Facial Image. Tails USB flash drive or SD card with VeraCrypt installed ; YubiKey with OpenPGP support (firmware version 5. Initialization. Step 15: mount VeraCrypt encrypted volume. Changing the PINs for GPG are a bit different. Select and copy (CTRL + C) the Thumbprint. Stack Exchange network consists of 182 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. Type certmgr. i recently brought a yubikey 5 and i want to use it for login into my laptop i have added it in ways to login but it defaults to pin login or password with pin removed i am using a microsoft account so the windows login program that does challenge-responce from the yubikey website. FIDO2 and U2F are completely separate from the two "slots", and usually don't store any configuration on the YubiKey. Writting an object is an action that requires authentication, which is done by providing the management key. Visit Stack ExchangeKey files and YubiKey. To enhance security, EgoSecure’s full disk. ”. • 2 yr. Any file works, like a photo or document. 0 answers. When using your YubiKey as a smart card, the Yubico Authenticator app is an. Veracrypt can read Yubikey data via OpenSC. -Veracrypt might be an. It should then load your Yubikey:r/yubikey • My YubiKey broke off my keychain as I got into my car in a parking lot, was presumably run over by one or more cars that bent the keyring, and was found several weeks later when the snow thawed. You should see the text Admin commands are allowed, and then finally, type: passwd. Use the YubiKey Manager to configure FIDO2, OTP and PIV functionality on your YubiKey on Windows, macOS, and Linux operating systems. This doc includes guides on setting up your Yubikey with Bitlocker, EFS, Code Signing, Veracrypt, Github commit signing, KeePassXC, SSH/PuTTY and a large variety of other software and technologies. This will allow you to encrypt your entire drive instead of just a portion of it. Performs RSA or ECC sign/decrypt operations using a private key stored on the smart card, through common. If it reads fingerprints before sending the password, then I'd consider it. About Press Copyright Contact us Creators Advertise Developers Terms Privacy Policy & Safety How YouTube works Test new features NFL Sunday Ticket Press Copyright. Support Services. Put another way, Yubikey, Solokeys and others based on those standard should be equally compatible with gmail, SSH, VeraCrypt, sudo etc. If your getting one, get at least 2. It is the. veracrypt; yubikey; Firsh - justifiedgrid. Buy $80 Mooltipass, which can store multiple static. Multi-protocol security key, eliminate account takeovers with strong two-factor, multi-factor and passwordless authentication, and seamless touch-to-sign. Turn off. Fourth, Bitlocker takes considerably less time to boot a computer from a restart than veracrypt. Click -> Run. VeraCrypt and YubiKey 5 NFC. We're not talking about multiple programs trying to simultaneously operate in protected mode, here. 1 vote. The data is decrypted with the private RSA key, and this key never leaves the YubiKey. Generate and save keyfile. Für die Einrichtung der PKCS#11-Bibliothek in VeraCrypt verweise ich mal auf meinen Beitrag VeraCrypt: Schlüsseldatei (Keyfile) mit YubiKey verwenden. VeraCrypt: Free Disk Encryption Software, a fork of TrueCrypt. Password verification fails with system partition installed in BIOS/MBR. New Win10 and Old YubiKey4; trying to configure GPG Sign for existing key. the webapp supports FIDO2 but the mobile app does not). Defaults PIN: 123456 PUK: 12345678. certificate. Right-click on Bitlocker certificate and select All Tasks -> Export. 99 votes. If possible, please help me figure it out. Yubikey and Veracrypt Bootloader bug. Locate your imported certificate and double-click. When. First, use the menu "Tools -> Keyfile generator" to create a random keyfile and store it on disk (ideally it should be stored in a mounted VeraCrypt. pem. The VeraCrypt key has to be backed up as well. GameStop Moderna Pfizer Johnson & Johnson AstraZeneca Walgreens Best Buy Novavax SpaceX Tesla. The setup may work on gpg 2. Usually with Bitlocker, you unlock your drive once with your Yubikey / smart card and the drive stays unlocked until you lock it again or restart your computer. The Yubikey allows you to save 25 passkeys onto the Yubikey itself. Done. Wpa PTK and GTK in detail. Keep one in your person and one somewhere safe at home as a back up. 1. 131; asked Dec 8, 2020 at 22:50. VeraCrypt can work with them over PKCS #11. Using Yubikey with Veracrypt. In "Manage Bitlocker" - you can now choose "Add Smart Card" for non-system drives. VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. 2. Visit Stack ExchangeThe RSA public and private keys at the YubiKey PIV are static and do not change. Downloads. Yubikey as a storage for Veracrypt keyfile. Possibly the plugged in state could help facilitate login to password managers. 67. Click Import and browse to and select the bitlocker-certificate. Stack Exchange network consists of 182 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. Run “certutil -scinfo” from a command prompt and locate the certificate that you want to use (look at the issuer). 9a), and <filename> refers to the name of your certificate file (e. I'm not sure if KeePassX can. To select the authentication key, run key 2. # SPDX-License-Identifier: MIT-0 # Destroy any old key on the Yubikey (careful!) ykman piv reset # Generate a new private/public key pair on the device, store the public key in # 'pubkey. 840. 복구 디스크 화면에서 '복구 옵션' > '키. Every time you attempt to mount your encrypted drive, you will choose the keyfile option and then select your Yubikey as an authentication method. r/linux4noobs. 04 to encrypt 100% of my disk?Windows起動前にVeraCryptのパスワード入力を求められるため、「Windows起動時サインインに2段階認証を設定」でパスワード2回入力となってしまう。 なので、普通に指紋認証か顔認証をWindows Helloの方で設定し、YubiKeyを使わなくても良. Solving for y, we find the 128/256 bit equivalence for all 94 keyboard characters comes to 20 and 40, respectively. 1 vote. It's the only private messenger that uses open source, peer-reviewed cryptographic protocols to keep your messages safe. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not. Encrypts an entire partition or storage device such as USB flash drive or hard. Elluminated • 3 mo. 1 yubico-piv-tool-2. does not work short or long I must have the numbers and characters otherwise the static is useless. The user input is hashed, and the result is. Yes you can use just a keyfile without a password. 3 releasing to the public in July of 2021. It is included on ALL models of Yubikey. g. Usage. d. Every time you unlock your drive with Bitlocker, you must launch Veracrypt and select your Veracrypt encrypted file on your USB thumb drive. Can I still mount/open the encryption to save non-. VeraCrypt). certificate. ", I would recommend a couple solutions: 1. VeraCrypt (formerly TrueCrypt) # VeraCrypt is a free and Open Source disk encryption software for Windows, macOS, and GNU+Linux. The only user interaction occurs during authentication phase. “Installing malware” on legitimate Yubikeys btw is impossible because their firmware cannot be upgraded for this very reason. Particularly regarding VeraCrypt developers being open (or not) to the idea of supporting cryptographic tokens (like Yubikey) to wrap volume master key using PIV applet keys (or OpenPGP keys)? Using fingerprint or facial image stored on a PIV token as one of the keyfiles is a fine idea, IMHO. Use the YubiKey Personalization Tool to configure the two slots on your YubiKey on Windows, macOS, and Linux operating systems. It is a small usb device that can act like a keyboard. I´m pretty happy with the regular use cases like adding security to my password manager and my google account, but now I´m wondering if the yubikey might be usable for my encrypted container as well. Type the password you. Having your private keys on your Yubi isn't a necessary step for encrypting with gpg but is a really cool use case that allows.