Actually, in PIV mode it's my understanding that you can have the Yubikey generate the private key if you want it to. Note that the key is intended to be difficult to extract from the device and there is not intended to be an interface for doing so. If you are using it with an RSA key, you need to decide if you trust that it is generating the key properly. Keep in mind Yubikeys are built on GlobalPlatform/JavaCard, which is an extremely high value target. There would definitely be the economic incentive for a well-funded adversary to backdoor the RNG system. If you are using a Yubikey with EC cryptography, the security analysis gets even more complicated. The curve used needs to be a safe one. And, if the RNG has been tampered with or incorrectly designed, EC signatures can actually leak the private key. Which is to say that if there is a flaw in the Yubikey, JavaCard, GlobalPlatform, or the specific chips they are using, and you are either (A) having it generate the private RSA keys, or (B) using it with elliptic curves, then there is the potential that the device is not at all secure. Note that backdooring crypto-specific chips is a thing. TPM and other special-purpose crypto chips have been discovered to have been both backdoored and vulnerable to implementation issues. Which is completely unacceptable - "you had one job".
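The "EC signatures can leak the private key" point above, as an added worked example that is not part of the original comment: a toy ECDSA on the textbook curve y^2 = x^3 + 2x + 2 over GF(17), where a "stuck" RNG hands the signer the same nonce twice, plus the check a verifier can run to flag it. The curve, the private key and the hash values are constructed toy values, not anything from a real device.

```python
# Toy ECDSA on y^2 = x^3 + 2x + 2 over GF(17); all values are constructed.
P_MOD, A = 17, 2           # field prime and curve coefficient a
G, N = (5, 1), 19          # generator and its (prime) order

def inv(x, m):
    return pow(x, -1, m)   # modular inverse (Python 3.8+)

def ec_add(p, q):
    """Affine point addition; None stands for the point at infinity."""
    if p is None: return q
    if q is None: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p == q:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, p):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, p)
        p, k = ec_add(p, p), k >> 1
    return acc

def sign(d, h, k):
    """ECDSA over hash h; the nonce k is what the device RNG must supply."""
    r = ec_mul(k, G)[0] % N
    return (r, inv(k, N) * (h + r * d) % N)

def verify(Q, h, sig):
    r, s = sig; w = inv(s, N)
    pt = ec_add(ec_mul(h * w % N, G), ec_mul(r * w % N, Q))
    return pt is not None and pt[0] % N == r

def repeated_r(sigs):
    """Defender check: equal r under one key means the nonce was reused."""
    rs = [r for r, _ in sigs]
    return {r for r in rs if rs.count(r) > 1}

def recover_from_reused_nonce(h1, sig1, h2, sig2):
    """Why the check matters: two signatures sharing r give k, then d."""
    (r, s1), (_, s2) = sig1, sig2
    k = (h1 - h2) * inv(s1 - s2, N) % N          # same k cancels in s1 - s2
    return (s1 * k - h1) * inv(r, N) % N         # d follows from s = k^-1 (h + r d)
```

Production ECDSA implementations avoid this dependence on the RNG by deriving the nonce deterministically from the key and message (RFC 6979), which is the mitigation the comment's concern points at.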