by talkingtab 519 days ago
"with a Yubikey" is probably a better title. The yubikey thingy costs more than the PI (and there is a helpful link if you want to buy one).

Very little of this has to do with a PI, it seems like almost any kind of home server would work (especially Linux). And it is unclear to me what value is added by the yubikey? And would any FIDO device work, or is this yubikey brand only?


> And it is unclear to me what value is added by the yubikey? And would any FIDO device work, or is this yubikey brand only?

As my sibling comment says, this doesn't use FIDO, it uses PIV. The YubiKey pretends to be a USB CCID-class smartcard reader [1], with a PIV-capable smartcard inserted. You could use any other PIV-capable smartcard, but then you would also probably have to buy a smartcard reader. I do have a Dell keyboard with a built-in smartcard reader [2], but I don't use it. This would also be much bulkier.

Edit: Smartcard vendors also vary wildly in terms of their support for "Things that aren't Microsoft Windows".

[1] among other things, such as a USB HID keyboard for the OTP functionality

[2] https://m.media-amazon.com/images/I/51m7Fuu3nWL.jpg

Good point.

Primarily, the YubiKey is there to lock away the private key while making it available to the running CA. Certificate signing happens inside the YubiKey, and the CA private key is not exportable.

This uses the YubiKey PIV application, not FIDO.

As an aside, step-ca supports several approaches for key protection, but the YubiKey is relatively inexpensive.

Another fun approach is to use systemd-creds to help encrypt the CA's private key password inside a TPM 2.0 module and tie it to PCR values, similar to what LUKS or BitLocker can do for auto disk unlocking based on system integrity. The Raspberry Pi doesn't have TPM 2.0 but there are HATs available.
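To make the PCR-binding idea in the comment above concrete, here is an added, self-contained simulation (not code from the thread, not from step-ca or systemd, and not talking to a real TPM). It models the TPM2 PCR extend operation as a SHA-256 hash chain over a constructed list of boot measurements, then "seals" a constructed CA passphrase to the resulting PCR value so that it only unseals when the measured boot state is identical. The seal/unseal primitive (hash-derived key, counter keystream, HMAC tag) stands in for the TPM's policy-checked unseal; in the real flow `systemd-creds encrypt --with-key=tpm2` with a PCR selection does this inside the TPM.

```python
"""Simulated TPM PCR extend plus seal/unseal bound to a PCR value.

Added example for illustration only: this is not real TPM code and the
boot measurements and passphrase below are constructed sample data.
"""
import hashlib
import hmac
import os

PCR_SIZE = 32  # one register in a SHA-256 PCR bank


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend: new_pcr = H(old_pcr || H(measurement)).

    Extending is one-way and order dependent, so any change to any
    component measured during boot changes the final PCR value.
    """
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Start from the all-zero reset value and extend each boot stage in order."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def policy_digest(pcr_index: int, pcr_value: bytes) -> bytes:
    """Stand-in for a TPM PCR policy: the key only exists for this exact PCR state."""
    return hashlib.sha256(b"PCR_POLICY" + bytes([pcr_index]) + pcr_value).digest()


def _keystream(key: bytes, nonce: bytes, length: bytes) -> bytes:
    """Toy counter-mode keystream from SHA-256 (illustration, not a production cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(secret: bytes, pcr_index: int, pcr_value: bytes) -> bytes:
    """Encrypt and authenticate the secret under a key derived from the PCR policy."""
    key = policy_digest(pcr_index, pcr_value)
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(secret, _keystream(key, nonce, len(secret))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(blob: bytes, pcr_index: int, pcr_value: bytes):
    """Return the secret only if the current PCR value satisfies the policy, else None."""
    key = policy_digest(pcr_index, pcr_value)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # policy mismatch: a real TPM would refuse to unseal here
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


# Constructed boot measurement logs: the second one differs in the kernel stage only.
GOOD_BOOT = [b"firmware-v1", b"shim-signed", b"grub-signed", b"kernel-6.1-signed"]
TAMPERED_BOOT = [b"firmware-v1", b"shim-signed", b"grub-signed", b"kernel-6.1-modified"]


def demo():
    """Seal a constructed CA passphrase to PCR 7 of the good boot, then try both boots."""
    ca_password = b"ca-key-passphrase-constructed"
    blob = seal(ca_password, 7, measure_boot(GOOD_BOOT))
    from_good_boot = unseal(blob, 7, measure_boot(GOOD_BOOT))      # passphrase released
    from_tampered_boot = unseal(blob, 7, measure_boot(TAMPERED_BOOT))  # None
    return from_good_boot, from_tampered_boot


if __name__ == "__main__":
    ok, bad = demo()
    print("good boot unseals:", ok is not None)
    print("tampered boot unseals:", bad is not None)
```

The point to take from it is the one the comment makes about LUKS and BitLocker: the CA passphrase is not protected by a password the operator types, but by the machine being in a known-good measured state, so swapping in a modified kernel or bootloader leaves the sealed blob undecryptable. Which PCRs to bind to is the usual trade-off: binding to more registers tightens the integrity check but means routine firmware or bootloader updates will require re-sealing.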