Ybdec is a simple tool that can be used to encrypt and decrypt payloads using asymmetric PIV keys on your YubiKey. It uses P-256 keys for HPKE encryption and decryption. The tool can be used as a building block in more advanced systems, for example for unlocking password managers or storing sensitive data.
It can:
- Generate keys.
- Encrypt data to a public key using HPKE in base mode.
- Decrypt data in HPKE base mode using one of the YubiKey PIV key pairs.
- Stash and fetch data directly on the YubiKey.
For CLI usage see doc/USAGE.md.
To generate a key:
```
$ export YUBIKEY_MANAGEMENT_KEY=010203040506070801020304050607080102030405060708
# Slot 9d is already the default slot for ybdec; we show it here explicitly.
# The touch policy also defaults to `always`, which means a touch is
# required on every operation.
$ ybdec generate --touch-policy always --slot 9d
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElP5zkkzoOETEPAXSeDoj0OIdYuj3
GXBQ/zee71xXvOb9eyEkbyamFTzw7jw+eJU7bpa0jp4PU8XAPuntL5dA/w==
-----END PUBLIC KEY-----
```
> [!WARNING]
> This will overwrite the key already in that slot, so be careful!

You can also use other YubiKey tools, for example yubikey-manager.
To export the public key:
```
$ ybdec pubkey --slot 9d
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElP5zkkzoOETEPAXSeDoj0OIdYuj3
GXBQ/zee71xXvOb9eyEkbyamFTzw7jw+eJU7bpa0jp4PU8XAPuntL5dA/w==
-----END PUBLIC KEY-----
```
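Before encrypting to an exported key it is worth confirming that the PEM really carries an uncompressed P-256 point that lies on the curve, since HPKE's KEM does an ECDH with whatever point it is given. The following stdlib-only check is an added example, not part of ybdec; `PAGE_PEM` is the key printed by `ybdec pubkey` above, and the helper names are my own.

```python
import base64
import re

# P-256 (secp256r1) parameters from SEC 2: field prime p and coefficient b.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b

# DER prefix of a SubjectPublicKeyInfo for id-ecPublicKey + prime256v1,
# ending with the BIT STRING header that precedes a 65-byte uncompressed point.
SPKI_P256_PREFIX = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200"
)

# The public key printed by `ybdec pubkey --slot 9d` in this README.
PAGE_PEM = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElP5zkkzoOETEPAXSeDoj0OIdYuj3
GXBQ/zee71xXvOb9eyEkbyamFTzw7jw+eJU7bpa0jp4PU8XAPuntL5dA/w==
-----END PUBLIC KEY-----"""


def parse_p256_spki(pem: str) -> tuple[int, int]:
    """Return (x, y) from a PEM SPKI, rejecting anything but an uncompressed P-256 point."""
    body = re.sub(r"-----(BEGIN|END) PUBLIC KEY-----|\s", "", pem)
    der = base64.b64decode(body, validate=True)
    if len(der) != 91 or not der.startswith(SPKI_P256_PREFIX):
        raise ValueError("not a P-256 SubjectPublicKeyInfo")
    point = der[len(SPKI_P256_PREFIX):]
    if point[0] != 0x04:
        raise ValueError("only uncompressed points are accepted")
    return int.from_bytes(point[1:33], "big"), int.from_bytes(point[33:65], "big")


def on_curve(x: int, y: int) -> bool:
    """True iff y^2 == x^3 - 3x + b (mod p) with both coordinates in range."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def check_recipient_key(pem: str) -> bool:
    """Parse the PEM and report whether the point is a valid curve point."""
    x, y = parse_p256_spki(pem)
    return on_curve(x, y)


if __name__ == "__main__":
    print("recipient key on curve:", check_recipient_key(PAGE_PEM))
```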
To encrypt something for the key:
```
$ printf hello | ybdec encrypt --to-self 9d | base64 -w 0
eWJkZWMwBBVMmQhF18wboRANt+jXL9CvCoN9fnX0oZJWeoF2bxDBVOHD5ZNlyIi9tblfcM8zTDSLcALFYpEgEVww8YPmVjYczpcDiyAsQ4p1e+7GhXtx3TEGFxc=
```
You can stash encrypted data to the YubiKey itself:
```
$ export YUBIKEY_MANAGEMENT_KEY=010203040506070801020304050607080102030405060708
$ printf hello | ybdec encrypt --to-self 9d | ybdec stash
```
Then you can fetch the ciphertext and decrypt it with the YubiKey:
```
$ export YUBIKEY_PIN=123456
$ ybdec fetch > ciphertext
$ ybdec decrypt --slot 9d -i ciphertext
hello
```
Due to how PC/SC works, it is hard to protect the YubiKey from concurrent access, so it is recommended to run only one ybdec process at a time. Otherwise you may get an error like this:
```
The smart card has been reset, so any shared state information is invalid
```