infrastructure/yubikey-helpers
infrastructure/yubikey-helpers
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
tools to help manage yubikey tokens
3 commits 1 branch 0 tags 35 KiB
  • Shell 100%
Find a file
Exact
Michael Griffith 8b11a31941
 .
2026-01-12 20:47:13 -05:00
nixos-change-password.sh . 2026-01-12 20:47:13 -05:00
README.md added script to change the user's password 2026-01-07 15:15:57 -05:00
yubikey-change-openpgp-pin.zsh initial commit 2026-01-07 12:53:26 -05:00
yubikey-update-subkeys.zsh initial commit 2026-01-07 12:53:26 -05:00

README.md

some tools to help manage yubikey tokens

yubikey-change-openpgp-pin.zsh

shows a list of random pins to pick from to ensure you can pick something memorable while also ensuring randomness. accepts no arguments.

usage:

zsh yubikey-change-openpgp-pin.zsh

yubikey-update-subkeys.zsh

walks you through the process of rotating out your subkeys, designed to be used when your primary subkeys are about to expire. exercise caution if you have created additional subkeys, this script will likely try to rotate them instead!

dry run:

zsh yubikey-update-subkeys.zsh --keyid 7F47B726CA6B3135EFD35F8C9A164D591B680ED2 --serials 859,606 --master-serial 313

doing it for real:

zsh yubikey-update-subkeys.zsh --keyid 7F47B726CA6B3135EFD35F8C9A164D591B680ED2 --serials 859,606 --master-serial 313 --force

  • keyid: your pgp key fingerprint (preferred) or email address.
  • serials: a comma separated list of the last 3 digits of the subkey-containing yubikeys' serial number.
  • master-serial: the last 3 digits of the master key's serial number.
  • force: this must be given for the script to write to the cards, otherwise it does a dry run by default.

if you run in to a problem, it's safe to remove or overwrite the output file on a subsequent run, do not send it to a keyserver! after a successful run it will contain your new pubkey and should be shared widely and stored safely.