My YubiKey

Using YubiKey to Protect Email With MFA


Electronic mail has been around for over 40 years, and we still have not managed to secure it properly. The emails we receive are often not digitally signed, so we cannot tell whether anyone else has read them and cannot prove who sent them. So let’s look at MFA (Multi-factor Authentication) for secure email: make the mail accessible only with a YubiKey that stores the private key for a given user, and have the YubiKey itself perform the decryption.

First, we generate a key pair for a fake user (Yubi123), which will secure the emails that are sent to him:

% gpg --generate-key
gpg (GnuPG/MacGPG2) 2.2.34; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: Yubi123
Email address: Yube123@home
You selected this USER-ID:
"Yubi123 <Yube123@home>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
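The same key generation as the interactive session above, driven non-interactively from a parameter file so it can be scripted, followed by an encrypt/decrypt round trip that confirms mail to the user opens only with the matching private key. This is an added example, not code from the original post; it assumes GnuPG 2.x is installed as gpg, and the passphrase-less demo key and throwaway keyring it creates are constructed for this demo only.

```shell
#!/bin/sh
# Added example (not from the original post). Everything runs inside a
# temporary GNUPGHOME, so your real keyring is never touched.
# Assumption: GnuPG 2.x is on PATH as `gpg`.

# Generate a key pair for the demo user in an isolated keyring.
# The parameter file replaces the interactive "Real name / Email" prompts
# from the session above; %no-protection means no passphrase (demo only).
generate_demo_key() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    cat > "$GNUPGHOME/params" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Yubi123
Name-Email: Yube123@home
Expire-Date: 0
%commit
EOF
    gpg --batch --quiet --generate-key "$GNUPGHOME/params" 2>/dev/null
}

# Encrypt a message to the demo user, then decrypt it with the private key
# held in the keyring; prints the recovered plaintext.
# --trust-model always skips the "no assurance this key belongs to the
# named user" prompt, which would abort an unattended run.
roundtrip() {
    printf '%s' "$1" \
      | gpg --batch --quiet --trust-model always \
            --encrypt --recipient Yube123@home 2>/dev/null \
      | gpg --batch --quiet --decrypt 2>/dev/null
}

# Remove the throwaway keyring when done.
cleanup_demo_key() {
    rm -rf "$GNUPGHOME"
}
```

Moving the generated private key onto the YubiKey (the keytocard command inside gpg --edit-key) is a separate step that this example does not perform; after it, the same roundtrip requires the token to be present.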


Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
