Can you guys help me understand which YubiKeys work with Qubes? For instance, I tried the YubiKey 5 nano unsuccessfully, because CPU in sys-usb shoots up (it’s an open bug, kwork).
I use the 5 nano as a daily driver, first as GPG SSH agent and now with an ed25519-sk FIDO2 SSH key, also that YubiKey OTP works well? What functions are not working for you?
What does this mean?
I have this problem: sys-usb kworker events CPU consumption · Issue #5823 · QubesOS/qubes-issues · GitHub
Ah, you’re using the key to unlock the screen and then you find yourself in the linked issue?
What template is sys-usb running? Is the template up to date? Could you clone the template, apply all testing updates, use the testing template and try again?
fedora-dvm, up to date. I returned the key today for other reasons, and my original post is about deciding whether to get the “security key” or the “series 5”. In fact, for now I only need to use the YubiKey for logging in and unlocking the screen (and locking the screen when I remove it). And I will use it for LUKS unlock when booting once the procedure is documented…
If you need or want challenge-response functionality with your YubiKey then you should not buy the “Security Key” models. They do not support this capability. You can refer to Yubico’s compare devices page; look for the “OATH – HOTP (Event)” capability.
Most MFA setups for screen and LUKS rely on challenge-response. I believe this is the case for the examples in Qubes OS documentation.
However, you can configure screen unlock for FIDO and newer versions of systemd are building in support for FIDO with LUKS. I have set up FIDO MFA user unlock for my work laptop that runs Ubuntu. I do not have experience with FIDO+LUKS.
Thanks, I am promoting your post to solution because it answers my question. In fact, the documentation is based on challenge-response and only the series 5 provides this, as per your comment.