Yubikeys are small hardware tokens supporting 2-factor authentication.
ykpersonalize is a very powerful tool for personalizing yubikeys. However it’s always challenging figuring out how to use it. I just tried the gui tool from http://yubico.com/personalization-tool and it’s great! I picked “challenge-response mode”, “HMAC-SHA1″, generated (and stored under pasaffe) a secret key, and committed that to slot 2 on two yubikeys Then i did ‘ykchalresp -2 somepassphrase to generate a long random string like:
c7257ac92b313c98e0e77e30d02822c8a0035163
which i can prepend to hand-typed passphrases.
The things I like about this are that:
* I can re-specify the same secret key later on if I need a new yubikey
* I can store the strings resulting from ‘ykchalresp -2 passphrase’ if I ever want to stop using the yubikeys, without losing access to data protected with those keys
* if I lose the yubikey, nothing should be compromised
I need to think more about whether it’s worth it and whether there are any holes in my reasoning, of course. In the end it’ll only be worth it if it’s really more convenient than alternatives. A little pop-up gui which takes a passphrase without echoing it, feeds it to ykchalresp, and copies the output into xclip -i, and then maybe hangs around waiting for another confirmation after which it wipes it from the clipboard 
, might help a lot.
Heck, like this:
{{{
#!/bin/bash
# needs dialog, ykchalresp, and xclip
pw=$(dialog –passwordbox “Yubikey challenge” 10 20 –stdout)
output=`ykchalresp -2 $pw`
echo -n $output | xclip -i
echo “hit return to clear the clipboard”
read x
echo | xclip -i
}}}
I think I may encrypt some redundant data this way and test this out on
my next trip, as a test.
