Second, Veracrypt is very good at what it does, but the encryption process is about 3 times the rate as bitlocker. OpenPGP stands for Open-source PGP. 1a. gz (2023-02-07) yubico. If it reads fingerprints before sending the password, then I'd consider it. Navigation to Certificates - Current User -> Personal -> Certificates. Open settings, update and security, device encryption. The private key is stored on the Yubikey and whenever it is accessed, Yubikey can require a touch action. Installation / Update Download the latest release HERE. Then you will need to import that keyfile onto your Yubikey. I have the Yubikey 5C NFC with FIPS. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. ssh <user>@<remote_host> As long as the remote host has the fingerprint corresponding to the YubiKey's certificate in its ~/. 2. Special capabilities: Dual connector key with USB-C and Lightning support. This, however, is not allowed by the YubiKey, which implements separation of duty more strictly. An der Stelle, wo ihr das Passwort vergeben müsst, wählt nun zusätzlich die Option Use keyfiles. From favorites select "mount on startup" From veracrypt options, select start veracrypt on startup. Launch Powershell, Command Prompt, or Terminal. PIV enables you to perform RSA or ECC sign/decrypt operations using a private key stored on the smartcard, through common interfaces like PKCS#11. However I don't see any option to save my password on my personal computer. Introduction. Step 15: mount VeraCrypt encrypted volume. It's just a recount of my nerve-wracking first encounter with Yubikey with lessons that I took away for myself. See cryptsetup (8) for possible. I see some people online saying you can use both but I can't find any guides on how to set that up. Note: Yubico Series (Playlist) - Press Copyright Contact us Creators Advertise Developers Terms Privacy Policy & Safety How YouTube works Test new features NFL Sunday Ticket Press Copyright. 9a), and <filename> refers to the name of your certificate file (e. Für die Einrichtung der PKCS#11-Bibliothek in VeraCrypt verweise ich mal auf meinen Beitrag VeraCrypt: Schlüsseldatei (Keyfile) mit YubiKey verwenden. 67. 3 releasing to the public in July of 2021. First, use the menu "Tools -> Keyfile generator" to create a random keyfile and store it on disk (ideally it should be stored in a mounted VeraCrypt. pfx -> click Next, and finally Finish. The VeraCrypt key has to be backed up as well. encryption; bitlocker; veracrypt. d. pfx -> click Next, and finally Finish. I think I may have found the solution: the PIV app creates information on the Yubikey that corresponds to 3 keyfiles: "Cardholder Fingerprints", "Printed Information", "Cardholder Facial Image". 目前很难看到一个. Partition formatting will be : one partition with LVM on LUKS, and the other in FAT. Buy $80 Mooltipass, which can store. It generates one time passwords (OTPs), stores private keys and in general implements different authentication protocols. Use a. It should then load your Yubikey:r/yubikey • My YubiKey broke off my keychain as I got into my car in a parking lot, was presumably run over by one or more cars that bent the keyring, and was found several weeks later when the snow thawed. PIV-PKCS. Yubico Authenticator for iOS is an authenticator app that adds a layer of security for mobile and desktop users. -Veracrypt might be an. Once the YubiKey is coupled and unlocked with a PIN, it can then be used in CBA flows to connect to AAD protected resources. Yes, they are agents with callback that I need to automatically log in to the queues, I will check using this script, thanks. If possible, please help me figure it out. Visit Stack ExchangeSecurity Key C NFC by Yubico. I'm looking to store sensitive documents on a USB Type C (USB C) Flash Drive for secure, mobile access. 喜欢这篇文章的可以点个赞!YubiKey Bio: Yubico announced they are working on a FIDO2 security key with an integrated fingerprint reader. Any help with this would be appreciated. Once an app or service is verified, it can stay trusted. Should I keep using SMS or email as recovery options for my accounts, even if they're able to use TOTP/Yubikey? No. Use password manager like KeePass and use its Autotype function. Below is a Linux example. If this does. PKCS#11/MiniDriver/Tokend - GitHub - OpenSC/OpenSC: Open source smart card tools and middleware. Password input automatically. Battle. Near Field Communication (NFC) Please note this key does not work with our Authenticator App as these keys only support FIDO protocols. Once you've verified all the above, run the following, with a YubiKey that has a certificate enrolled inserted. . Yubikey, veracrypt, and pop os : r/System76. We’re excited to share an exclusive collaboration with Keyport Inc. 3. Members Online. Im sich öffnenden Dialog klickt auf Add Token Files. Here is a primer on the TPM basics. No one has an account on my systems other than me. Visit Stack ExchangeDownload Yubico Login for Windows 10 (32 bit) Yubico Login for Windows Configuration Guide. i recently brought a yubikey 5 and i want to use it for login into my laptop i have added it in ways to login but it defaults to pin login or password with pin removed i am using a microsoft account so the windows login program that does challenge-responce from the yubikey website. Usage. 16. . the master password, 3. Stack Exchange network consists of 181 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. The data is encrypted with the public RSA key, and this is the key that can be exported and shared. 509 certificates stored in a YubiKey’s PIV module over a Lightning connector or NFC. Years in operation: 2020-present. I have setup Fail2Ban, changed SSH port numbers and have SSH keys for a couple of the hosts. This reduces the compatibility issues because it avoids. This option is only relevant for LUKS and TrueCrypt/VeraCrypt devices. There's more than one type of yubikey, and the more advanced ones can be used in several ways. What I'm looking to accomplish: -Encrypt the drive with software that is both multi-platform for Windows and Android. Yubikeys can only be considered as a keyfile, if the static password mode is used, as it is already possible for TrueCrypt and VeraCrypt. This is a tutorial showing the usage of the YubiKey PIV Tool to create a certificate and then demonstrate setting up your Windows 10 account to make use of t. 1. pem'. Authenticate using programs such as Microsoft Authenticator or AuthyBitwarden documentation. sh This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. g. The Yubikey allows you to save 25 passkeys onto the Yubikey itself. Again, multiple copies in multiple locations. 文件夹内有两个dll,随便选了一个,测试可行,注意:!!!!x64 的版本问题 openSC 用那个版本 veracrypt就要哪个版本!!! C:Program FilesOpenSC ProjectOpenSCpkcs11opensc-pkcs11. It adds enhanced security to the algorithms used for system and partitions encryption making it immune to new. From favorites select "mount on startup" From veracrypt options, select start veracrypt on startup. Third, Bitlocker can store keys to AD. In this. I'm happy to report that it still works. in the settings) it uses X. ^ This YubiKeys support adding static passwords to its slots, thought I'm not entirely sure if VeraCrypt can read it on boot. Not perfect, but better than nothing. It makes me exponentially more secure and at the same time makes it easier for me to stay secure. You can also follow the steps written below for how the setup process usually looks when you want to directly add your YubiKey to a service. It was created by one of the original PGP developers, Phil Zimmermann, as a way to employ encryption algorithms without the patent issues PGP had. Professional Services. Contact support. ⭕. What I tried: Set up Bitlocker on Windows system drive, created a USB key and password. Recompiling VeraCrypt is a massive PITA, however It is also possible to patch the offending instructions out of the "VeraCrypt-x64. 5. Buy Yubikeys Here (Affiliate Link):you thought you knew about 2fa hardware keys is WRONG. Trying to use a YubiKey 5 NFC static password with Veracrypt encrypted bootloader and the Yubikey is not inputting all the characters of the password. Set it up in Settings -> Security tokens and Volume tools -> Add. Can anyone recommend a PKCS#11 dll library that works? Once you have identified an appropriate empty slot, navigate to the folder containing your smart card certificate. VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. Set path to OpenSC library . The remedy is to switch the slots back again using YubiKey Manager or reconfigure the YubiKey for use as second factor authentication for the same user account. YubiKey Bioシリーズはセキュアでシームレスなパスワードレスログインのために、指紋を利用した生体認証をサポートします。. YubiKey products work in tandem with KeePass to backup their password manager with strong, hardware-backed 2-factor authentication. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve. PIV enables RSA or ECC sign/encrypt operations using a private key stored on a smart card, through common interfaces such as PKCS#11. The steps to achieve this are easy. tar. Can I still mount/open the encryption to save non-. Edit: and Yubikey seems. wireless-networking. I use VeraCrypt and I use KeePassX. Yubico changes the game for strong authentication, providing superior security with unmatched ease-of-use. $95 USD. I have a yubikey 5 NFC and I am wanting to use it with my veracrypt containers I dont know how or where the PKCS #11 Library is and when I do figure it out and I have to reset my PC for any reason Can I get the same Library config. If instead of a keyfile you use a YubiKey, this trojan needs to collect its response instead (a. First, type your memorized prefix. For each service you set up, have your spare YubiKey ready and add it right after the first one before moving to the next. 文件夹内有两个dll,随便选了一个,测试可行,注意:!!!!x64 的版本问题 openSC 用那个版本 veracrypt就要哪个版本!!! C:Program FilesOpenSC ProjectOpenSCpkcs11opensc-pkcs11. Unmount partitions. Perform batch programming of YubiKeys, extended settings, such as fast triggering, which prevents the accidental triggering of the nano-sized YubiKeys when only slot 1 is configured. Nobody will ever think to look there. In the program Yubikey Authenticator, enable a password by clicking and selecting Manaage Password. I would like to add that there's one important step omitted here if one want to automount without any PROMPT (and ofc if you dont want to use system favourite). Note: Yubico Login for Windows perceives a. If your getting one, get at least 2. r/yubikey • In plain 2023, the state of security keys is. Make sure that ‘Standard VeraCrypt volume’ is selected and click ‘Next’. In order to use smart card to their full extent, the best approach would be to modify VeraCrypt encryption format in order to support Public Key Cryptography mechanism based on RSA or Elliptic Curve key. Checkout securely with. You are now in admin mode for GPG and should see the following: 1 - change PIN. It needs to be able to extract the public-key from the smartcard, and to do that through the X. Q&A for information security professionals. Storage Encryption on GNU+Linux with EncFS. So, by default, it will limit the character set to ModHex. Navigation to Certificates - Current User -> Personal -> Certificates. See below for an example how to set up this mechanism for unlocking a LUKS2 volume with a YubiKey security token. Downloads. <slot> refers to the slot number (e. I. In order to sign code, you need to know the thumbprint for the certificate you've created. This has always been part of long term objective for VeraCrypt but it has not been implemented yet because of the amount of. Click “Applications”, then “Utilities”, then “Unlock VeraCrypt Volumes”, then “Add”, select “tails” file on backup volume, click “Open”, enter password and, finally, click “Unlock”. And a full range of form factors allows users to secure online accounts on all of the. I would like to add that there's one important step omitted here if one want to automount without any PROMPT (and ofc if you dont want to use system favourite). by mario rossi. What will be the best opensource software to use with Ubuntu 20. Free and open source. (2)生成bitlocker验证所需的证书 (密钥) (3)把这个证书塞进YubiKey. VeraCrypt and YubiKey 5 NFC. GitHub), may trigger this behavior if desired. Download VeraCrypt, install and run it, then click ‘Create Volume’ on the main screen. Make sure the service has support for security keys. Think of your keyfile as being a locked cabinet, the data on the keyfile as the stuff inside the locked cabinet, and the smart card as the key to that cabinet. yubikey; veracrypt; pkcs11; Walter. GUIDES. Wpa PTK and GTK in detail. Usage. Be warned. YubiKeys are physical authentication devices from Yubico! Unofficial subreddit to discuss all things…Re: I've gone security bananas - just ordered a Yubikey 5NFC. Instead of passwords, FIDO authentication uses registered devices / security keys to. This is a clean, secure setup that allows a good. exe" binary directly. Fourth, Bitlocker takes considerably less time to boot a computer from a restart than veracrypt. dll's dependencies in the current working directory (ideal if using VeraCrypt portable & want to use yubikey with it). 1; modified Apr 8. Focuses on Yubikey GPG interface and explains how GPG works. If you want added security, use cascading encryption algorithms (e. My GPG key is stored on the yubikey with a backup on an SD card that remains in a safe. It is worth noting that it is probably necessary to patch each of the x64 binaries individually, as while they all utilise the same codebase, each library is statically linked, meaning each binary has. Tails USB flash drive or SD card with VeraCrypt installed ; YubiKey with OpenPGP support (firmware version 5. Downloads > YubiCloud OTP verification. com. For more information. Key files do not work with FDE in Veracrypt. Tap Add to complete the creation of your Virtual Hardware Key. I just don't know how the hell to get a passkey ON the Yubikey. 04 to encrypt 100% of my disk?Windows起動前にVeraCryptのパスワード入力を求められるため、「Windows起動時サインインに2段階認証を設定」でパスワード2回入力となってしまう。 なので、普通に指紋認証か顔認証をWindows Helloの方で設定し、YubiKeyを使わなくても良. Q&A for information security professionals. Just for some clarification what do you meant formatted with veracrypt , do you mean you throw the. This procedure and script is for managing an encrypted veracrypt filesystem with a yubikey NFC 5 device. Buy $80 Mooltipass, which can store multiple static. YubiKey 5C NFC. Hey all! I have a grubx64. The new NitroPhone 4 and NitroPhone 4 Pro offer significantly improved protection against remote exploitation via hardware memory tagging. Although small in terms of scope — VeraCrypt. VeraCrypt main features: Creates a virtual encrypted disk within a file and mounts it as a real disk. In order to protect your KeePass database using a YubiKey, follow these steps: Start a text editor (like Notepad). The setup may work on gpg 2. Authenticate using programs such as Microsoft Authenticator or. I see some people online saying you can use both but I can't find any guides on how to set that up. BitLocker seems to be the most performant for large external SSDs, but it doesn't work on Mac/Linux, which kill the portability of the disk. These are going to be more expensive than the cloud encryptions, but like everything else in life, you get what you pay for. Steve's Truecrypt page points to VeraCrypt, but both TrueCrypt and VeraCrypt have performance issues with large external SSDs. p12). The encryption and decryption of data is completely transparent to authorized authenticated users, which makes the solution simple to use. Hold 3 seconds for long touch. With a Yubikey 5 NFC, I'm able to put keyfiles in Fingerprints and Facial Image. It will then fill in the password it stores. I don't know why, but it's true for. ”. First, type your prefix, then tap your YubiKey to insert its stored password. Select and copy (CTRL + C) the Thumbprint. Q&A for information security professionals. 其实没那么复杂, 简单来说,我们需要的操作即: 满足条件的yubikey + 满足条件的windows配置 + 对磁盘开启bitlocker. Then you will need to import that keyfile onto your Yubikey. Storage Encryption on GNU+Linux with ECryptFS. As far as I know, veracrypt can either require both keys, or only recognize one of them. Sign into a server you own with SSH (even passwordless if you want). The lack of a central server for authentication or built-in support for cloud storage could make VeraCrypt a challenge to use. Keep one in your person and one somewhere safe at home as a back up. g. This will open up the VeraCrypt Volume Creation Wizard. This code is best described as only being useful if you are setting up a Yubikey for someone as the administrator, and then handing the Yubikey over to another person. I fire up Chrome or Safari. To have your Yubikey unlock your Veracrypt drive, you will need to have your Yubikey plugged into your computer with a keyfile imported into a particular PIV slot. Business, Economics, and Finance. Once the file is selected, pick from one of the available drives in the box above. I think I may have found the solution: the PIV app creates information on the Yubikey that corresponds to 3 keyfiles: "Cardholder Fingerprints", "Printed Information", "Cardholder Facial Image". Now I use Authy for all sites that support 2FA. Stream Do PKCS 11 Keyfiles On A Yubikey Actually Improve Security For Veracrypt !NEW! by Nikki on desktop and mobile. Hi there, someone knows how to use a Yubikey 5 NFC to login to a full encrypted HD (windows 10)? Any help. 拔掉Yubikey 证书还在,密钥当然还在Yubikey上. d. I have been checking Pairwise and Group Transient keys in a network for security. Password verification fails with system partition installed in BIOS/MBR. If it reads fingerprints before sending the password, then I'd consider it. Want to know what happen to: Bitlocker partition Veracrypt partition Veracrypt container If there's bad sector appear in the encryption area. In Normal Mode it assumes we have no container. 拔掉Yubikey 证书还在,密钥当然还在Yubikey上. Primary Functions: Secure Static Passwords, Yubico OTP, OATH – HOTP (Event), OATH – TOTP (Time), Smart Card. (EFI partition) The LVM partition contains both the swap and the root filesystem. Visit Stack ExchangeQ&A for information security professionals. 131; asked Dec 8, 2020 at 22:50. Type certmgr. The YubiKey stores data on a tamper-resistant solid-state chip which is impossible to access non-destructively without an expensive process and a forensics laboratory. Once AAD has been pre-configured with a trusted smart card issuer certificate authority (CA) chain, it is able to check the Certificate Revocation List(s) (CRLs) to ensure certificates are still valid. 1. More posts you may like. The data is decrypted with the private RSA key, and this key never leaves the YubiKey. net OTP. 2. A question and answer about the security implications of using a PKCS #11 keyfile on a YubiKey for Veracrypt volumes. My drives are all fully system encrypted via VeraCrypt with a PIM in place. The question is that; Can I encrypt everything, then store the keys of encrypted drives in "encrypted USB"?Si VeraCrypt permet de chiffrer et de cacher des fichiers et autres clefs USB, on peut aller bien plus loin. In this scenario you'd be encrypting a file with your public key and only your private key could decrypt it. I’m going to show you step by step how to configure your Yubikey to get the most out of it and set. Cross-platform application for configuring any YubiKey over all USB interfaces. However, once you obtain your steam secret; you can use that secret to add your Steam account to any authenticator,. A program similar to Google Authenticator, Authy, etc. RyzenRaider • 1 yr. The private key is never retrieved from the Yubikey; it is operated upon inside the Yubikey. I'd like to be able to write keyfiles onto my Yubikey. Unfortunately, bitlocker doesn't currently have any way to store the encryption key on a yubikey instead of a built-in TPM, so a yubikey can't be used with bitlocker to encrypt the drive. And, by definition, you do not need recovery keys on a regular basis. The password of VeraCrypt folder is shared in a sealed envelope at some family with details of locations of where USB sticks and Yubikey is. msc. We're not talking about multiple programs trying to simultaneously operate in protected mode, here. 👍. Receive an attestation certificate for keys stored on the YubiKey PIV interface using standard PKCS#11 function calls. Also super easy. This module is based on version 2. . In order to sign code, you need to know the thumbprint for the certificate you've created. 拔掉Yubikey 证书还在,密钥当然还在Yubikey上. Do things like import x509 certificates / keypairs to your Yubikey. With this, I still use my Windows username and password but the Yubikey must be inserted to complete the authentication. Something like a Yubikey Bio, which can only be activated after scanning your fingerprint, would be a great option here. But just observe that anyone else that gains access to your USB also gains access to the Veracrypt volume. Introduction. Changing the PINs for GPG are a bit different. Technical Topics. 131; asked Dec 8, 2020 at 22:50. The biggest difference between VeraCrypt and Bitlocker is the most obvious one: Who can actually use it. veracrypt; yubikey; Firsh - justifiedgrid. Click Next -> select Browse… -> save the file as bitlocker-certificate. This doc includes guides on setting up your Yubikey with Bitlocker, EFS, Code Signing, Veracrypt, Github commit signing, KeePassXC, SSH/PuTTY and a large variety of other software and technologies. You. " Now the moment of truth: the actual inserting of the key. Add them in favorites. YubiKey Manager. Select the password and copy it to the clipboard. OnlyKey is open source, verified, and trustworthy. Stack Exchange network consists of 181 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. 21K subscribers in the yubikey community. 满足条件的windows配置:. Run keytocard to store the encryption key in the encryption slot. 96. Maybe I will get a benefit here, although it depends upon how many SSH keys I can store on the Yubikey 5 NFC. . And I don't necessarily wish to tap a YubiKey or enter a password daily. Below is a list of all available downloads ordered by version, starting with the most recent version. I encrypted the drive using veracrypt and a password since day one, no keyfiles. 4. Almost entirely useless and a bad idea. then the Titan gives you 250 passkey slots, vs Yubikey's cheaper security key offering 25 slots for resident keys. g. Any file can be used, but it should be high entropy. Is it possible to use a security key like Yubikey 5 NFC to encrypt 100% of my SSD /boot with VeraCrypt then Login dual-boot with that security key? I would like to dual-boot and Login my full encrypted disk only one time then, to choose what I want to run between Windows 10 or Ubuntu 20. Defaults PIN: 123456 PUK: 12345678. So it has to be a full exact-looking replica of Yubikey, thus raising the bar even more. New Win10 and Old YubiKey4; trying to configure GPG Sign. I have setup Fail2Ban, changed SSH port numbers and have SSH keys for a couple of the hosts. dll is dynamically linked to the libyubihsm*. Visit Stack ExchangeYubiOTP is primarily for enterprise use. Yubikey #2 -> personal bitwarden -> store TOTPs in Yubikey. com. pfx file. Step 16: rename VeraCrypt encrypted. Free and open source. 1a. Templates that can be imported into OpenSSL and be used with your Yubikey. Setup. Thus when one of these fails there are still two others that will protect your files. e. Login to the service (i. <slot> refers to the slot number (e. Generate random 20 digit value. 5 answers. The OID will look something similar to “Application [0] = 1. So, before setting up BitLocker or VeraCrypt, here how to set up your YubiKey to store the end of your password: Get a YubiKey. In the mean time, and as explained above, users can use Yubikey as a way for enter secure password in VeraCrypt. July 25, 2021 Olexandr Siroklyn. g. (Which is why I’m comfortable with no PIN to unlock BW on my system). Bitlocker may be operating in a lower ring, but VeraCrypt handles data like any other application, and which it's time to safe the mounted volume, it merely updates the file. One of the coolest features of the Yubikey is authenticating SSH sessions via PKCS#11. In the bag was an SSD that contains a Veracrypt container, secured by a 50 character randomly generated passphrase. Back in the Hardware Key Configuration screen, tap your newly added Virtual Hardware Key. Another post! Yubikey, veracrypt, and pop os. If you utilize a 3rd party backup service to manage backing up your. Right now I'm connecting on my Windows with my Yubikey with Yubikey Login. The tool works with any YubiKey (except the Security Key). Particularly regarding VeraCrypt developers being open (or not) to the idea of supporting cryptographic tokens (like Yubikey) to wrap volume master key using PIV applet keys (or OpenPGP keys)? Using fingerprint or facial image stored on a PIV token as one of the keyfiles is a fine idea, IMHO. The YubiKey supports the Personal Identity Verification (PIV) card interface specified in NIST SP 800-73 document "Cryptographic Algorithms and Key Sizes for PIV". An der Stelle, wo ihr das Passwort vergeben müsst, wählt nun zusätzlich die Option Use keyfiles. FIDO only. The User Certificate Manager is a feature in Windows which allows you to manage all the certificates related to your computer. Two-step Login. veracrypt; yubikey; Firsh - justifiedgrid. 101. You can access this manager by clicking -> Run ->. The Normal option encrypts the system partition or drive normally. Q&A for information security professionals. In KeePass' dialog for specifying/changing the master key (displayed when. Visit Stack ExchangeVeraCrypt Forums Open source disk encryption with strong security for the Paranoid Brought to you by: idrassi. The YubiKey 4 and the YubiKey 5 support not only RSA keys, but also Elliptic Curve Digital Signature Algorithm (ECDSA) keys. Because we're extraordinarily sneaky, our file is in D:mysecretfiles. Q&A for information security professionals. It is a standard which enables you to log into applications without using passwords on both desktop and mobile environments. Q&A for information security professionals. 3 or higher) ; Computer running macOS Catalina or Big Sur Caveats ; When copy/pasting commands that start with $, strip out $ as this character is not part of the command YubiKey personalization tools. Also, sufficient randomization of keys becomes more difficult as key size increases. Okta, Duo, Ping, that sort of thing. GitBook ⭕ Code Signing Information related to signing code with your Yubikey Why Sign Code? Code signing does two things: it confirms who the author of the software is and. hello, i tried to use my Yubikey 5C NFC key with a SHA2048 Key in slot 9a or 0x5fc108 or 0x5fc108 but veracrypt detects none of my certificate if it is in slot 0x5fc108 and 0x5fc103 however when it is in slot 9a it detects everything fin. 0 answers. ⭕. smartcard; openpgp; yubikey; juanii. Description. This doc includes guides on setting up your Yubikey with Bitlocker, EFS, Code Signing, Veracrypt, Github. Sign documents with programs like Adobe Acrobat. Download VeraCrypt for free. Depends on your threats. Insert the YubiKey and press its button.