pub type YubikeyCR = KeyingScheme<YubikeyHeader, Symmetric>;

This mode’s behaviour is equivalent to the UsernamePassword KeySource, but adds a second factor.

Touch-to-sign configuration

If you configure your Yubikey to require touch authorization for HMAC operations, you will need to touch the Yubikey on both decrypt and encrypt operations.

If you are looking to secure a long-running job, or a background process that periodically commits changes, this will probably not be an optimal configuration for you.

Implementation details

The 512-byte binary header is laid out as follows:

encrypt(root[88] || mode[1] || convergence_key[32] || 0[..]) || mac[16] || nonce[12] || yubikey_challenge[64]
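The following sketch splits a header into the regions named in the layout above and then splits the decrypted region into its fields. It is an added example, not code from this crate: the names `RawHeader`, `Opened`, `split_header` and `split_opened` are hypothetical, it assumes the encrypted region has the same length as its plaintext (420 bytes, with the MAC stored separately), and it performs no decryption or MAC verification.

```rust
// Added example, not the crate's code. Offsets come from the layout string;
// assumes a detached MAC, so the sealed region has the plaintext's length.
const HEADER: usize = 512;
const ROOT: usize = 88;
const MODE: usize = 1;
const CONV_KEY: usize = 32;
const MAC: usize = 16;
const NONCE: usize = 12;
const CHALLENGE: usize = 64;
const SEALED: usize = HEADER - MAC - NONCE - CHALLENGE; // 420 bytes
pub struct RawHeader<'a> {
    pub sealed: &'a [u8],
    pub mac: &'a [u8],
    pub nonce: &'a [u8],
    pub challenge: &'a [u8],
}
pub struct Opened<'a> {
    pub root: &'a [u8],
    pub mode: u8,
    pub convergence_key: &'a [u8],
}

// Split the stored header into its four regions without decrypting anything.
pub fn split_header(buf: &[u8]) -> Result<RawHeader<'_>, &'static str> {
    if buf.len() != HEADER {
        return Err("header must be exactly 512 bytes");
    }
    let (sealed, rest) = buf.split_at(SEALED);
    let (mac, rest) = rest.split_at(MAC);
    let (nonce, challenge) = rest.split_at(NONCE);
    Ok(RawHeader { sealed, mac, nonce, challenge })
}

// Split the decrypted region; rejecting non-zero padding is this example's choice.
pub fn split_opened(plain: &[u8]) -> Result<Opened<'_>, &'static str> {
    if plain.len() != SEALED {
        return Err("decrypted region must be 420 bytes");
    }
    let (root, rest) = plain.split_at(ROOT);
    let (conv, pad) = rest[MODE..].split_at(CONV_KEY);
    if pad.iter().any(|&b| b != 0) {
        return Err("non-zero padding");
    }
    Ok(Opened { root, mode: rest[0], convergence_key: conv })
}

fn main() {
    let zeros = [0u8; HEADER]; // constructed all-zero sample
    println!("{}", split_header(&zeros).unwrap().sealed.len());
}
```

The challenge, nonce and MAC sit outside the encrypted region, so they can be read before any key is available; the root, mode and convergence key cannot.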

Implementations