GITBOOK-388: change request with no subject merged in GitBook

defguard-community · gitbook-bot · commit 2f8324c0a251 · 2025-05-22T19:05:39.000Z
diff --git a/admin-and-features/features-and-configuration/yubikey-provisioning.md b/admin-and-features/features-and-configuration/yubikey-provisioning.md
@@ -4,14 +4,20 @@ description: 'Provisioner repository: https://github.com/DefGuard/YubiKey-Provis
 
 # YubiKey Provisioning
 
-{% hint style="danger" %}
-We only support (and tested) Yubikey 5.
+### Compatibility
 
-Yubikey 4 should work - we have not tested.
+Some Yubikey's will not be compatible with this feature.
 
-Other Yubikeys - especially NEO (which has slots for RSA GPG/PGP keys) will not work, as YK NEO has only 2048 key length slot, which is commonly treated as unsecure for RSA key length.
+{% hint style="danger" %}
+This feature was tested only on Yubikey series 5, we don't support older series ( some still might work).
 {% endhint %}
 
+Conditions below needs to be met:
+
+* Yubikey needs to return serial number via `ykman list`&#x20;
+* Yubikey needs to have available and active OpenPGP application. You can check out your series capabilities on yubico website [here](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP).
+* Yubikey needs to support RSA 4096, older series can have problem with this especially with older firmware versions.
+
 ## Overview
 
 Our provisioning service (installed on a computer that has USB access and securely communicating with defguard) allows you to easily create and populate the **SSH and GPG/OpenPGP** keys on a YubiKey hardware key, and share its public information inside defguard - which can be [used for example to authenticate to servers using defguard](ssh-authentication.md).
@@ -30,6 +36,10 @@ That also means that the **master key** is deleted and only sub-keys are stored
 As we do not want to store any private keys for security reasons, we have some ideas and plans for **optional master-key** storage based on **HSM encryption**, but we want to see if any actual companies/users need that, as there is always a way just to overwrite the existing YK and provision with new data.
 {% endhint %}
 
+### Prerequisites
+
+If you want to use solutions other then docker, the provisioning station needs to have both gpg2 and [ykman](https://docs.yubico.com/software/yubikey/tools/ykman/Install_ykman.html) programs on the provisioning machine.
+
 ## Installation of provisioning service
 
 {% hint style="info" %}
