YubiKey PIV

Hardware-backed cryptography on YubiKey 5C NFC, PIV applet. Two slots: one signs release artifacts (yubisigner), one encrypts files at rest (yubicrypt).

Slot 9c — Ed25519 signing (yubisigner)

Visual fingerprint

YubiKey PIV

Verify this identicon at identicons.virebent.art (Analyze tab) by pasting the certificate block below.

Subject:    CN=Gab Virebent, emailAddress=gabriel1@virebent.art
Issuer:     CN=Gab Virebent, emailAddress=gabriel1@virebent.art (self-signed)
Algorithm:  Ed25519
Serial:     A2:33:63:AC:2A:51:AE:62
Validity:   2026-04-30  →  2036-04-27
Pubkey fpr: 4C:BE:E6:8D:92:22:BB:64:27:E7:1C:AE:48:D4:FC:0B
            F9:D1:05:D3:5F:EB:8F:D5:D7:4D:97:DB:CB:F4:06:2A

Download gabvirebent-sign.crt

-----BEGIN CERTIFICATE-----
MIIBbjCCASCgAwIBAgIJAKIzY6wqUa5iMAUGAytlcDA9MRUwEwYDVQQDDAxHYWIg
VmlyZWJlbnQxJDAiBgkqhkiG9w0BCQEWFWdhYnJpZWwxQHZpcmViZW50LmFydDAe
Fw0yNjA0MzAxODQ3NTBaFw0zNjA0MjcxODQ3NTBaMD0xFTATBgNVBAMMDEdhYiBW
aXJlYmVudDEkMCIGCSqGSIb3DQEJARYVZ2FicmllbDFAdmlyZWJlbnQuYXJ0MCow
BQYDK2VwAyEAAWowIvBUt5RGntAXgjWv1VGslTflxKeHzq7IzmvCmoqjPTA7MB0G
A1UdDgQWBBR51EWHiZDFT7pDjMMFaxFhyxInGjAJBgNVHSMEAjAAMA8GA1UdEwEB
/wQFMAMBAf8wBQYDK2VwA0EA7HkjlTTZBF9rL0X2o6Y0GBhGsmdlmg8VmrUlC1bF
s04lUbLb+34XhOdyZqsoZmbWLjaYECGULlD62z9jtWQpBA==
-----END CERTIFICATE-----

Used to sign the .sh tools listed on /tools. Detached .sig files, verifiable with the certificate above.

Slot 9d — RSA-4096 encryption (yubicrypt)

Visual fingerprint

gabvirebent

Verify this identicon at identicons.virebent.art (Analyze tab) by pasting the certificate block below.

Subject:    CN=Gab Virebent, emailAddress=gabriel1@virebent.art
Issuer:     CN=Gab Virebent, emailAddress=gabriel1@virebent.art (self-signed)
Algorithm:  RSA 4096-bit, signed with SHA-512
Serial:     F6:57:5F:DF:27:2D:DA:54
Validity:   2026-04-30  →  2036-04-27
Pubkey fpr: 11:F6:EF:2F:BD:5E:87:E0:2F:F1:8C:65:09:3E:D2:AC
            65:D8:73:A3:B7:A2:00:3A:A1:60:4C:BB:0E:1A:1D:CE

Download gabvirebent-encrypt.crt · Download gabvirebent-encrypt.crt.sig (yubisigner Ed25519 detached signature)

-----BEGIN CERTIFICATE-----
MIIFOjCCAyKgAwIBAgIJAPZXX98nLdpUMA0GCSqGSIb3DQEBDQUAMD0xFTATBgNV
BAMMDEdhYiBWaXJlYmVudDEkMCIGCSqGSIb3DQEJARYVZ2FicmllbDFAdmlyZWJl
bnQuYXJ0MB4XDTI2MDQzMDE5MDEzOVoXDTM2MDQyNzE5MDEzOVowPTEVMBMGA1UE
AwwMR2FiIFZpcmViZW50MSQwIgYJKoZIhvcNAQkBFhVnYWJyaWVsMUB2aXJlYmVu
dC5hcnQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDNJg4xDdBPnbhi
V/QHXvQtspyhSzsnAWlUhokm/tZiW9DvoYTS8Uweg91hHDYK77yUP/dizfmT641s
I0v7lBOZeyLLIbxYZ+UUUT0IOUKC5uSLPmcgDqNsKCaRIEa9RkNs4SPI6PVW1//s
Wgn5iaD0BsSKmXN84v5a47+0vsy4eT4MYpVRmOOwa4x+werI1i0XxoHEh6gQ6akc
WydQoyBtFUShPRsYtHEKGuX0fB5bFElroYSwraJsuIXJqAmxf9mNDWNaLwrEVa3m
uP9wsgRkAon20OmFB4mtbPTLOp9clL/Cu3/WmJmIf2g/Zk5DEyVaf590p8P6B0JI
llU7o/j877EbcUuly1ts56hq4NNK5bfFALxwZ/++qpkJ1P22BsTNJ7/MaB7pxoqg
x6KUBZusI0NlLFvI9aN8GvZ5+KEgVKYQsc+NVWWZIpSRHKzZSldNvZWjvih1D2mS
P8hjij4H5kU886DYJvrSQ7XAGsySMyOK60rR17Ne5D2Tl5d5EZEFZE4o7WEgMEeE
CvIwNpEAzUOz0R8f7fIhJc+SzaWxUUzKvoHsPLmvucGoWfte5Tf/Jd6DvAKtCQvh
DUwPTXJxcMiOj8ju2hopXBLVwWoJ2y80O1vf0KF5km0QSbjm3utgB3SmV+P/iQZZ
r0ytE7s5lCVVhTmtgvVRaLhOLTI0pQIDAQABoz0wOzAdBgNVHQ4EFgQUEzPzMOg9
s1c+VoBbybCevhXPTZIwCQYDVR0jBAIwADAPBgNVHRMBAf8EBTADAQH/MA0GCSqG
SIb3DQEBDQUAA4ICAQBsvhbzUSFsNXsOEPoDp69uMnRNUbMj5o/D0/px1sQSl8Te
xTiq34PzBPEGMbl2fGx04w5flpEoY7JgC4gayZhneJsaOysyMB1d11+jcmS4cNaC
J4PAhY2UCr9vS2rnrgYphqnHqGasdGeXAB6c4wR56yZGErxagGAqCvgZjBUwATzl
PrKlAzJjkvhLILEJlxCu+R1GPrSFACSPThvRHAaloU/H2KR2LLZVdG42o+UkFEZ2
c1o3ePQi+1ruSmjLp9wHyXkE3Fr4z46iK0+stpgDoqpswjPZpYo0DMfieZXB2NDw
uJzHpmzkxgZxUfYn3o+nDLekBgJnj8ovdVjTDTaV2gk4fhvhnWYBjr1rdZgA2/iL
oxiW7DuvpvF8h4CjdXXivMCU2g1paJMBUl/KQ9r2mM2Nf+1U8jl4L6CDqEYOg+hs
uGHd05FyqqbDd4bVP10Y2tGgnmNPUBdpGuIAiVUXG+u8dGigkh/29yvXJxGFFLr8
s0D+WlbHoBIggCz84C3T5/04n5d8vlN9s1NjEmggAtDwgxX60IddaFj9AlfBMIwA
aSBUbXkxUBC4zr+JkjmoFF33WNtb6QXrs/B2eVsuolbdh9KsD7EdRpgQgLnlE9CR
O+hqCDhTHABfL4QAzrXRJeEO42wSqqrNEVY6UQh1IUQVgKr4IXk2pDf+LVgBmQ==
-----END CERTIFICATE-----

To verify the certificate above is unmodified, check the detached signature with yubisigner (Ed25519, hardware-bound):

yubisigner verify --in gabvirebent-encrypt.crt --sig gabvirebent-encrypt.crt.sig --pubkey gabvirebent-sign.crt

To send a confidential file:

yubicrypt encrypt -cert gabvirebent-encrypt.crt -in your-file -out your-file.enc

Decryption requires the YubiKey present. Plaintext never touches the server.

Integrity: Merkle-tree + OpenTimestamps (submitted) · verify
Gemini: gemini://contact.virebent.art/keys.gmi