Description
YubiKey 5.2.3 supports KDF which might be worth mentioning (?):
Key Derived Function
To remove the transmission and on-card storage of OpenPGP PINs in plain text, the YubiKey supports the Key Derived Function (KDF) functionality. With the KDF function enabled, the PIN is stored as a hash on the YubiKey. When entering the PIN into the OpenPGP Smart Card, the OpenPGP client will only pass the hashed value, never passing the PIN directly. KDF functionality is set on the card itself, and communicated to the client; it is transparent to the user. Should the KDF functionality not be enabled, the PIN function will work as previously. The KDF function is listed in section 4.3.2 of the OpenPGP Smart Card 3.4 spec.
The current stable release of GnuPG (2.2.20) supports enabling KDF.
- Enable KDF, then re-set the PINs so they are stored under the new scheme:

$ gpg --edit-card
gpg/card> admin
gpg/card> kdf-setup
gpg/card> passwd
gpg: OpenPGP card no. D2760001240103030006294453760000 detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 1
PIN changed.
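What the quoted paragraph describes as "the client will only pass the hashed value", worked through in Python as an added example (this is not code from Yubico, GnuPG or the guide). The KDF-DO tag layout (tag 0xF9, sub-tags 0x81 to 0x88) follows section 4.3.2 of the OpenPGP Smart Card 3.4 spec and the hashing is the iterated and salted S2K of RFC 4880 section 3.7.1.3; the salts and the 100000 iteration count are constructed demo values, and 123456 / 12345678 are the card's factory default PW1 / PW3.

```python
import hashlib

# OpenPGP Smart Card 3.4, section 4.3.2: KDF-DO (tag 0xF9) sub-tag values
KDF_NONE = 0x00             # tag 0x81: PINs are sent and stored in clear
KDF_ITERSALTED_S2K = 0x03   # tag 0x81: RFC 4880 iterated+salted S2K
HASH_SHA256 = 0x08          # tag 0x82: OpenPGP hash algorithm IDs (RFC 4880 9.4)
HASH_SHA512 = 0x0A
_HASHES = {HASH_SHA256: hashlib.sha256, HASH_SHA512: hashlib.sha512}
_SALT_TAG = {"pw1": 0x84, "rc": 0x85, "pw3": 0x86}


def iterated_salted_s2k(pin: bytes, salt: bytes, count: int, hash_algo: int = HASH_SHA256) -> bytes:
    """RFC 4880 3.7.1.3: hash salt||pin repeatedly until `count` octets have been
    hashed. Edge case from the RFC: if count is smaller than len(salt||pin), the
    whole salt||pin is still hashed once."""
    if len(salt) != 8:
        raise ValueError("S2K salt must be exactly 8 octets")
    h = _HASHES[hash_algo]()
    block = salt + pin
    remaining = max(count, len(block))
    while remaining >= len(block):
        h.update(block)
        remaining -= len(block)
    if remaining:                      # trailing partial block
        h.update(block[:remaining])
    return h.digest()


def _tlv(tag: int, value: bytes) -> bytes:
    """Simple one-byte-tag, one-byte-length TLV as used inside the KDF-DO."""
    if len(value) > 0x7F:
        raise ValueError("KDF-DO values are short TLVs")
    return bytes([tag, len(value)]) + value


def build_kdf_do(count: int, salt_pw1: bytes, salt_rc: bytes, salt_pw3: bytes,
                 hash_algo: int = HASH_SHA256,
                 pw1: bytes = b"123456", pw3: bytes = b"12345678") -> bytes:
    """KDF-DO body the admin tool writes with PUT DATA. Tags 0x87/0x88 carry the
    hashes of the *current* (here: factory default) PW1/PW3 so the card can keep
    verifying them under the new scheme; this is why `passwd` follows `kdf-setup`."""
    return (_tlv(0x81, bytes([KDF_ITERSALTED_S2K]))
            + _tlv(0x82, bytes([hash_algo]))
            + _tlv(0x83, count.to_bytes(4, "big"))
            + _tlv(0x84, salt_pw1)
            + _tlv(0x85, salt_rc)
            + _tlv(0x86, salt_pw3)
            + _tlv(0x87, iterated_salted_s2k(pw1, salt_pw1, count, hash_algo))
            + _tlv(0x88, iterated_salted_s2k(pw3, salt_pw3, count, hash_algo)))


def parse_kdf_do(data: bytes) -> dict:
    """Parse the TLVs a client receives from GET DATA 00F9, rejecting truncation."""
    fields, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        tag, length = data[i], data[i + 1]
        i += 2
        if i + length > len(data):
            raise ValueError("truncated TLV value")
        fields[tag] = data[i:i + length]
        i += length
    return fields


def client_pin_for_verify(pin: bytes, kdf_do: bytes, which: str = "pw1") -> bytes:
    """The value a KDF-aware client puts into VERIFY: the raw PIN when the card
    reports KDF_NONE, otherwise the S2K hash over the card-supplied salt/count.
    Assumption (spec: 0x85/0x86 are optional): a missing RC/PW3 salt falls back to the PW1 salt."""
    fields = parse_kdf_do(kdf_do)
    algo = fields.get(0x81, bytes([KDF_NONE]))[0]
    if algo == KDF_NONE:
        return pin
    if algo != KDF_ITERSALTED_S2K:
        raise ValueError("unsupported KDF algorithm %#x" % algo)
    hash_algo = fields[0x82][0]
    count = int.from_bytes(fields[0x83], "big")
    salt = fields.get(_SALT_TAG[which], fields[0x84])
    return iterated_salted_s2k(pin, salt, count, hash_algo)


if __name__ == "__main__":
    # Constructed demo salts and count; a real tool draws the salts from a CSPRNG.
    do = build_kdf_do(100000, bytes(range(8)), bytes(range(8, 16)), bytes(range(16, 24)))
    print("KDF-DO:", do.hex())
    print("PW1 sent on VERIFY:", client_pin_for_verify(b"123456", do, "pw1").hex())
```

Note the security boundary this draws: the S2K output is what the card checks, so a trace of the APDU carrying it still yields a replayable credential; KDF keeps the PIN itself out of the card's storage and off the wire, it does not replace the PIN's secrecy with something the card can challenge.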