When choosing to use “Local Validation Server” with YubiRADIUS, what is a use of YubiKey records like AES Key and Private ID?

A short description is found in the YubiRADIUS Manual under section 5.2.4, here. In order to perform the task of OTP validation, the selected validation server needs to maintain the AES Key, Private ID and other relevant parameters (like the counter values from the last successfully validated OTP etc.) for your YubiKeys. The AES keys are stored securely by a Key Storage Module, which may be either the software solution YK-KSM or the hardware YubiHSM device.

If you select the “Local Validation Server” you will need to:

  • Reprogram your YubiKeys using the cross-platform personalization tool
  • The tool will generate a log file from your programming activity that has the details of the AES key, Public and Private IDs for each YubiKey programmed
  • Import the .csv log file generated by the tool so the AES keys and other related information is imported into the internal database of the Key Storage Module. This will allow for the OTPs from your YubiKeys to be validated by the local Validation Server.

Posted in: 7. YubiRADIUS