# Install yubikey-agent with Homebrew, apk, apt, Nix

Seamless ssh-agent for YubiKeys and other PIV tokens. Version 0.1.6 via Homebrew; verified 2026-06-06.

## Install

```sh
sudo av install brew:yubikey-agent
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install yubikey-agent
```

  Evidence: local Homebrew formula metadata

### Linux

- apk (92%):

```sh
sudo apk add yubikey-agent
```

  Evidence: Alpine Linux edge package indexes: yubikey-agent from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz

- Debian apt (92%):

```sh
sudo apt install yubikey-agent
```

  Evidence: Debian stable package indexes: yubikey-agent from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- Nix (92%):

```sh
nix profile install nixpkgs#yubikey-agent
```

  Evidence: nixpkgs package indexes: pkgs/by-name/yu/yubikey-agent/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:yubikey-agent
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/yubikey-agent>
- **Version:** 0.1.6
- **Source summary:** Seamless ssh-agent for YubiKeys and other PIV tokens
- **Homepage:** <https://github.com/FiloSottile/yubikey-agent>
- **Repository:** <https://github.com/FiloSottile/yubikey-agent>
- **Upstream docs:** <https://github.com/FiloSottile/yubikey-agent#readme>
- **License:** BSD-3-Clause
- **Source archive:** <https://github.com/FiloSottile/yubikey-agent/archive/refs/tags/v0.1.6.tar.gz>
- **Last updated:** 2026-06-06T11:29:14Z
- **Generated:** 2026-07-08T18:08:21+00:00

## Executables

- yubikey-agent (cli)
- yubikey-agent (alias)

## Build dependencies

- go
- pkgconf

## Uses from macOS

- pcsc-lite

## Install behavior

- Post-install hook: not defined
- Service: declared
- Caveats: To use this SSH agent, set this variable in your ~/.zshrc and/or ~/.bashrc: export SSH_AUTH_SOCK="$HOMEBREW_PREFIX/var/run/yubikey-agent.sock"
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.1.6
- Package-manager updated: 2026-06-06
- Local data: ok
- Upstream repository: https://github.com/FiloSottile/yubikey-agent
- Upstream latest detected: v0.1.6 (current)
## Project history and usage

yubikey-agent is Filippo Valsorda’s Go ssh-agent for YubiKeys and other PIV tokens, packaged because it makes hardware-backed SSH keys feel like a normal SSH_AUTH_SOCK workflow.

### Project history

The project appeared publicly in 2020, in the same period when OpenSSH 8.2 introduced native FIDO/U2F security-key support. yubikey-agent chose a different compatibility path: use the YubiKey PIV applet to present ordinary SSH public keys through an agent interface, so existing servers did not need support for the newer `-sk` SSH key types.

The README emphasizes three design goals that shaped its history: one-command setup, resilience across unplugging and sleep, and keys generated on the YubiKey so private material cannot be extracted. It is written in Go and built on go-piv/piv-go plus Go’s SSH libraries.

Its documentation also candidly records the tradeoffs: keeping a persistent PIV transaction helps PIN caching and UX, but can conflict with gpg-agent, YubiKey Manager, and other tools that want the same PIV applet.

### Adoption history

Early adoption came from security-conscious developers who wanted hardware-backed SSH without the fragility of gpg-agent, manual PKCS#11 loading, or server-side FIDO2 support. A Hacker News launch discussion in May 2020 framed it as a friendly way to plug in a key and SSH securely with minimal setup.

Packaging spread through Homebrew, AUR/Arch-style packaging, NixOS modules, FreeBSD ports, Alpine testing, Debian, and Ubuntu. The README’s install instructions are package-manager first, which helped the tool become a normal service rather than a custom local build.

### How it is used

Users install the package, start the service, run `yubikey-agent -setup` to generate a key on the YubiKey, and point `SSH_AUTH_SOCK` or per-host `IdentityAgent` settings at the agent socket. After that, SSH sees an ordinary agent while the YubiKey enforces PIN and touch policy.

The tool is commonly compared with OpenSSH FIDO2 keys, gpg-agent with the OpenPGP applet, raw ssh-agent PKCS#11 loading, pivy-agent, and macOS Secure Enclave tools such as Secretive. Its niche is the compatibility and UX middle ground: hardware-backed keys with ordinary SSH public-key compatibility.

### Why package nerds care

yubikey-agent is a package-nerd favorite because it collapses a historically fiddly stack into one daemon and one socket. It is not the only hardware-backed SSH route, but it is one of the cleanest examples of wrapping smart-card behavior in a familiar Unix interface.

It also tells a packaging story about defaults: Homebrew services, systemd user units, NixOS services, pcscd, and SSH_AUTH_SOCK all matter as much as the binary itself.

### Timeline

- 2020-02: OpenSSH 8.2 introduces built-in FIDO/U2F security-key SSH support, setting the context for hardware-backed SSH alternatives.
- 2020-04: Early yubikey-agent issue traffic discusses PIV applet locking behavior with YubiKey Manager.
- 2020-05-10: yubikey-agent is discussed on Hacker News as an easy Go ssh-agent for YubiKeys.
- 2020-06: Go module metadata shows early v0.1.x releases such as v0.1.2 and v0.1.3.
- 2020s: The package lands across Homebrew, NixOS/nixpkgs, FreeBSD ports, Arch/AUR, Debian/Ubuntu, and Alpine testing.

### Related projects

- Related projects include go-piv/piv-go, yubico-piv-tool, YKCS11, OpenSSH, gpg-agent, OpenSC, pivy-agent, Secretive, SeKey, YubiKey Manager, and OpenSSH FIDO2 security-key support.

### Sources

- <https://deps.dev/go/filippo.io%2Fyubikey-agent/v0.1.6>
- <https://formulae.brew.sh/formula/yubikey-agent>
- <https://github.com/FiloSottile/yubikey-agent>
- <https://github.com/FiloSottile/yubikey-agent/issues/4>
- <https://news.ycombinator.com/item?id=23130053>
- <https://pkg.go.dev/filippo.io/yubikey-agent>
- <https://pkgs.alpinelinux.org/package/edge/testing/x86/yubikey-agent>
- <https://words.filippo.io/openssh-fido2/>


## Security Notes

broad file, network, media, or database tool signal. formula declares a Homebrew service.

- **Geiger risk:** orange / medium
- broad file, network, media, or database tool signal
- formula declares a Homebrew service

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** yubikey-agent
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Debian apt - yubikey-agent - 0.1.4-2+b19: normalized package name match | Debian stable package indexes: yubikey-agent from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | seamless ssh agent for YubiKeys | https://github.com/FiloSottile/yubikey-agent
- Nix - yubikey-agent: normalized package name match | nixpkgs package indexes: pkgs/by-name/yu/yubikey-agent/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- Ubuntu apt - yubikey-agent - 0.1.4-2build1: normalized package name match | Ubuntu 24.04 LTS package indexes: yubikey-agent from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | seamless ssh agent for YubiKeys | https://github.com/FiloSottile/yubikey-agent
- apk - yubikey-agent - 0.1.6-r22: normalized package name match | Alpine Linux edge package indexes: yubikey-agent from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz | Seamless ssh-agent for YubiKeys | https://github.com/FiloSottile/yubikey-agent


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [pkgconf](https://www.automicvault.com/pkg/brew/pkgconf/) - Build dependency declared by Homebrew.
- [tkey-ssh-agent](https://www.automicvault.com/pkg/brew/tkey-ssh-agent/) - Shares av.db curated category or tags: cli, hardware-token, security, ssh, ssh-agent.
- [skm](https://www.automicvault.com/pkg/brew/skm/) - Shares av.db curated category or tags: cli, security, ssh.
- [sshguard](https://www.automicvault.com/pkg/brew/sshguard/) - Shares av.db curated category or tags: cli, security, ssh.
- [ykman](https://www.automicvault.com/pkg/brew/ykman/) - Shares av.db curated category or tags: cli, hardware-token, security, yubikey.
- [yubico-piv-tool](https://www.automicvault.com/pkg/brew/yubico-piv-tool/) - Shares av.db curated category or tags: cli, piv, security, yubikey.
- [age-plugin-yubikey](https://www.automicvault.com/pkg/brew/age-plugin-yubikey/) - Shares av.db curated category or tags: cli, piv, security, yubikey.
- [openssh](https://www.automicvault.com/pkg/brew/openssh/) - Shares av.db curated category or tags: cli, security, ssh.
- [pivit](https://www.automicvault.com/pkg/brew/pivit/) - Shares av.db curated category or tags: cli, piv, security, yubikey.
- [keepkey-agent](https://www.automicvault.com/pkg/brew/keepkey-agent/) - Security-sensitive metadata or terminology overlaps. Shared terms: agent, cli, hardware, security, ssh.

## Combined YAML source

View the package source record on GitHub. [combined/yubikey-agent.yml](https://github.com/automic-vault/db/blob/main/combined/yubikey-agent.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
