diff --git a/advanced/yubikey_notes.md b/advanced/yubikey_notes.md new file mode 100644 index 0000000..1da2f0b --- /dev/null +++ b/advanced/yubikey_notes.md 
@@ -0,0 +1,181 @@ +# Yubikey 4 Setup + +This guide assumes you have an existing GPG key generated and saved as an asc file. There are ways to have the Yubikey 4 generate the GPG private key but for our needs we generate the GPG keys ahead of Yubikey setup using tails and keep the secret key material on encrypted disks as much as possible. + +# Reset The Yubikey + +## Reset Main Slot Configuration + +Download the [Personalization Tools](https://www.yubico.com/products/services-software/download/yubikey-personalization-tools/) and delete the configuration for ALL of the Yubikey's slots. + +``` bash + +sudo apt install yubikey-personalization-gui + +``` + +## Reset GPG Configuration + +``` bash + +gpg-connect-agent +/hex +scd serialno +scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 +scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 +scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 +scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 +scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 +scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 +scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 +scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 +scd apdu 00 e6 00 00 +scd apdu 00 44 00 00 +/echo Card has been successfully reset. +/bye + +# Unplug / plug back in to ensure fully reset +gpg --card-status # Should show blank card + +``` + +# Basic Slot Setup + +Download the [Personalization Tools](https://www.yubico.com/products/services-software/download/yubikey-personalization-tools/) and setup the Yubikey OTP 2FA in Slot 1. Leave Slot 2 non-configured. You may need/want to set this up later but it's outside the scope of this document. + +``` bash + +sudo apt install yubikey-personalization-gui + +``` + +# GPG Setup + +Make sure you have ```gpg2``` and ```scdaemon``` installed before doing anything further. 
+ +## Setup Yubikey For GPG + +- [https://developers.yubico.com/PGP/Card_edit.html](https://developers.yubico.com/PGP/Card_edit.html) + +``` bash + +gpg --card-status # Shouldn't show anything useful +gpg --card-edit +admin +passwd + 1 + 123456 + 3 + 12345678 + q +name +lang + en +url + https://lollipopcloud.solutions/gpg/lc_keys/kemonine.pub +login + kemonine +quit +gpg --card-status + +``` + + +## Import GPG Keys + +Remember: we pre-generate GPG keys for people. They need to be imported before setting up the Yubikey. + +- [https://developers.yubico.com/PGP/Importing_keys.html](https://developers.yubico.com/PGP/Importing_keys.html) + +``` bash + +gpg --import kemonine.asc +gpg --list-keys --keyid-format LONG +gpg --edit-key 2DCE25A15B872D5BF592BA009D79FBF661EC6779 +trust + 5 + y + save +gpg --card-status +gpg --expert --edit-key 2DCE25A15B872D5BF592BA009D79FBF661EC6779 +toggle +keytocard + y + 1 +keytocard + y + 3 +key 1 +keytocard + 2 +key 1 +key 2 +keytocard +quit + y +gpg --card-status +gpg --list-secret-keys +# Unplug Yubikey +gpg --list-secret-keys + +``` + +# Setup Git GPG Signing + +- [https://kemonine.info/post/2017/12/signed-git-commits/](https://kemonine.info/post/2017/12/signed-git-commits/) + +``` bash + +gpg --list-secret-keys --keyid-format LONG +# Look for something like: rsa4096/9D79FBF661EC6779 the part after the / is the key id to use with git +# cd to git project +git config commit.gpgsign true +git config user.signingkey [Your Key ID] +# Add key to gitea / gitlab -- the contents of kemonine.pub are what you put into the gitea instance + +```` + +# SSH Auth with GPG Key + +- [https://developers.yubico.com/PGP/SSH_authentication/](https://developers.yubico.com/PGP/SSH_authentication/) +- [https://kemonine.info/post/2017/12/gpg---ssh-auth/](https://kemonine.info/post/2017/12/gpg---ssh-auth/) +- [https://developers.yubico.com/PGP/SSH_authentication/](https://developers.yubico.com/PGP/SSH_authentication/) +- 
[https://github.com/dainnilsson/scripts/blob/master/base-install/gpg.sh](https://github.com/dainnilsson/scripts/blob/master/base-install/gpg.sh) +- [https://github.com/dainnilsson/scripts/blob/master/base-install/gpg.sh](https://github.com/dainnilsson/scripts/blob/master/base-install/gpg.sh) +- [https://mlohr.com/gpg-agent-ssh-gnome/](https://mlohr.com/gpg-agent-ssh-gnome/) + +``` bash + +apt install pinentry-curses + +``` + +``` bash + +ubuntu@ubuntu ~ $ cat ~/.gnupg/gpg-agent.conf +enable-ssh-support +pinentry-program /usr/bin/pinentry-curses +default-cache-ttl 60 +max-cache-ttl 120 + +``` + +``` bash + +ubuntu@ubuntu ~ $ cat ~/.gnupg/gpg.conf +personal-digest-preferences SHA256 +cert-digest-algo SHA512 +default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed + +``` + +``` bash + +ubuntu@ubuntu ~ $ cat .bashrc # append this to the bottom +export GPG_TTY="$(tty)" +export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh" +gpg-connect-agent updatestartuptty /bye + +``` + +
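Review bot: the keytocard sequence in the "Import GPG Keys" block is inconsistent and should be rewritten to say which key goes in which slot. As written, "keytocard / y / 1" and then "keytocard / y / 3" both run before any "key N" is selected, so the primary key is written to both the signature slot (1) and the authentication slot (3); the later "key 2" / "keytocard" step then gives no slot number at all. Since the intro says the goal is to keep secret key material on encrypted disks, the usual layout is to leave the primary key off the card and move only the subkeys, one "key N" / "keytocard" / slot number triple per subkey (sign, encrypt, auth). Also note explicitly that "quit" followed by "y" saves the edit and replaces the local secret keys with card stubs (which is what the two "gpg --list-secret-keys" checks around "# Unplug Yubikey" show), so the kemonine.asc backup must exist before that step or the key material is gone. Related: the "passwd" block under "Setup Yubikey For GPG" only lists "1 / 123456" and "3 / 12345678", which are the factory default PIN and Admin PIN; it never shows a new PIN being entered, so a reader following it literally ends up with default PINs on a card holding their signing and SSH keys. Annotate each line as "current PIN, new PIN, repeat new PIN" and state that both defaults must be replaced. Smaller points: the .bashrc snippet hard-codes "/run/user/$UID/gnupg/S.gpg-agent.ssh" where "$(gpgconf --list-dirs agent-ssh-socket)" is portable across gpg versions and socket layouts; the SSH Auth link list repeats the Yubico SSH_authentication URL and the dainnilsson gpg.sh URL; the git signing block closes its fence with four backticks instead of three; and "apt install pinentry-curses" is missing the "sudo" used by every other install line.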