Troubleshooting Issues with GPG


This article covers some of the issues you may experience when using GnuPG (GPG) with your YubiKey, and possible solutions. 

 

gpg --card-status

If gpg --card-status fails to detect the YubiKey, try following the steps below.

 

  1. Double-check that your device includes support for OpenPGP (see the Compatible devices section above).

  2. Using YubiKey Manager, verify that your YubiKey has the relevant application enabled under Interfaces. For YubiKey NEOs, and YubiKeys from the 4 Series, this will be CCID, For 5 Series YubiKeys, OpenPGP will be listed separately.

  3. Specify the smart card reader GPG uses by adding the line reader-port Yubico Yubi to the file scdaemon.conf file. Create this file if it does not exist. After making this change, reboot your computer to ensure it takes affect.

    • On Windows, this file's path should be %APPDATA%\gnupg\scdaemon.conf

    • On macOS and Linux, it is ~/.gnupg/scdaemon.conf

    • On macOS and Linux, you may need to add reader-port Yubico Yubikey (with a lowercase K) instead of what is above if you are using a YubiKey 4 Series or NEO

  4. Test with a fresh set of GPG configuration files. To do this, rename your GPG folder (add .old to the end, etc.) so that GPG can no longer "see" it, reboot your system, and re-run gpg --card-status. This will create a new folder, with fresh default files.
    • On Windows, the path to your GPG folder should be %APPDATA%\gnupg
    • On macOS and Linux, it should instead be ~/.gnupg
    • If this doesn't help, you can revert to your old configuration by renaming/deleting the new folder, and then renaming the original back to its original name (remove .old, etc. from the end of the name).

If gpg --card-status detects the YubiKey, but throws the error Operation not supported by device, try configuring GPG's scdaemon to open the YubiKey in shared mode (instead of exclusive) by adding shared-access to your scdaemon.conf file, and rebooting your computer. See item 3 above for more details on where to find/create this file on your system.

 

Importing PGP Key to the YubiKey Fails

If you run keytocard under the gpg --card-edit feature and it fails, this usually indicates you are using a large key (4096bit) and an older version of GPG. For large keys you need to use GPG v2.0 or newer which you can verify by running gpg --version. On some systems, both GPG v1.x and GPG v2.x exist simultaneously and you need to access GPG v2 by running gpg2 instead of gpg.