Troubleshooting Issues with GPG


This article covers some of the issues you may experience when using GnuPG (GPG) with your YubiKey, and possible solutions. 

 

Note: as of GPG 2.3 there is a regression that prevents GPG from identifying the YubiKey by name and setting "reader port Yubico YubiKey" is ignored. This has been reported to the GPG developers and the problem has been identified and fix has been pushed into the main tree. However this fix may take some time to make it to the release versions. as a workaround you can try adding disable-ccid to the scdaemon.conf. at this time we recommend not upgrading to GPG 2.3

 

gpg --card-status

If gpg --card-status fails to detect the YubiKey, try following the steps below.

 

  1. Double-check that your device includes support for OpenPGP (see the Compatible devices section above).

  2. Using YubiKey Manager, verify that your YubiKey has the relevant interface enabled (under Interfaces). For YubiKeys from the 4 Series, this will be CCID, For 5 Series YubiKeys, OpenPGP will be listed separately.

  3. Specify the smart card reader GPG uses by adding the line reader-port Yubico Yubi to the scdaemon.conf file; create the file if it does not exist. After making this change, reboot your computer to ensure it takes affect. 

    • On Windows, this file's path is %APPDATA%\gnupg\scdaemon.conf

    • On macOS and Linux, it is ~/.gnupg/scdaemon.conf

    • On macOS and Linux, you may need to add reader-port Yubico Yubikey (with a lowercase K) instead of what is above if you are using a YubiKey 4 Series or NEO

If gpg --card-status detects the YubiKey, but throws the error Operation not supported by device, try configuring GPG's scdaemon to open the YubiKey in shared mode (instead of exclusive) by adding shared-access to your scdaemon.conf file, and rebooting your computer. See item 3 above for more details on where to find/create this file on your system.

 

Importing PGP Key to the YubiKey Fails

If you run keytocard under the gpg --card-edit feature and it fails, this usually indicates you are using a large key (4096bit) and an older version of GPG. For large keys you need to use GPG v2.0 or newer which you can verify by running gpg --version. On some systems, both GPG v1.x and GPG v2.x exist simultaneously and you need to access GPG v2 by running gpg2 instead of gpg.