Resetting the OpenPGP Application on the YubiKey


This article covers the two options for resetting the OpenPGP application on your YubiKey. 


Warning: This will permanently delete any PGP keys you have on the YubiKey.

 

Option 1 - Reset Using YubiKey Manager

  1. Download and install YubiKey Manager.
  2. Insert the YubiKey into a USB port.
  3. Open Command Prompt (Windows) or Terminal (Mac / Linux).
  4. Type ykman openpgp reset and press Enter.
  5. When prompted, press Y and then Enter to confirm the reset.

Note: If you receive an error about not being able to find the program ykman, you will need to use cd to navigate to the folder it is in before running the ykman command.

  • For Windows you would run cd "C:\Program Files\Yubico\YubiKey Manager"
  • For Mac you would run cd /Applications/YubiKey\ Manager.app/Contents/MacOS/

Option 2 - Manual Reset Using GPG 

  1. Insert the YubiKey into a USB port.
  2. Open Command Prompt (Windows Users) or Terminal (Mac / Linux).
  3. To check the PIN/Admin PIN reset status, enter the GPG command: gpg --card-status. If gpg --card-status fails, terminate the gpg-agent and gpg-connect-agent processes and try again, or reboot.
  4. Run gpg-connect-agent --hex
  5. If the PIN retry counter reported by gpg --card-status is greater than 0, enter the command: scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
  6. Repeat the above command until one of the following occurs:
    • YubiKey 4/5 Series device reports "D[0000]  69 83"
    • YubiKey NEO device reports "D[0000]  63 C0"
  7. If the Admin PIN retry counter is greater than 0, enter the GPG command: scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
  8. Repeat the above command until one of the following occurs:
    • YubiKey 4/5 Series device reports "D[0000]  69 83"
    • YubiKey NEO device reports "D[0000]  63 C0"
  9. To terminate the card, run the GPG command: scd apdu 00 e6 00 00. You should see "D[0000]  90 00" (if the card is already terminated, you should receive "D[0000]  69 85").
  10. To reactivate the card, run the GPG command: scd apdu 00 44 00 00. You should see "D[0000]  90 00" (if the card hasn't been terminated, you should receive "D[0000]  69 85").
  11. Close or exit the command prompt or terminal window, and then remove and re-insert the YubiKey device.
  12. Terminate gpg-agent and gpg-connect-agent processes (or restart), then run the GPG command: gpg --card-status 
  13. Confirm the PIN Retry counter is as follows:
    • "3  0  3" on a YubiKey 4/5 Series device
    • "3  3  3" on a YubiKey NEO device
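The replies in Option 2 can be read mechanically. The following is an added example, not Yubico's code: a small shell helper that maps each "D[0000]" reply to the next action in the steps above and checks the final retry counter. The function names are hypothetical, the sample replies are constructed, and it assumes the reply carries only the two status bytes shown in this article.

```shell
#!/bin/sh
# Added example: helpers for following the manual reset (Option 2).
# Function names are hypothetical; sample replies are constructed.

# Print the two status bytes of a gpg-connect-agent --hex reply,
# e.g. 'D[0000]  69 83' -> '6983'. Prints nothing for non-data lines.
status_word() {
    printf '%s\n' "$1" | awk '
        /^D\[/ && $2 ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/ && $3 ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/ {
            sw = toupper($2 $3)
        }
        END { print sw }'
}

# next_action STEP REPLY, where STEP is verify (steps 5-8),
# terminate (step 9) or activate (step 10).
next_action() {
    sw=$(status_word "$2")
    case "$1:$sw" in
        *:)                           echo unexpected ;;  # no status bytes found
        verify:6983|verify:63C0)      echo blocked ;;     # stop repeating
        verify:*)                     echo repeat ;;      # send the command again
        terminate:9000|activate:9000) echo ok ;;
        terminate:6985)               echo already-terminated ;;
        activate:6985)                echo not-terminated ;;
        *)                            echo unexpected ;;
    esac
}

# Read `gpg --card-status` output on stdin and print the counters as "3 0 3".
retry_counter() {
    awk -F: '/^PIN retry counter/ {
        gsub(/^ +| +$/, "", $2); gsub(/ +/, " ", $2); print $2; exit }'
}

# reset_verified MODEL: succeed if stdin shows the counters from step 13.
# MODEL is "neo" for a YubiKey NEO; anything else means a 4/5 Series device.
reset_verified() {
    case "$1" in
        neo) want="3 3 3" ;;
        *)   want="3 0 3" ;;
    esac
    [ "$(retry_counter)" = "$want" ]
}

# Constructed replies, not captured from a device.
for reply in 'D[0000]  63 C1' 'D[0000]  69 83'; do
    echo "$reply -> $(next_action verify "$reply")"
done
```

After the reset, `gpg --card-status | reset_verified yk45` (or `neo`) exits 0 only when the counters match step 13.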