Using Your YubiKey with OpenPGP

Note: If you have not set a User PIN or an Admin PIN for OpenPGP, the defaults are 123456 (User PIN) and 12345678 (Admin PIN). If the User PIN and/or Admin PIN have been changed and are no longer known, the OpenPGP applet can be reset by following this article.

These instructions show you how to set up your YubiKey with OpenPGP. Before you begin, decide whether you want to generate the private key on the YubiKey itself, or generate it off the YubiKey and then move the subkeys to the device. So that your PGP keys can be backed up, we recommend generating them on your computer rather than directly on the YubiKey. We also recommend that you personalize the YubiKey (change the User PIN, set the Admin PIN, and so on) before you move the subkeys to the device.

Requirements

  • A compatible YubiKey.
  • A current version of the GnuPG software installed.
    • Windows: GPG4Win
    • macOS: GPG Tools
    • Linux: Pre-installed on all common distributions.

Instructions

Generating the Key external to the YubiKey (Recommended)

Note: It is strongly recommended that you do not generate the keys on the same machine where you will use the YubiKey day to day. Instead, generate them from a live Linux distribution such as Ubuntu ( https://tutorials.ubuntu.com/tutorial/try-ubuntu-before-you-install#0 ), so that the primary key never touches your regular operating system.

  1. Insert the YubiKey into the USB port if it is not already plugged in.
  2. Enter the GPG command: gpg --expert --full-gen-key
  3. When prompted to specify the key type, enter 1 (for "RSA and RSA (Default)") and press Enter.
  4. Specify the size of key you want to generate. Do one of the following:
    • For a YubiKey NEO, enter 2048 and press Enter.
    • For a YubiKey 4 or 5, enter 4096 and press Enter.
  5. Specify the expiration date of the key, and press Enter. Verify the expiration date when prompted.
  6. Now you will enter your user information. Enter your Real Name and press Enter. Be sure to enter both your first and last name.
  7. Enter your Email Address and press Enter.
  8. If desired, enter a Comment about this key, and press Enter. (To leave the comment blank, just press Enter.)
  9. Review the information you entered, make any changes if necessary. If all information is correct, enter O (for Okay) and press Enter.
  10. A dialog box is displayed so you can enter the passphrase for your key. While the key is being generated, move your mouse around or type on the keyboard to gather enough entropy. When the key has been generated, several messages are displayed. Make a note of the key ID shown in a message such as "gpg: key 1234ABC marked as ultimately trusted". The key ID in this case is 1234ABC, and you will need it for the remaining steps (gpg --list-secret-keys shows it again at any time).

To add an authentication key:

Note: Recent releases of GnuPG may set the default allowed actions to both Sign and Encrypt. Check the allowed actions shown at the prompt before proceeding with adding the authentication key.

  1. Insert the YubiKey into the USB port if it is not already plugged in.
  2. Enter the GPG command: gpg --expert --edit-key 1234ABC (where 1234ABC is the key ID of your key)
  3. Enter the command: addkey
  4. Enter the passphrase for the key. Note that this is the passphrase, and not the PIN or admin PIN.
  5. You are prompted to specify the type of key. Enter 8 for RSA.
  6. The initial default is Sign and Encrypt. To make an authentication-only key, enter S to disable Sign, E to disable Encrypt, and A to enable Authenticate.
  7. Once "Authenticate" is the only allowed action shown, enter Q to finish the selection.
  8. Specify the key size.
  9. Specify the expiration of the authentication key (this should be the same expiration as the key).
  10. When prompted to save your changes, enter y (yes).

To add a signing key:

Note: Recent releases of GnuPG may set the default allowed actions to both Sign and Encrypt. Check the allowed actions shown at the prompt before proceeding with adding the signing key.

  1. Enter the GPG command: gpg --expert --edit-key 1234ABC (where 1234ABC is the key ID of your key) if you are not in edit mode already.
  2. Enter the command: addkey
  3. Enter the passphrase for the key. Note that this is the passphrase, and not the PIN or admin PIN.
  4. You are prompted to specify the type of key. Enter 8 for RSA.
  5. The initial default is Sign and Encrypt. Enter E to disable Encrypt so that Sign is the only allowed action: the YubiKey has separate signature and encryption slots, and the encryption subkey created with the primary key already covers encryption.
  6. Once "Sign" is the only allowed action shown, enter Q to finish the selection.
  7. Specify the key size.
  8. Specify the expiration of the signing key (this should be the same expiration as the primary key).
  9. When prompted to save your changes, enter y (yes).

To create a backup of your key:

Note: Do this before moving anything to the YubiKey. The keytocard command in the next section moves each secret subkey onto the card and leaves only a stub in your local keyring, so a backup taken afterwards would not contain the subkeys.

  1. Insert the YubiKey into the USB port if it is not already plugged in.
  2. Enter the GPG command: gpg --export-secret-keys --armor 1234ABC (where 1234ABC is the key ID of your key). This exports the primary key and all subkeys, protected by your passphrase.
  3. Store the text output from the command in a safe place (for example, print it, save it in a password manager, or save it on an offline USB storage device).

To move the subkeys to your YubiKey:

Note: keytocard moves the selected secret subkey to the card and leaves only a stub in your local keyring, so complete the backup above first. If no subkey is selected, keytocard offers to move the primary key instead; answer n, because the primary (certification) key should stay off the card.

  1. Insert the YubiKey into the USB port if it is not already plugged in.
  2. Enter the GPG command: gpg --edit-key 1234ABC (where 1234ABC is the key ID of your key). On GnuPG 2.0 or older, enter toggle first to switch to the secret-key view.
  3. The subkeys are listed as ssb lines with their allowed actions in brackets. If you followed the order in this guide, subkey 1 is the encryption key [E], subkey 2 the authentication key [A] and subkey 3 the signing key [S]. Go by the letters shown, not by the order.
  4. Enter the command: key 3 (an asterisk after ssb marks the selected subkey)
  5. Enter the command: keytocard
  6. When prompted where to store the key, select 1. This moves the signing subkey to the signature slot of the YubiKey.
  7. Enter the command: key 3 (to deselect it), then the command: key 1
  8. Enter the command: keytocard
  9. When prompted where to store the key, select 2. This moves the encryption subkey to the encryption slot of the YubiKey.
  10. Enter the command: key 1 (to deselect it), then the command: key 2
  11. Enter the command: keytocard
  12. When prompted where to store the key, select 3. This moves the authentication subkey to the authentication slot of the YubiKey.
  13. Enter the command: quit
  14. When prompted to save your changes, enter y (yes). The subkeys now live on the YubiKey: gpg --list-secret-keys shows them as ssb> (the > marks a stub that points at the card), and gpg --card-status lists the signature, encryption and authentication slots as populated.

Generating Your PGP Key directly on Your YubiKey

Warning: Generating the PGP key on the YubiKey ensures that malware on your computer can never steal the private key, but it also means the key cannot be backed up: if the YubiKey is lost or damaged, the PGP key is irrecoverable.

  1. Insert the YubiKey into the USB port if it is not already plugged in.
  2. Open Command Prompt (Windows) or Terminal (macOS / Linux).
  3. Enter the GPG command: gpg --card-edit
  4. At the gpg/card> prompt, enter the command: admin
  5. If you want to use keys larger than 2048 bits, run: key-attr
  6. Enter the command: generate
  7. When prompted, specify whether you want to make an off-card backup of your encryption key.
    • Note: This backs up the encryption key only, not the signing or authentication keys. It lets you recover data encrypted to this key, but it does not restore the full key set to a new YubiKey.
  8. Specify how long the key should be valid for (specify the number in days, weeks, months, or years).
  9. Confirm the expiration day.
  10. When prompted, enter your name.
  11. Enter your email address.
  12. If needed, enter a comment.
  13. Review the name and email, and accept or make changes.
  14. Enter the Admin PIN when prompted (12345678 if you have not changed it). The green light on the YubiKey flashes while the keys are being generated and written.
