YubiKey 4 and PGP/GPG

The YubiKey is an OTP/U2F device that fits on a keychain. In its default mode it shows up as a USB keyboard: touching the button types out a long one-time password, which is what services consume for OTP login (U2F uses a separate challenge-response exchange over USB HID rather than typed text). It costs about $40 on Amazon and can be registered with multiple Google or GitHub accounts. The YubiKey 4 also implements the OpenPGP smart-card specification, so it can hold your PGP keys.

I’ll be using Arch for this guide.

  1. Install the YubiKey personalization tools
    • pacman -S yubikey-personalization
  2. Put the device in a mode that exposes the CCID (smart-card) interface. Mode 82 is OTP+CCID with the eject flag set; 86 would keep U2F enabled as well. Unplug and reinsert the key afterwards.
    • ykpersonalize -m82
    • If gpg cannot see the card afterwards, install pcsclite and ccid and start pcscd, or check that udev gives your user access to the device.
  3. Next, the card needs to be configured. The factory PINs are 123456 (user) and 12345678 (admin); change both before generating anything.
    • gpg --card-edit
    • admin
    • passwd
      • Set both the admin PIN and user PIN
    • generate
      • The keys are generated on the card and the private halves never leave it. You will be asked whether to make an off-card backup of the encryption key; say yes if you want to keep decrypting old mail after losing the YubiKey. The signing and authentication keys cannot be backed up, so if the card is lost those keys are gone.
    • The card should now have PGP keys.
  4. Make sure the PGP key exists on the card. The output should show a fingerprint for each of the signature, encryption and authentication slots.
    • gpg --card-status
  5. Also make sure GnuPG knows about the secret key. Because the private key lives on the card, the listing shows stubs, marked with a > after sec and ssb.
    • gpg --list-secret-keys
  6. Now that you have PGP keys, upload the public key to keybase.io or to a PGP key server.

  7. I recommend that you go back to the gpg --card-edit menu and use the url command to store the URL where your public key can be downloaded.

  8. Now when you plug your YubiKey into another machine, you can pull the public key from that URL like so. Only the public key is downloaded; the private key never leaves the card. Afterwards run the card-status command from step 4 so that GnuPG creates the secret-key stubs pointing at the card.
    • gpg --card-edit
    • fetch
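After steps 4, 5 and 8 the check a practitioner actually wants is that the three key slots on the card and the stubs in the local keyring agree. The script below is an added example, not part of the original guide or of GnuPG: it parses the machine-readable output of gpg --card-status --with-colons and gpg --list-secret-keys --with-colons (field layout as documented in GnuPG's doc/DETAILS: the card's fpr record carries the three slot fingerprints; field 15 of a sec/ssb record carries the token serial when the key is on a card, or # when no secret material exists). The embedded sample outputs, fingerprints, serial and user ID are constructed so the script runs offline; the commented commands show how to run it against a real card.

```shell
#!/usr/bin/env bash
# Added example: cross-check the PGP key slots on the YubiKey against the
# secret-key stubs GnuPG holds. Run after `fetch` and `gpg --card-status`.
set -eu

# Fingerprints of the signature, encryption and authentication slots from
# `gpg --card-status --with-colons` read on stdin. Empty slots are skipped.
card_fingerprints() {
  awk -F: '$1 == "fpr" { for (i = 2; i <= 4; i++) if ($i != "") print $i }'
}

# Fingerprints of secret keys that GnuPG knows only as on-card stubs, from
# `gpg --list-secret-keys --with-colons` read on stdin. Field 15 of a sec/ssb
# record is the token serial number when the key is on a smart card, or "#"
# when no secret material is available at all (those are not on this card).
stub_fingerprints() {
  awk -F: '
    $1 == "sec" || $1 == "ssb" { on_card = ($15 != "" && $15 != "#"); next }
    $1 == "fpr" && on_card     { print $10; on_card = 0 }
  '
}

# $1: newline-separated card fingerprints, $2: newline-separated stub
# fingerprints. Returns 0 when the sets match, 1 otherwise (printing the gaps).
verify_card_matches_keyring() {
  _card=" $(printf '%s ' $1)"
  _ring=" $(printf '%s ' $2)"
  _status=0
  for _f in $1; do
    case "$_ring" in *" $_f "*) ;; *) echo "on card but not in keyring: $_f"; _status=1 ;; esac
  done
  for _f in $2; do
    case "$_card" in *" $_f "*) ;; *) echo "stub in keyring but not on card: $_f"; _status=1 ;; esac
  done
  return $_status
}

# Constructed sample output (hypothetical serial, fingerprints and user ID),
# shaped like `gpg --card-status --with-colons` on a YubiKey 4.
SAMPLE_CARD_STATUS=$(cat <<'EOF'
reader:Yubico YubiKey OTP+CCID 00 00:
version:0201:
vendor:0006:Yubico:
serial:01234567:
name:Doe:Jane:
url:https://example.invalid/jane.asc:
fpr:0123456789ABCDEF0123456789ABCDEF01234567:89ABCDEF0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210FEDCBA98:
EOF
)

# Constructed sample shaped like `gpg --list-secret-keys --with-colons`: three
# stubs pointing at the card (field 15 = card AID) plus one "#" stub for a
# subkey whose secret is not available anywhere, which must be ignored.
SAMPLE_SECRET_KEYS=$(cat <<'EOF'
sec:u:2048:1:0123456789ABCDEF:1500000000:::u:::scESC:::D2760001240102010006012345670000:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1500000000::0000000000000000000000000000000000000000::Jane Doe <jane@example.invalid>::::::::::0:
ssb:u:2048:1:89ABCDEF01234567:1500000000::::::e:::D2760001240102010006012345670000:::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
ssb:u:2048:1:FEDCBA9876543210:1500000000::::::a:::D2760001240102010006012345670000:::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
ssb:u:2048:1:1111222233334444:1500000000::::::s:::#:::23:
fpr:::::::::1111222233334444111122223333444411112222:
EOF
)

# Offline run on the constructed samples. Against a real card, replace the
# two printf pipelines with:
#   gpg --card-status --with-colons       | card_fingerprints
#   gpg --list-secret-keys --with-colons  | stub_fingerprints
demo_card=$(printf '%s\n' "$SAMPLE_CARD_STATUS" | card_fingerprints)
demo_ring=$(printf '%s\n' "$SAMPLE_SECRET_KEYS" | stub_fingerprints)
verify_card_matches_keyring "$demo_card" "$demo_ring" && echo "card and keyring agree"
```

If the check reports a stub that is not on the card, the keyring still carries a stub from an older or different YubiKey; if it reports a slot that is not in the keyring, the fetch step succeeded but card-status was not run afterwards, so GnuPG has not yet written the stubs.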