YubiKey 4 and PGP/GPG
Nov 15, 2016
The YubiKey is an OTP/U2F device that fits on a keychain and shows up to the host as a USB keyboard. Pressing the button on the YubiKey makes it type out a long string that is used for OTP/U2F. It costs about $40 on Amazon and can easily be used with multiple Google or GitHub accounts. The newer versions of the YubiKey also support storing PGP keys, which is what this guide covers.
I’ll be using Arch for this guide.
- Install the YubiKey personalization tools.
pacman -S yubikey-personalization
- Put the device in CCID (smart card) mode so that GnuPG can talk to it.
ykpersonalize -m82
- Next, the card needs to be configured from the GnuPG card menu. Enter the admin menu and change the PINs.
gpg --card-edit
admin
passwd
- Set both the admin PIN and the user PIN, then generate the keys on the card (still at the gpg/card> prompt).
generate
- The card should now hold PGP keys.
- Make sure the PGP key exists on the card.
gpg --card-status
- Also make sure the secret key is listed. It should appear as a stub (marked sec>), meaning the private material lives on the card rather than on disk.
gpg --list-secret-keys
- Now that you have PGP keys you can sign up for keybase.io or any other PGP key server.
- I recommend that you go back to the
gpg --card-edit
menu and set the url of your public PGP key (the url command in the admin menu).
- Now when you plug your YubiKey into another machine, you can fetch the PGP key off the card like so.
gpg --card-edit
fetch
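The "make sure the secret exists" check above is easy to do by eye once, but it is worth scripting if you manage several cards or machines. This added example (not part of the original post) parses the machine-readable output of gpg --list-secret-keys --with-colons and reports, for every primary key and subkey, whether the private material is on a token, on disk, or missing; the sample output and the token serial number in it are constructed, and the field semantics assumed are those of GnuPG 2.1 and later.

```python
import subprocess
from typing import Dict, List

# Constructed sample of `gpg --list-secret-keys --with-colons` output.
# Field 15 (index 14) of a sec/ssb record carries the token serial number when
# the key is a card stub, '+' when the private key is on disk in the agent's
# store, and is empty when no private key is available at all.
SAMPLE_OUTPUT = """\
sec:u:2048:1:0123456789ABCDEF:1479168000:::u:::scESC:::D2760001240102010006000000000000::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1479168000::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.com>::
ssb:u:2048:1:FEDCBA9876543210:1479168000::::::e:::D2760001240102010006000000000000:
ssb:u:2048:1:1111222233334444:1479168000::::::a:::+:
"""


def classify_secret_keys(colon_output: str) -> List[Dict[str, str]]:
    """Return one record per sec/ssb line: key id, capabilities and where the key lives."""
    records = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue
        # Records are positional; pad short lines so indexing is always safe.
        fields += [""] * (16 - len(fields))
        token = fields[14]
        if token == "+":
            where = "on-disk"
        elif token == "":
            where = "missing"
        else:
            where = "card:" + token
        records.append({"type": fields[0], "keyid": fields[4],
                        "caps": fields[11], "where": where})
    return records


def keys_outside_card(colon_output: str) -> List[str]:
    """Key ids whose private material is not held by a token (what you want to be empty)."""
    return [r["keyid"] for r in classify_secret_keys(colon_output)
            if not r["where"].startswith("card:")]


def check_local_keyring() -> List[Dict[str, str]]:
    """Run the real gpg on this machine and classify its secret keys (needs gpg installed)."""
    out = subprocess.run(["gpg", "--list-secret-keys", "--with-colons"],
                         capture_output=True, text=True, check=True).stdout
    return classify_secret_keys(out)


if __name__ == "__main__":
    for rec in classify_secret_keys(SAMPLE_OUTPUT):
        print(f"{rec['type']} {rec['keyid']} [{rec['caps']}] -> {rec['where']}")
    print("not on card:", keys_outside_card(SAMPLE_OUTPUT))
```

In the constructed sample the authentication subkey is reported as on-disk, which is exactly the case this check is meant to surface after a card generate.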