Link Search Menu Expand Document

Setting up yubikeys to store gpg and ssh keys

I use yubikeys to store my gpg and ssh keys.

Before starting do a little bit of reading to familiarize yourself with the setup procedure. I have added a list of links at the end. These are mainly the resources that I used.

Generate a new gpg key

I have generated my keys on a qube VM without internet connection.

$ gpg --gen-key

Selected option 0 and moved on to create my ID associated with the key.

In this step I used mostly the guide from yubico developers website [1] The guide goes through generating Sign (S) Authentication (A) and Encryption (E) keys.

Add an authentication key

$ gpg --expert --edit-key 123ABC45

At this step we select another RSA key to attach to our key. In the gpg selection menu this corresponds to option 8.


Here is where you should backup your keys and revocation certificates. Please do I have personally lost yubikeys and having backups really helps.

Also setup a PIN and a admin PIN for your yubikey [5]. With:

$ gpg --card-edit

$ gpg/card> admin

Import the key to the yubikey

Finally we edit our key and add it to the keycard [1].

$ gpg --expert --edit-key 123ABC45

$ gpg> keytocard

Now your key is exported to your card and ready to be used.

Setup key to be used with ssh

$ gpg2 -K --with-keygrip

This will show all your keys available with keygrip. Use the keygrip of your authentication key to export it to sshcontrol

echo 1234567AB8CDFFF90G9H1I23JJ4K5L67M89N012O > ~/.gnupg/sshcontrol

I have also added the following to my ~/.gnupg/gpg-agent.conf [4]:

default-cache-ttl 600
max-cache-ttl 7200
write-env-file ~/.gpg-agent-info

And edited my ~/.bashrc with:

gpg-connect-agent /bye
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

You can now:

$ source ~/.bashrc
$ ssh-add -l

This should list your new key.