YubiBlog
Yubico news and comments on strong two-factor authentication and secure online identity
YubiKey NEO and OpenPGP
December 18, 2012 | Yubico Team | 13 Comments
In this post we will take you through the steps to enable the YubiKey NEO App: OpenPGP on a production YubiKey NEO. We ship the YubiKey NEO with the YubiKey functionality enabled but the NEO Apps disabled. Currently we are shipping the YubiKey NEO with an OpenPGP app. To enable it you will need the YubiKey command line personalization tool, ykpersonalize. If you are not familiar with using command line tools, this app is probably not for you. ykpersonalize is available for download from Yubico.
Once you have installed ykpersonalize, insert your YubiKey NEO and check the firmware version with the ykinfo -v command; it shows version: 3.0.1 for our YubiKey NEO. To enable your YubiKey NEO's smart card interface (CCID), enter the command ykpersonalize -m82:

The -m option sets the USB mode. To see the available modes, enter ykpersonalize --help. Mode 82 (in hex) configures the YubiKey NEO as a composite USB device (HID + CCID) and allows OTPs to be emitted while it is in use as a smart card. Once you have changed the mode you need to re-boot the YubiKey, so remove and re-insert it.
Now that our NEO App: OpenPGP is visible, we can use the gpg program to set up the new smart card: run gpg --card-edit and then enter the admin command to enable admin commands. The command to create a new set of public/private key pairs is generate. You should see something like:

Note the default PINs, as you will need to enter them into the pop-ups, e.g.:

Once you enter the Admin and User PINs, gpg will ask you for various settings. Once you select Okay, the YubiKey NEO will work for between 1 and 3 minutes to generate the 3 key pairs. It took our YubiKey NEO 1 minute 40 seconds. WARNING: You cannot back up the secret keys, so if you lose the YubiKey NEO, generate another key pair on it, or otherwise lose the key pair, there is no way to retrieve it! When you encrypt a file, make sure you have a plain text backup. It is sensible to back up the public key; we often use the Export Certificates to Server function in Kleopatra to do this. You cannot extract the public key from the YubiKey NEO. This is our screen:
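The set-up above as a guarded shell wrapper. This is an added example, not Yubico's own tooling: it checks the ykinfo -v version line, applies mode 82, and refuses to run generate on a card that already holds keys, since those keys cannot be backed up. The -y flag of ykpersonalize (skip the confirmation prompt) and the key-slot labels of gpg --card-status are assumed from the tools' documented output; the sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. The checks parse text in the
# format of `ykinfo -v` and `gpg --card-status`; the samples at the bottom are
# constructed so everything below runs with no YubiKey attached.

# Accept a "version: X.Y.Z" line from `ykinfo -v` if it is at least 3.0.1,
# the firmware the post reports for a production NEO.
ykinfo_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^version: *\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    num=$(printf '%s' "$ver" | awk -F. '{ printf "%d%03d%03d", $1, $2, $3 }')
    [ "$num" -ge 3000001 ]
}

# Count the key slots that `gpg --card-status` reports as populated. 0 means
# the card is blank and `generate` is safe; anything else means `generate`
# would replace keys that, as the post warns, cannot be backed up or recovered.
card_keys_present() {
    printf '%s\n' "$1" | awk '
        /^(Signature key|Encryption key|Authentication key)/ && !/\[none\]/ { n++ }
        END { print n + 0 }'
}

# Step 1 (before re-inserting the NEO): composite HID + CCID mode, hex 82.
neo_set_ccid_mode() {
    ykinfo_version_ok "$(ykinfo -v)" || { echo "unexpected ykinfo output" >&2; return 1; }
    ykpersonalize -m82 -y && echo "remove and re-insert the YubiKey NEO"
}

# Step 2 (after re-inserting): refuse to generate over existing keys, then hand
# over to the interactive gpg session (admin, generate) from the post. Afterwards
# keep the public key off the card: gpg --armor --export KEYID > neo-pub.asc
neo_generate_keys() {
    status=$(gpg --card-status) || return 1
    [ "$(card_keys_present "$status")" -eq 0 ] || { echo "card already holds keys; refusing to overwrite" >&2; return 1; }
    gpg --card-edit
}

# Constructed samples in the format of the real tools' output (fingerprints are made up).
SAMPLE_YKINFO='version: 3.0.1'
SAMPLE_BLANK_CARD='Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]'
SAMPLE_USED_CARD='Signature key ....: 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
Encryption key....: 89AB CDEF 0123 4567 89AB  CDEF 0123 4567 89AB CDEF
Authentication key: [none]'

# Stand-alone demo on the samples (no hardware needed).
ykinfo_version_ok "$SAMPLE_YKINFO" && echo "ykinfo version acceptable"
echo "populated key slots, blank card: $(card_keys_present "$SAMPLE_BLANK_CARD")"
echo "populated key slots, used card:  $(card_keys_present "$SAMPLE_USED_CARD")"
```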

The public keys and private key stubs are automatically loaded into the gpg database. We are running Kleopatra, so before completing, Kleopatra showed our soft keys:

And afterwards Kleopatra shows the YubiKey NEO with the SmartCard icon:

With details:

We can now select the YubiKey NEO to sign and encrypt files, e.g.:

The source code for the YubiKey NEO OpenPGP app is available at https://github.com/Yubico/ykneo-openpgp.

‘Lose’ is spelled with one ‘o’, not ‘loose’.
Thanks Bob!
This looks great!
Two questions:
1) Is this compatible with a PKCS#11 library?
2) How many certificates/key pairs can be stored on the device?
Really looking forward to see what Yubico can do with the smartcard side of authentication!
In regards to the PKCS#11 library…
Would something like Scute do the trick?
http://www.scute.org
Hi Matt,
The first release of the OpenPGP app supports one instance of a GPG identity consisting of 3 subkeys. This version does not support the PKCS11 Library. Scute is a pkcs11 module for NSS, it might work with the YubiKey NEO but it has not been tested by Yubico.
Ok, thanks for the info.
I understand Yubikey firmware is not user upgradable.
Does that also mean that the “Apps” portion of the device is also not upgradable?
When a new version of the OpenPGP app is released (or other NEO apps become available) – will the user be able to install/update? Or are you stuck with whatever version/type of app that came with the device?
Hello Matt!
The YubiKey NEO will not have specific apps tied to specific hardware/firmware versions. Everyone who already purchased a YubiKey NEO production version will not be locked out of future apps. More details will be released with the next apps.
-David Maples
Yubico Technical Support
Hi,
This really looks interesting!
I would also like to know if there is a PKCS11 interface available?
Also is it possible to import keys that have been generated outside the NEO (I know this is not as secure as having the keys generated by the onboard chip but it would be useful for older keys that I still need).
Thanks,
/E
Hi Erik,
This version does not support the PKCS11 Library, and it’s not possible to import keys, only generate on chip.
Hello Yubico Guys,
In regards to that “it is not possible” to import keys comment: Is that going to change in future versions, because off-card master keys with subkeys on card is basically a standard today. I would never use on-card generated keys personally.
Is there even a possibility for you guys to change that in future versions? Meaning, is it TECHNICALLY possible and just not supported at the moment, or is the missing ability to import a technical limitation?
Hello Sebastian,
It is possible to add support for the PKCS11 library and importing keys, it just has not yet been developed for the NEO.
The YubiKey NEO apps code is available at https://github.com/Yubico/ykneo-openpgp and we welcome patches!
Ok
I’ll dig in. I’ll send you the request for patch when I’m done.
OpenSC provides a multi platform PKCS11 library, and does support an openPGP Applet, (the older jopenpgpcard project applet). More information here: https://www.opensc-project.org/opensc/wiki/OpenPGP