These instructions will show you how to reset your OpenPGP applet on a YubiKey device.

Software tools referenced in these instructions can be found on our Downloads page. Need help Identifying Your YubiKey?


Setting Up Your YubiKey

Requirements:

  • YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey NEO, YubiKey NEO-n
  • A current version of GnuPG software installed (GnuPG v2 is required to work with 4096-bit key sizes).

Note: If you are using a YubiKey 4 and want to work with 4096-bit key sizes, you need to use GnuPG v2. Substitute gpg2 for gpg in all of the following commands. For example, instead of using the command “gpg --card-edit” you would use the command “gpg2 --card-edit”.

Instructions

Resetting the OpenPGP Applet

  1. Insert the YubiKey into the USB port.
  2. To check the PIN/Admin PIN reset status, enter the GPG command:
    gpg --card-status
  3. If “gpg --card-status” fails, terminate the gpg-agent and gpg-connect-agent processes and then try again, or reboot.
  4. Enter the GPG command:
    gpg-connect-agent --hex
  5. If the PIN retry counter is greater than 0, enter the command:
    scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
  6. Repeat the above command until one of the following occurs:
    • YubiKey 4 device reports “D[0000]  69 83”
    • YubiKey NEO device reports “D[0000]  63 C0”
  7. If the Admin PIN retry counter is greater than 0, enter the GPG command:
    scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
  8. Repeat the above command until one of the following occurs:
    • YubiKey 4 device reports “D[0000]  63 C0”
    • YubiKey NEO device reports “D[0000]  63 C0”
  9. To terminate the card, run the GPG command:
    scd apdu 00 e6 00 00
    You should see “D[0000]  90 00” (if already terminated, you should receive “D[0000]  69 85”).
  10. To reactivate the card, run the GPG command:
    scd apdu 00 44 00 00
    You should see “D[0000]  90 00” (if card hasn’t been terminated, you should receive “D[0000]  69 85”).
  11. Close or exit the command prompt or terminal window, and then remove and re-insert the YubiKey device.
  12. Terminate the gpg-agent and gpg-connect-agent processes (or restart), then run the GPG command:
    gpg --card-status
    Confirm the PIN Retry counter is as follows:

    • “3  0  3” on a YubiKey 4 device
    • “3  3  3” on a YubiKey NEO device
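
The following Python helper is an added example, not part of the original instructions. It decodes the gpg-connect-agent replies quoted in the steps above and reports when the repeat-until conditions of steps 6 and 8 are met. The function names and sample inputs are constructed; reading the three retry counters as user PIN, reset code and admin PIN, and the status words per ISO 7816-4, is supplied here rather than stated on the page.

```python
import re

# ISO 7816-4 status words that appear in the steps above.
SW_MEANING = {
    (0x90, 0x00): "success",
    (0x69, 0x83): "authentication method blocked",
    (0x69, 0x85): "conditions of use not satisfied",
}

def parse_status_word(line):
    """Return (SW1, SW2) from a reply such as 'D[0000]  63 C0', else None."""
    m = re.match(r"\s*D\[[0-9A-Fa-f]{4}\]\s+([0-9A-Fa-f]{2}(?: [0-9A-Fa-f]{2})*)", line)
    if not m:
        return None
    data = bytes.fromhex(m.group(1))
    return (data[-2], data[-1]) if len(data) >= 2 else None

def describe(sw):
    """Human-readable meaning; 63 Cx encodes x remaining retries."""
    if sw[0] == 0x63 and (sw[1] & 0xF0) == 0xC0:
        return "verification failed, %d retries left" % (sw[1] & 0x0F)
    return SW_MEANING.get(sw, "unrecognized status word")

def pin_blocked(sw):
    """Stop condition for steps 6 and 8: no retries left, or PIN blocked."""
    return sw in ((0x63, 0xC0), (0x69, 0x83))

def retry_counters(card_status):
    """Return (user PIN, reset code, admin PIN) retries from gpg --card-status."""
    m = re.search(r"^PIN retry counter\s*:\s*(\d+)\s+(\d+)\s+(\d+)", card_status, re.M)
    return tuple(map(int, m.groups())) if m else None

def next_step(counters):
    user, _reset, admin = counters
    if user > 0:
        return "step 5: scd apdu 00 20 00 81 ..."
    if admin > 0:
        return "step 7: scd apdu 00 20 00 83 ..."
    return "step 9: scd apdu 00 e6 00 00"

# Constructed sample inputs, not captured from a real device.
SAMPLE_STATUS = "Version ..........: 2.1\nPIN retry counter : 3 0 3\n"
SAMPLE_REPLIES = ["D[0000]  63 C2", "D[0000]  63 C1", "D[0000]  63 C0"]

if __name__ == "__main__":
    print(next_step(retry_counters(SAMPLE_STATUS)))
    for line in SAMPLE_REPLIES:
        sw = parse_status_word(line)
        print(line, "->", describe(sw), "| blocked:", pin_blocked(sw))
```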