These instructions will show you how to set up your YubiKey with OpenPGP.

Before you begin, decide whether you want to generate the private key on the YubiKey device, or generate the private key off the YubiKey and then move the subkeys to the YubiKey. For greater security, we recommend that you generate your private key off the device and store only the subkeys on it. We also recommend that you personalize the YubiKey by changing the PIN, setting the admin PIN, and so on, before you move the subkeys to the device.

Software tools referenced in these instructions can be found on our Downloads page. Need help identifying your YubiKey?


Setting Up Your YubiKey

Requirements:

  • YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey NEO, YubiKey NEO-n
  • If you are using an older version of the YubiKey NEO, you may also need to change the mode to enable CCID. The following instructions describe how to use the YubiKey NEO Manager (preferred) or the Yubico Personalization Tool (command line tool) to change the connection mode. Note that all YubiKey 4 devices and all YubiKey NEO devices are now shipped with CCID mode enabled by default.
  • A current version of GnuPG software installed (GnuPG v2 required to work with 4096 key sizes).

Note: If you are using a YubiKey 4 and want to work with 4096 key sizes, you need to use GnuPG v2. Substitute all of the following gpg commands with gpg2. For example, instead of using the command "gpg --card-edit" you would use the command "gpg2 --card-edit".

Preparing Your YubiKey NEO or YubiKey NEO-n:

  1. If you have a YubiKey NEO or YubiKey NEO-n, verify that the device has CCID enabled. To do this, open YubiKey NEO Manager.
  2. Click Change connection mode [OTP + U2F].
  3. Select the checkbox for CCID and click OK.
  4. Continue with the following instructions for all other YubiKeys.

Tip: You can also enable CCID mode using the Yubico Personalization Tool command "ykpersonalize -m86" to change modes for YubiKey 4 and YubiKey NEO devices sold after September 2014. For devices sold prior to September 2014, use "ykpersonalize -m82". If you use the command line to change modes, reboot the device by removing the YubiKey from your computer and then reinserting it in the USB port.

Instructions

Generating Your OpenPGP Key Directly on your YubiKey

  1. Insert the YubiKey into the USB port.
  2. Enter the GPG command:
    gpg --card-edit
  3. At the gpg/card> prompt, enter the command:
    admin
  4. Enter the command:
    generate
  5. When prompted, specify if you want to make an off-card backup of your encryption key.
  6. When prompted to enter the PIN, enter the default PIN (123456).
  7. Specify the keysize you want for the Signature Key (2048 or 4096).
  8. Enter the default admin PIN (12345678).
  9. Specify the keysize you want for the Encryption Key (2048 or 4096).
  10. Enter the default admin PIN again.
  11. Specify the keysize you want for the Authentication Key (2048 or 4096).
  12. Enter the default admin PIN again.
  13. Specify how long the key should be valid for (specify the number in days, weeks, months, or years).
  14. Confirm the expiration day.
  15. When prompted, enter your name.
  16. Enter your email address.
  17. If needed, enter a comment.
  18. Review the name and email, and accept or make changes.
  19. Enter the default admin PIN again. The green light on the YubiKey will flash while the keys are being written.
  20. When complete, a message appears and you are prompted to enter the PIN.

Generating the key on your local system

Before you generate the key on your local system, you will personalize the YubiKey, then generate the key(s).

To generate an OpenPGP key on your local system:

  1. Insert the YubiKey into the USB port.
  2. Enter the GPG command:
    gpg --gen-key
  3. When prompted to specify the key type, enter 1 (for “RSA and RSA (Default)”) and press Enter.
  4. Specify the size of key you want to generate. Do one of the following:
    • For a YubiKey NEO, enter 2048 and press Enter.
    • For a YubiKey 4 device, enter 4096 and press Enter.
  5. Specify the expiration date of the key, and press Enter. Verify the expiration date when prompted.
  6. Now you will enter your user information. Enter your Real Name and press Enter. Be sure to enter both your first and last name.
  7. Enter your Email Address and press Enter.
  8. If desired, enter a Comment about this key, and press Enter. (To leave the comment blank, just press Enter.)
  9. Review the information you entered, make any changes if necessary. If all information is correct, enter O (for Okay) and press Enter.
  10. A dialog box is displayed so you can enter the passphrase for your key. While the key is being generated, move your mouse around or type on the keyboard to gain enough entropy. When the key has been generated, you will see several messages displayed. Make a note of the key ID that is displayed in a message such as this:
    gpg: key 1234ABC marked as ultimately trusted
    The key ID is 1234ABC. You will need this key ID to perform other operations.

To add an authentication key:

  1. Insert the YubiKey into the USB port.
  2. Enter the GPG command:
    gpg --expert --edit-key 1234ABC
    (where 1234ABC is the key ID of your key)
  3. Enter the command:
    addkey
  4. Enter the passphrase for the key. Note that this is the passphrase, and not the PIN or admin PIN.
  5. You are prompted to specify the type of key. Enter 8 for RSA.
  6. To add an authentication key, enter A, and then Q if you are finished.
  7. Specify the key size.
  8. Specify the expiration of the authentication key (this should be the same expiration as the key).
  9. When prompted to save your changes, enter y (yes).

To add a signing key:

  • Repeat the previous steps, except in step 6 enter an S for a signing key.

To create a backup of your key:

  1. Insert the YubiKey into the USB port.
  2. Enter the GPG command:
    gpg --export-secret-key --armor 1234ABC
    (where 1234ABC is the key ID of your key)

To import the key on your YubiKey:

  1. Insert the YubiKey into the USB port.
  2. Enter the GPG command:
    gpg --edit-key 1234ABC
    (where 1234ABC is the key ID of your key)
  3. Enter the command:
    toggle
  4. Enter the command:
    keytocard
  5. When prompted if you really want to move your primary key, enter y (yes).
  6. When prompted where to store the key, select 1. This will move the signature subkey to the PGP signature slot of the YubiKey.
  7. Enter the command:
    key 1
  8. Enter the command:
    keytocard
  9. When prompted where to store the key, select 2. This will move the encryption subkey to the YubiKey.
  10. Enter the command:
    key 1
  11. Enter the command:
    keytocard
  12. When prompted where to store the key, select 3. This will move the authentication subkey to the YubiKey.
  13. Enter the command:
    quit
  14. When prompted to save your changes, enter y (yes). You have now saved your keyring to your YubiKey.
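After step 14 it is worth confirming that the secret material has actually left the local keyring, since a key that is still on disk gives you none of the YubiKey's protection. The script below is an added example, not part of the Yubico article: it parses the machine-readable output of `gpg --with-colons --list-secret-keys`, where field 15 of each sec/ssb record is the card serial number when the key lives on the card, "#" when only a stub without secret exists, and empty when the secret key is still stored on disk. The two sample keyrings, key IDs and the card serial are constructed values.

```shell
#!/bin/sh
# Print one line per secret key record: type, key ID, capabilities, location.
# Input is `gpg --with-colons --list-secret-keys` output on stdin.
secret_key_locations() {
  awk -F: '
    $1 == "sec" || $1 == "ssb" {
      loc = "on-disk"                       # field 15 empty (or "+"): secret on disk
      if ($15 == "#")                       loc = "stub"          # stub, no secret at all
      else if ($15 != "" && $15 != "+")     loc = "card:" $15     # serial number of the token
      printf "%s %s %s %s\n", $1, $5, $12, loc
    }'
}

# Succeed (exit 0) only when no sec/ssb record still has its secret on disk.
no_secrets_on_disk() {
  ! secret_key_locations | grep -q ' on-disk$'
}

# Constructed sample: keyring BEFORE keytocard (field 15 empty on every record).
BEFORE='sec:u:4096:1:0123456789ABCDEF:1500000000:1600000000::u:::scESC::::::23::0:
ssb:u:4096:1:FEDCBA9876543210:1500000000:1600000000:::::e::::::23::0:
ssb:u:4096:1:1122334455667788:1500000000:1600000000:::::a::::::23::0:'

# Constructed sample: keyring AFTER keytocard (field 15 carries a made-up card serial).
AFTER='sec:u:4096:1:0123456789ABCDEF:1500000000:1600000000::u:::scESC:::D2760001240102010006012345670000:::23::0:
ssb:u:4096:1:FEDCBA9876543210:1500000000:1600000000:::::e:::D2760001240102010006012345670000:::23::0:
ssb:u:4096:1:1122334455667788:1500000000:1600000000:::::a:::D2760001240102010006012345670000:::23::0:'

# Show both states side by side.
echo "before keytocard:"; printf '%s\n' "$BEFORE" | secret_key_locations
echo "after keytocard:";  printf '%s\n' "$AFTER"  | secret_key_locations

# Real use, with GnuPG installed and the YubiKey inserted:
#   gpg --with-colons --list-secret-keys | no_secrets_on_disk && echo "all secrets on card"
```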
