This allows you to use the GPG private key on your yubikey (or any OpenPGP security card) on a new workstation. Note that the secret key will continue to live on the card – just as we typically desire.
Since we’re using the gpg tool directly, this should work on Windows, macOS and linux.
1. Plug in your YubiKey
Plug in the YubiKey or OpenPGP card and then run
gpg --card-statusYou should see the card recognized and you should see information about your card-stored keys. This is needed for gpg to ‘see’ your card-keys.
2. Import your public key
Have your public key in a file and import it. For example:
gpg --armor --import /path/to/yourpublickeyThat’s it! During import, gpg automatically sees that the imported public key is for the private key on the card and you’re all set. You can verify this as follow:
$ gpg --list-secret-keys
----------------------------------------------
sec> rsa4096 2016-03-18 [SC]
1111111111111111111111111111111111111111
Card serial no. = 1111 11111111 <== SECRET KEY ON CARD !
uid [ultimate] Sid Shetye <[email protected]>
uid [ultimate] Sid Shetye <[email protected]>
ssb> rsa4096 2016-03-18 [E]3. Trust your own key
gpg --edit-key "Sid Shetye"then
trustthen
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) ythen
quitFinally, to verify that it’s trusted as follows
PS C:\Users\sid> gpg -K
C:/Users/sid/AppData/Roaming/gnupg/pubring.kbx
----------------------------------------------
sec> rsa4096 2016-03-18 [SCA]
B93C88D65A5F53F7C64FD0ACE40417A78068C109
Card serial no. = 0006 11467785
uid [ultimate] Sid Shetye <[email protected]>
uid [ultimate] Sid Shetye <[email protected]>
ssb> rsa4096 2016-03-18 [E]The [ultimate] seen in the output confirms this.