
Importing GPG Key pairs with OpenPGP Cards

Posted on March 12, 2020 (updated March 24, 2020) by Sid

This post shows how to use the GPG private key held on your YubiKey (or any OpenPGP security card) from a new workstation. Note that the secret key continues to live on the card and is never copied to the workstation, which is exactly what we typically want.

Since we're using the gpg tool directly, this should work on Windows, macOS and Linux.

1. Plug in your YubiKey

Plug in the YubiKey or OpenPGP card and then run

gpg --card-status

You should see the card recognized, along with information about the keys stored on it. This step also writes stub entries for the card-held keys into your keyring, which is how gpg 'sees' your card keys.

2. Import your public key

Have your public key in a file and import it. For example:

gpg --armor --import /path/to/yourpublickey

That's it! During import, gpg automatically matches the imported public key to the card stubs from step 1, and you're all set. You can verify this as follows (the > after sec and ssb marks secret keys whose private material is on the card):

$ gpg --list-secret-keys

----------------------------------------------
sec>  rsa4096 2016-03-18 [SC]
      1111111111111111111111111111111111111111
      Card serial no. = 1111 11111111  <== SECRET KEY ON CARD !
uid           [ultimate] Sid Shetye <sid@example.com>
uid           [ultimate] Sid Shetye <sid2@example.com>
ssb>  rsa4096 2016-03-18 [E]

3. Trust your own key

gpg --edit-key "Sid Shetye"

then

trust

then

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

then

quit

Finally, verify that it's trusted as follows:

PS C:\Users\sid> gpg -K
C:/Users/sid/AppData/Roaming/gnupg/pubring.kbx
----------------------------------------------
sec>  rsa4096 2016-03-18 [SCA]
      B93C88D65A5F53F7C64FD0ACE40417A78068C109
      Card serial no. = 0006 11467785
uid           [ultimate] Sid Shetye <sid@crypteron.com>
uid           [ultimate] Sid Shetye <sid314@outlook.com>
ssb>  rsa4096 2016-03-18 [E]

The [ultimate] seen in the output confirms this.
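The three steps above as one script, added here as an example; these are not the post's own commands. It replaces the interactive trust menu with gpg --import-ownertrust, where the value 6 is what the menu calls "ultimate", and it assumes GnuPG 2.2 or later for --show-keys. The two listings embedded at the bottom are constructed from the output shown above so the small parsing helpers can be exercised without a card plugged in. Run it as sh setup-card-key.sh /path/to/yourpublickey; with no argument it only defines the helpers.

```sh
#!/bin/sh
# Added example: the post's three steps as one non-interactive script.
# Not the post's own commands. Assumes GnuPG 2.2+ (for --show-keys) and one
# OpenPGP card holding the private half of the public key file given.
set -eu

# --- Parsers for the human-readable listing that "gpg -K" prints -------------
# The '>' after "sec"/"ssb" marks a stub whose private material is on a card.
key_is_on_card() {
    printf '%s\n' "$1" | grep -q '^sec>'
}

# Card serial exactly as gpg prints it ("vendor serial"); empty when absent.
card_serial_in() {
    printf '%s\n' "$1" | sed -n 's/^ *Card serial no\. = \([^ ]* [^ ]*\).*/\1/p' | head -n 1
}

# True when at least one uid line carries [ultimate] validity.
key_is_ultimately_trusted() {
    printf '%s\n' "$1" | grep -q '^uid.*\[ultimate\]'
}

# --- gpg-driving helpers -----------------------------------------------------
# Primary fingerprint of the first key inside a public key file (armored or not).
fingerprint_in_file() {
    gpg --batch --with-colons --show-keys "$1" | awk -F: '/^fpr:/ { print $10; exit }'
}

# Same effect as "gpg --edit-key ... trust ... 5": ownertrust 6 is "ultimate".
set_ultimate_trust() {
    printf '%s:6:\n' "$1" | gpg --batch --import-ownertrust
    gpg --batch --check-trustdb >/dev/null 2>&1    # recompute validity right away
}

# Steps 1-3 end to end, then verify the result the way the post does.
setup_card_key() {
    pubkey_file=$1
    gpg --batch --card-status >/dev/null           # step 1: writes card stubs
    gpg --batch --import "$pubkey_file"            # step 2: public key joins the stubs
    fpr=$(fingerprint_in_file "$pubkey_file")
    set_ultimate_trust "$fpr"                      # step 3
    listing=$(gpg -K "$fpr")
    key_is_on_card "$listing" || { echo "no card-backed secret key for $fpr" >&2; return 1; }
    key_is_ultimately_trusted "$listing" || { echo "ownertrust is not ultimate" >&2; return 1; }
    echo "card $(card_serial_in "$listing") holds $fpr; trust is ultimate"
}

# --- Constructed listings (modelled on the post's output) for offline checks --
# Card-backed key right after step 2, before trust has been set.
SAMPLE_BEFORE_TRUST='sec>  rsa4096 2016-03-18 [SC]
      1111111111111111111111111111111111111111
      Card serial no. = 1111 11111111
uid           [ unknown] Sid Shetye <sid@example.com>
ssb>  rsa4096 2016-03-18 [E]'

# Trusted key whose secret material lives on disk (plain "sec", no card serial).
SAMPLE_ON_DISK='sec   rsa4096 2016-03-18 [SC]
      1111111111111111111111111111111111111111
uid           [ultimate] Sid Shetye <sid@example.com>
ssb   rsa4096 2016-03-18 [E]'

if [ $# -gt 0 ]; then
    setup_card_key "$1"
fi
```

The parsers work on the same human-readable listing the post shows, so a failed final check tells you precisely which step did not take: no sec> line means the card stubs are missing (step 1 was skipped or the card was not detected), while a missing [ultimate] means the ownertrust import did not apply to that fingerprint.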
