Andrew Jorgensen
It's better than bad, it's good!

False Steps with OpenPGP on YubiKey

I recently started using a GPG key on my YubiKey 5 NFC as my SSH key for personal stuff. I generated the key on a PC so that I'd be able to restore it to another YubiKey some day, but I regularly use my older YubiKey NEO as well and I hadn't bothered to restore the key to it. When I finally tried, it didn't go well. I worked it out, so: blog post.

Something on the NEO was configured wrong. I'd experimented with other smartcard certificates on it, hoping to get to where I could use SSH with generic smartcard support instead of a gpg-agent pretending to be an ssh-agent. I must have messed something up along the way.

Resetting the OpenPGP Applet

This is supposed to be as easy as ykman openpgp reset (from YubiKey Manager), and it probably is if you have a build of YubiKey Manager that supports command-line usage. The AppImage build for Linux does not: even if you strip its DISPLAY variable it just errors out because it can't find a display. I ended up using Windows to run ykman.exe openpgp reset instead, though I worked out later that I could have installed the yubikey-manager package on my Fedora system. Be aware that the reset wipes all three OpenPGP key slots on the key and puts the user and admin PINs back to their factory defaults, so anything that was on the applet is gone.

Along the way I hit other speed bumps. I thought I needed to reset it another way because ykman wasn't going to work, and that I needed the older ykpers tools for that, but smartcard configuration hadn't been the only thing I'd messed with. Everyone who uses a YubiKey has been embarrassed by typing the OTP into a chat window; I don't use the OTP feature, so I disable it on my personal keys. But the older YubiKey tools won't talk to the NEO unless OTP is enabled, so I turned that back on using YubiKey Manager. Once it was on, tools like ykinfo would talk to the key again, but GPG couldn't talk to it anymore. This turned out to be a distraction anyway.

ykman openpgp reset

Restoring the Key

Obviously, if you didn't export a backup of the private key before moving it to the card, you're out of luck: private keys on the YubiKey can't be exported. Your backup should be encrypted with a passphrase, so hopefully you kept that passphrase somewhere safe as well.

First you've got to add the private key to your GPG keyring.

gpg --import <backup>.asc

At this point you can follow the instructions at developers.yubico.com to move the key onto the YubiKey (keytocard inside gpg --edit-key, once per subkey). This is where I had run into trouble when I tried before resetting. One thing to keep in mind for next time: keytocard replaces the secret key in your local keyring with a stub pointing at the card, so to load the same key onto a second YubiKey later you have to delete that stub and import the backup again first.
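The whole restore as a shell script, added here as an example rather than anything from this post or from Yubico. It assumes a ykman new enough to accept ykman openpgp reset -f and a gpg 2.x that understands --with-colons; the backup file name and key ID are placeholders you supply on the command line. The keytocard part stays interactive, as in Yubico's instructions. The last function is the check I wanted after the fact: it compares the fingerprints gpg --card-status reports with the secret-key records in the keyring and confirms each record points at this card (field 15 of a sec/ssb colon record carries the token serial; a # there means a stub with no card behind it).

```shell
#!/bin/sh
# Added example, not the post's own code. Assumes ykman >= 4 (for `reset -f`)
# and gpg 2.x `--with-colons` output; backup path and key ID are placeholders.
set -eu

# Step 1: wipe the OpenPGP applet. All three key slots are cleared and the
# user/admin PINs go back to their factory defaults.
reset_openpgp_applet() {
    ykman openpgp reset -f
}

# Step 2: put the backed-up secret key back in the local keyring.
# gpg will prompt for the passphrase the backup was exported with.
import_backup() {
    gpg --import "$1"
}

# Step 3 is interactive: inside `gpg --edit-key <KEYID>` select each subkey
# with `key N`, run `keytocard`, pick the slot (1 signature, 2 encryption,
# 3 authentication), enter the key passphrase and the card's admin PIN, then
# `save`. keytocard leaves only a stub in the keyring, so to load the same
# key onto a second YubiKey later, delete the stub and import the backup again.
move_key_to_card() {
    gpg --edit-key "$1"
}

# Step 4: verify. Arguments are the text of `gpg --with-colons --card-status`
# and of `gpg --with-colons --list-secret-keys`. Returns 0 when every
# fingerprint on the card appears in the keyring and the matching sec/ssb
# record names this card (field 15 is the token serial; `#` means a stub
# with no card). Pure text processing, so it can be run on saved output.
verify_restore() {
    card_out=$1
    ring_out=$2
    # `serial:12345678:` is the card's serial; `fpr:sig:enc:auth:` its slots.
    card_sn=$(printf '%s\n' "$card_out" | awk -F: '$1=="serial"{print $2; exit}')
    card_fprs=$(printf '%s\n' "$card_out" \
        | awk -F: '$1=="fpr"{for(i=2;i<=4;i++) if($i!="") print $i}')
    [ -n "$card_sn" ] && [ -n "$card_fprs" ] || return 1
    for fpr in $card_fprs; do
        # An `fpr` record belongs to the sec/ssb record just before it.
        printf '%s\n' "$ring_out" | awk -F: -v fpr="$fpr" -v sn="$card_sn" '
            $1=="sec" || $1=="ssb" { tok=$15 }
            $1=="fpr" && $10==fpr && tok!="#" && index(tok, sn)>0 { ok=1 }
            END { exit ok ? 0 : 1 }' || return 1
    done
    return 0
}

verify_restore_live() {
    verify_restore "$(gpg --with-colons --card-status)" \
                   "$(gpg --with-colons --list-secret-keys)"
}

# Usage: ./restore.sh run backup.asc KEYID
# Without the `run` argument only the functions are defined, so the hardware
# steps never fire by accident.
if [ "${1:-}" = "run" ]; then
    reset_openpgp_applet
    import_backup "$2"
    move_key_to_card "$3"
    verify_restore_live && echo "card matches keyring"
fi
```

If verify_restore fails right after keytocard, the usual causes are a subkey that was never moved (its fpr record is missing or its sec/ssb record still shows a plain stub) or a keyring that was imported from the backup after the move, so gpg no longer knows the key lives on the card.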