The Yubikey is a small USB device that can be used as a simple HSM with GPG. Beyond this, it can also be used as a generator for OTPs etc.

Basic Usage as HSM


To check whether the device is detected, use gpg --card-status

The result should look something like this:

Reader ...........: xxxx:xxxx:X:0
Application ID ...: Dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: xxxxxxxx
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

Interactive Use via GPG

Then enter interactive mode to configure the card with gpg --card-edit. Type admin to activate the admin commands; ? will show the available commands.

quit           quit this menu
admin          show admin commands
help           show this help
list           list all available data
name           change card holder's name
url            change URL to retrieve key
fetch          fetch the key specified in the card URL
login          change the login name
lang           change the language preferences
sex            change card holder's sex
cafpr          change a CA fingerprint
forcesig       toggle the signature force PIN flag
generate       generate new keys
passwd         menu to change or unblock the PIN
verify         verify the PIN and list all data
unblock        unblock the PIN using a Reset Code
factory-reset  destroy all keys and data

Signing a File

The command gpg --sign -u **keyID** **filename** can be used to create a signature for a file.

gpg --sign -u 793D4D2929B2CEC7 test.txt

This will create a file called test.txt.gpg, which contains the content of test.txt together with the signature.

Change PIN

To set a PIN, use the passwd command:

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 

The default PINs should be as follows:

Please note that the factory settings of the PINs are
   PIN = '123456'     Admin PIN = '12345678'

You will have to set both a user and an admin PIN.

Generating Keys

The generate command can be used to generate keys.

gpg/card> generate
Make off-card backup of encryption key? (Y/n) n

Please note that the factory settings of the PINs are
   PIN = '123456'     Admin PIN = '12345678'
You should change them using the command --change-pin

What keysize do you want for the Signature key? (2048) 
What keysize do you want for the Encryption key? (2048) 
What keysize do you want for the Authentication key? (2048) 
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at So 07 Apr 2019 11:14:33 CEST
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <>"

Real name: Tester
E-mail address: tester@nope.nope
Comment: Only for testing
You selected this USER-ID:
    "Tester (Only for testing) <tester@nope.nope>"

Change (N)ame, (C)omment, (E)-mail or (O)kay/(Q)uit? O
gpg: key 793D4D2929B2CEC7 marked as ultimately trusted
gpg: revocation certificate stored as '/home/Tester/.gnupg/openpgp-revocs.d/72CEC465A553A414A2C4B760793D4D2929B2CEC7.rev'
public and secret key created and signed.

Listing Keys

The list command will show all keys.

Signature key ....: 72CE C465 A553 A414 A2C4  B760 793D 4D29 29B2 CEC7
      created ....: 2017-04-07 09:15:37
Encryption key....: 3D51 6E23 CFE5 45FB B7C6  EAD2 4D63 9B15 8768 F01B
      created ....: 2017-04-07 09:15:37
Authentication key: 2768 B94E F631 B636 806F  B98C C511 AD6A 09C2 6A66
      created ....: 2017-04-07 09:15:37
General key info..: pub  rsa2048/793D4D2929B2CEC7 2017-04-07 Tester (Only for testing) <tester@nope.nope>
sec>  rsa2048/793D4D2929B2CEC7  created: 2017-04-07  expires: 2019-04-07
                                card-no: 0006 05029630
ssb>  rsa2048/C511AD6A09C26A66  created: 2017-04-07  expires: 2019-04-07
                                card-no: 0006 05029630
ssb>  rsa2048/4D639B158768F01B  created: 2017-04-07  expires: 2019-04-07
                                card-no: 0006 05029630
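
The fields printed by gpg --card-status can be checked automatically once the card is set up. The following is an added example, not part of the original page: a shell function (the name card_audit and both sample inputs are constructed for illustration, using the output shown above) that reads card-status text on stdin and reports empty key slots, blocked PINs, a missing Reset Code and an unforced signature PIN.

```sh
#!/bin/sh
# Added example: audit `gpg --card-status` text read from stdin.
# Prints one finding per line; exit status is 1 if any WARN was printed.
card_audit() {
    awk -F': *' '
        function warn(msg) { print "WARN " msg; bad = 1 }
        # key = field name with the dot/space padding removed
        { key = $1; sub(/[ .]+$/, "", key); val = $2 }
        key == "Signature PIN" && val != "forced" {
            print "INFO signature PIN not forced (toggle with forcesig)" }
        key == "PIN retry counter" {
            split(val, c, " ")   # order: user PIN, Reset Code, admin PIN
            if (c[1] == 0) warn("user PIN blocked")
            if (c[2] == 0) print "INFO Reset Code not set or blocked"
            if (c[3] == 0) warn("admin PIN blocked")
        }
        key ~ /^(Signature|Encryption|Authentication) key$/ && val == "[none]" {
            warn("empty slot: " key) }
        END { exit bad + 0 }
    '
}

# Constructed sample: the relevant fields of a card with no keys yet.
sample_fresh() {
    cat <<'EOF'
Signature PIN ....: not forced
PIN retry counter : 3 0 3
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
EOF
}

# Constructed sample: keys generated, forcesig enabled, Reset Code set.
sample_provisioned() {
    cat <<'EOF'
Signature PIN ....: forced
PIN retry counter : 3 3 3
Signature key ....: 72CE C465 A553 A414 A2C4  B760 793D 4D29 29B2 CEC7
      created ....: 2017-04-07 09:15:37
Encryption key....: 3D51 6E23 CFE5 45FB B7C6  EAD2 4D63 9B15 8768 F01B
Authentication key: 2768 B94E F631 B636 806F  B98C C511 AD6A 09C2 6A66
EOF
}

# Demo on the constructed "fresh card" sample.
sample_fresh | card_audit || echo "-> card is not fully provisioned"
```

Against a real device the function is used as gpg --card-status | card_audit. The output cannot show whether the factory PINs are still in place, so changing them with passwd remains a manual step.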