
Prepare the yubikey

You need to decide on a user PIN and an admin PIN. You need the user PIN often and the admin PIN only rarely. Put both in your password manager. Exported into the shell like below, they also end up in your shell history and environment, so unset them when you are done.

export USER_PIN="your pin"
export ADMIN_PIN="your pin"

# change the admin PIN (menu item 3); the factory default admin PIN is 12345678
gpg --command-fd=0 --pinentry-mode=loopback --change-pin <<EOF
3
12345678
$ADMIN_PIN
$ADMIN_PIN
q
EOF

# change the user PIN (menu item 1); the factory default user PIN is 123456
gpg --command-fd=0 --pinentry-mode=loopback --change-pin <<EOF
1
123456
$USER_PIN
$USER_PIN
q
EOF

From now on you have three attempts whenever you are asked for a PIN. Three wrong user PINs and you are asked for the admin PIN instead. Three wrong admin PINs and the OpenPGP data on the card (your key!) is erased.

You can change the number of attempts using ykman, e.g. to 5 each (user PIN, reset code, admin PIN):

# retry counters in the order: user PIN, reset code, admin PIN
ykman openpgp access set-retries 5 5 5 -f -a $ADMIN_PIN

The keys and such

This assumes you already have your certify (primary) key and only need fresh subkeys for the YubiKey.

Generate the subkeys, one each for signing, encryption and authentication:

export KEYFP="your key fingerprint"
export PASSPHRASE="your passphrase"
export EXPIRATION=2029-12-01
# algorithm for the subkeys; pick one your YubiKey supports (rsa4096 is accepted for all three usages)
export KEY_TYPE="rsa4096"

echo "$PASSPHRASE" | \
	gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \
		--quick-add-key "$KEYFP" "$KEY_TYPE" sign "$EXPIRATION"

echo "$PASSPHRASE" | \
	gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \
		--quick-add-key "$KEYFP" "$KEY_TYPE" encrypt "$EXPIRATION"

echo "$PASSPHRASE" | \
	gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \
		--quick-add-key "$KEYFP" "$KEY_TYPE" auth "$EXPIRATION"

Export the subkeys (and back up the whole secret key) before moving anything to the card, because keytocard leaves only stubs behind:

# full secret key (certify key plus subkeys); keep this offline
echo "$PASSPHRASE" | \
	gpg --output $KEYFP-Certify.key \
		--batch --pinentry-mode=loopback --passphrase-fd 0 \
		--armor --export-secret-keys $KEYFP

# secret subkeys only
echo "$PASSPHRASE" | \
	gpg --output $KEYFP-Subkeys.key \
		--batch --pinentry-mode=loopback --passphrase-fd 0 \
		--armor --export-secret-subkeys $KEYFP

# public key, to a dated file and to stdout
gpg --output $KEYFP-$(date +%F).asc \
	--armor --export $KEYFP

gpg --armor --export $KEYFP

Now transfer the keys to the YubiKey. "key N" selects the N-th subkey, the number after keytocard picks the card slot (1 = signature, 2 = encryption, 3 = authentication), and after save the local secret subkey is replaced by a stub that points at the card:

gpg --command-fd=0 --pinentry-mode=loopback --edit-key $KEYFP <<EOF
key 1
keytocard
1
$PASSPHRASE
$ADMIN_PIN
save
EOF

gpg --command-fd=0 --pinentry-mode=loopback --edit-key $KEYFP <<EOF
key 2
keytocard
2
$PASSPHRASE
$ADMIN_PIN
save
EOF

gpg --command-fd=0 --pinentry-mode=loopback --edit-key $KEYFP <<EOF
key 3
keytocard
3
$PASSPHRASE
$ADMIN_PIN
save
EOF
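Once the three keytocard runs are done, it is worth checking that the card actually holds the subkeys the keyring expects and that the retry counters are what you set earlier. The script below is an added example, not part of the original post: its functions parse the --with-colons output of gpg --card-status and gpg --list-secret-keys read from stdin, so they run here on constructed sample output (all fingerprints, key IDs and the card serial are made up) and on live output piped in from gpg.

```shell
#!/bin/sh
# Added example, not from the original post. Live usage:
#   gpg --card-status --with-colons | card_slot_fprs
#   gpg --card-status --with-colons | card_pin_retries
#   check_card_matches_keyring "$(gpg --card-status --with-colons)" \
#                              "$(gpg --list-secret-keys --with-colons)"

# Fingerprints of the signature, encryption and authentication slots from
# `gpg --card-status --with-colons`: the "fpr" record carries them in fields
# 2, 3 and 4. Printed as "sig:FPR", "enc:FPR", "auth:FPR"; an empty slot has
# nothing after the colon.
card_slot_fprs() {
    awk -F: '$1 == "fpr" { print "sig:" $2; print "enc:" $3; print "auth:" $4 }'
}

# Remaining retries from the "pinretry" record (user PIN, reset code, admin
# PIN), printed as "USER ADMIN".
card_pin_retries() {
    awk -F: '$1 == "pinretry" { print $2, $4 }'
}

# Fingerprints of secret subkeys that `gpg --list-secret-keys --with-colons`
# reports as stored on a token: an "ssb" record whose field 15 holds the card
# serial number, followed by the "fpr" record with the fingerprint in field 10.
# A "#" in field 15 means the secret part is missing entirely, so it is skipped.
keyring_subkeys_on_card() {
    awk -F: '
        $1 == "ssb" { on_card = ($15 != "" && $15 != "#"); next }
        $1 == "fpr" { if (on_card) print $10; on_card = 0; next }
        { on_card = 0 }
    '
}

# Succeeds only when every slot is filled and each slot fingerprint is one of
# the on-card subkeys in the keyring; otherwise reports each problem and fails.
# $1: card-status output, $2: list-secret-keys output.
check_card_matches_keyring() {
    expected=$(printf '%s\n' "$2" | keyring_subkeys_on_card)
    status=0
    for entry in $(printf '%s\n' "$1" | card_slot_fprs); do
        slot=${entry%%:*}
        fpr=${entry#*:}
        if [ -z "$fpr" ]; then
            echo "slot $slot is empty"
            status=1
        elif ! printf '%s\n' "$expected" | grep -qx "$fpr"; then
            echo "slot $slot holds $fpr, which the keyring does not list as an on-card subkey"
            status=1
        fi
    done
    return $status
}

# Constructed sample output (fingerprints, key IDs and serial are made up).
SAMPLE_CARD_STATUS='version:0304:
vendor:0006:Yubico:
serial:00000000:
pinretry:3:0:3:
fpr:1111111111111111111111111111111111111111:2222222222222222222222222222222222222222:3333333333333333333333333333333333333333:'

SAMPLE_KEYRING='sec:u:4096:1:0000000000000000:1600000000:::u:::cESC:::+::::
fpr:::::::::0000000000000000000000000000000000000000:
ssb:u:4096:1:1111111111111111:1600000000:1893456000:::::s:::D2760001240100000006000000000000::
fpr:::::::::1111111111111111111111111111111111111111:
ssb:u:4096:1:2222222222222222:1600000000:1893456000:::::e:::D2760001240100000006000000000000::
fpr:::::::::2222222222222222222222222222222222222222:
ssb:u:4096:1:3333333333333333:1600000000:1893456000:::::a:::D2760001240100000006000000000000::
fpr:::::::::3333333333333333333333333333333333333333:'

# Constructed sample where the authentication slot was never written.
SAMPLE_CARD_STATUS_NO_AUTH='pinretry:3:0:3:
fpr:1111111111111111111111111111111111111111:2222222222222222222222222222222222222222::'

# Stand-alone demo on the samples.
echo "PIN retries (user admin): $(printf '%s\n' "$SAMPLE_CARD_STATUS" | card_pin_retries)"
if check_card_matches_keyring "$SAMPLE_CARD_STATUS" "$SAMPLE_KEYRING"; then
    echo "card and keyring agree"
fi
if ! check_card_matches_keyring "$SAMPLE_CARD_STATUS_NO_AUTH" "$SAMPLE_KEYRING"; then
    echo "incomplete card detected"
fi
```

The keyring side deliberately only counts subkeys whose ssb record carries a card serial, so a subkey that is still held as a plain secret key on disk (keytocard not run, or run without save) shows up as a mismatch rather than passing silently.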

Using it

Ensure pcscd is installed and running. On Arch: sudo systemctl enable --now pcscd.service

Import the public key you exported above on the machine where you use the YubiKey.

Use it.