
Chapter 9. Yubikey

9.1. Yubikey Neo
9.1.1. Installing the necessary tools
9.1.2. Creating the key on the Yubikey Neo
9.1.3. Using gnupg2

9.1. Yubikey Neo

9.1.1. Installing the necessary tools

sudo yum install libykneomgr pcsc-lite pcsc-tools gnupg2 gnupg2-smime --enablerepo=updates-testing
sudo systemctl start pcscd.service pcscd.socket
sudo systemctl enable pcscd.service pcscd.socket
Run ykneomgr -a, then copy the first 12 characters of the last key listed to the clipboard.
Run ykneomgr -D d27600012401; it should return with no output. This deletes the version of the OpenPGP applet that is currently on the card.
Grab the latest version of the .cap file from http://opensource.yubico.com/ykneo-openpgp/releases.html. For this example, we downloaded ykneo-openpgp-1.0.5.cap.
Run ykneomgr -i /tmp/ykneo-openpgp-1.0.5.cap to install the new version of the OpenPGP applet.
Run gpg --card-status to make sure GPG can see and talk to the card. The output should look like this:
gpg: detected reader `Yubico Yubikey NEO OTP+CCID 00 00'
Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
Run gpg --card-edit to edit the settings on the card.
admin to turn on admin mode, then choose options 1 and 3 and set a PIN for each (the user PIN and the Admin PIN). PINs can be alphanumeric.
q to quit the PIN menu.
name to add your name.
lang to set your language (en, for example).
sex to set your gender.
quit to quit.

9.1.2. Creating the key on the Yubikey Neo

Run gpg --edit-key key-id, where key-id is the ID of your existing key.
addcardkey to generate a new key on the Yubikey Neo.
Select Signature key.
Enter the PIN
Unlock your master key
Specify the expiration date for your key -- and yes, please set an expiration date. You can always edit the key and

9.1.3. Using gnupg2

We can't write to the card from gpg itself, so let's switch to gpg2. First, make sure that gpg2 can see your card by running gpg2 --card-status. If it can't see your card, you probably forgot to install the gnupg2-smime package.
Run sudo gpg2 --no-default-keyring --keyring ~/.gnupg/pubring.gpg --secret-keyring ~/.gnupg/secring.gpg --edit-key key-id
toggle to switch between the public key and secret key views.
Subkeys are numbered starting with 1, so type key 2 to select the second subkey. You'll notice a * next to the selected key.
keytocard to write the key to the Yubikey Neo.
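Once keytocard has run, it is worth confirming that the card is in the state this chapter expects. The following shell function is an added example, not part of the original document: it audits the text that gpg --card-status (or gpg2 --card-status) prints, in the format shown above, and fails if any of the three key slots is still [none] or a PIN retry counter has dropped below 3. The sample fingerprints in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original document): audit a `gpg --card-status`
# dump for the state expected after keytocard.
# Usage:  gpg2 --card-status | check_card_status
#    or:  check_card_status status.txt
check_card_status() {
    status=$(cat "${1:--}")
    rc=0

    # Every key slot must be populated; gpg prints "[none]" for an empty slot.
    for slot in "Signature key" "Encryption key" "Authentication key"; do
        line=$(printf '%s\n' "$status" | grep "^$slot" || true)
        case "$line" in
            *"[none]"*) echo "FAIL: $slot slot is empty"; rc=1 ;;
            "")         echo "FAIL: $slot line missing from output"; rc=1 ;;
            *)          echo "ok:   $slot present" ;;
        esac
    done

    # Retry counters are printed as "PIN retry counter : 3 3 3" (user PIN,
    # reset code, Admin PIN). Anything below 3 means failed PIN attempts have
    # been made since the last successful entry.
    counters=$(printf '%s\n' "$status" | sed -n 's/^PIN retry counter *: *//p')
    [ -n "$counters" ] || { echo "FAIL: PIN retry counter line missing"; rc=1; }
    for c in $counters; do
        [ "$c" -ge 3 ] 2>/dev/null || { echo "FAIL: PIN retry counter is $c"; rc=1; }
    done

    # "Signature PIN ....: forced" means the PIN is required for every signature
    # rather than cached after the first one; report it if that has been changed.
    printf '%s\n' "$status" | grep -q '^Signature PIN .*: forced' \
        || echo "WARN: signature PIN is not forced (cached across signatures)"

    return $rc
}
```

Run it against the output from section 9.1.1 (all three slots [none]) and it exits non-zero; after keytocard has populated the slots it exits 0.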