False Steps with OpenPGP on YubiKey

# False Steps with OpenPGP on YubiKey I recently started using a GPG key on my YubiKey 5 NFC as my SSH key for personal stuff. I generated the key on a PC so that I'd be able to restore it to another key some day, but I regularly use my older YubiKey NEO as well and I hadn't bothered to restore the key to it. It didn't go well, but I worked it out, so blog. Something was configured weird. I'd experimented with other smartcard certificates, hoping to get to where I could use SSH with generic smartcard support instead of using a `gpg-agent` pretending to be an `ssh-agent`. I must have messed up along the way. ## Resetting the OpenPGP Applet This is supposed to be as easy as `ykman openpgp reset` (from [YubiKey Manager](https://www.yubico.com/products/services-software/download/yubikey-manager/)) and it probably is if you have a build of YubiKey Manager supports command-line usage. The AppImage build for Linux does not support this - even if you rob it of its `DISPLAY` variable it just errors out because it can't find the display. I ended up using Windows to run `ykman.exe openpgp reset` instead, though I worked out later that I could have installed `yubikey-manager` on my Fedora system. Along the way I hit other speedbumps. I thought I needed to reset it another way because `ykman` wasn't going to work. I thought I needed the older `ykpers` to work, but smartcard configuration hadn't been the only thing I messed with. Everyone who uses a YubiKey has been embarassed by typing the OTP into a chat window. I don't use the OTP feature so I disable it on my personal keys. But a older YubiKey tools won't talk to the NEO unless OTP is enabled, so I turned that back on using YubiKey Manager. Once it was on, other tools like `ykinfo` would talk to it again *but* GPG couldn't talk to it anymore. This turned out to be a distraction anyway. ```sh ykman openpgp reset ``` ## Restoring the Key Obviously if you didn't export a backup of the private key you're out of luck. Your backup should be encrypted with a passphrase, so hopefully you kept that passphrase somewhere. First you've got to add the private key to your GPG keyring. ```sh gpg --import <backup>.asc ``` At this point you can follow the [instructions at developers.yubico.com](https://web.archive.org/web/20190208000700/https://developers.yubico.com/PGP/Importing_keys.html#_importing_the_key) to move the key onto the YubiKey. This is where I had run into trouble when I tried before resetting.