Yubico Forum


All times are UTC + 1 hour




Posted: Mon Feb 01, 2016 4:18 pm
I have a key pair that I use to sign e-mails and encrypt documents. I bought the Yubikey 4 because the website states that the 4 supports 4096 key length, but for some reason every time I issue the keytocard command I get an error that makes it sound like the key is expecting a 2048 key. The Yubikey 4 supports higher key lengths, right? Is there a step-by-step guide for importing a key? Maybe I'm missing a step...

I appreciate any input you can provide.



Posted: Mon Feb 01, 2016 9:37 pm
Yubico Team
It's probably your gpg version. Works fine for me using gpg v 2.0.29 on Windows. I follow the instructions here - https://developers.yubico.com/PGP/Importing_keys.html

[apologies in advance for the length]

C:\Users\Chris>gpg --edit-key 6B23937C
gpg (GnuPG) 2.0.29; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub 4096R/6B23937C created: 2015-12-02 expires: 2018-12-01 usage: SC
trust: ultimate validity: ultimate
sub 4096R/2FD28DC8 created: 2015-12-02 expires: 2018-12-01 usage: E
[ultimate] (1). Chris Halos (testing addcardkey) <chris@yubico.com>

gpg> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Chris Halos (testing addcardkey) <chris@yubico.com>"
4096-bit RSA key, ID 6B23937C, created 2015-12-02

Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 3y
Key expires at 12/01/18 15:10:24 Pacific Standard Time
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

pub 4096R/6B23937C created: 2015-12-02 expires: 2018-12-01 usage: SC
trust: ultimate validity: ultimate
sub 4096R/2FD28DC8 created: 2015-12-02 expires: 2018-12-01 usage: E
sub 4096R/911B11FD created: 2015-12-02 expires: 2018-12-01 usage: S
[ultimate] (1). Chris Halos (testing addcardkey) <chris@yubico.com>

gpg> toggle

sec 4096R/6B23937C created: 2015-12-02 expires: 2018-12-01
ssb 4096R/2FD28DC8 created: 2015-12-02 expires: never
ssb 4096R/911B11FD created: 2015-12-02 expires: 2018-12-01
(1) Chris Halos (testing addcardkey) <chris@yubico.com>

gpg> key 2

sec 4096R/6B23937C created: 2015-12-02 expires: 2018-12-01
ssb 4096R/2FD28DC8 created: 2015-12-02 expires: never
ssb* 4096R/911B11FD created: 2015-12-02 expires: 2018-12-01
(1) Chris Halos (testing addcardkey) <chris@yubico.com>

gpg> keytocard
Signature key ....: 857D 4C3A D9D3 3F04 CD5E 7959 DB6B EB55 D8C6 FD6E
Encryption key....: 6201 28E7 5D81 8D83 EE46 0CA0 196D CB20 A991 18D0
Authentication key: 8338 0EF3 4758 8E95 7328 5D5C 7D60 935F F9F6 21B9

Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1

gpg: WARNING: such a key has already been stored on the card!

Replace existing key? (y/N) y

You need a passphrase to unlock the secret key for
user: "[User ID not found]"
4096-bit RSA key, ID 911B11FD, created 2015-12-02


sec 4096R/6B23937C created: 2015-12-02 expires: 2018-12-01
ssb 4096R/2FD28DC8 created: 2015-12-02 expires: never
ssb* 4096R/911B11FD created: 2015-12-02 expires: 2018-12-01
card-no: 0006 04227930
(1) Chris Halos (testing addcardkey) <chris@yubico.com>

gpg> key 2

sec 4096R/6B23937C created: 2015-12-02 expires: 2018-12-01
ssb 4096R/2FD28DC8 created: 2015-12-02 expires: never
ssb 4096R/911B11FD created: 2015-12-02 expires: 2018-12-01
card-no: 0006 04227930
(1) Chris Halos (testing addcardkey) <chris@yubico.com>

gpg> key 1

sec 4096R/6B23937C created: 2015-12-02 expires: 2018-12-01
ssb* 4096R/2FD28DC8 created: 2015-12-02 expires: never
ssb 4096R/911B11FD created: 2015-12-02 expires: 2018-12-01
card-no: 0006 04227930
(1) Chris Halos (testing addcardkey) <chris@yubico.com>

gpg> keytocard
Signature key ....: 72E9 E258 6A1D 4658 F976 72A2 3F42 0515 911B 11FD
Encryption key....: 6201 28E7 5D81 8D83 EE46 0CA0 196D CB20 A991 18D0
Authentication key: 8338 0EF3 4758 8E95 7328 5D5C 7D60 935F F9F6 21B9

Please select where to store the key:
(2) Encryption key
Your selection? 2

gpg: WARNING: such a key has already been stored on the card!

Replace existing key? (y/N) y

You need a passphrase to unlock the secret key for
user: "Chris Halos (testing addcardkey) <chris@yubico.com>"
4096-bit RSA key, ID 2FD28DC8, created 2015-12-02


sec 4096R/6B23937C created: 2015-12-02 expires: 2018-12-01
ssb* 4096R/2FD28DC8 created: 2015-12-02 expires: never
card-no: 0006 04227930
ssb 4096R/911B11FD created: 2015-12-02 expires: 2018-12-01
card-no: 0006 04227930
(1) Chris Halos (testing addcardkey) <chris@yubico.com>

gpg> toggle

pub 4096R/6B23937C created: 2015-12-02 expires: 2018-12-01 usage: SC
trust: ultimate validity: ultimate
sub 4096R/2FD28DC8 created: 2015-12-02 expires: 2018-12-01 usage: E
sub 4096R/911B11FD created: 2015-12-02 expires: 2018-12-01 usage: S
[ultimate] (1). Chris Halos (testing addcardkey) <chris@yubico.com>

gpg> addcardkey
Signature key ....: 72E9 E258 6A1D 4658 F976 72A2 3F42 0515 911B 11FD
Encryption key....: 3304 484D 0AA3 DD93 FE0C 2570 7B28 34B5 2FD2 8DC8
Authentication key: 8338 0EF3 4758 8E95 7328 5D5C 7D60 935F F9F6 21B9

Please select the type of key to generate:
(1) Signature key
(2) Encryption key
(3) Authentication key
Your selection? 3

gpg: WARNING: such a key has already been stored on the card!

Replace existing key? (y/N) y
What keysize do you want for the Authentication key? (4096) 4096
Key is protected.

You need a passphrase to unlock the secret key for
user: "Chris Halos (testing addcardkey) <chris@yubico.com>"
4096-bit RSA key, ID 6B23937C, created 2015-12-02

Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 3y
Key expires at 12/01/18 15:15:55 Pacific Standard Time
Is this correct? (y/N) y
Really create? (y/N) y

pub 4096R/6B23937C created: 2015-12-02 expires: 2018-12-01 usage: SC
trust: ultimate validity: ultimate
sub 4096R/2FD28DC8 created: 2015-12-02 expires: 2018-12-01 usage: E
sub 4096R/911B11FD created: 2015-12-02 expires: 2018-12-01 usage: S
sub 4096R/B062AF76 created: 2015-12-02 expires: 2018-12-01 usage: A
[ultimate] (1). Chris Halos (testing addcardkey) <chris@yubico.com>

gpg> save

C:\Users\Chris>gpg --card-status
Application ID ...: D2760001240102010006042279300000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 04227930
Name of cardholder: Halos Chris
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: 4096R 4096R 4096R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 5
Signature key ....: 72E9 E258 6A1D 4658 F976 72A2 3F42 0515 911B 11FD
created ....: 2015-12-02 23:10:06
Encryption key....: 3304 484D 0AA3 DD93 FE0C 2570 7B28 34B5 2FD2 8DC8
created ....: 2015-12-02 23:07:26
Authentication key: 278E 7DCD 1840 B5F5 51C2 355C 0694 6E03 B062 AF76
created ....: 2015-12-02 23:15:47
General key info..: pub 4096R/911B11FD 2015-12-02 Chris Halos (testing addcardkey) <chris@yubico.com>
sec 4096R/6B23937C created: 2015-12-02 expires: 2018-12-01
ssb> 4096R/2FD28DC8 created: 2015-12-02 expires: 2018-12-01
card-no: 0006 04227930
ssb> 4096R/911B11FD created: 2015-12-02 expires: 2018-12-01
card-no: 0006 04227930
ssb> 4096R/B062AF76 created: 2015-12-02 expires: 2018-12-01
card-no: 0006 04227930

C:\Users\Chris>
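A check that can be run after a session like the one above, as an added example that is not part of the original post: it parses `gpg --card-status` text in the gpg 2.0.x format shown here and reports whether all three slots are 4096R and whether each on-card fingerprint has a matching `ssb>` stub pointing at this card. The function name `check_card_status` is hypothetical, and the sample is an excerpt of the output quoted in the post.

```python
import re

# Sample input: excerpt of the `gpg --card-status` output quoted in the post above.
CARD_STATUS = """\
Serial number ....: 04227930
Key attributes ...: 4096R 4096R 4096R
Signature key ....: 72E9 E258 6A1D 4658 F976 72A2 3F42 0515 911B 11FD
Encryption key....: 3304 484D 0AA3 DD93 FE0C 2570 7B28 34B5 2FD2 8DC8
Authentication key: 278E 7DCD 1840 B5F5 51C2 355C 0694 6E03 B062 AF76
sec 4096R/6B23937C created: 2015-12-02 expires: 2018-12-01
ssb> 4096R/2FD28DC8 created: 2015-12-02 expires: 2018-12-01
card-no: 0006 04227930
ssb> 4096R/911B11FD created: 2015-12-02 expires: 2018-12-01
card-no: 0006 04227930
ssb> 4096R/B062AF76 created: 2015-12-02 expires: 2018-12-01
card-no: 0006 04227930
"""

def check_card_status(text, want_attr="4096R"):
    """Return a list of problems found in card-status text (empty list = OK)."""
    problems = []
    serial = re.search(r"^Serial number \.*: *(\w+)", text, re.M)
    attrs = re.search(r"^Key attributes \.*: *(.+)$", text, re.M)
    if not attrs or any(a != want_attr for a in attrs.group(1).split()):
        problems.append("key attributes are not all " + want_attr)
    # Slot fingerprints: 40 hex digits printed in groups of four.
    slots = {name: fpr.replace(" ", "") for name, fpr in re.findall(
        r"^(Signature|Encryption|Authentication) key *\.*: *((?:[0-9A-F]{4} *){10})$",
        text, re.M)}
    if len(slots) < 3:
        problems.append("not all three card slots hold a key")
    # "ssb>" marks a subkey whose secret part is a stub pointing at a card.
    stubs, current = {}, None
    for line in text.splitlines():
        key = re.match(r"\s*(sec|ssb)(\S?) +\w+/([0-9A-F]{8})\b", line)
        card = re.match(r"\s*card-no: *\w+ (\w+)", line)
        if key:
            is_stub = key.group(1) == "ssb" and key.group(2) == ">"
            current = key.group(3) if is_stub else None
            if current:
                stubs[current] = None
        elif card and current:
            stubs[current] = card.group(1)
    for name, fpr in slots.items():
        if fpr[-8:] not in stubs:  # short key ID = last 8 hex digits of a v4 fingerprint
            problems.append(f"{name} key {fpr[-8:]} has no ssb> stub in the keyring")
    for keyid, card_no in stubs.items():
        if serial and card_no != serial.group(1):
            problems.append(f"stub {keyid} points at card {card_no}, not {serial.group(1)}")
    return problems
```

To use it on a live token, pass in the captured text of `gpg --card-status` instead of the embedded sample.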

