Yubico Forum

Hi,
I have transfered with success my pgp keys to my Yubico key 4.
But how to check it ? How to use it ?
Nothing is shown on my Yubico key.
Thx

assuming that you are on windows and that you have installed gpg4win with gpa and kleopatra selected:

in kleopatra you should see your key with a smartcard icon next to it that means that the private key is on the smartcard.
to check the gpg data on yubikey you can use this command (from cmd):

this will tell you if there are keys and their fingerprint.

to use it you can drag&drop a file in kleopatra and it will ask you what to do with it:
-sign
-encrypt
-both
-decrypt
-verify
the same apply if you don't use a yubikey.

make a copy of the private key OFFLINE before moving the key to card (after is no more possible).
keep also a copy of the public key, you will need it.
you can move it to other pc, import it (drag&drop), and issue the above command to let gpg understand that the private key part is on the smartcard.

Yes this is very good. I agree you should make a backup. I like the idea that it is possible to generate a new key from within the Yubikey 4 it's self, but I like the idea better of making it myself on the computer and making a backup somewhere and then adding it to the Yubikey. I would recommend making a revocation key as well, so if the worst happens and your Yubikey dies, you can always officially revoke and upload your dead public key and make a new key and start over.

I have to say though, the whole experience of setting up this OpenPGP aspect on my Yubikey was painful. Discrepancies between the PIV manager code not matching when I was entering in the pgp commandline etc.

PGP is fantastic, but it really needs to be more user-friendly else it will stay in the hands of us techies, geeks and those who are issued with the capability by their job or something which is just already ready to use.

Now that I have made a new pgp key that is compatible with the YK4 (I never really bothered much with RSA keys before) and gotten it set up in the YK4, it has simplified my decrypting and signing processes and I really like it. I have tested blocking my key by using the wrong pin and have managed to figure out how to get it unblocked by using the admin pin. But I am concerned that if I tested the same thing out by purposefully failing the admin code, that it might kill my ability to ever use my YK4 for openpgp functionality or something. I have no idea (does anyone know what steps are needed if you get the wrong admin pin too many times?)