Yubico Forum


All times are UTC + 1 hour




 Post subject: Yubikey 4 and RSA 4096
Posted: Mon Nov 30, 2015 10:05 pm

Joined: Sun Nov 29, 2015 6:44 pm
Posts: 3
Hi,

I recently got a Yubikey 4. According to the feature list, this device should support RSA-Keys up to 4096 bit for GnuPG. However, when I do a gpg2 --card-status I get the following:
Code:
Application ID ...: D2760001240102010006041319390000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: yyyyyyyy
Name of cardholder: xxxxxxxxx
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
In the line Key attributes it only says 2048R, which looks like it only supports 2048-bit keys.
Am I misunderstanding the meaning of this value? Or does the device require me to configure something to support longer keys? Does it have to do with the GPG version? (I'm using 2.0.28)

Thanks.



Posted: Wed Dec 02, 2015 11:00 am

Joined: Wed Dec 02, 2015 10:24 am
Posts: 2
Yep, you're right. It shows that it supports only 2048, but if you manually choose 4096 it will generate it.
Application ID ...: D2760001240102010006041615780000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 0416xxxx
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 4096R 4096R 4096R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 5
Signature key ....: B690 00AC 40B3 B578 A768 18AB B6EF FBE8 7982 EFC2
created ....: 2015-12-02 09:38:37
Encryption key....: 3A09 6ACB B7F3 19BB 6E60 2D00 17F5 FF2E 59DC E7D2
created ....: 2015-12-02 09:38:37
Authentication key: ABE8 1FFF B778 94BC 4376 8055 D38A AA6E 5FDE 027C
created ....: 2015-12-02 09:38:37
General key info..: pub 4096R/7982EFC2 2015-12-02 Dmitry Monakhov (hw-gen-key-test) <dmonakhov@openvz.org>
sec> 4096R/7982EFC2 created: 2015-12-02 expires: 2017-12-01
card-no: 0006 0416xxxx
ssb> 4096R/5FDE027C created: 2015-12-02 expires: 2017-12-01
card-no: 0006 0416xxxx
ssb> 4096R/59DCE7D2 created: 2015-12-02 expires: 2017-12-01
card-no: 0006 0416xxxx


Posted: Wed Dec 02, 2015 11:22 am

Joined: Wed Dec 02, 2015 10:24 am
Posts: 2
Subkey import (via "keytocard") and subkey generation (via "addcardkey") also work fine.
In this example the Sign and Encryption subkeys were imported; the Auth subkey was generated on card.
Application ID ...: D2760001240102010006041615780000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 04161578
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 4096R 4096R 4096R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: B0ED 248E 6922 E471 B7A7 7EBA F666 8E6D 506B 0421
created ....: 2015-12-02 10:05:57
Encryption key....: 84DA 7E09 7FF0 4AE5 57E4 4019 F042 CC5D 71C3 BCD1
created ....: 2015-12-02 09:55:29
Authentication key: 5C6B B320 A373 9700 75FA 6C46 D879 48F0 ECE2 B258
created ....: 2015-12-02 10:11:20
General key info..: pub 4096R/506B0421 2015-12-02 Dmitry Monakhov (hw-key-gen-test-yubikey-4096) <dmonakhov@opnevz.org>
sec 4096R/A6C30BA6 created: 2015-12-02 expires: 2025-11-29
ssb> 4096R/71C3BCD1 created: 2015-12-02 expires: 2025-11-29
card-no: 0006 04161578
ssb> 4096R/506B0421 created: 2015-12-02 expires: 2016-12-01
card-no: 0006 04161578
ssb> 4096R/ECE2B258 created: 2015-12-02 expires: 2016-12-01
card-no: 0006 04161578


Posted: Sun Dec 06, 2015 8:02 pm

Joined: Sun Nov 29, 2015 6:44 pm
Posts: 3
Thanks for the information. Indeed it works with longer keys.
So the output of gpg was just confusing.


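Added example, not part of any post in this thread: the "Key attributes" line describes how the three key slots are currently configured, so a fresh card reports 2048R next to empty slots. The script below reads `gpg2 --card-status` text in the layout quoted above and reports each slot's attribute and whether a key is loaded; the function names `card_slots` and `weak_slots` are hypothetical, and the size check assumes RSA attributes such as 2048R or 4096R.

```shell
# Added example (not from the thread). Reads `gpg2 --card-status` text on stdin.

# card_slots: print "<slot> <attribute> <empty|loaded>" for the three key slots.
card_slots() {
    awk '
        function value(line) {              # text after the first ": "
            sub(/^[^:]*: */, "", line); sub(/[ \t\r]+$/, "", line)
            return line
        }
        function state(line) { return (value(line) == "[none]") ? "empty" : "loaded" }
        /^Key attributes/     { split(value($0), attr, " ") }
        /^Signature key/      { st[1] = state($0) }
        /^Encryption key/     { st[2] = state($0) }
        /^Authentication key/ { st[3] = state($0) }
        END {
            split("sign encrypt auth", name, " ")
            for (i = 1; i <= 3; i++) print name[i], attr[i], st[i]
        }'
}

# weak_slots MIN: print the slots that hold a key smaller than MIN bits.
weak_slots() {
    card_slots | awk -v min="$1" '$3 == "loaded" {
        bits = $2; gsub(/[^0-9]/, "", bits)
        if (bits + 0 < min + 0) print $1 }'
}

# Constructed samples, trimmed from the two outputs quoted in the thread.
sample_empty() {
    cat <<'EOF'
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
EOF
}
sample_loaded() {
    cat <<'EOF'
Signature PIN ....: forced
Key attributes ...: 4096R 4096R 4096R
Signature key ....: B690 00AC 40B3 B578 A768 18AB B6EF FBE8 7982 EFC2
Encryption key....: 3A09 6ACB B7F3 19BB 6E60 2D00 17F5 FF2E 59DC E7D2
Authentication key: ABE8 1FFF B778 94BC 4376 8055 D38A AA6E 5FDE 027C
EOF
}

sample_empty | card_slots
sample_loaded | card_slots
```

Against a real card, pipe the live output in: `gpg2 --card-status | weak_slots 4096` prints nothing when every loaded slot is at least 4096 bits.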