Secure OpenPGP Keys with YubiKeys
We’re now ready to increase the security of our OpenPGP keys by transferring them to a YubiKey.
Prerequisites
Before proceeding with this post, make sure you first read the Generate Secure OpenPGP Keys post which will walk you through how to do the following:
Set up a secure environment which we’ll still be using throughout this post
Harden your GPG configuration
Photo preparation if you want to add a photo to your key
Generating a passphrase for the primary key
Generating the primary key
Adding subkeys
Adding additional user IDs
Adding the photo
Creating backups
Changing the subkeys passphrase
Removing the primary secret key
Encrypting backups
Decrypting backups
Backups
It’s important to make sure you have the following items backed up before proceeding with this post:
Secret key
Secret subkeys
Revocation certificate
Public key
Primary key passphrase
Primary key passphrase for the secret subkeys
Secret key file passphrase
Secret subkeys file passphrase
Revocation certificate file passphrase
The previous post goes over recommended ways to back up these items.
When moving the secret subkeys to the YubiKey, the secret subkeys stored in the keyring get converted into stubs which point to the YubiKey. These stubs are no longer usable to transfer to other YubiKeys. Therefore, if you want to transfer the secret subkeys to multiple YubiKeys, then make sure you have a backup of the secret subkeys.
Purchase a Supported YubiKey
The following YubiKeys have OpenPGP card support and should work with the steps outlined in this post:
YubiKey 5 FIPS Series
YubiKey 5 Series
YubiKey FIPS (4 Series)
YubiKey 4 Series
YubiKey Neo
YubiKey Neo-n
You can purchase a supported YubiKey from the Yubico Store.
The YubiKeys that have been specifically tested with this post include the YubiKey 5C NFC and the YubiKey 5 Nano.
It’s recommended to purchase at least two YubiKeys, so you’ll have at least one backup in case one of the keys is lost, stolen, broken, etc.
It’s also worth mentioning that the firmware on YubiKeys cannot be upgraded, for security reasons. Therefore, if a security vulnerability is found in the YubiKey model you purchased, you’ll have to purchase a different model that has OpenPGP card support.
YubiKey Verification
After purchasing a supported YubiKey, you can verify the YubiKey is genuine by visiting the YubiKey Verification page using an up-to-date web browser, e.g., Brave, Firefox, etc.
To verify the YubiKey you need to insert the YubiKey into your device, press the Verify Device button to begin the verification process, press the YubiKey when prompted, and if asked allow the site to see the make and model of the YubiKey. If you see “Verification Complete“, then your device is authentic.
By verifying the YubiKey is genuine you’re helping to mitigate the possibility of a supply chain attack, i.e., someone interfering with the device or replacing the device with a sabotaged device. It’s also a good idea to get the device shipped to a location that isn’t easily tied to your identity, e.g., a PO box, UPS box, Amazon box, a random address not associated with you, etc.
Import Secret Subkeys
If you needed to restart the secure environment and you’re using a Live Operating System (Live OS), then you can plug the storage device holding the secret subkeys into the machine running the Live OS and copy the file onto it.
You can then decrypt the secret subkeys file by running the following command:
gpg secret_subkeys.gpg
You can then import the secret subkeys by running the following command:
gpg --import secret_subkeys
You’ll then be prompted to enter the primary key passphrase for the secret subkeys.
OpenPGP Card Status
After verifying the YubiKey is genuine and that you successfully backed up all of the necessary items, you’re now ready to insert the YubiKey into the secure environment.
To check the status of the OpenPGP card which is stored on the YubiKey you can run the following command:
gpg --card-status
You should see output that looks similar to the following:
Reader ...........: Yubico Yubikey OTP FIDO CCID 00 00
Application ID ...: D2760001240103040006123456780000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 12345678
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
We’re now going to discuss what each line represents:
Reader: the device that is reading the OpenPGP card, e.g., Yubico Yubikey OTP FIDO CCID 00 00, which may be different for you depending on your device.
Application ID: the ID of the application being used, which includes the type of OpenPGP card, the implemented version of the OpenPGP specification, the manufacturer’s information, and the serial number of the device. The application ID is a unique identifier for every card, so it will be different for your device and can be used to uniquely identify the card. Therefore, if you’re using this card for anonymous or pseudonymous reasons, be aware that the application ID can be used to link the keys, and potentially other accounts you use the YubiKey with, together.
Application type: the type of application being used with the card, i.e., OpenPGP.
Version: the version of the OpenPGP specification that’s being used, which may be different for you.
Manufacturer: the manufacturer of the card, i.e., Yubico.
Serial number: a unique identifier assigned by the manufacturer which, like the application ID, can be used to link the keys and potentially other accounts you use the YubiKey with together.
Name of cardholder: an optional name of the cardholder, which must consist of plain ASCII characters only. You can set the field to, e.g., the name you set for the keys, i.e., your-name, if you want to let others know the name or pseudonym you’re using with the card. It’s also a good way to identify the card if you’re using multiple YubiKeys.
Language prefs: an optional language preference of the cardholder, e.g., if your preferred language is English you can set this field to en.
Salutation: an optional salutation of the cardholder, e.g., Mr. or Ms.
URL of public key: an optional URL used to retrieve the OpenPGP public key with the fetch command. For the URL to retrieve the public key, the key must already have been uploaded to the keyserver the URL points at.
Login data: an optional account name of the cardholder that may be used for login purposes. You can set this field to, e.g., the email address you set for the keys, i.e., your-email@example.com. Note that gpg doesn’t enforce any match between the login data and the name or email used in the keys.
Signature PIN: can be set to forced or not forced. When the field is set to forced, gpg will request the PIN for each signature operation. When the field is set to not forced, gpg may cache the PIN as long as the card has not been removed from the device you’re using it with. If you want the PIN to be required for each signature operation, which is more secure than using a cached PIN, be sure to set this to forced.
Key attributes: the kind of keys used by the OpenPGP card, which all default to rsa2048. This field will change to match the keys you transfer to the YubiKey, e.g., rsa4096.
Max. PIN lengths: the maximum length allowed for each PIN, i.e., the user PIN and the admin PIN, which may be different for you. The value is set by the manufacturer and cannot be changed.
PIN retry counter: how many tries are still left to enter the correct PIN. Whenever a wrong PIN is entered the corresponding field is decremented by 1. The fields are reset whenever a correct admin PIN is entered. The first and second fields are for the user PIN; the second one exists due to peculiarities of the ISO 7816 standard. The third field is the retry counter for the admin PIN.
Signature counter: the number of signatures performed by the transferred key. It only resets if a new signature key is created on the card or transferred to the card.
KDF setting: enables the Key Derivation Function (KDF) setting for the YubiKey, which lets the YubiKey store a hash of the PIN instead of the PIN itself, so the PIN is not passed in plain text. This must be enabled before changing the PIN or transferring keys to the YubiKey, or else you’ll see the following error: gpg: error for setup KDF: Conditions of use not satisfied. If you want to enable this setting after changing the PIN or transferring keys, you’ll have to factory reset the YubiKey. This feature may not be compatible with older GnuPG versions, which will always reject the PIN.
Signature key: commonly the primary key or, in our case, the signature subkey.
Encryption key: commonly an encryption subkey, which is what we’ll be using it for.
Authentication key: commonly an authentication subkey, which is what we’ll be using it for.
General key info: general information about the keys stored on the card.
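As an added example (not code from the original post), the following shell script turns these fields into a preflight check: it reads gpg --card-status output and flags what this post says must be right before keys are transferred, namely KDF on, signature PIN forced, empty key slots, and PIN retry counters that are not exhausted. It runs on the card-status output shown above; the "ready" and "occupied" variants are constructed from it, and the fingerprint in the occupied variant is a placeholder.

```shell
#!/bin/sh
# Preflight check for a YubiKey OpenPGP card before keytocard.
# Feed `gpg --card-status` output on stdin; prints one line per problem and
# returns 1 if anything should be fixed first, 0 when the card is ready.
# Checks: KDF on (required before PINs are changed or keys transferred),
# signature PIN forced, empty key slots (keytocard would overwrite an
# occupied one), and PIN retry counters that are not exhausted.

# $1: field label as printed by gpg (the dots/spaces before ':' are ignored);
# card-status text on stdin. Prints the field's value.
card_field() {
    sed -n "s/^$1[ .]*: *//p" | head -n 1
}

card_preflight() {
    status=$(cat)
    rc=0

    kdf=$(printf '%s\n' "$status" | card_field 'KDF setting')
    if [ "$kdf" != on ]; then
        echo "KDF setting is '$kdf': run kdf-setup before changing PINs or transferring keys"
        rc=1
    fi

    forced=$(printf '%s\n' "$status" | card_field 'Signature PIN')
    if [ "$forced" != forced ]; then
        echo "Signature PIN is '$forced': run forcesig to require the PIN for every signature"
        rc=1
    fi

    for slot in 'Signature key' 'Encryption key' 'Authentication key'; do
        val=$(printf '%s\n' "$status" | card_field "$slot")
        if [ -n "$val" ] && [ "$val" != '[none]' ]; then
            echo "$slot slot already holds $val: keytocard would overwrite it"
            rc=1
        fi
    done

    # Counters are: user PIN, second user PIN (ISO 7816 quirk), admin PIN.
    set -- $(printf '%s\n' "$status" | card_field 'PIN retry counter')
    [ "${1:-0}" -gt 0 ] || { echo "user PIN is blocked (retry counter 0): unblock it with the admin PIN"; rc=1; }
    [ "${3:-0}" -gt 0 ] || { echo "admin PIN is blocked (retry counter 0)"; rc=1; }
    return $rc
}

# Constructed sample: the fresh-card output shown earlier in this post.
fresh_card_status() {
    cat <<'EOF'
Reader ...........: Yubico Yubikey OTP FIDO CCID 00 00
Application ID ...: D2760001240103040006123456780000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 12345678
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
EOF
}

# Constructed sample: the same card after kdf-setup and forcesig.
ready_card_status() {
    fresh_card_status | sed -e 's/^\(KDF setting.*: \).*/\1on/' \
                            -e 's/^\(Signature PIN.*: \).*/\1forced/'
}

# Constructed sample: a ready card whose signature slot is already in use
# (the fingerprint is a placeholder, not a real value).
occupied_card_status() {
    ready_card_status | sed 's/^\(Signature key.*: \).*/\1AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333/'
}

# Demo: the fresh card needs two fixes before any key is transferred.
fresh_card_status | card_preflight || echo "card not ready yet"
```

Against a real card, run gpg --card-status | card_preflight after sourcing the script.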
Before transferring the subkeys, we’re going to first discuss how to edit these fields.
Editing the OpenPGP Card
To edit the OpenPGP card, you can use the following command:
gpg --card-edit
The output will display the same information as the gpg --card-status command, but we now have a command prompt that we can use to edit the card.
Help
To get help with how to edit the card, you can enter the following command:
help
The output should look similar to the following:
quit quit this menu
admin show admin commands
help show this help
list list all available data
fetch fetch the key specified in the card URL
passwd menu to change or unblock the PIN
verify verify the PIN and list all data
unblock unblock the PIN using a Reset Code
openpgp switch to the OpenPGP app
The help command displays a list of commands we can use, along with a brief description of each command.
Admin Mode
To edit the fields on the card you need to enter admin mode by entering the following command:
admin
The output should look similar to the following:
Admin commands are allowed
To get help with how to edit the card in admin mode, you can enter the following command:
help
The output should look similar to the following:
quit quit this menu
admin show admin commands
help show this help
list list all available data
name change card holder's name
url change URL to retrieve key
fetch fetch the key specified in the card URL
login change the login name
lang change the language preferences
salutation change card holder's salutation
cafpr change a CA fingerprint
forcesig toggle the signature force PIN flag
generate generate new keys
passwd menu to change or unblock the PIN
verify verify the PIN and list all data
unblock unblock the PIN using a Reset Code
factory-reset destroy all keys and data
kdf-setup setup KDF for PIN authentication (on/single/off)
key-attr change the key attribute
uif change the User Interaction Flag
openpgp switch to the OpenPGP app
Name
To edit the name enter the following command:
name
You’ll first be asked to enter the cardholder’s surname, i.e., the last name of the cardholder which you can leave empty by pressing Enter:
Cardholder's surname:
You’ll then be asked to enter the cardholder’s given name, i.e., the first name of the cardholder, which you can set to, e.g., your-name:
Cardholder's given name:
URL
To edit the URL used to retrieve the public key you can enter the following command:
url
You’ll then be asked to enter the URL to retrieve the public key from:
URL to retrieve public key:
The format to use for the URL is based on the OpenPGP HTTP Keyserver Protocol (HKP).
E.g., to set the URL to use the keys.openpgp.org keyserver you can type the following and press Enter:
hkps://keys.openpgp.org:443/pks/lookup?op=get&search=KEYID
Here KEYID is the key ID for the primary key, which you can determine by running the following command:
gpg -k your-email@example.com
The output should look something like this:
pub rsa4096/0x46B680BB17A6BD07 2024-07-23 [C] [expires: 2027-07-23]
Key fingerprint = 0512 CEFB 5478 FEB9 032F FB6C 46B6 80BB 17A6 BD07
uid [ultimate] your-name <your-email@example.com>
uid [ultimate] [jpeg image of size 5143]
sub rsa4096/0x4288AC227E259D0F 2024-07-23 [S] [expires: 2025-07-23]
sub rsa4096/0xC5AB9F2897890EFF 2024-07-23 [E] [expires: 2025-07-23]
sub rsa4096/0xE13FEA1C7ABD419E 2024-07-23 [A] [expires: 2025-07-23]
The key ID for the primary key is located on the first line after the rsa4096 text, i.e., 0x46B680BB17A6BD07.
Onion Service
You can also set the URL to use a Tor onion service, e.g. zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion which is the onion service for the keys.openpgp.org keyserver.
To use the keys.openpgp.org onion service you can type the following and press Enter:
hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion/pks/lookup?op=get&search=KEYID
Be sure to replace KEYID with the key ID of your key.
Login
To edit the login you can run the following command:
login
You’ll be asked to enter the cardholder’s login, e.g., the email address you used with your keys, i.e., your-email@example.com:
Login data (account name):
Salutation
To edit the salutation you can run the following command:
salutation
You’ll be asked to enter the cardholder’s salutation:
Salutation (M = Mr., F = Ms., or space):
You can type M for Mr., F for Ms., or leave the input empty to leave the salutation empty.
KDF
To enable KDF you can run the following command:
kdf-setup
A window will then be displayed asking for the admin PIN which has a default value of:
12345678
Be sure to enter the admin PIN correctly: if you enter the wrong admin PIN three times in a row, the YubiKey will be bricked.
If you’re prompted to enable KDF, then type on and press Enter.
Signature PIN
To toggle the signature force PIN flag you can run the following command:
forcesig
Generate
The generate command allows you to generate keys directly on the YubiKey instead of transferring already generated keys to the YubiKey.
If you generate the keys directly on the YubiKey, then it's not possible to move the keys from the YubiKey. Therefore, if the YubiKey is lost, stolen, damaged, etc., then you'll be unable to retrieve the keys.
We want to have a more robust back up solution which is why we’re not generating the keys directly on the YubiKey, but if you want to you can run the following command:
generate
Admin PIN, User PIN, and Reset Code
As previously mentioned, if you enter the admin PIN wrong three times in a row the YubiKey will be bricked, so be sure to enter the correct admin PIN.
The admin PIN has a configured maximum number of characters, e.g., 127, can contain any ASCII characters, and has a minimum length of 8. The user PIN also has a configured maximum number of characters, e.g., 127, can contain any ASCII characters, and has a minimum length of 6.
Since the admin PIN can only be entered three times before the YubiKey is bricked, you can use a shorter value. Similarly, since the user PIN can only be entered three times before the YubiKey is blocked and requires the admin PIN or reset code to be entered to unblock it, you can use a shorter value.
It’s recommended to use an admin PIN of 8 numbers and a user PIN of 6 numbers to avoid any issues with accidentally entering a longer PIN wrong three times in a row as well as any potential issues with using certain ASCII characters.
To come up with a random PIN you can, e.g., open up KeePassXC which should be available if you're using Tails, navigate to the password generator, then generate a random PIN consisting of 8 numbers for the admin PIN and 6 numbers for the user PIN.
It's also recommended to write down the admin PIN and the user PIN and/or store them in a secure password manager like KeePassXC in case you forget it. Just make sure you secure all written copies of the PINs as well as any password manager you decide to save the PINs in.
To change the admin PIN, user PIN, and/or the Reset Code you can run the following command:
passwd
The following prompt will then be displayed:
gpg: OpenPGP card no. D2760001240103040006123456780000 detected
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection?
To change the admin PIN, type 3 and press Enter.
A window will then appear asking you to input the current admin PIN which has a default value of:
12345678
After correctly entering the current admin PIN, you’ll then be prompted to enter the new admin PIN in a new window.
After entering the new admin PIN, you’ll then be asked to enter it again to confirm the new admin PIN.
The output will display the following:
PIN changed.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection?
To change the user PIN, type 1 and press Enter.
A window will then appear asking you to input the current user PIN which has a default value of:
123456
After correctly entering the current user PIN, you’ll then be prompted to enter the new user PIN in a new window.
After entering the new user PIN, you’ll then be asked to enter it again to confirm the new user PIN.
The output will display the following:
PIN changed.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection?
The reset code is only used for allowing a user to reset their PIN if they’ve locked themselves out by entering the wrong user PIN three times in a row. The reset code cannot be used to edit the card.
Setting a reset code is useful if you’re the admin of the card and plan to give a configured card to another user which will allow them to reset their PIN if they’ve locked themselves out, but they won’t be able to edit the card without knowing the admin PIN.
Since we’re assuming the YubiKey is for a single user, we’re not going to set a reset code because we can use the admin PIN to change the user PIN and to unblock the card.
Verify
To verify the user PIN and to see all of the card data you can run the following command:
verify
After entering the correct user PIN, you’ll be shown the same output as the gpg --card-status command.
Factory Reset
To perform a factory reset which will delete all keys and data on the OpenPGP card in the YubiKey you can run the following command:
factory-reset
You’ll be presented with a prompt asking for confirmation:
gpg: OpenPGP card no. D2760001240103040006123456780000 detected
gpg: Note: This command destroys all keys stored on the card!
Continue? (y/N)
To confirm the factory reset, type y and press Enter.
You’ll then be presented with another prompt asking for confirmation:
Really do a factory reset? (enter "yes")
To confirm the factory reset, type yes and press Enter.
Transferring Subkeys
YubiKeys currently support only three OpenPGP keys: either three subkeys, or a primary key, which is generally used for signing, plus two subkeys for encryption and authentication.
We’re going to transfer our three subkeys to the YubiKey, since the primary secret key is only used for certification and has already been removed from the keyring.
To transfer the subkeys, first make sure you’ve exited the OpenPGP card edit prompt, which you can do by typing Ctrl+c.
We need to now edit the subkeys which you can do by running the following command:
gpg --expert --edit-key your-email@example.com
You should see output similar to the following:
Secret subkeys are available.
pub rsa4096/0x46B680BB17A6BD07
created: 2024-07-23 expires: 2027-07-23 usage: C
trust: ultimate validity: ultimate
ssb rsa4096/0x4288AC227E259D0F
created: 2024-07-23 expires: 2025-07-23 usage: S
ssb rsa4096/0xC5AB9F2897890EFF
created: 2024-07-23 expires: 2025-07-23 usage: E
ssb rsa4096/0xE13FEA1C7ABD419E
created: 2024-07-23 expires: 2025-07-23 usage: A
[ultimate] (1). your-name <your-email@example.com>
[ultimate] (2) [jpeg image of size 5143]
If you had to import the subkeys again, then instead of seeing trust and validity as ultimate, you’ll see unknown.
Before proceeding with the editing of the key, you should set the trust value to 5 by typing trust, selecting 5 from the prompt, and then saving your changes by typing save and pressing Enter. You can then run the command to edit the subkeys again, and you should see the trust and validity values as ultimate.
Signature Key
We’re now going to select the first key in the list of subkeys by running the following command:
key 1
You should see output similar to the following:
pub rsa4096/0x46B680BB17A6BD07
created: 2024-07-23 expires: 2027-07-23 usage: C
trust: ultimate validity: ultimate
ssb* rsa4096/0x4288AC227E259D0F
created: 2024-07-23 expires: 2025-07-23 usage: S
ssb rsa4096/0xC5AB9F2897890EFF
created: 2024-07-23 expires: 2025-07-23 usage: E
ssb rsa4096/0xE13FEA1C7ABD419E
created: 2024-07-23 expires: 2025-07-23 usage: A
[ultimate] (1). your-name <your-email@example.com>
[ultimate] (2) [jpeg image of size 5143]
The * is used to denote the currently selected subkey.
You can now run the following command to begin the process of transferring the subkey to the YubiKey OpenPGP card:
keytocard
You should now be presented with a prompt that looks similar to the following:
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection?
The first subkey is the signature key, so you should enter the following:
1
A window prompt will then appear asking for the primary key passphrase for the secret subkeys.
After successfully entering the passphrase, another window prompt will appear asking for the admin PIN for the OpenPGP card. Another window prompt may also appear asking for the admin PIN again as well.
After successfully entering the admin PIN you should see the following output:
pub rsa4096/0x46B680BB17A6BD07
created: 2024-07-23 expires: 2027-07-23 usage: C
trust: ultimate validity: ultimate
ssb* rsa4096/0x4288AC227E259D0F
created: 2024-07-23 expires: 2025-07-23 usage: S
ssb rsa4096/0xC5AB9F2897890EFF
created: 2024-07-23 expires: 2025-07-23 usage: E
ssb rsa4096/0xE13FEA1C7ABD419E
created: 2024-07-23 expires: 2025-07-23 usage: A
[ultimate] (1). your-name <your-email@example.com>
[ultimate] (2) [jpeg image of size 5143]
You now need to deselect the first key by typing the following command:
key 1
Encryption Key
To edit the second subkey you can enter the following command:
key 2
You should see output similar to the following:
pub rsa4096/0x46B680BB17A6BD07
created: 2024-07-23 expires: 2027-07-23 usage: C
trust: ultimate validity: ultimate
ssb rsa4096/0x4288AC227E259D0F
created: 2024-07-23 expires: 2025-07-23 usage: S
ssb* rsa4096/0xC5AB9F2897890EFF
created: 2024-07-23 expires: 2025-07-23 usage: E
ssb rsa4096/0xE13FEA1C7ABD419E
created: 2024-07-23 expires: 2025-07-23 usage: A
[ultimate] (1). your-name <your-email@example.com>
[ultimate] (2) [jpeg image of size 5143]
You can now run the following command to begin the process of transferring the second subkey to the YubiKey OpenPGP card:
keytocard
You should now be presented with a prompt that looks similar to the following:
Please select where to store the key:
(2) Encryption key
Your selection?
The second subkey is the encryption key, so you should enter the following:
2
A window prompt will then appear asking for the primary key passphrase for the secret subkeys.
After successfully entering the passphrase, another window prompt will appear asking for the admin PIN for the OpenPGP card.
After successfully entering the admin PIN you should see the following output:
pub rsa4096/0x46B680BB17A6BD07
created: 2024-07-23 expires: 2027-07-23 usage: C
trust: ultimate validity: ultimate
ssb rsa4096/0x4288AC227E259D0F
created: 2024-07-23 expires: 2025-07-23 usage: S
ssb* rsa4096/0xC5AB9F2897890EFF
created: 2024-07-23 expires: 2025-07-23 usage: E
ssb rsa4096/0xE13FEA1C7ABD419E
created: 2024-07-23 expires: 2025-07-23 usage: A
[ultimate] (1). your-name <your-email@example.com>
[ultimate] (2) [jpeg image of size 5143]
You now need to deselect the second key by typing the following command:
key 2
Authentication Key
To edit the third subkey you can enter the following command:
key 3
You should see output similar to the following:
pub rsa4096/0x46B680BB17A6BD07
created: 2024-07-23 expires: 2027-07-23 usage: C
trust: ultimate validity: ultimate
ssb rsa4096/0x4288AC227E259D0F
created: 2024-07-23 expires: 2025-07-23 usage: S
ssb rsa4096/0xC5AB9F2897890EFF
created: 2024-07-23 expires: 2025-07-23 usage: E
ssb* rsa4096/0xE13FEA1C7ABD419E
created: 2024-07-23 expires: 2025-07-23 usage: A
[ultimate] (1). your-name <your-email@example.com>
[ultimate] (2) [jpeg image of size 5143]
You can now run the following command to begin the process of transferring the third subkey to the YubiKey OpenPGP card:
keytocard
You should now be presented with a prompt that looks similar to the following:
Please select where to store the key:
(3) Authentication key
Your selection?
The third subkey is the authentication key, so you should enter the following:
3
A window prompt will then appear asking for the primary key passphrase for the secret subkeys.
After successfully entering the passphrase, another window prompt will appear asking for the admin PIN for the OpenPGP card.
After successfully entering the admin PIN you should see the following output:
pub rsa4096/0x46B680BB17A6BD07
created: 2024-07-23 expires: 2027-07-23 usage: C
trust: ultimate validity: ultimate
ssb rsa4096/0x4288AC227E259D0F
created: 2024-07-23 expires: 2025-07-23 usage: S
ssb rsa4096/0xC5AB9F2897890EFF
created: 2024-07-23 expires: 2025-07-23 usage: E
ssb* rsa4096/0xE13FEA1C7ABD419E
created: 2024-07-23 expires: 2025-07-23 usage: A
[ultimate] (1). your-name <your-email@example.com>
[ultimate] (2) [jpeg image of size 5143]
You can now type the following command to save the changes:
save
Once you save the changes, gpg will delete the subkeys from the keyring and you won’t be able to copy the secret subkeys to another YubiKey, so make sure you have your backup of the secret subkeys.
Verification
To verify the transfer of the subkeys you can run the following command:
gpg -K
The output should look similar to the following:
/home/amnesia/.gnupg/pubring.kbx
--------------------------------
sec# rsa4096/0x46B680BB17A6BD07 2024-07-23 [C] [expires: 2027-07-23]
Key fingerprint = 0512 CEFB 5478 FEB9 032F FB6C 46B6 80BB 17A6 BD07
uid [ultimate] your-name <your-email@example.com>
uid [ultimate] [jpeg image of size 5143]
ssb> rsa4096/0x4288AC227E259D0F 2024-07-23 [S] [expires: 2025-07-23]
ssb> rsa4096/0xC5AB9F2897890EFF 2024-07-23 [E] [expires: 2025-07-23]
ssb> rsa4096/0xE13FEA1C7ABD419E 2024-07-23 [A] [expires: 2025-07-23]
The > after the ssb is used to indicate that the subkey is now a stub pointing to the subkey stored in the OpenPGP card on the YubiKey.
Multiple YubiKeys
Since the subkeys get deleted from the keyring and are replaced with stubs that point to the subkeys stored on a specific YubiKey, you need to remove the first YubiKey from the device then delete the stubs that point to the first YubiKey as well as the previous secret subkeys.
To delete the stubs and the secret subkeys, navigate to the private-keys-v1.d directory by running the following command:
cd ~/.gnupg/private-keys-v1.d
You can list the contents of the directory by running the following command:
ls
Each file in the private-keys-v1.d directory is a secret key stored by gpg. The filename of each file is the keygrip of that secret key, with a file extension of key.
To determine which keygrip belongs to which secret subkey and secret subkey stub, you can run the following command:
gpg -K --with-keygrip
The output will list all of the secret keys in the keyring with the keygrip displayed underneath each key.
You can now match the keygrips with the filenames in the private-keys-v1.d directory to make sure you’re deleting the correct three secret subkeys; any files whose keygrip isn’t displayed in the output should correspond to the secret subkey stubs pointing to the first YubiKey.
To delete the secret subkeys and the three stubs pointing to the first YubiKey you can run the following command:
rm -rf keygrip.key
Be sure to import the secret subkeys again, as described in the Import Secret Subkeys section above, before attempting to transfer them to the second YubiKey.
Once the three secret subkeys and the three stubs are deleted and the secret subkeys have been imported again, you can insert the second YubiKey and follow the steps outlined in this post again to transfer the subkeys to the second YubiKey.
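A helper for this step, added here as an example and not part of the original post: it maps each key listed by gpg -K --with-keygrip to its file in private-keys-v1.d and reports whether that file is a card stub or a real secret key, so you can confirm which files belong to the first YubiKey before running rm. It relies on gpg-agent's key file format, where a stub begins with the S-expression tag (20:shadowed-private-key and a passphrase-protected key with (21:protected-private-key; the keygrips and file contents in the sample are constructed placeholders.

```shell
#!/bin/sh
# Map the keys printed by `gpg -K --with-keygrip` to their <keygrip>.key
# files in private-keys-v1.d and classify each file. gpg-agent stores every
# key as a canonical S-expression whose leading token names its kind:
#   (20:shadowed-private-key   stub pointing at a card (the ssb> entries)
#   (21:protected-private-key  passphrase-protected secret key
#   (11:private-key            unprotected secret key

# $1: path to a <keygrip>.key file; prints stub|protected|unprotected|unknown|absent
classify_keyfile() {
    [ -f "$1" ] || { echo absent; return; }
    case "$(head -c 32 "$1")" in
        "(20:shadowed-private-key"*)  echo stub ;;
        "(21:protected-private-key"*) echo protected ;;
        "(11:private-key"*)           echo unprotected ;;
        *)                            echo unknown ;;
    esac
}

# Reads `gpg -K --with-keygrip` output on stdin and prints one line per key:
# <keyid> <keygrip> <keyring-state>, where keyring-state is card-stub (ssb>),
# missing (sec#/ssb#) or present.
keyring_grips() {
    awk '
        /^(sec|ssb)/ { split($2, a, "/"); id = a[2]; flag = substr($1, 4) }
        /^ *Keygrip = / && id != "" {
            state = (flag == ">") ? "card-stub" : ((flag == "#") ? "missing" : "present")
            print id, $3, state
            id = ""
        }'
}

# $1: private-keys-v1.d directory; `gpg -K --with-keygrip` output on stdin.
# Prints: <keyid> <keygrip> <keyring-state> <file-kind>
audit_keyfiles() {
    dir=$1
    keyring_grips | while read -r id grip state; do
        echo "$id $grip $state $(classify_keyfile "$dir/$grip.key")"
    done
}

# Constructed sample of `gpg -K --with-keygrip` after the first transfer:
# key IDs are the ones used in this post, keygrips are placeholders.
sample_gpg_k() {
    cat <<'EOF'
sec#  rsa4096/0x46B680BB17A6BD07 2024-07-23 [C] [expires: 2027-07-23]
      Keygrip = 1111111111111111111111111111111111111111
uid                   [ultimate] your-name <your-email@example.com>
ssb>  rsa4096/0x4288AC227E259D0F 2024-07-23 [S] [expires: 2025-07-23]
      Keygrip = 2222222222222222222222222222222222222222
ssb>  rsa4096/0xC5AB9F2897890EFF 2024-07-23 [E] [expires: 2025-07-23]
      Keygrip = 3333333333333333333333333333333333333333
ssb>  rsa4096/0xE13FEA1C7ABD419E 2024-07-23 [A] [expires: 2025-07-23]
      Keygrip = 4444444444444444444444444444444444444444
EOF
}

# Constructed private-keys-v1.d: three stub files for the subkeys and no file
# for the removed primary key. Only the leading tag matters for the check.
make_sample_dir() {
    d=$(mktemp -d)
    for g in 2222222222222222222222222222222222222222 \
             3333333333333333333333333333333333333333 \
             4444444444444444444444444444444444444444; do
        printf '(20:shadowed-private-key(3:rsa(1:n1:x)(1:e1:x)))' > "$d/$g.key"
    done
    echo "$d"
}

# Demo over the constructed sample. Against a real keyring you would run:
#   gpg -K --with-keygrip | audit_keyfiles ~/.gnupg/private-keys-v1.d
demo_dir=$(make_sample_dir)
sample_gpg_k | audit_keyfiles "$demo_dir"
rm -r "$demo_dir"
```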