Certain instructions on this page may vary slightly for you. It depends on which version of GPG you have installed.
DANGER:
Exporting keys to Yubikey will destroy the local key. Ensure a backup has been made before doing this (so original state can be restored). See and respectively.
Plug your Yubikey into a USB slot on your device and run the command:
gpg --card-status
Once you've confirmed that your Yubikey data is being read, type:
Note the ID 531AF8AA at the top of the list under sec. You will need to copy your own key ID and use it with the following command:
gpg --edit-key --expert 531AF8AA
The console will now print the keys associated with that master key ID:
gpg --edit-key --expert 531AF8AA
gpg (GnuPG) 2.3.8; Copyright (C) 2021 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa4096/A6EFD06F531AF8AA
created: 2022-11-14 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa4096/B4E1E1271705A11E
created: 2022-11-14 expires: never usage: S
ssb rsa4096/7C7E7CCE8E7130EA
created: 2022-11-14 expires: never usage: E
ssb rsa4096/6C643BF62D4537E9
created: 2022-11-14 expires: never usage: A
[ultimate] (1). Aetherinox <johndoe@email.com>
To move a key to your Yubikey, you need to select it and then transfer it.
To select, we use the key command followed by the key number, which is 1, 2 or 3.
For example: type key 1 to select the first subkey.
The console will place a * next to ssb. Typing key 1 again will deselect that key.
gpg> key 1
sec rsa4096/A6EFD06F531AF8AA
created: 2022-11-14 expires: never usage: C
trust: ultimate validity: ultimate
ssb * rsa4096/B4E1E1271705A11E
created: 2022-11-14 expires: never usage: S
ssb rsa4096/7C7E7CCE8E7130EA
created: 2022-11-14 expires: never usage: E
ssb rsa4096/6C643BF62D4537E9
created: 2022-11-14 expires: never usage: A
[ultimate] (1). Aetherinox <johndoe@email.com>
gpg> key 1
sec rsa4096/A6EFD06F531AF8AA
created: 2022-11-14 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa4096/B4E1E1271705A11E
created: 2022-11-14 expires: never usage: S
ssb rsa4096/7C7E7CCE8E7130EA
created: 2022-11-14 expires: never usage: E
ssb rsa4096/6C643BF62D4537E9
created: 2022-11-14 expires: never usage: A
[ultimate] (1). Aetherinox <johndoe@email.com>
After you select the subkey and it shows a * to the right of the word ssb, type:
keytocard
Since we're moving our signature subkey, we will select (1) Signature Key from the options:
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1
You will be prompted for your passphrase.
Once that key is moved, type key 1 again to deselect the first key and remove the * asterisk from the front.
We will now execute:
key 2
The list of keys will appear with the selection:
gpg> key 2
sec rsa4096/A6EFD06F531AF8AA
created: 2022-11-14 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa4096/B4E1E1271705A11E
created: 2022-11-14 expires: never usage: S
ssb * rsa4096/7C7E7CCE8E7130EA
created: 2022-11-14 expires: never usage: E
ssb rsa4096/6C643BF62D4537E9
created: 2022-11-14 expires: never usage: A
[ultimate] (1). Aetherinox <johndoe@email.com>
gpg> key 2
sec rsa4096/A6EFD06F531AF8AA
created: 2022-11-14 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa4096/B4E1E1271705A11E
created: 2022-11-14 expires: never usage: S
ssb rsa4096/7C7E7CCE8E7130EA
created: 2022-11-14 expires: never usage: E
ssb rsa4096/6C643BF62D4537E9
created: 2022-11-14 expires: never usage: A
[ultimate] (1). Aetherinox <johndoe@email.com>
Transfer the subkey to your card:
keytocard
Select the slot Encryption Key:
Please select where to store the key:
(2) Encryption key
Your selection? 2
Deselect key 2 to remove the asterisk:
key 2
Select key 3:
key 3
The list of keys will appear with the selection:
gpg> key 3
sec rsa4096/A6EFD06F531AF8AA
created: 2022-11-14 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa4096/B4E1E1271705A11E
created: 2022-11-14 expires: never usage: S
ssb rsa4096/7C7E7CCE8E7130EA
created: 2022-11-14 expires: never usage: E
ssb * rsa4096/6C643BF62D4537E9
created: 2022-11-14 expires: never usage: A
[ultimate] (1). Aetherinox <johndoe@email.com>
gpg> key 3
sec rsa4096/A6EFD06F531AF8AA
created: 2022-11-14 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa4096/B4E1E1271705A11E
created: 2022-11-14 expires: never usage: S
ssb rsa4096/7C7E7CCE8E7130EA
created: 2022-11-14 expires: never usage: E
ssb rsa4096/6C643BF62D4537E9
created: 2022-11-14 expires: never usage: A
[ultimate] (1). Aetherinox <johndoe@email.com>
Start the transfer with:
keytocard
Select the Authentication Key option:
Please select where to store the key:
(3) Authentication key
Your selection? 3
After you've entered the requested passphrase, we will save all changes with:
save
You now have your subkeys transferred to your Yubikey.
To confirm all the keys are on your Yubikey, unplug your Yubikey for a few seconds, and then plug it back in. Open your Command Prompt / PowerShell, and type:
gpg --card-status
You should see information about the OpenPGP interface of your Yubikey, and toward the bottom, a list of the keys imported onto your Yubikey.
Reader ...........: Yubico YubiKey OTP FIDO CCID 0
Application ID ...: D2760001234567890123456789012345
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 12345678
Name of cardholder: John Doe
Language prefs ...: en
Salutation .......:
URL of public key :
Login data .......: johndoe
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 10 10 10
Signature counter : 0
KDF setting ......: off
UIF setting ......: Sign=on Decrypt=on Auth=on
Signature key ....: 1A2B 3C4D 5E6F 1A2B 3C4D 1A2B 3C4D 5E6F 1A2B 3C4D
created ....: 2022-11-06 19:55:30
Encryption key....: 3C4D 1A2B 5E6F 3C4D 1A2B 3C4D 1A2B 5E6F 3C4D 1A2B
created ....: 2022-11-06 19:56:26
Authentication key: 1A2B 3C4D 5E6F 1A2B 3C4D 3C4D 1A2B 5E6F 3C4D 1A2B
created ....: 2022-11-06 19:57:11
General key info..: sub rsa4096/1A2D5CA34FE3F14A 2022-11-06 John Doe <jdoe@outlook.com>
sec rsa4096/45E5A25FA25F14AB created: 2022-11-06 expires: never
ssb rsa4096/11A63ECB252A6541 created: 2022-11-06 expires: never
ssb rsa4096/6BC4D3A3FE25FBCA created: 2022-11-06 expires: never
ssb rsa4096/CDBA3096BDCA9846 created: 2022-11-06 expires: never
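gpg --card-status confirms what is on the card; the other half of the check is that the local keyring no longer holds the secret subkeys. The Python script below is an added example, not part of the original guide: it reads field 15 of the sec/ssb records in `gpg --list-secret-keys --with-colons` output, where GnuPG prints the card serial for a key stored on a token, `+` for a secret key still on disk, and `#` for a stub. The sample input is constructed from the key IDs and Application ID shown on this page, and the function names are hypothetical.

```python
import subprocess

# Constructed sample of `gpg --list-secret-keys --with-colons` output using the
# key IDs from this page. The signing and encryption subkeys are on the card;
# the authentication subkey was never moved (or `save` was skipped).
SAMPLE = """\
sec:u:4096:1:A6EFD06F531AF8AA:1668384000:::u:::cSEA:::+:::23::0:
uid:u::::1668384000::CONSTRUCTED::Aetherinox <johndoe@email.com>:
ssb:u:4096:1:B4E1E1271705A11E:1668384000::::::s:::D2760001234567890123456789012345:::23:
ssb:u:4096:1:7C7E7CCE8E7130EA:1668384000::::::e:::D2760001234567890123456789012345:::23:
ssb:u:4096:1:6C643BF62D4537E9:1668384000::::::a:::+:::23:
"""


def key_locations(colons):
    """Return (record, key_id, usage, location) for every sec/ssb record."""
    rows = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb") or len(f) < 15:
            continue
        token = f[14]                      # field 15: S/N of a token
        if token == "+":
            where = "disk"                 # secret key material is local
        elif token == "#":
            where = "stub"                 # no secret material available
        elif token:
            where = "card " + token        # secret key lives on this card
        else:
            where = "unknown"
        # Lowercase letters in field 12 are the capabilities of this key itself.
        usage = "".join(c for c in f[11] if c.islower())
        rows.append((f[0], f[4], usage, where))
    return rows


def subkeys_left_on_disk(colons):
    """Subkey IDs whose secret part is still in the local keyring."""
    return [kid for rec, kid, _, where in key_locations(colons)
            if rec == "ssb" and where == "disk"]


def read_live(key_id):
    """Fetch the real listing from the local gpg for the given key ID."""
    return subprocess.run(["gpg", "--list-secret-keys", "--with-colons", key_id],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for row in key_locations(SAMPLE):      # swap in read_live("531AF8AA")
        print(*row)
    print("still on disk:", subkeys_left_on_disk(SAMPLE) or "none")
```

An empty "still on disk" list means every subkey was moved; any ID listed there still needs keytocard followed by save.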