With Commandline

Instructions on moving your GPG subkeys from your device onto your YubiKey.

Certain instructions on this page may vary slightly for you, depending on which version of GnuPG you have installed.

DANGER: Moving keys to the YubiKey destroys the local copy. Once you save, the private subkey exists only on the card (it cannot be exported back off it) and the local keyring keeps only a stub that points at that card. Ensure a backup has been made before doing this (so the original state can be restored). See Backup GPG Keys and Restore Original GPG State respectively.

Plug your yubikey into a usb slot on your device and run the command:

gpg --card-status

Once you've confirmed that your YubiKey is being read (the output shows Reader, Application ID and Serial number lines rather than an error), type:

gpg --list-secret-keys --keyid-format=short

This will print a list of your current keys. The letters in brackets are each key's usage: [C] certify, [S] sign, [E] encrypt, [A] authenticate. Only the three subkeys (ssb) are moved in the steps below; the certify-only primary key (sec) stays off the card.

sec   rsa4096/531AF8AA 2022-11-14 [C]
      516755A58447F4FE8D2AE8A3A6EFD06F531AF8AA
uid         [ultimate] Aetherinox <johndoe@email.com>
ssb   rsa4096/1705A11E 2022-11-14 [S]
ssb   rsa4096/8E7130EA 2022-11-14 [E]
ssb   rsa4096/2D4537E9 2022-11-14 [A]

Note the short ID 531AF8AA on the sec line at the top of the list. Copy your own key ID and use it with the following command:

gpg --edit-key --expert 531AF8AA

gpg opens an interactive editing session and prints the primary key and the subkeys attached to it:

gpg --edit-key --expert 531AF8AA

gpg (GnuPG) 2.3.8; Copyright (C) 2021 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/A6EFD06F531AF8AA
     created: 2022-11-14  expires: never       usage: C
     trust: ultimate      validity: ultimate
ssb  rsa4096/B4E1E1271705A11E
     created: 2022-11-14  expires: never       usage: S
ssb  rsa4096/7C7E7CCE8E7130EA
     created: 2022-11-14  expires: never       usage: E
ssb  rsa4096/6C643BF62D4537E9
     created: 2022-11-14  expires: never       usage: A
[ultimate] (1). Aetherinox <johndoe@email.com>

To move a key to your YubiKey, you first select it and then transfer it.

To select, use the key command followed by the subkey number. Subkeys are numbered 1, 2, 3 in the order they are listed, so key 1 is the first ssb. Check the usage letter (S, E or A) of the key you selected rather than relying on its position: your subkeys may be listed in a different order than in this example, and the slot you pick in the next step must match the usage.

For example: type key 1 to select the first subkey.

The console will place a * next to ssb. Typing key 1 again will deselect that key.

gpg> key 1

sec       rsa4096/A6EFD06F531AF8AA
          created: 2022-11-14  expires: never       usage: C
          trust: ultimate      validity: ultimate
          
ssb   *   rsa4096/B4E1E1271705A11E
          created: 2022-11-14  expires: never       usage: S
          
ssb       rsa4096/7C7E7CCE8E7130EA
          created: 2022-11-14  expires: never       usage: E
               
ssb       rsa4096/6C643BF62D4537E9
          created: 2022-11-14  expires: never       usage: A
          
[ultimate] (1). Aetherinox <johndoe@email.com>

After you select the subkey and it shows a * to the right of the word ssb, type:

keytocard

Since we're moving our signature subkey, select (1) Signature key. gpg only offers the slots compatible with the selected subkey's usage, which is why (2) Encryption key is not listed here:

Please select where to store the key:
   (1) Signature key
   (3) Authentication key
   
Your selection? 1

You will be prompted for the key's passphrase and then for the card's Admin PIN (Yubico's factory default is 12345678). This is not the User PIN (default 123456) that you enter when signing or decrypting.

Once that key is moved, type key 1 again to deselect the first key and remove the * asterisk from the front. If you skip this, the next key command selects a second key as well, and keytocard refuses to run with more than one key selected.

We will now execute:

key 2

List of keys will appear with the selection:

gpg> key 2

sec       rsa4096/A6EFD06F531AF8AA
          created: 2022-11-14  expires: never       usage: C
          trust: ultimate      validity: ultimate
          
ssb       rsa4096/B4E1E1271705A11E
          created: 2022-11-14  expires: never       usage: S
          
ssb   *   rsa4096/7C7E7CCE8E7130EA
          created: 2022-11-14  expires: never       usage: E
               
ssb       rsa4096/6C643BF62D4537E9
          created: 2022-11-14  expires: never       usage: A
          
[ultimate] (1). Aetherinox <johndoe@email.com>

Transfer the subkey to your card:

keytocard

Select the slot Encryption Key:

Please select where to store the key:
   (2) Encryption key
   
Your selection? 2

Deselect key 2 to remove the asterisk:

key 2

Select key 3:

key 3

List of keys will appear with the selection:

gpg> key 3

sec       rsa4096/A6EFD06F531AF8AA
          created: 2022-11-14  expires: never       usage: C
          trust: ultimate      validity: ultimate
          
ssb       rsa4096/B4E1E1271705A11E
          created: 2022-11-14  expires: never       usage: S
          
ssb       rsa4096/7C7E7CCE8E7130EA
          created: 2022-11-14  expires: never       usage: E
               
ssb   *   rsa4096/6C643BF62D4537E9
          created: 2022-11-14  expires: never       usage: A
          
[ultimate] (1). Aetherinox <johndoe@email.com>

Start the transfer with:

keytocard

Select the Authentication Key option:

Please select where to store the key:
   (3) Authentication key

Your selection? 3

After you've entered the passphrase and Admin PIN for the last key, save all changes with:

save

You now have your subkeys transferred to your YubiKey. keytocard already wrote each key onto the card; save is the step that replaces the local secret subkeys with stubs pointing at the card, so gpg --list-secret-keys now shows them as ssb> instead of ssb. Until you save, the local secret subkeys are left untouched.

To confirm all the keys are on your YubiKey, unplug it for a few seconds, then plug it back in. Open your Command Prompt / PowerShell and type:

gpg --card-status

You should see the details of the OpenPGP application on your YubiKey and, toward the bottom, the fingerprints of the keys now stored on it. The Signature key, Encryption key and Authentication key lines should match the fingerprints of your S, E and A subkeys, and the Key attributes line should list the algorithm of each slot (rsa4096 three times for keys like the ones above):

Reader ...........: Yubico YubiKey OTP FIDO CCID 0
Application ID ...: D2760001234567890123456789012345
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 12345678
Name of cardholder: John Doe
Language prefs ...: en
Salutation .......: 
URL of public key : 
Login data .......: johndoe
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 10 10 10
Signature counter : 0
KDF setting ......: off
UIF setting ......: Sign=on Decrypt=on Auth=on
Signature key ....: 1A2B 3C4D 5E6F 1A2B 3C4D  1A2B 3C4D 5E6F 1A2B 3C4D
      created ....: 2022-11-06 19:55:30
Encryption key....: 3C4D 1A2B 5E6F 3C4D 1A2B  3C4D 1A2B 5E6F 3C4D 1A2B
      created ....: 2022-11-06 19:56:26
Authentication key: 1A2B 3C4D 5E6F 1A2B 3C4D  3C4D 1A2B 5E6F 3C4D 1A2B
      created ....: 2022-11-06 19:57:11
General key info..: sub  rsa4096/1A2D5CA34FE3F14A 2022-11-06 John Doe <jdoe@outlook.com>
sec   rsa4096/45E5A25FA25F14AB  created: 2022-11-06  expires: never
ssb   rsa4096/11A63ECB252A6541  created: 2022-11-06  expires: never
ssb   rsa4096/6BC4D3A3FE25FBCA  created: 2022-11-06  expires: never
ssb   rsa4096/CDBA3096BDCA9846  created: 2022-11-06  expires: never
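As an added check that is not part of the original page, the following shell script compares the keyring against the card mechanically instead of by eye: every S, E and A subkey must be a stub whose card application ID carries the serial of the plugged-in card, and the card's three fingerprints must equal those subkeys' fingerprints. The colon-format field positions are taken from GnuPG's DETAILS documentation, the application-ID layout from the OpenPGP card specification, and the card and keyring samples are constructed; the usage comment shows how to run it on real gpg --with-colons output:

```sh
#!/bin/sh
# Added example, not code from the original page: check the move by cross-referencing
# `gpg -K --with-colons` with `gpg --card-status --with-colons`.
# Real usage, with the YubiKey plugged in:
#   gpg --card-status --with-colons > card.txt
#   gpg -K --with-colons 531AF8AA    > keyring.txt
#   verify_keytocard card.txt keyring.txt
#
# Colon-format fields relied on (GnuPG doc/DETAILS):
#  keyring: sec/ssb field 12 = capability (s/e/a, cESC on the primary);
#           field 15 = "+" secret key present locally, "#" no usable secret,
#           otherwise the application ID of the card holding the key;
#           the fpr record that follows has the fingerprint in field 10.
#  card:    "serial:" = 8-hex-digit serial; "fpr:" = Signature, Encryption and
#           Authentication slot fingerprints in fields 2, 3, 4.
#  The 32-hex OpenPGP application ID embeds the serial at characters 21-28.
verify_keytocard() {
    awk -F: '
        FNR == NR {                                   # first file: card status
            if ($1 == "fpr")    { card["s"] = $2; card["e"] = $3; card["a"] = $4 }
            if ($1 == "serial") serial = $2
            next
        }
        $1 == "sec" || $1 == "ssb" { cap = $12; tok = $15; want = 1; next }
        $1 == "fpr" && want {
            want = 0
            if (cap != "s" && cap != "e" && cap != "a") next     # certify-only primary stays local
            if (card[cap] != $10) {
                printf "FAIL %s: card slot holds \"%s\", keyring subkey is %s\n", cap, card[cap], $10
                bad = 1; next
            }
            if (tok == "+") {
                printf "FAIL %s: secret still in the local keyring (keytocard without save?)\n", $10
                bad = 1; next
            }
            if (tok == "#") {
                printf "FAIL %s: no usable secret key and no card stub\n", $10
                bad = 1; next
            }
            if (substr(tok, 21, 8) != serial) {
                printf "FAIL %s: stub points at card %s, inserted card serial is %s\n", $10, tok, serial
                bad = 1; next
            }
            printf "OK   %s: %s is a stub for card %s and matches the card slot\n", cap, $10, serial
        }
        END { exit bad ? 1 : 0 }
    ' "$1" "$2"
}

# Constructed sample outputs (real record shapes, placeholder values).
CARD_SAMPLE='reader:Yubico YubiKey OTP FIDO CCID 0:
version:0304:
vendor:0006:Yubico:
serial:12345678:
login:johndoe:
keyattr:1:4096:
keyattr:1:4096:
keyattr:1:4096:
pinretry:10:10:10:
sigcount:0:::
fpr:0A1B2C3D4E5F60718293A4B5B4E1E1271705A11E:1B2C3D4E5F60718293A4B5C67C7E7CCE8E7130EA:2C3D4E5F60718293A4B5C6D76C643BF62D4537E9:'

KEYRING_SAVED='sec:u:4096:1:A6EFD06F531AF8AA:1668384000:::u:::cESC:::+:::23::0:
fpr:::::::::516755A58447F4FE8D2AE8A3A6EFD06F531AF8AA:
uid:u::::1668384000::0000000000000000000000000000000000000000::Aetherinox <johndoe@email.com>::::::::::0:
ssb:u:4096:1:B4E1E1271705A11E:1668384000::::::s:::D2760001240103040006123456780000:::23:
fpr:::::::::0A1B2C3D4E5F60718293A4B5B4E1E1271705A11E:
ssb:u:4096:1:7C7E7CCE8E7130EA:1668384000::::::e:::D2760001240103040006123456780000:::23:
fpr:::::::::1B2C3D4E5F60718293A4B5C67C7E7CCE8E7130EA:
ssb:u:4096:1:6C643BF62D4537E9:1668384000::::::a:::D2760001240103040006123456780000:::23:
fpr:::::::::2C3D4E5F60718293A4B5C6D76C643BF62D4537E9:'

# Same keyring before `save`: keytocard ran but the secrets are still local ("+").
KEYRING_UNSAVED=$(printf '%s\n' "$KEYRING_SAVED" | sed 's/:D2760001240103040006123456780000:/:+:/')
# A different YubiKey (serial 87654321) loaded with the same keys.
CARD_OTHER=$(printf '%s\n' "$CARD_SAMPLE" | sed 's/^serial:12345678:/serial:87654321:/')

# Write a card/keyring sample pair to temp files and run the check on them.
run_sample() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' "$1" > "$dir/card.txt"
    printf '%s\n' "$2" > "$dir/keyring.txt"
    verify_keytocard "$dir/card.txt" "$dir/keyring.txt"
    rc=$?
    rm -rf "$dir"
    return $rc
}

run_sample "$CARD_SAMPLE" "$KEYRING_SAVED"
run_sample "$CARD_SAMPLE" "$KEYRING_UNSAVED" || echo "unsaved keyring rejected, as expected"
run_sample "$CARD_OTHER"  "$KEYRING_SAVED"   || echo "wrong card rejected, as expected"
```

The third case matters when you own more than one YubiKey: a stub records which card it belongs to, so a keyring whose stubs point at one card will fail to sign with another card even though both carry the same key.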
