When you use your YubiKey as a smart card to store PGP keys, you usually need to enter your PIN before the certificate can be used. This is fine, but the default user PIN is 123456 and the default admin PIN is 12345678. The whole goal of purposing your YubiKey in this manner is to keep your keys safe, and this default PIN configuration is not doing that.
Thankfully, YubiKeys mimic a PIV device (smart card) and therefore can be managed using the standard gpg --card-edit command.
To set a new user PIN and admin PIN, you will need to do the following:
# Enter the card edit mode of GPG
gpg --card-edit
# Enter admin mode
admin
# Enter password change mode
passwd
You will be prompted to select which PIN to change, and will be asked to enter the existing PIN and the new PIN twice to ensure you got it right.
If you want to be absolutely certain you need to enter your PIN before signing anything with your YubiKey, while still in admin mode, enter the following:
# While still in admin mode
forcesig
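To confirm the result without stepping through the interactive menu again, here is an added check script (not from the original post) that reads the machine-readable output of gpg --card-status --with-colons and reports whether the signature PIN is forced and whether the user PIN retry counter is still above zero. It assumes the forcepin and pinretry field names of that colon format; the two embedded card-status samples are constructed, not captured from a real key.

```shell
#!/bin/sh
# Audit a YubiKey's OpenPGP applet state from `gpg --card-status --with-colons`.
# Checks: signature PIN forced (the "forcesig" toggle) and user PIN not locked
# out (first pinretry field above zero). Returns 0 when OK, 1 when attention is needed.

# Reads colon-format card status on stdin; prints findings; returns 0/1.
audit_card_status() {
    forcepin="" user_retries=""
    while IFS=: read -r key a b c rest; do
        case "$key" in
            # forcepin:1::: means a PIN is required for every signature
            forcepin) forcepin="$a" ;;
            # pinretry:U:R:A: = remaining tries for user PIN, reset code, admin PIN
            pinretry) user_retries="$a" ;;
        esac
    done
    rc=0
    if [ "$forcepin" != "1" ]; then
        echo "WARN: signature PIN not forced; run 'forcesig' in admin mode"
        rc=1
    fi
    if [ -z "$user_retries" ] || [ "$user_retries" -eq 0 ]; then
        echo "WARN: user PIN retry counter is '$user_retries' (locked or unknown)"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: card before running 'forcesig' (signature PIN not forced).
SAMPLE_BEFORE='Reader:Yubico YubiKey OTP FIDO CCID 00 00:::
forcepin:0:::
pinretry:3:0:3:'

# Constructed sample: same card after 'forcesig'.
SAMPLE_AFTER='Reader:Yubico YubiKey OTP FIDO CCID 00 00:::
forcepin:1:::
pinretry:3:0:3:'

if [ "${1:-}" = "--live" ]; then
    # Audit the key actually plugged in.
    gpg --card-status --with-colons | audit_card_status
else
    printf '%s\n' "$SAMPLE_BEFORE" | audit_card_status || echo "before: needs attention"
    printf '%s\n' "$SAMPLE_AFTER" | audit_card_status && echo "after: OK"
fi
```

Run it with --live against an inserted YubiKey; without arguments it only evaluates the two constructed samples.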
And that’s pretty much it!
Now, if your YubiKey is ever lost or stolen, whoever has it will not be able to use your keys without the PIN. It’s still good practice to revoke those keys, but this gives you added peace of mind!