Using Yubikey PGP Keys on new computer

I recently went through the effort of setting up PGP identities for my most used email addresses on my Yubikey. The purpose of this was to ensure my digital identity was safe, as the Yubikey needs to be present to encrypt, sign, or otherwise use my identity. And since the master key is not stored on the Yubikey, if it were to get compromised, I could revoke the certificates easily.

However, my main goal besides security was portability. I wanted to be able to encrypt private org mode files (such as a journal) across multiple computers, sign / encrypt emails on both my laptops and my Android phone, and generally keep my certificates with me wherever I happen to be.

Importing Yubikey keys to a local keychain

I soon found out that when plugging in my Yubikey to a different computer worked fine, but the keys needed to be imported into the local keychain. In reality, this is pretty easy so long as you have configured the Yubikey correctly.

Basically, the Yubikey acts a as a smart card and keeps your private keys stored onboard. If you’ve configured the URL of the Public Key field correctly, then you can simply do the following after plugging in your Yubikey (and yes, this assumes you have a recent version of gpg installed on your computer).

gpg --card-edit

What this does is retrieve the public key from the url stored in the URL of the Public Key field on the Yubikey.

You then need to create a stub for the secret key on your local keychain.

gpg --card-status

Finally, importing the key does not place any trust in the key, so you may want to edit your local key and trust it by doing the following.

gpg --edit-key <key identifier>

Given that this is my key I verified it was downloaded correctly and chose to give it ultimate trust.