Now that you have your Yubikeys configured you can make use of them on your daily machines.


  • Configured Yubikeys
  • gpg software installed
  • pcsc software installed

For my gentoo machines I use the following packages:

app-crypt/gnupg (USE: smartcard)

Ensure your version of app-crypt/gnupg is 2.x and above.
Since I can't write steps for every distro, your going to need to install the packages yourself.


The gpg-agent config

Create or edit the following file:

default-cache-ttl 600
max-cache-ttl 7200

This file controls the gpg-agent, the gpg-agent will interact with the pcsc application.

Spawning the gpg-agent

You also need a way to start the gpg-agent, I use the following in my .bashrc file:

if [[ -e "$envfile" ]] && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
    eval "$(cat "$envfile")"
    eval "$(gpg-agent --daemon --enable-ssh-support --write-env-file "$envfile")"
export GPG_AGENT_INFO  # the env file does not contain the export statement
export SSH_AUTH_SOCK   # enable gpg-agent for ssh

Checking access

With the above in place when you spawn a new shell you will be able to see the following

$ export | grep gpg
declare -x GPG_AGENT_INFO="/home/brendan/.gnupg/S.gpg-agent:29109:1"
declare -x SSH_AUTH_SOCK="/home/brendan/.gnupg/S.gpg-agent.ssh"
$ ps -ef | grep gpg
brendan   4358 29098  0 16:16 pts/8    00:00:00 grep --colour=auto gpg
brendan  29109     1  0 16:10 ?        00:00:00 gpg-agent --daemon --enable-ssh-support --write-env-file /home/brendan/.gnupg/gpg-agent.env

Now you test access to the Yubikey by running the "gpg --card-status" command.

$ gpg --card-status
Application ID ...: D2760001240102000006036475550000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 03647555
Name of cardholder: Brendan Horan
Language prefs ...: en
Sex ..............: male
URL of public key : https://brendan.horan.hk/76E0A15A-pub-key.txt
Login data .......: brendan
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 2
Signature key ....: 1C9B 6940 B360 826A 51E3  A869 9C52 FFF7 0B16 AD9B
      created ....: 2015-09-22 06:52:32
Encryption key....: 0D85 5A98 E9D6 2E80 65D8  B0DB 0B4C F791 1360 580A
      created ....: 2015-09-22 07:00:43
Authentication key: AB73 B37E 760C D6B3 5C9B  86D7 F2D5 C074 0EEC D0AE
      created ....: 2015-09-22 07:02:24
General key info..: pub  2048R/0B16AD9B 2015-09-22 Brendan Horan <brendanhoran@basstech.net>
sec#  4096R/76E0A15A  created: 2015-09-22  expires: never
ssb>  2048R/0B16AD9B  created: 2015-09-22  expires: 2016-03-20
                      card-no: 0006 03647555
ssb>  2048R/1360580A  created: 2015-09-22  expires: 2016-03-20
                      card-no: 0006 03647555
ssb>  2048R/0EECD0AE  created: 2015-09-22  expires: 2016-03-20
                      card-no: 0006 03647555

You can now make use of the Yubikey to encrypt/decrypt/sign and authenticate on your machines.


GPG Agent config options
GPG command man page
ArchLinux GPG wiki