Solenberg.dev

Fedora and YubiKey PGP SmartCards

April 02, 2020

The Backstory

I am one of those weird people who like to use GPG encryption. As a responsible GPG user, I do not keep my signing key or decryption key on my computer. I use a YubiKey 5c to hold those credentials. When I need to sign or decrypt something, I plug my YubiKey into the computer and touch the contact to complete the task. I like to sign my Git commits, so this is a situation I run into often.

The problem

Fedora does not support YubiKey smart cards out of the box. If you run gpg --card-edit with a YubiKey plugged in, you will see the following:

terminal output

The Solution

After a bit of trial and error and searching around the internet, I found that I only needed to install pcsc-lite.

sudo dnf install pcsc-lite

Plug your YubiKey in and run gpg --card-edit again, and you should see the standard --card-edit output.

If you have set up your YubiKey correctly, you can retrieve your public key from whichever key server URL you have set up by running fetch at the card-edit prompt.

After you have imported your key, use the standard gpg tooling to set your key trust level.

Confirm that your secret key shows a Card serial no. by running:

gpg --list-secret-keys
/home/solenberg/.gnupg/pubring.kbx
----------------------------------
sec>  rsa2048 2019-08-15 [SC] [expires: 2021-08-14]
      AEC23C7473E54DF22982139E0101BF112BD69CF9
      Card serial no. = 0000 00000000
uid           [ultimate] Ryan James Solenberg <me@me.com>
uid           [ultimate] Ryan James Solenberg <other_me@me.com>
ssb>  rsa2048 2019-08-15 [E] [expires: 2021-08-14]
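
The same confirmation can be scripted. The following is an added example, not part of the original post: it reads the machine-readable form of the listing (gpg --list-secret-keys --with-colons) and reports where each secret key lives, relying on field 15 of sec/ssb records as described in GnuPG's doc/DETAILS. The function names and the sample records (key IDs, timestamps, serial number) are constructed for illustration.

```shell
#!/bin/sh
# Classify every sec/ssb record from `gpg --list-secret-keys --with-colons`.
# Field 15: a token serial number means the key is a stub pointing at a card,
# "+" means the secret material is on disk, "#" means it is not available.
classify_secret_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            loc = "card"
            if ($15 == "+")      loc = "disk"
            else if ($15 == "#") loc = "missing"
            else if ($15 == "")  loc = "unknown"
            print $1, $5, loc
        }'
}

# Succeeds only if at least one secret key is listed and all are card-backed.
all_keys_on_card() {
    out=$(classify_secret_keys)
    [ -n "$out" ] || return 1
    if printf '%s\n' "$out" | grep -qv ' card$'; then
        return 1
    fi
    return 0
}

# Constructed sample: primary key and subkey both held on a smart card.
SAMPLE_CARD='sec:u:2048:1:1111111111111111:1565827200:1628899200::u:::scSC:::D2760001240102010006000000000000:::
uid:u::::1565827200::0000000000000000000000000000000000000000::Example User <user@example.com>:
ssb:u:2048:1:2222222222222222:1565827200:1628899200:::::e:::D2760001240102010006000000000000:::'

# Constructed sample: primary key on the card, encryption subkey left on disk.
SAMPLE_MIXED='sec:u:2048:1:1111111111111111:1565827200:1628899200::u:::scSC:::D2760001240102010006000000000000:::
ssb:u:2048:1:3333333333333333:1565827200:1628899200:::::e:::+:::'

# Show the classification for the mixed sample.
printf '%s\n' "$SAMPLE_MIXED" | classify_secret_keys

# Live usage (requires gpg and the card):
#   gpg --list-secret-keys --with-colons | all_keys_on_card && echo "all on card"
```

A result of disk for any key means a copy of that secret key is stored in the local keyring rather than only on the YubiKey.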

Written by R.James Solenberg who is an AWS Solutions Architect and Linux Sys Admin living in Indianapolis, Indiana.