Restoring GPG from a Yubikey

Written by Martijn Braam on 2019-01-18

In this post I'll be using a clean Ubuntu 18.10 installation and a Yubikey that has already been set up and used before with GPG on another device. I was happy that U2F at least works out-of-the-box on the newer Ubuntu versions; GPG, as always, has to be more difficult.

The first step is installing the required packages:

$ sudo apt install gnupg2 gnupg-agent scdaemon pcscd

After installing you should be able to see the info on your Yubikey by running the card status command (if it reports "card not found", check that pcscd is running and that the Yubikey's CCID mode is enabled):

$ gpg --card-status

Reader ...........: Yubico Yubikey NEO OTP U2F CCID 00 00
Application ID ...: D2760001240102000006036453060000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 00000000
Name of cardholder: Martijn Braam
Language prefs ...: nl
Sex ..............: male
URL of public key : https://sks-keyservers.net/pks/lookup?op=get&search=0xABB914B86234BE5E
Login data .......: martijn
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : []
Signature key ....: F876 7C32 32CF 4C30 E4C9  CD0F C428 0ACB 000B 060F
      created ....: 2015-09-26 13:22:54
Encryption key....: 6E38 D86C AA21 B228 5ECD  2A63 8156 D7E0 6B94 80DD
      created ....: 2015-09-26 13:23:39
Authentication key: CA8A 3EDB 6B16 48F3 7EAD  0406 DA35 1779 9D3C 0921
      created ....: 2015-09-26 13:25:14
General key info..: sub  rsa2048/C4280ACB000B060F 2015-09-26 Martijn Braam <martijn@brixit.nl>

Unfortunately OpenPGP smartcards don't store enough information to recreate the public key: the card holds the key material and creation timestamps, but not the user IDs and self-signatures that make up the OpenPGP certificate, so that has to be fetched from somewhere else. The easiest route is a key that has been uploaded to a keyserver together with a key URL set on the Yubikey. If your Yubikey doesn't contain the URL to your public key you can add it with the url command in gpg --card-edit (it is an admin command, so run admin first). If you have the public key as a file instead, gpg --import it and then run gpg --card-status again so gpg links the imported key to the card.

To fetch the public key associated with the card and add it to the keyring you can use the fetch command:

$ gpg2 --card-edit

Reader ...........: Yubico Yubikey NEO OTP U2F CCID 00 00
... snipped out card info block ...
General key info..: [none]

gpg/card> fetch
gpg: requesting key from 'https://sks-keyservers.net/pks/lookup?op=get&search=0xABB914B86234BE5E'
gpg: WARNING: unable to fetch URI https://sks-keyservers.net/pks/lookup?op=get&search=0xABB914B86234BE5E: No data

gpg/card> fetch
gpg: requesting key from 'https://sks-keyservers.net/pks/lookup?op=get&search=0xABB914B86234BE5E'
gpg: key ABB914B86234BE5E: public key "Martijn Braam <martijn@brixit.nl>" imported
gpg: Total number processed: 1
gpg:               imported: 1

gpg/card> quit

This shows it fetches my public key from sks-keyservers; it also shows that the sks-keyservers pool was struggling and you sometimes have to retry. (The sks-keyservers.net pool has since been shut down, so a card that still points there needs a new URL: set one with the url command in gpg --card-edit, pointing at a keyserver that is still running or at a copy of your public key on a server you control.)

After this the key is imported and usable. Two checks are worth doing before relying on it: run gpg --card-status again and confirm that General key info now lists your key (gpg -K should show the three subkeys as ssb>, the > marking keys that live on the card), and set the ownertrust of your own key to ultimate with the trust command in gpg --edit-key, since a freshly imported certificate is otherwise treated as untrusted and gpg will warn that the key is not certified whenever you verify a signature made with it.
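One more check that is worth automating. The key URL stored on the card is a plain, unauthenticated string, and a keyserver answers by key ID, so the only thing that ties the certificate you just imported to the hardware in your hand is the set of subkey fingerprints the card itself reports. The script below is an added example, not part of the original post: it parses the fingerprints out of `gpg --card-status` and out of a `--with-colons` keyring listing and insists that every fingerprint on the card is present in the imported key. The function names and the sample inputs are this example's own; the card sample is the status block shown above, and the keyring sample is a constructed colon listing for the same key with the primary-key fingerprint replaced by a placeholder.

```shell
#!/bin/sh
# Cross-check the Yubikey's key slots against the public key now in the keyring.
# Added example (not from the post); function names are this example's own.

# Fingerprints of the card's three key slots, from `gpg --card-status` on stdin:
# one 40-hex-digit fingerprint per line, spaces removed. Empty slots ("[none]")
# and unrelated lines such as "Signature PIN" are skipped.
card_fprs() {
  awk -F': *' '
    /^(Signature key|Encryption key|Authentication key)/ {
      fpr = $2; gsub(/ /, "", fpr)
      if (length(fpr) == 40) print fpr
    }'
}

# Fingerprints of the primary key and every subkey in a keyring listing on stdin,
# as produced by
#   gpg --with-colons --with-fingerprint --with-fingerprint -k KEYID
# Field 10 of each "fpr" record holds the fingerprint.
keyring_fprs() {
  awk -F: '$1 == "fpr" { print $10 }'
}

# verify_card_key_match CARD_STATUS_TEXT KEYRING_LISTING_TEXT
# Prints one line per card slot; returns 0 only if every card fingerprint is
# present in the keyring listing, 1 if any slot is missing or the card reports
# no keys at all.
verify_card_key_match() {
  card=$(printf '%s\n' "$1" | card_fprs)
  ring=$(printf '%s\n' "$2" | keyring_fprs)
  [ -n "$card" ] || { echo "no key fingerprints found in card status"; return 1; }
  rc=0
  for f in $card; do
    if printf '%s\n' "$ring" | grep -qxF "$f"; then
      echo "ok       $f"
    else
      echo "MISSING  $f  (card key not in imported certificate)"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample input: the relevant lines of the card status from this
# post, plus a couple of distractor lines the parser must ignore.
SAMPLE_CARD='Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Signature key ....: F876 7C32 32CF 4C30 E4C9  CD0F C428 0ACB 000B 060F
      created ....: 2015-09-26 13:22:54
Encryption key....: 6E38 D86C AA21 B228 5ECD  2A63 8156 D7E0 6B94 80DD
      created ....: 2015-09-26 13:23:39
Authentication key: CA8A 3EDB 6B16 48F3 7EAD  0406 DA35 1779 9D3C 0921
      created ....: 2015-09-26 13:25:14'

# Constructed --with-colons listing for the same key. Only the fpr records
# matter to the parser; the primary-key fingerprint is a zero placeholder and
# the other record fields are left mostly empty.
SAMPLE_RING='pub:u:2048:1:ABB914B86234BE5E:::::::scESC::::::::
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::::::Martijn Braam <martijn@brixit.nl>::::::::::
sub:u:2048:1:C4280ACB000B060F:::::::s::::::::
fpr:::::::::F8767C3232CF4C30E4C9CD0FC4280ACB000B060F:
sub:u:2048:1:8156D7E06B9480DD:::::::e::::::::
fpr:::::::::6E38D86CAA21B2285ECD2A638156D7E06B9480DD:
sub:u:2048:1:DA3517799D3C0921:::::::a::::::::
fpr:::::::::CA8A3EDB6B1648F37EAD0406DA3517799D3C0921:'

if [ "${1:-}" = "--live" ]; then
  # Real run: card plugged in, key already fetched. Usage: script --live KEYID
  verify_card_key_match "$(gpg --card-status)" \
    "$(gpg --with-colons --with-fingerprint --with-fingerprint -k "${2:?key id}")"
else
  # Offline demonstration against the constructed samples.
  verify_card_key_match "$SAMPLE_CARD" "$SAMPLE_RING"
fi
```

Run it with `--live 0xABB914B86234BE5E` (your own key ID) once fetch has succeeded; a MISSING line means the certificate you imported is not the one whose private halves are on the card, and you should not trust it before finding out why.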