Restoring GPG from a Yubikey
In this post I'll be using a clean Ubuntu 18.10 installation and a Yubikey that has already been set up and used with GPG on another device. I was happy that U2F at least works out of the box on the newer Ubuntu versions; GPG has to be more difficult, as always.
The first step is installing the required packages:
$ apt install gnupg2 gnupg-agent scdaemon pcscd
After installing, you should be able to see the info on your Yubikey by running the gpg card status command:
$ gpg --card-status
Reader ...........: Yubico Yubikey NEO OTP U2F CCID 00 00
Application ID ...: D2760001240102000006036453060000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 00000000
Name of cardholder: Martijn Braam
Language prefs ...: nl
Sex ..............: male
URL of public key : https://sks-keyservers.net/pks/lookup?op=get&search=0xABB914B86234BE5E
Login data .......: martijn
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter :
Signature key ....: F876 7C32 32CF 4C30 E4C9 CD0F C428 0ACB 000B 060F
      created ....: 2015-09-26 13:22:54
Encryption key....: 6E38 D86C AA21 B228 5ECD 2A63 8156 D7E0 6B94 80DD
      created ....: 2015-09-26 13:23:39
Authentication key: CA8A 3EDB 6B16 48F3 7EAD 0406 DA35 1779 9D3C 0921
      created ....: 2015-09-26 13:25:14
General key info..: sub rsa2048/C4280ACB000B060F 2015-09-26 Martijn Braam <email@example.com>
Unfortunately, GPG smartcards don't store enough information on the card to recreate the public key, so it has to be fetched from somewhere else. The easiest case is when your key has been uploaded to a keyserver and a key URL has been set on the Yubikey. If your Yubikey doesn't contain the URL to your public key you can add that using
To fetch the public key associated with the card and add it to the keyring you can use the fetch command:
$ gpg2 --card-edit
Reader ...........: Yubico Yubikey NEO OTP U2F CCID 00 00
... snipped out card info block ...
General key info..: [none]
gpg/card> fetch
gpg: requesting key from 'https://sks-keyservers.net/pks/lookup?op=get&search=0xABB914B86234BE5E'
gpg: WARNING: unable to fetch URI https://sks-keyservers.net/pks/lookup?op=get&search=0xABB914B86234BE5E: No data
gpg/card> fetch
gpg: requesting key from 'https://sks-keyservers.net/pks/lookup?op=get&search=0xABB914B86234BE5E'
gpg: key ABB914B86234BE5E: public key "Martijn Braam <firstname.lastname@example.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg/card> quit
This shows it fetching my public key from sks-keyservers. It also shows that sks-keyservers are struggling and that you sometimes have to retry.
After this you're done, the key is imported and usable.
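Because the public key comes from a keyserver URL rather than from the card itself, it is worth confirming that the imported key really contains the three keys held on the card. The script below is an added example, not part of the original post: the function names and sample data are constructed for illustration, and it assumes the English `gpg --card-status` layout shown above.

```shell
#!/bin/sh
# Added example (not from the original post): check that the public key
# imported by `fetch` contains the keys that are actually on the card.

# stdin: `gpg --card-status` text -> the card's key fingerprints, no spaces
card_fprs() {
    sed -n -E 's/^(Signature key|Encryption key|Authentication key)[ .]*: *//p' |
        tr -d ' ' | grep -E '^[0-9A-F]{40}$' || true   # "[none]" slots are skipped
}

# stdin: `gpg --with-colons` key listing -> every fingerprint (field 10 of fpr)
keyring_fprs() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# check_card_keys CARD_STATUS_TEXT KEY_LISTING_TEXT
# 0 = every card key is in the listing, 1 = at least one missing, 2 = empty card
check_card_keys() {
    wanted=$(printf '%s\n' "$1" | card_fprs)
    [ -n "$wanted" ] || { echo "no keys found on card" >&2; return 2; }
    have=$(printf '%s\n' "$2" | keyring_fprs)
    rc=0
    for fpr in $wanted; do
        printf '%s\n' "$have" | grep -qx "$fpr" || { echo "MISSING $fpr"; rc=1; }
    done
    return $rc
}

# Constructed samples: card fingerprints are the ones shown in the post; the
# colon records are trimmed and the primary fingerprint is a placeholder.
CARD_SAMPLE='Signature key ....: F876 7C32 32CF 4C30 E4C9 CD0F C428 0ACB 000B 060F
Encryption key....: 6E38 D86C AA21 B228 5ECD 2A63 8156 D7E0 6B94 80DD
Authentication key: CA8A 3EDB 6B16 48F3 7EAD 0406 DA35 1779 9D3C 0921'
KEYS_GOOD='pub:-:2048:1:ABB914B86234BE5E:
fpr:::::::::0000000000000000000000000000000000000000:
sub:-:2048:1:C4280ACB000B060F:
fpr:::::::::F8767C3232CF4C30E4C9CD0FC4280ACB000B060F:
sub:-:2048:1:8156D7E06B9480DD:
fpr:::::::::6E38D86CAA21B2285ECD2A638156D7E06B9480DD:
sub:-:2048:1:DA3517799D3C0921:
fpr:::::::::CA8A3EDB6B1648F37EAD0406DA3517799D3C0921:'
# Same listing with the encryption subkey swapped for a constructed one.
KEYS_BAD=$(printf '%s\n' "$KEYS_GOOD" | sed 's/6E38D86C/AAAAAAAA/')

# Real use, after `fetch`:
#   check_card_keys "$(LC_ALL=C gpg --card-status)" \
#       "$(gpg --with-colons --with-subkey-fingerprint --list-keys)"
```

A non-zero exit status means the fetched key does not cover every key on the card, so the import should be inspected before the key is trusted or used.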