# Setup

1. Generate a GPG key for the #Yubikey, and make sure to add an authentication key.
2. Ensure that the following is in `~/.gnupg/gpg-agent.conf`:

   ```
   enable-ssh-support
   ```

3. Ensure the following is in the shell configuration:

   ```bash
   export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh
   ```

4. Restart `gpg-agent`.
5. In a new terminal, run:

   ```bash
   $ ssh-add -L
   ```

6. Put that value in the server's `~/.ssh/authorized_keys`.

> [!NOTE] Card Numbers
> `ssh-add -L` will show `cardno:` entries corresponding to the Yubikey owning these keys. This is an identifier and is not enforced. Instead, that's [[GnuPG]] handling the linkage of card numbers. See [[#Replacing a YubiKey]] below.

## Forcing Touch Access

Optionally, require touch access. This can be done for the Auth key, Encryption key, and Signature key separately.

```bash
$ pipx run yubikey-manager openpgp keys set-touch aut on # Auth
$ pipx run yubikey-manager openpgp keys set-touch dec on # Encryption
$ pipx run yubikey-manager openpgp keys set-touch sig on # Signing
```

These require the Admin PIN to change settings. There are other possible values. See [GitHub - drduh/YubiKey-Guide: Guide to using YubiKey for GPG and SSH](https://github.com/drduh/YubiKey-Guide#require-touch).

# Usage

If set up correctly, `ssh` should prompt for the GPG PIN when SSHing to the server. This is remembered for a time, so repeated SSH connections within a period of time (defined in `gpg-agent.conf`) will work without prompting for a new PIN.

# Replacing a YubiKey

If a key has to be replaced:

1. Run `gpg2 -k --with-keygrip` and find the keygrip IDs.
2. Go to `~/.gnupg/private-keys-v1.d` and delete the matching files.
3. Re-run `gpg2 --card-status`.

This will ensure that the new card is used for the [[GnuPG]] keys corresponding to the SSH keys.
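As an added example (not part of the original note), a small POSIX shell script that ties the setup steps and the replacement section together: it parses the `cardno:` comments from `ssh-add -L`, compares them with the serial reported by `gpg --card-status`, and flags agent keys whose stub still points at a card that is not the one inserted (the situation the "Replacing a YubiKey" section fixes). It assumes both commands print the serial in the same form and that `gpgconf --list-dirs agent-ssh-socket` is available; the sample command output is constructed.

```shell
#!/bin/sh
# Added example, not from the original note: confirm that the SSH keys
# gpg-agent offers belong to the YubiKey currently inserted, by matching
# the "cardno:" comments from `ssh-add -L` against `gpg --card-status`.
# Assumption: both commands print the serial in the same form (as in
# GnuPG 2.2 style output); the sample texts below are constructed.

# Card serials named in ssh-add -L output (one per line, deduplicated).
agent_card_serials() {
    printf '%s\n' "$1" |
        awk '{ for (i = 3; i <= NF; i++) if ($i ~ /^cardno:/) print substr($i, 8) }' |
        sort -u
}

# Serial of the inserted card, taken from the gpg --card-status text.
card_status_serial() {
    printf '%s\n' "$1" | awk -F': *' '/^Serial number/ { print $2 }'
}

# Report every agent key whose card is not the inserted one; return 1 if any.
check_agent_keys() {
    inserted=$(card_status_serial "$2")
    rc=0
    for s in $(agent_card_serials "$1"); do
        if [ "$s" != "$inserted" ]; then
            echo "stale stub: agent offers cardno:$s, inserted card is $inserted"
            rc=1
        fi
    done
    return $rc
}

# Verify the shell points ssh at gpg-agent's SSH socket (setup step 3).
check_auth_sock() {
    [ -n "$SSH_AUTH_SOCK" ] && [ "$SSH_AUTH_SOCK" = "$(gpgconf --list-dirs agent-ssh-socket)" ]
}

# Constructed sample output (key material shortened and fake).
SAMPLE_AGENT='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAC...FAKE cardno:000612345678
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...FAKE cardno:000698765432'
SAMPLE_STATUS='Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240100000006123456780000
Serial number ....: 000612345678
Name of cardholder: [not set]'

# Live use: check_agent_keys "$(ssh-add -L)" "$(gpg --card-status)" && check_auth_sock
```

A non-zero exit from `check_agent_keys` names the serial of the old card, which is the stub to remove from `~/.gnupg/private-keys-v1.d` before re-running `gpg2 --card-status`.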