Securing GPG keys with a Yubikey security device

I’ve been using my Yubikey for years with Ubuntu SSO, as a 2-factor authentication device.

Recently, I started playing with some of its other capabilities. In particular, I became interested in the OpenPGP capabilities. I spent a couple hours working through this excellent guide on the subject.

The end result: I have a GPG key stored on my hardware key, in the device’s “secure element”. I can sign and decrypt messages/files when the key is inserted into my Ubuntu or Mac systems, and the private key is not stored on the system at all.

A brief summary of the process:

  • Buy a Yubikey. If you want to carry it with you, don’t get the Nano–they’re easy to lose.
  • Install scdaemon to your system. You will also need pinentry
  • Generate the key. You can do on the Yubikey but I recommend doing it on an offline computer or live CD.
  • BACK UP the private key offline. This is important, as the next step is destructive.
  • Move the private key/subkeys to the Yubikey, one at a time. They will be removed from your keyring.
  • Edit gpg-agent.conf and add “pinentry” as described.
  • Edit gpg.conf and add “use-agent” as described.
  • Optional: upload your public key to

To use the key on another system, you will need scdaemon and pinentry, along with the configuration files. I find that I need to import my public key for the system to recognize the private key on my Yubikey. Also, don’t lose your offline backup of your private key. Some functions (like adduid) apparently require you to re-import your private key to your keyring–and the private key cannot be exported from the Yubikey.

Finally, you can use your GPG key in your Yubikey as an SSH private key. See the steps in the guide on Github. If you have any questions, hit me up in #Ubuntu-US-AZ on Freenode.


Ubuntu 14.04 reaches end-of-life…sort of

Ubuntu 14.04 (codenamed Trusty Tahr) was released five years ago (in April of 2014). As a long-term support (LTS) release, that means it was eligible to receive bug fix and security updates for five years. As of April 30, 2019, the standard support period will end, and you will no longer be able to download updates from

For the typical user (like us), this means:

  • No security fixes. No package updates. No new kernels. That’s the end.
  • The packages will, at some point, be removed from, and archived at

When the files are archived, that also means that you can no longer upgrade using the do-release-upgrade command. The only “official” remedy is to reinstall. There is an “unofficial” community-authored method for upgrading via, but I have not tested this with Trusty.

If you run 14.04 in a business environment and are unable to update or redeploy for awhile, you can purchase limited additional support from Canonical (the company that provides commercial support for Ubuntu). Starting with 12.04, Canonical began providing critical security fixes beyond “end-of-life” for LTS releases, through a program called “Extended Security Maintenance”. You can find more information about ESM here.