Setting up an existing Yubikey on Linux

Yesterday, I ran into an issue with Pop! OS that resulted in me having to reinstall my operating system. I wanted to re-enable my existing Yubikey for signing commits. This is how I did it.

Yesterday, I ran into an issue with Pop! OS that resulted in me having to reinstall my operating system. I use a Yubikey for my SSH keys and to sign git commits, so it was necessary to set this up again. DrDuh has a very comprehensive guide on how to set up Yubikeys on multiple platforms.

However, I didn't want to set up a new Yubikey; I already had the one I used with the previous installation of my operating system, so I wanted to get that Yubikey working again. The steps are pretty simple:

First, install the required software:

sudo apt -y install wget gnupg2 gnupg-agent dirmngr cryptsetup scdaemon pcscd secure-delete hopenpgp-tools yubikey-personalization

Next, install the ykman utility:

sudo apt -y install python3-pip python3-pyscard
pip3 install PyOpenSSL
pip3 install yubikey-manager
sudo service pcscd start

After this, configure GnuPG itself by adding the following to ~/.gnupg/gpg.conf:

auto-key-locate keyserver
comment GPGTools - https://gpgtools.org
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
personal-digest-preferences SHA512 SHA384 SHA256 SHA224

And add the following to ~/.gnupg/gpg-agent.conf (if you don't want the GNOME 3 PIN popup, change pinentry-program to a different pinentry binary):

enable-ssh-support
ttyname $GPG_TTY
default-cache-ttl 60
max-cache-ttl 120
pinentry-program /usr/bin/pinentry-gnome3

You will also need your shell to use gpg-agent as its SSH agent instead of the default ssh-agent whenever it starts. To do this, put the following in your .bashrc or .zshrc file:

# Make gpg-agent replace SSH agent
export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent

Finally, restart gpg-agent so that it picks up the new configuration (gpgconf --launch alone does nothing if an agent is already running, so stop it first):

gpgconf --kill gpg-agent
gpgconf --launch gpg-agent
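Once the steps above are done, it is worth confirming that the agent really is the one answering SSH requests and that the PIN cache is as short as the config says, before trusting the key for commits. The following script is an added example and not part of the original post: it checks a gpg-agent.conf for enable-ssh-support and sane cache TTLs, compares SSH_AUTH_SOCK with the socket gpgconf reports, and asks gpg whether it can see the card. The helper make_sample_conf writes a constructed copy of the gpg-agent.conf from this post so the file checks can be exercised on a machine without a Yubikey; the live check only runs the gpgconf and gpg parts when those tools are installed.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity-check the gpg-agent /
# SSH setup described above. Paths match the post; the config written by
# make_sample_conf is a constructed sample, not read from the real ~/.gnupg.

# Succeeds (exit 0) when the given gpg-agent.conf enables SSH support.
agent_conf_has_ssh() {
  grep -q '^enable-ssh-support[[:space:]]*$' "$1"
}

# Prints "<default-cache-ttl> <max-cache-ttl>" from a gpg-agent.conf.
# A missing option is reported as 0 (gpg-agent's own defaults are 600/7200 s).
cache_ttls() {
  awk '$1 == "default-cache-ttl" { d = $2 }
       $1 == "max-cache-ttl"     { m = $2 }
       END { print d + 0, m + 0 }' "$1"
}

# Succeeds when both PIN cache TTLs in $1 are set and no longer than $2 seconds,
# so an unattended, unlocked laptop does not keep a usable signing key for long.
cache_ttls_within() {
  ttls=$(cache_ttls "$1")
  d=${ttls%% *}
  m=${ttls##* }
  [ "$d" -gt 0 ] && [ "$d" -le "$2" ] && [ "$m" -gt 0 ] && [ "$m" -le "$2" ]
}

# Succeeds when SSH_AUTH_SOCK ($1) equals gpg-agent's SSH socket path ($2),
# i.e. the shell snippet above took effect and a stock ssh-agent is not in use.
ssh_sock_is_gpg_agent() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Writes a constructed gpg-agent.conf (the one from the post) into directory $1
# and prints the path of the file it wrote.
make_sample_conf() {
  mkdir -p "$1" && chmod 700 "$1"
  cat > "$1/gpg-agent.conf" <<'EOF'
enable-ssh-support
default-cache-ttl 60
max-cache-ttl 120
pinentry-program /usr/bin/pinentry-gnome3
EOF
  printf '%s\n' "$1/gpg-agent.conf"
}

# Live check of the real setup. Tool-dependent parts run only when the tool is
# installed, so this is safe to run on a machine with no Yubikey attached.
check_live_setup() {
  conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
  [ -f "$conf" ] || { echo "no $conf"; return 1; }
  agent_conf_has_ssh "$conf" || { echo "enable-ssh-support missing in $conf"; return 1; }
  cache_ttls_within "$conf" 600 || echo "warning: PIN cache TTL longer than 10 minutes"
  if command -v gpgconf >/dev/null 2>&1; then
    sock=$(gpgconf --list-dirs agent-ssh-socket)
    ssh_sock_is_gpg_agent "${SSH_AUTH_SOCK:-}" "$sock" ||
      { echo "SSH_AUTH_SOCK is not gpg-agent's socket ($sock)"; return 1; }
  fi
  if command -v gpg >/dev/null 2>&1 && gpg --card-status >/dev/null 2>&1; then
    echo "Yubikey detected by gpg"
  fi
  return 0
}

# Stand-alone demonstration on the constructed config (no hardware needed).
sample=$(make_sample_conf "$(mktemp -d)")
agent_conf_has_ssh "$sample" && echo "sample: ssh support enabled"
echo "sample: cache ttls = $(cache_ttls "$sample")"
```

Run check_live_setup from the shell that sourced the .zshrc snippet; a mismatch in SSH_AUTH_SOCK is the usual reason `ssh-add -L` shows no card key even though `gpg --card-status` works.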