YubiKey NEO and OpenPGP key generation and loading on Windows

This is an attempt to do a “quick start” guide for properly generating OpenPGP keys and loading them into your YubiKey NEO on Windows. This isn’t an exhaustive guide, and more advanced users may choose to do things differently than I have demonstrated here. This is my way, and I know it works.

If you’re going to do anything with the OpenPGP functionality of the YubiKey NEO, you need the latest stable release of Gpg4win, available here. You also need your NEO in CCID mode. See my previous post to get started. Also note that the YubiKey NEO only supports 2048-bit keys. Larger keys will not work. Smaller keys may or may not work.

After following this guide, you will have an OpenPGP 2048-bit key pair with sub-keys for encryption and authentication, a revocation certificate, a backup of your keys, and the secret keys loaded on to the appropriate slots on the YubiKey NEO.

Yubico’s guide to this process is posted here. When I walked through their guide I noticed it was missing some steps. So I wrote this guide to fill in the blanks and be more descriptive.

Generating your initial key pair

Open a command prompt and run:

gpg --expert --gen-key

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
Your selection? 8

For ‘kind of key’, select 8 (RSA: set your own capabilities).

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished

Your selection?

Now select ‘e’ to toggle the encrypt capability off, so that ‘Current allowed actions’ shows only Sign and Certify. Then select ‘q’ to move on.

Make sure you select a 2048-bit key, and then continue through the wizard to complete your key pair generation.

Take note of your 8-character key ID. You will need it for future steps.

Adding the sub-keys

You need to add two sub-keys; one for encryption, and one for authentication.

From the command line, run (where keyID is your 8-character key ID):

gpg --expert --edit-key keyID

Now, type:

addkey

Select 8 again, just like above, and then toggle the capabilities so that Encrypt is the only allowed action (an encryption-only key). Make sure you generate a 2048-bit key.

Repeat addkey one last time, and toggle the capabilities so that Authenticate is the only allowed action (an authentication-only key). Again, generate a 2048-bit key.

Then q to quit, and y to save changes.
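Before backing anything up or moving it to the card, it is worth confirming that the key set really has the layout described above (a sign+certify primary, an encrypt-only sub-key and an authenticate-only sub-key, all RSA 2048-bit, which is what the NEO accepts). The following Python script is an added example, not code from the original post or from Yubico: it checks the text printed by gpg --list-keys --with-colons keyID against that layout, using the field positions of GnuPG's documented colon-separated listing format. The two sample listings inside it are constructed for illustration, not real keys.

```python
# Added example (not from the original post): check the key layout the guide
# produces before anything is moved to the YubiKey NEO. Input is the text from:
#     gpg --list-keys --with-colons <keyID>
# Field positions follow GnuPG's colon format (doc/DETAILS): 1=record type,
# 3=key length, 4=algorithm, 5=key ID, 12=capabilities (lowercase = this key's own).
RSA_ALGO_ID = "1"      # OpenPGP public-key algorithm 1 = RSA
NEO_KEY_BITS = "2048"  # the YubiKey NEO only accepts 2048-bit keys

def parse_key_records(colon_output):
    """Return (type, bits, algo, keyid, own_caps) for each pub/sub record."""
    records = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub") or len(fields) < 12:
            continue
        own_caps = {c for c in fields[11] if c.islower()}
        records.append((fields[0], fields[2], fields[3], fields[4], own_caps))
    return records

def check_key_layout(colon_output):
    """List every way the key set differs from the guide's target: one RSA-2048
    sign+certify primary, one encrypt-only and one authenticate-only RSA-2048
    subkey. An empty list means the layout matches."""
    problems = []
    records = parse_key_records(colon_output)
    primaries = [r for r in records if r[0] == "pub"]
    subs = [r for r in records if r[0] == "sub"]
    if len(primaries) != 1:
        problems.append(f"expected one primary key, found {len(primaries)}")
    for _, bits, algo, keyid, _ in records:
        if algo != RSA_ALGO_ID:
            problems.append(f"{keyid}: algorithm {algo} is not RSA")
        if bits != NEO_KEY_BITS:
            problems.append(f"{keyid}: {bits}-bit key will not load on the NEO")
    for _, _, _, keyid, caps in primaries:
        if caps != {"s", "c"}:
            problems.append(f"{keyid}: primary has {sorted(caps)}, expected ['c', 's']")
    sub_caps = sorted("".join(sorted(r[4])) for r in subs)
    if sub_caps != ["a", "e"]:
        problems.append(f"subkeys have {sub_caps}, expected one 'e' and one 'a'")
    return problems

# Constructed sample listing (not a real key) in the layout this guide produces.
GOOD_LISTING = """\
pub:u:2048:1:0123456789ABCDEF:1700000000:::u:::scESCA::::::::::0:
sub:u:2048:1:1111111111111111:1700000000::::::e::::::23:
sub:u:2048:1:2222222222222222:1700000000::::::a::::::23:
"""
# Same set, but the encryption subkey was generated at 4096 bits by mistake.
BAD_LISTING = GOOD_LISTING.replace("sub:u:2048:1:1111", "sub:u:4096:1:1111")
```

Run it on your own listing (for example by piping the gpg output into check_key_layout) and fix anything it reports before continuing; an empty result means the layout matches what the rest of this guide expects.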

Backing up the keys

Run each of the following commands to back up your public key and secret key, and to create a revocation certificate, where keyID is your 8-character key ID:

gpg --output public.asc -a --export keyID
gpg --output secret.asc -a --export-secret-key keyID
gpg --output revoke.asc -a --gen-revoke keyID

Moving the keys to the YubiKey

Run the following command:

gpg --expert --edit-key keyID

Then type toggle. Your sub-keys are numbered 1 and 2, and 0 represents the main key. For each sub-key (1 and 2), type key followed by its number (such as key 1) to select it, and then use keytocard to move it to your YubiKey. (After handling key 1, you have to type key 1 again to unselect it before selecting key 2.) Keys 1 and 2 will each have only one choice of where to put them. Afterwards, type key 0 and use keytocard to move it to the signature slot.

Card errors: If you get a card error, IO error, or anything like that, quit gpg (saving any changes), quit Kleopatra, quit Yubico Authenticator (if you’re running it), and then open Task Manager and kill any gpg-agent or gpg-* processes. Run this:

gpg --card-status

If this comes back with data (and not an error), then run this again and continue:

gpg --expert --edit-key keyID

Integration with PuTTY / Pageant: This is something I haven’t explored yet, but this walk-through seems to deal with the topic quite well.