Debian GPG Yubikey

Configure Yubikey for SSH authentication on Debian based linux.

Required Materials

  1. Pre-configured Yubikey using Export GPG Subkeys to Yubikey.

Install GPG and security card agents on machine.
apt update && apt upgrade
apt install wget gnupg2 gnupg-agent dirmngr cryptsetup scdaemon pcscd secure-delete hopenpgp-tools yubikey-personalization


Ubuntu 18.04+ needs to add universe multiverse repositories to all apt sources in /etc/apt/sources.list. Additional dependencies:

apt install libssl-dev swig libpcsclite-dev

Optionally install yubikey manager to manage yubikeys.
apt install python3-pip python3-pyscard
pip3 install PyOpenSSL
pip3 install yubikey-manager
service pcscd start
~/.local/bin/ykman openpgp info

Configure GPG/GPG Agent

This will enable SSH usage with the gpg-agent.

0644 user user ~/.gnupg/gpg-agent.conf
ttyname $GPG_TTY
default-cache-ttl 60
max-cache-ttl 120
pinentry-program /usr/bin/pinentry-curses
#pinentry-program /usr/bin/pinentry-tty
#pinentry-program /usr/bin/pinentry-gtk-2
#pinentry-program /usr/bin/pinentry-x11
#pinentry-program /usr/bin/pinentry-gnome3
#pinentry-program /usr/local/bin/pinentry-curses
#pinentry-program /usr/local/bin/pinentry-mac

Download gpg-agent.conf

0600 user user** ~/.gnupg/gpg.conf
# Use AES256, 192, or 128 as cipher
personal-cipher-preferences AES256 AES192 AES
# Use SHA512, 384, or 256 as digest
personal-digest-preferences SHA512 SHA384 SHA256
# Use ZLIB, BZIP2, ZIP, or no compression
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
# Default preferences for new keys
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
# SHA512 as digest to sign keys
cert-digest-algo SHA512
# SHA512 as digest for symmetric ops
s2k-digest-algo SHA512
# AES256 as cipher for symmetric ops
s2k-cipher-algo AES256
# UTF-8 support for compatibility
charset utf-8
# Show Unix timestamps
# No comments in signature
# No version in output
# Disable banner
# Long hexidecimal key format
keyid-format 0xlong
# Display UID validity
list-options show-uid-validity
verify-options show-uid-validity
# Display all keys and their fingerprints
# Display key origins and updates
# Cross-certify subkeys are present and valid
# Disable caching of passphrase for symmetrical ops
# Enable smartcard
# Disable recipient key ID in messages
# Default/trusted key ID to use (helpful with throw-keyids)
#default-key 0xFF3E7D88647EBCDB
#trusted-key 0xFF3E7D88647EBCDB
# Group recipient keys (preferred ID last)
#group keygroup = 0xFF00000000000001 0xFF00000000000002 0xFF3E7D88647EBCDB
# Keyserver URL
#keyserver hkps://
#keyserver hkps://
#keyserver hkps://
#keyserver hkps://
# Proxy to use for keyservers
#keyserver-options http-proxy=
#keyserver-options http-proxy=socks5-hostname://
# Verbose output
# Show expired subkeys
#list-options show-unusable-subkeys

Download gpg.conf

See Import GPG Master Public Key for importing your public key and assigning ultimate trust for use.

Verify SSH Works

Ensure Yubikey is readable by GPG. This assumes you already setup:

  1. ~/.ssh/authorized_keys on the target machine with your exported GPG SSH RSA Public Key; see Export GPG Keys. Reference SSH for remote SSH configuration.

  2. Trusted the GPG Master Public Key on the local machine; see Import GPG Master Public Key.

  1. Connect with SSH as normal.

  2. A Pin Entry pop-up window should appear. It may not be in focus. Enter your user PIN.

  3. OK

  4. There will be no prompt in putty, but the Yubikey will start blinking. Tap Your Key to login.


  • Number is the Yubikey serial number.

  • Holder is the First/Last name of the GPG certificate on the key.

  • Your key will blink when waiting for password or touch.