Published on

Moving to new Yubikeys

  • avatar

My old Yubikey 5Ci was cracked. So I ordered a new Yubikey 5C NFC. Yubico sent me a wrong key Yubikey 5 NFC and the correct one later.

Now I have 3 keys in total.


Generate a recovation certicate

Revoke the key

$ gpg --import new-3AF9BF2B-pgp-revocation.asc

gpg: key E761498A3AF9BF2B: "HackingGate <[email protected]>" revocation certificate imported
gpg: Total number processed: 1
gpg:    new key revocations: 1
gpg: no ultimately trusted keys found

Send key to keyserver

$ gpg --send-key E761498A3AF9BF2B

gpg: sending key E761498A3AF9BF2B to hkps://

Check if the key was revoked

% gpg --search-keys "E761498A3AF9BF2B"

gpg: data source:
(1)	  4096 bit RSA key E761498A3AF9BF2B, created: 2020-05-10 (revoked)
Keys 1-1 of 1 for "E761498A3AF9BF2B".  Enter number(s), N)ext, or Q)uit > 

Generate a new PGP

Follow the tutorial

Generating Keys externally from the YubiKey (Recommended)

Reimport the key

gpg --import EFB4B737-private.asc

Repeat the tutorial and import it to the second Yubikey.

Switching between two or more Yubikeys.

gpg-connect-agent "scd serialno" "learn --force" /bye

Send key ot keyserver

gpg --send-key E83E59A8EFB4B737

Export public key

gpg --output public.asc --armor --export
cat public.asc | pbcopy

Require touch

ykman openpgp keys set-touch aut on
ykman openpgp keys set-touch sig on
ykman openpgp keys set-touch enc on

Change info

gpg/card> admin
gpg/card> passwd
gpg/card> name
gpg/card> lang
gpg/card> login
gpg/card> url
gpg/card> list


When you touch Yubikey. It inputs a OTP code look like this: cccccbcbfbdkghkvhtlcunbibljiuelhhllirikbtjfi.

To diable it

ykman config usb --disable OTP
ykman config nfc --disable OTP

Check if the interfaces are disabled.

ykman info
View on GitHubThis article is licensed under a CC BY-SA 4.0 license.