Based on the following guides:
- https://worklifenotes.com/2019/07/05/yubikey-for-ssh-on-windows-complete-walkthrough/
- https://scatteredcode.net/signing-git-commits-using-yubikey-on-windows/
- https://bhavik.io/2019/02/02/yubikey-git-ssh.html
- Open Powershell
- Set up new PINs:
- Tip: the PINs doesn't have to be numeric-only
gpg --expert --edit-card > admin > factory-reset # optional step > passwd # choose 1 to change PIN # default PIN is 123456 # choose 3 to change Admin PIN # default PIN is 12345678 > q > forcesig > quit
- Add identification data
gpg --expert --edit-card > admin > name # type your last names # and then your first names > lang # type your preference language (e.g., en)
- Check keys:
gpg --expert --card-status
- Go to Tools > Manage smartcard
- Click on Generate new keys (I recommend creating a RSA 4096 key)
- In Kleopatra, click on Settings > Configure Kleopara
- Select GnuPG System
- Go to the tab Private Keys
- Check Enable ssh support and Enable putty support
- Click on Apply settings
- Run this command to add Github to the list of known hosts and avoid a freezing issue using git:
plink -agent -v [email protected]
- If this command fails with an
FATAL ERROR: No supported authentication methods available (server sent: publickey)
error, try restarting the GPG Agent
- If this command fails with an
- Verify that the key is set up correctly:
gpg --list-secret-keys --keyid-format LONG
- Look for something like
sec > rsa4096/683AB68D867FEB5C
. - The key is the string after rsa4060/
- Look for something like
- Point Git to globally use GnuPG:
git config --global gpg.program "c:\Program Files\GnuPG\bin\gpg.exe" git config --global commit.gpgsign true git config --global user.signingkey KEY_FROM_THE_PREVIOUS_STEP git config --global core.sshcommand "plink -agent"
- If you haven't set up your Git user data, do it now:
git config --global user.email [email protected] git config --global user.name "Your Full Name Here"
- Generate a public SSH key:
gpg --export-ssh-key [email protected] > id_rsa.pub
- Add the public key into your Github account
- Open Kleopatra, double-click on your click, click Export...
- Make sure you are exporting the public key. It should start with "-----BEGING PBP PUBLIC KEY BLOCK-----"
- Copy the key
- Go into Github
- Click on your profile image
- Click on Settings
- On the sidebar, click on SSH and GPG Keys
- Click on New GPG Key
- Paste the key
- Instead of using the
ssh
command on Powershell, you have to use theplink
command:plink username@server
- On Kleopatra main screen, select your certificates
- Go to File > Export...
- Select a place to store your OpenPGP certificates
- On Kleopatra main screen, go to File > Import...
- Select your OpenPGP certificates files
- On Powershell, list the existing keys:
gpg --list-secret-keys --keyid-format LONG
- If no key show up, try restarting the GPG Agent
- To edit a key:
gpg --edit-key KEYID
- To set trust level to ultimate:
trust
5 # to trust completely (ultimate)
y # to confirm your decision
save
- If you have issues connecting to your smartkey, try restarting the GPG Agent:
gpg-connect-agent killagent /bye
gpg-connect-agent /bye
Now you're all set. When using git or ssh, it should get the private key from your Yubikey and ask for its PIN number.
Enjoy :)
Thank you very much. I almost searched half the internet for a sufficient guide.