The Common YubiKey Frustration: "Why Can't I Sign?"
You've done everything right: created a master key, generated subkeys, moved them to your YubiKey, and set up your PINs. You're feeling secure and prepared. But then, when you try to use your YubiKey on a new computer, you get this frustrating error:
gpg: signing failed: No public key
Wait, what? Your secret keys are on the YubiKey. You can see them when you run gpg --card-status. So why can't you sign?
Image: A person looking confused at their computer with a YubiKey inserted, with a large "Error: No public key" message on screen. The YubiKey should be glowing to indicate it's connected.
The Missing Piece: Understanding the Public Key Requirement
The issue lies in a crucial but rarely explained aspect of how GPG works with hardware tokens. Even though your YubiKey contains your private subkeys, your computer's GPG keyring still needs your public key.
Warning
Real User Confusion
This confusion is very common. Consider this conversation with a user who had followed all the recommended steps:
"I carefully moved my 3 subkeys to the yubikey. But I'm missing something else? I did follow a guide and derived them from my master key but no one told me that I needed to also add the public key onto the yubi or set a URL to my public key keyserver..."
Tip
The Public-Private Key Relationship
Think of it this way: Your YubiKey contains your private keys that perform cryptographic operations, but GPG needs your public key in its keyring to:
- Associate your private keys with your identity (email addresses)
- Verify signatures made by your private key
- Know which encryption key should be used when someone wants to encrypt to you
- Store metadata about your keys, including preferences and trust settings
Verifying the Missing Public Key
You can confirm this is your issue by checking whether your public key is present in your GPG keyring. You can also check your YubiKey status with gpg --card-status to see the key information it holds.
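As an added illustration (not code from the original article), the following shell script turns the check above into a per-slot diagnosis of the inserted YubiKey. It assumes GnuPG 2.x with the card visible to gpg --card-status --with-colons; the sample card-status text inside it is constructed to mirror that machine-readable format, and the function names card_fingerprints, state_from_flags, keyring_state and diagnose_card are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): tell apart the three states
# a fresh machine can be in for each key slot on the YubiKey. Assumes gpg 2.x
# and a card visible to scdaemon; no card is needed to run the pure helpers.
set -u

# Constructed sample of `gpg --card-status --with-colons` output, reduced to
# the records used here (real output carries more records).
SAMPLE_CARD_STATUS='reader:Yubico YubiKey OTP FIDO CCID 00 00:
serial:12345678:
fpr:0123456789ABCDEF0123456789ABCDEF01234567:89ABCDEF0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210FEDCBA98:
'

# The "fpr" record carries the signature, encryption and authentication key
# fingerprints in fields 2-4; print the non-empty ones, one per line.
card_fingerprints() {
    awk -F: '$1 == "fpr" { for (i = 2; i <= 4; i++) if ($i != "") print $i }'
}

# Pure decision logic; has_pub and has_sec are "1" or "0".
#   missing-public : no public key in the keyring -> import it (the step
#                    this article is about)
#   missing-stub   : public key present, but gpg has not yet linked it to
#                    the card -> run `gpg --card-status` once
#   ready          : signing and decryption will work
state_from_flags() {
    if [ "$1" != 1 ]; then echo missing-public
    elif [ "$2" != 1 ]; then echo missing-stub
    else echo ready; fi
}

# Query the local keyring for one fingerprint and classify it. gpg accepts a
# subkey fingerprint as a key specifier and exits non-zero when nothing matches.
keyring_state() {
    has_pub=0; has_sec=0
    gpg --batch --with-colons --list-keys "$1" >/dev/null 2>&1 && has_pub=1
    gpg --batch --with-colons --list-secret-keys "$1" >/dev/null 2>&1 && has_sec=1
    state_from_flags "$has_pub" "$has_sec"
}

# Run against the real card: one line per key slot, state first.
diagnose_card() {
    gpg --batch --card-status --with-colons | card_fingerprints | while read -r fpr; do
        echo "$(keyring_state "$fpr")  $fpr"
    done
}

# Set RUN_CARD_CHECK=1 to query the inserted YubiKey; otherwise only the
# helpers are defined so the file can be sourced from another script.
if [ "${RUN_CARD_CHECK:-0}" = 1 ]; then diagnose_card; fi
```

The distinction matters because the fix differs: missing-public means you must import your public key, while missing-stub means the public key is already there and a single run of gpg --card-status is enough to write the ssb> stubs that point gpg at the card. In the human-readable gpg --card-status output the same information appears in the "General key info" line, which reads [none] while the public key is missing from the keyring.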
Image: A diagram showing the relationship between a YubiKey containing private subkeys and a GPG keyring containing public keys.
The Complete YubiKey Workflow
Let's clarify the complete recommended workflow for using a YubiKey with GPG:
Complete YubiKey Setup Workflow
Initial Setup (Airgapped Machine)
- Create master key and subkeys on an airgapped machine
- Back up the master key and subkeys to secure storage
- Move the subkeys to the YubiKey
- Configure PINs on the YubiKey
- Export your public key (This is the critical step many miss!)
- Securely delete the private master key from the computer (keeping only your backup)
Using YubiKey on a New Computer
- Insert your YubiKey
- Import your public key to the GPG keyring
- Use GPG with your YubiKey for signing, encryption, and authentication
Warning
Common Misconception
Many users assume that since they've moved their keys to the YubiKey, they should be able to just plug it in anywhere and start using it immediately. Unfortunately, GPG still requires the corresponding public key in your keyring on each computer.
Image: A flowchart showing the complete YubiKey workflow from setup to usage.
Common Questions About YubiKey Public Key Management
Q: "But wait, I thought the YubiKey would be all I needed!"
"Now a user needs three USB sticks: one to unlock his machine (YubiKey biometric for instance), one to carry around his public key, and one with the three subkeys. Isn't that crazy complicated and impractical, preventing safe easy security behaviors? The more friction we add, the less people might use and practice good security."
This is a valid concern. The current GPG+YubiKey workflow is more complex than it needs to be. In an ideal world, you'd simply:
Ideal User Experience
- Buy a YubiKey
- Set it up once
- Plug it in anywhere and start using it
Current Reality
- Generate master key on air-gapped machine
- Generate subkeys
- Transfer subkeys to YubiKey
- Export public key
- Manage public key separately
- Import public key on each new machine
The good news is there are several practical solutions to simplify this process, which we'll cover below.
Q: "If I upload my public key to a keyserver, do I still need to manage it separately?"
If you upload your public key to a keyserver, your workflow can become simpler:
Simplified Workflow with Keyservers
- Insert your YubiKey on a new computer
- Run gpg --card-status to let GPG detect your YubiKey
- Run gpg --recv-keys YOUR_KEY_ID to download your public key from a keyserver
- Use your YubiKey for signing, encryption, and authentication
Some security-focused applications can even automate this process, making it nearly transparent.
Keyserver Caveats
- Keyservers may be temporarily unavailable
- You need internet access to fetch the key
- There are privacy implications to fetching your key from a public server
- Not all applications automatically check keyservers
Solutions for Managing Your Public Key
Let's look at practical solutions for managing your public key across devices:
1. Public Keyservers
One of the most convenient options is to upload your public key to a keyserver.
Pros: Convenient, widely accessible, some applications may automatically fetch your key
Cons: Requires internet access, may have privacy implications, keyservers can sometimes be unreliable
2. Carry Your Public Key
You can export your public key and keep a copy with you, for example on a USB drive.
Pros: Works offline, you control distribution of your key
Cons: Requires managing another file, potential to lose it
3. Store in Password Manager
A modern approach is to store your public key as an attachment in your password manager.
Pros: Always available, securely stored, accessible on all your devices
Cons: Requires a password manager with file attachment capabilities
4. Store URL on YubiKey
Your YubiKey's OpenPGP application has a URL field specifically for pointing to where your public key can be found.
Pros: The URL travels with your YubiKey, helps others find your public key
Cons: Manual step still required to fetch the key, requires internet access
Image: Various methods for transporting public keys - keyserver, USB drive, password manager, cloud storage.
Additional YubiKey Public Key Techniques
Q: "Can I store my public key directly on my YubiKey?"
Yes, there are several advanced methods to store your public key on or with your YubiKey:
Option 1: Certificate Storage
YubiKeys have additional certificate storage in their PIV application, which can hold a copy of your public key.
Option 2: YubiKey USB Mass Storage
Some YubiKey models support USB mass storage mode, allowing you to store your public key file directly on the device.
Warning
Privacy and Personal Information
Some users are concerned about adding personal information, such as their real name, to the YubiKey's metadata. The name and email in the YubiKey's internal metadata are completely optional and separate from your cryptographic identity. They are just a label on the physical device that helps you tell your YubiKeys apart if you have several.
Automating Public Key Management with Secure Mail Client
Secure Mail Client helps streamline this process with several features designed specifically for YubiKey users:
Secure Mail Client YubiKey Intelligence
Automatic Key Retrieval
- Detects when a YubiKey is inserted without a matching public key
- Checks the URL field on the YubiKey for the public key location
- Offers to fetch the public key automatically
Public Key Storage
- Built-in encrypted storage for your public keys
- Synchronizes keys across your devices (optional)
- One-click import to the local GPG keyring
Troubleshooting Key Issues
If you're still having trouble with your YubiKey and public key management, here are some common issues and solutions:
Issue | Solution
---|---
GPG doesn't recognize YubiKey | Run gpg --card-status to force GPG to detect the YubiKey
"No default secret key" error | Import your public key to the GPG keyring
Can't remember your key ID | Run gpg --card-status and look for the key fingerprints
Lost your public key | Try to retrieve it from a keyserver using your key ID or fingerprint
YubiKey works on one computer but not another | Ensure your public key is imported on all computers where you use the YubiKey
Best Practices for YubiKey Public Key Management
Always Export Before Removing Master Key
Before you securely delete your master private key from a computer, always export both the public and private keys. Store the private master key securely offline, and keep multiple copies of your public key.
Use Multiple Distribution Methods
Don't rely on just one method for public key distribution. Upload to keyservers, keep a copy in your password manager, and set the URL field on your YubiKey.
Create a YubiKey Setup Kit
Prepare a "YubiKey setup kit" with your public key, basic instructions, and maybe a simple script to automate the import process when setting up a new machine.
Document Your Workflow
Create personal documentation of your specific workflow, including key IDs, storage locations, and procedures. This will be invaluable if you need to recover or if you haven't used your YubiKey for some time.
Tip
Power User Tip: Automatic Import Script
Create a small script that detects your YubiKey, fetches your public key from your preferred location, and imports it automatically. You can run this script whenever you set up a new machine.
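Here is one way to write that script, added as an example that is neither the article's nor Secure Mail Client's code. It also serves the keyserver workflow and the "Store URL on YubiKey" option described earlier: it reads the inserted YubiKey, picks the first public-key source that is available (the URL field on the card, a file from your setup kit, or a keyserver lookup by the card's fingerprint), imports the key, creates the card stubs, and verifies that the imported key really contains the subkey on the card. It assumes GnuPG 2.x and curl; KEYSERVER and LOCAL_PUBKEY are hypothetical defaults to replace with your own, the sample card-status text is constructed, and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not the article's or Secure Mail Client's code): import the
# public key for the inserted YubiKey from the first source that works.
# Assumes gpg 2.x and curl. KEYSERVER and LOCAL_PUBKEY are hypothetical defaults.
set -u

KEYSERVER="${KEYSERVER:-hkps://keys.openpgp.org}"
LOCAL_PUBKEY="${LOCAL_PUBKEY:-${HOME:-.}/yubikey-kit/pubkey.asc}"

# Constructed sample of `gpg --card-status --with-colons` output for a card
# with the URL field set. gpg escapes ':' inside field values as '\x3a'.
SAMPLE_CARD_STATUS='reader:Yubico YubiKey OTP FIDO CCID 00 00:
serial:12345678:
url:https\x3a//example.invalid/alice-pubkey.asc:
fpr:0123456789ABCDEF0123456789ABCDEF01234567:89ABCDEF0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210FEDCBA98:
'

# Field 2 of the "url" record is the URL field (unescape '\x3a' back to ':');
# field 2 of the "fpr" record is the signature-key fingerprint.
card_url()         { awk -F: '$1 == "url" { gsub(/\\x3a/, ":", $2); print $2; exit }'; }
card_signing_fpr() { awk -F: '$1 == "fpr" { print $2; exit }'; }

# Pure policy: prefer the URL that travels with the key, then a local copy,
# then a keyserver (the only source that needs just the fingerprint).
# Prints "url <u>", "file <path>", "keyserver <fpr>" or "none".
choose_source() {
    url="$1"; file="$2"; fpr="$3"
    if [ -n "$url" ]; then echo "url $url"
    elif [ -f "$file" ]; then echo "file $file"
    elif [ -n "$fpr" ]; then echo "keyserver $fpr"
    else echo none; fi
}

import_from_source() {
    case "$1" in
        url)       curl -fsSL "$2" | gpg --batch --import ;;
        file)      gpg --batch --import "$2" ;;
        keyserver) gpg --batch --keyserver "$KEYSERVER" --recv-keys "$2" ;;
        *)         echo "no public key source available" >&2; return 1 ;;
    esac
}

# Primary-key fingerprint of the key that owns the given subkey fingerprint
# (field 10 of the first "fpr" record in a --with-colons key listing).
primary_fingerprint_of() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null | awk -F: '$1 == "fpr" { print $10; exit }'
}

main() {
    status="$(gpg --batch --card-status --with-colons)" || { echo "no YubiKey detected" >&2; return 1; }
    url="$(printf '%s\n' "$status" | card_url)"
    fpr="$(printf '%s\n' "$status" | card_signing_fpr)"
    set -- $(choose_source "$url" "$LOCAL_PUBKEY" "$fpr")
    import_from_source "$1" "${2:-}" || return 1

    # The import only helps if the key that arrived is the one on the card:
    # a URL or keyserver could have served something else.
    primary="$(primary_fingerprint_of "$fpr")"
    [ -n "$primary" ] || { echo "imported key does not contain card subkey $fpr" >&2; return 1; }

    gpg --batch --card-status >/dev/null                           # write the ssb> stubs that point at the card
    printf '%s:6:\n' "$primary" | gpg --batch --import-ownertrust   # your own key: ultimate ownertrust
    echo "ready: primary key $primary, signing subkey $fpr on card"
}

# Set RUN_IMPORT=1 to act on the inserted YubiKey; otherwise only the helpers
# are defined so the file can be sourced.
if [ "${RUN_IMPORT:-0}" = 1 ]; then main; fi
```

The file in your setup kit is produced on the airgapped machine with gpg --armor --export YOUR_KEY_ID > pubkey.asc, and the URL field is written with gpg --card-edit (enter admin, then url). If you prefer not to run curl, gpg --card-edit also has a fetch command that downloads and imports the key from that URL. The fingerprint check at the end is what makes the automatic fetch safe to rely on: it only succeeds if the key that landed in the keyring contains the very subkey the card holds.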
Image: A YubiKey setup kit with a USB drive, printed instructions, and backup codes.
Conclusion: Bridging the Gap
Understanding the relationship between the private keys on your YubiKey and the public key in your GPG keyring is essential for a smooth experience. While it may seem like an extra step to manage your public key, it provides important flexibility in how you use your keys.
With these techniques and best practices, you'll be able to use your YubiKey seamlessly across multiple computers without the frustration of missing public keys. And remember, Secure Mail Client helps automate many of these steps to make the process even easier.
Next Steps
- Export your public key and store it in multiple safe locations
- Upload your public key to a keyserver
- Set the URL field on your YubiKey
- Create a simple script for automating public key import
- Learn about Master Keys and Subkeys to understand the structure of your OpenPGP keys