Thursday, April 8, 2021

Yubikey PGP on Windows 10

Yubico has a write-up describing how to configure GPG4Win to use a Yubikey for PGP and even SSH authentication on Windows 10. However, I ran into two issues, so I'm sharing my steps and solution here.

Issue 1 - No such device

C:\>gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

Running the card-status command, I only got "No such device" errors. A suggestion I found was to put the line "reader-port Yubico YubiKey" in scdaemon.conf, but that didn't fix the issue.

Enabling logging and debugging

The scdaemon manual lists some helpful options, which I used to construct the following scdaemon.conf:
verbose
debug-level 4
log-file C:\scdaemon.log

Restarted the gpg-agent, connected the Yubikey and ran the card-status command again.

Along with other log lines, the log file now contained these lines:
2021-04-08 18:36:05 scdaemon[6108] detected reader 'Microsoft Virtual Smart Card 0'
2021-04-08 18:36:05 scdaemon[6108] detected reader 'Yubico YubiKey OTP+FIDO+CCID 0'

That second reader name looks like exactly what the reader-port option expects, so I gave it a shot in scdaemon.conf:
reader-port Yubico YubiKey OTP+FIDO+CCID 0

Restarted the gpg-agent, connected the Yubikey and ran the card-status command again.

Hooray! The "card" reported present.
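As an added example (not from the original post, and not code from Yubico or GnuPG), here is a small Python helper that automates the manual steps above: it pulls the "detected reader" names out of an scdaemon.log written with debug-level 4, picks the YubiKey reader and rewrites the reader-port line in scdaemon.conf. The log and conf text are constructed inline; the reader names are the two from the log above.

```python
import re

# Constructed sample of an scdaemon.log produced with "debug-level 4".
# The two reader lines match the ones quoted in the post; the first line
# is filler standing in for the other log output and is not real scdaemon text.
SAMPLE_LOG = """\
2021-04-08 18:36:04 scdaemon[6108] (constructed filler line, not a real scdaemon message)
2021-04-08 18:36:05 scdaemon[6108] detected reader 'Microsoft Virtual Smart Card 0'
2021-04-08 18:36:05 scdaemon[6108] detected reader 'Yubico YubiKey OTP+FIDO+CCID 0'
"""

READER_RE = re.compile(r"detected reader '([^']+)'")


def detected_readers(log_text):
    """Return the reader names scdaemon logged, in order, without duplicates."""
    seen = []
    for line in log_text.splitlines():
        m = READER_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def pick_yubikey(readers):
    """Return the single reader whose name identifies a YubiKey, or None.

    Skips other readers such as 'Microsoft Virtual Smart Card', which is the
    one scdaemon picked by default and which caused the 'No such device' error.
    """
    matches = [r for r in readers if "yubi" in r.lower()]
    return matches[0] if len(matches) == 1 else None


def reader_port_line(readers):
    """Build the exact scdaemon.conf directive for the detected YubiKey reader."""
    reader = pick_yubikey(readers)
    if reader is None:
        raise LookupError("expected exactly one YubiKey reader in %r" % (readers,))
    return "reader-port " + reader


def update_scdaemon_conf(conf_text, readers):
    """Return conf_text with any old reader-port line replaced by the YubiKey one.

    All other options (verbose, debug-level, log-file, ...) are left untouched;
    the new directive is appended if no reader-port line was present.
    """
    kept = [l for l in conf_text.splitlines() if not l.strip().startswith("reader-port")]
    kept.append(reader_port_line(readers))
    return "\n".join(kept) + "\n"
```

Feed it the real log-file path from scdaemon.conf and write the result back to scdaemon.conf, then restart gpg-agent as in the steps above.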

Issue 2 - PuTTY won't use GPG-agent

My second issue: somehow PuTTY wouldn't use the keys present in the gpg-agent. This was finally solved with new information available on Yubico's blog.

I've updated my gpg-agent.conf as described, and now PuTTY is able to use my Yubikey:
enable-putty-support
enable-ssh-support
use-standard-socket
default-cache-ttl 600
max-cache-ttl 7200