LinuxCommandLibrary

ykman-openpgp

Manage OpenPGP keys on YubiKey

TLDR

Display general information about the OpenPGP application

$ ykman openpgp info

Set the number of retry attempts for the User PIN, Reset Code, and Admin PIN, respectively
$ ykman openpgp access set-retries [3] [3] [3]

Change the User PIN, Reset Code or Admin PIN
$ ykman openpgp access change-[pin|reset-code|admin-pin]

Factory reset the OpenPGP application (you have to do this after exceeding the number of Admin PIN retry attempts)
$ ykman openpgp reset

SYNOPSIS

ykman openpgp [OPTIONS] COMMAND [ARGS...]

PARAMETERS

attest <KEY_SLOT>
    Generates an attestation certificate for a key in a specific slot (e.g., signature, encryption, authentication).

change-pin
    Changes the user PIN for the OpenPGP application.

change-rc
    Changes the reset code for the OpenPGP application. The reset code is a separate secret from the Admin PIN (the TLDR lists User PIN, Reset Code and Admin PIN as three distinct values).

delete-key <KEY_SLOT>
    Deletes a key from a specified key slot.

disable-button
    Disables the button touch requirement for signature operations. Use with caution.

info
    Displays general status information about the OpenPGP application on the YubiKey, including firmware version, PIN status, and key attributes.

keys [COMMAND]
    A subcommand for managing the OpenPGP keys themselves. It includes:
        import <SLOT> <FILE>: Imports a private key into a slot from a file.
        export <SLOT> <FILE>: Exports a public key from a slot to a file.
        list: Lists keys on the device.
        delete <SLOT>: Deletes a key from a specific slot.
        set-touch <SLOT> <POLICY>: Sets the touch policy for a specific key slot (e.g., off, on, fixed, cached).

reset
    Resets the entire OpenPGP application to factory defaults. Warning: This operation is destructive and irreversible, erasing all keys and settings.

set-consent <TYPE> <POLICY>
    Sets the consent for attestation (e.g., attestation on or off).

set-touch <KEY_SLOT> <POLICY>
    Sets touch policy for a key slot (e.g., signature on). Note: For specific key slots, keys set-touch is often preferred in newer versions.

set-url <URL>
    Sets the URL where the public key can be found, often used for key discovery.

unblock-pin
    Unblocks the user PIN using the reset code or the Admin PIN.

DESCRIPTION

The ykman-openpgp command is a subcommand of ykman, the YubiKey Manager tool, specifically designed to interact with and manage the OpenPGP application present on a YubiKey. It allows users to perform various cryptographic operations and administrative tasks related to PGP keys stored on the hardware security module.

This includes managing private keys (importing, deleting), setting touch policies for operations, changing PINs, unblocking PINs, generating attestations, and resetting the entire OpenPGP application. It provides a command-line interface to secure key management, ensuring that sensitive cryptographic material remains protected by the YubiKey's hardware security features. This tool is essential for users who rely on YubiKeys for PGP-based authentication, encryption, and digital signing.

CAVEATS

ykman-openpgp requires the ykman tool to be installed and a YubiKey device to be connected.
Operations like reset are destructive and irreversible; ensure backups are made if needed.
Losing PINs or the reset code can lead to keys becoming inaccessible.
Touch policies affect security and user experience; understand their implications before changing.
This tool primarily manages private keys on the YubiKey; public key management and broader OpenPGP operations are typically handled by tools like gpg.

KEY SLOTS

The OpenPGP application on a YubiKey typically has three dedicated key slots: signature, encryption, and authentication. These slots are used for different purposes in PGP and can store distinct private keys.

TOUCH POLICY

This setting determines if a physical touch of the YubiKey button is required for certain sensitive operations (e.g., signing or decrypting). Common policies include off (no touch required), on (touch always required), fixed (always on, cannot be changed), and cached (touch required once per session).
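An added example, not part of this page or of ykman itself: a small POSIX shell audit that reads `ykman openpgp info` output and flags PINs that are one failure away from being blocked, an unavailable reset code, and key slots whose touch policy is off. The sample text is constructed to resemble the command's output; the exact labels and spacing are an assumption to compare against your own ykman version.

```shell
#!/bin/sh
# Constructed sample in the shape of `ykman openpgp info` output (assumption:
# labels and spacing are from memory and may differ between ykman versions;
# compare with a real `ykman openpgp info` run and adjust the patterns).
SAMPLE_INFO='OpenPGP version: 3.4
Application version: 5.4.3
PIN tries remaining: 3
Reset code tries remaining: 0
Admin PIN tries remaining: 1
Touch policies
Signature key           Off
Encryption key          Off
Authentication key      Cached'

# audit_openpgp_info: reads info output on stdin and prints one WARN line for
# each state worth fixing before the next failed PIN entry or signing request:
#   - Admin PIN or User PIN with at most one try left (a blocked Admin PIN
#     can only be recovered with a destructive `ykman openpgp reset`)
#   - reset code with no tries left (blocked or never set)
#   - signature/encryption/authentication slot with touch policy Off
# Returns 0 when nothing was flagged, 1 otherwise.
audit_openpgp_info() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            "Admin PIN tries remaining: "*)
                n=${line##*: }
                if [ "$n" -le 1 ]; then
                    echo "WARN: Admin PIN has $n tries left; blocking it forces a factory reset"
                    findings=$((findings + 1))
                fi ;;
            "PIN tries remaining: "*)
                n=${line##*: }
                if [ "$n" -le 1 ]; then
                    echo "WARN: User PIN has $n tries left; keep the Admin PIN or reset code at hand"
                    findings=$((findings + 1))
                fi ;;
            "Reset code tries remaining: 0")
                echo "WARN: reset code unavailable (blocked or never set); only the Admin PIN can unblock the User PIN"
                findings=$((findings + 1)) ;;
            "Signature key"*Off | "Encryption key"*Off | "Authentication key"*Off)
                echo "WARN: touch policy Off for the ${line%% *} key; see 'ykman openpgp keys set-touch'"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Audit the constructed sample; for a real device pipe the live output instead:
#   ykman openpgp info | audit_openpgp_info
printf '%s\n' "$SAMPLE_INFO" | audit_openpgp_info || echo "Review the findings above before relying on this key."
```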

HISTORY

The ykman tool, including its openpgp subcommand, was developed by Yubico to provide a cross-platform, command-line interface for managing YubiKey devices. As YubiKeys evolved to support various applications, including OpenPGP (which became a standard feature on many models), a dedicated tool was needed beyond simple smart card utilities. ykman-openpgp provides a more user-friendly and YubiKey-specific way to interact with the OpenPGP application, complementing the more general gpg command-line tools, which primarily interact with the OpenPGP application via the smart card interface. Its development reflects the growing need for robust hardware-backed security for PGP keys.

SEE ALSO

ykman(1), gpg(1), gpg-agent(1)
