Yubikey keytocard: "Bad secret key"
Farhan Khan
farhan at farhan.codes
Sun Feb 17 08:20:30 CET 2019
Hi all,
I am trying to import my existing PGP key to my Yubikey and I keep getting:
gpg: KEYTOCARD failed: Bad secret key
even after I reset the PIN or set a custom value. I am following the instructions here (https://support.yubico.com/support/solutions/articles/15000006421-resetting-the-openpgp-applet-on-your-yubikey) to reset the device, but am told the PIN is wrong. This happens both when I set a custom PIN and when I do not. Am I doing something wrong? Below is an output of what I did to reset the PIN, expecting it to be "1234578".
Please advise.
---------------
$ gpg --card-status
Reader ...........: 1050:0407:X:0
Application ID ...: D2760001240102010006047082720000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: XXXXXXXX
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
$ gpg-connect-agent --hex
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 83 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 83 i.
OK
> scd apdu 00 e6 00 00
D[0000] 90 00 ..
OK
> scd apdu 00 44 00 00
D[0000] 90 00 ..
OK
>
---------------
From here I killed the running gpg-agent process, removed the device, re-inserted it, and opened a new terminal. I do not have gpg-connect-agent running.
---------------
$ gpg --card-status
Reader ...........: 1050:0407:X:0
Application ID ...: D2760001240102010006047082720000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: XXXXXXXX
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
$ gpg --list-keys test at test.com
pub rsa1024 2019-02-16 [SC]
B8F72ED15BF85867CDFD7C80A08B3F30A45C3E82
uid [ultimate] test test (Test Comment) <test at test.com>
sub rsa1024 2019-02-16 [E]
$ gpg --edit-key B8F72ED15BF85867CDFD7C80A08B3F30A45C3E82
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa1024/A08B3F30A45C3E82
created: 2019-02-16 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa1024/4D997E0AE0CEC20C
created: 2019-02-16 expires: never usage: E
[ultimate] (1). test test (Test Comment) <test at test.com>
gpg> toggle
sec rsa1024/A08B3F30A45C3E82
created: 2019-02-16 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa1024/4D997E0AE0CEC20C
created: 2019-02-16 expires: never usage: E
[ultimate] (1). test test (Test Comment) <test at test.com>
gpg> 1
sec rsa1024/A08B3F30A45C3E82
created: 2019-02-16 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa1024/4D997E0AE0CEC20C
created: 2019-02-16 expires: never usage: E
[ultimate] (1)* test test (Test Comment) <test at test.com>
gpg> keytocard
Really move the primary key? (y/N) y
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1
gpg: KEYTOCARD failed: Bad secret key
---------------
I am prompted to enter the PGP password, which seems to work, but when I enter the admin key of "12345678" I get this error. Any ideas where the problem may lie?
Thanks!
---
Farhan Khan
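As an added example (not part of the original post, and not code from GnuPG or Yubico), the gpg-connect-agent --hex transcript pasted above can be decoded mechanically. The reset procedure works by deliberately exhausting the retry counters: each VERIFY with a wrong value answers 69 82 (security status not satisfied) until the counter hits zero and the card answers 69 83 (authentication method blocked), first for PW1 (P2 = 81) and then for PW3 (P2 = 83); TERMINATE DF (INS E6) and ACTIVATE FILE (INS 44) then answer 90 00. The script below parses those two line shapes, names each exchange, and checks that the sequence really is the documented reset. The status-word and P2 meanings come from ISO 7816-4 and the OpenPGP card specification; the function names are my own, and the embedded transcript is copied from the post with the bare "OK" acknowledgement lines dropped, since they carry no data.

```python
"""Decode a gpg-connect-agent 'scd apdu' transcript of an OpenPGP-card reset.

Added example (not from the original post or from GnuPG/Yubico). Parses:
    > scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
    D[0000] 69 82 i.
and checks for the documented reset: block PW1, block PW3, TERMINATE DF, ACTIVATE FILE.
"""
import re

# ISO 7816-4 status words seen while resetting the OpenPGP applet.
STATUS_WORDS = {
    0x9000: "OK",
    0x6982: "security status not satisfied (wrong PIN, retries remain)",
    0x6983: "authentication method blocked (retry counter exhausted)",
}
# OpenPGP-card instruction bytes used by the reset procedure.
INSTRUCTIONS = {0x20: "VERIFY", 0xE6: "TERMINATE DF", 0x44: "ACTIVATE FILE"}
# P2 of VERIFY selects the password object being checked (OpenPGP card spec).
PW_OBJECTS = {0x81: "PW1 (signing)", 0x82: "PW1 (other commands)", 0x83: "PW3 (admin)"}

CMD_RE = re.compile(r"^>\s*scd\s+apdu\s+((?:[0-9A-Fa-f]{2}\s*)+)$")
# Hex bytes come first; the trailing ASCII dump ("i.", "..") is assumed not to
# look like hex pairs, so the capture stops at it.
RESP_RE = re.compile(r"^D\[[0-9A-Fa-f]+\]\s+((?:[0-9A-Fa-f]{2}(?:\s|$))+)")


def parse_transcript(text):
    """Pair every '> scd apdu' command with the 'D[...]' response that follows it."""
    events, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        cmd = CMD_RE.match(line)
        if cmd:
            pending = bytes.fromhex(cmd.group(1))
            continue
        resp = RESP_RE.match(line)
        if resp and pending is not None:
            events.append((pending, bytes.fromhex(resp.group(1))))
            pending = None
    return events


def status_word(resp):
    """SW1 SW2 are always the last two response bytes."""
    return int.from_bytes(resp[-2:], "big")


def describe(apdu, resp):
    """Human-readable (command, status word, meaning) for one exchange."""
    ins, p2 = apdu[1], apdu[3]
    name = INSTRUCTIONS.get(ins, "INS %02X" % ins)
    if ins == 0x20:  # VERIFY: report which PIN object and how long the attempt was
        pin_len = apdu[4] if len(apdu) > 4 else 0
        name += " %s, %d-byte PIN" % (PW_OBJECTS.get(p2, "P2=%02X" % p2), pin_len)
    sw = status_word(resp)
    return name, sw, STATUS_WORDS.get(sw, "unrecognised status word")


def check_reset_sequence(events):
    """Return (ok, reason): PW1 and PW3 must be blocked before TERMINATE DF,
    and TERMINATE DF must succeed before ACTIVATE FILE."""
    blocked, terminated, activated = set(), False, False
    for apdu, resp in events:
        ins, p2, sw = apdu[1], apdu[3], status_word(resp)
        if ins == 0x20 and sw == 0x6983:
            blocked.add(0x83 if p2 == 0x83 else 0x81)  # 81 and 82 share PW1's counter
        elif ins == 0xE6 and sw == 0x9000:
            if blocked != {0x81, 0x83}:
                return False, "TERMINATE DF sent before both PW1 and PW3 were blocked"
            terminated = True
        elif ins == 0x44 and sw == 0x9000:
            if not terminated:
                return False, "ACTIVATE FILE sent before TERMINATE DF"
            activated = True
    if not activated:
        return False, "sequence incomplete: blocked=%s terminated=%s" % (sorted(blocked), terminated)
    return True, "PW1 and PW3 blocked, applet terminated and re-activated"


# Transcript from the post, with the bare "OK" lines omitted.
SAMPLE_TRANSCRIPT = """
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 83 i.
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 83 i.
> scd apdu 00 e6 00 00
D[0000] 90 00 ..
> scd apdu 00 44 00 00
D[0000] 90 00 ..
"""

if __name__ == "__main__":
    parsed = parse_transcript(SAMPLE_TRANSCRIPT)
    for apdu, resp in parsed:
        name, sw, meaning = describe(apdu, resp)
        print("%-40s %04X %s" % (name, sw, meaning))
    print(check_reset_sequence(parsed))
```

Run on the pasted session, the checker reports that both PIN objects were blocked and the applet was terminated and re-activated, i.e. the reset commands themselves completed; whatever is wrong with keytocard afterwards is therefore not a failed reset. The same parser will flag a session where TERMINATE DF was sent before PW3 reached 69 83, or where ACTIVATE FILE was never sent.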