
Managing Multiple GPG Keys and YubiKey Setup

If you use GPG (GNU Privacy Guard) for signing Git commits, encrypting files, or authenticating SSH sessions, you’ll eventually want to manage multiple keys — or move them to a YubiKey for hardware-backed security.
This guide explains how to list, export, import, back up, and use multiple GPG private keys, and how to set up your YubiKey as a GPG smartcard.


🧭 1. Listing your keys

List public keys:

gpg --list-keys

List private keys:

gpg --list-secret-keys --keyid-format LONG

Example output:

sec   rsa4096/ABCDEF1234567890 2024-03-12 [C]
uid           [ultimate] Lei Wang <lei@example.com>
ssb   rsa4096/1122334455667788 2024-03-12 [S]
ssb   rsa4096/2233445566778899 2024-03-12 [E]
ssb   rsa4096/3344556677889900 2024-03-12 [A]

📦 2. Exporting private keys

Export a single private key

gpg --export-secret-keys --armor <KEYID> > private-key.asc

Export multiple private keys

gpg --export-secret-keys --armor KEYID1 KEYID2 > multi-private.asc

Export public keys

gpg --export --armor KEYID1 KEYID2 > public-keys.asc

Generate revocation certificate

gpg --output revoke-<KEYID>.asc --gen-revoke <KEYID>

🔐 3. Importing private keys

gpg --import private-key.asc

For multiple keys:

gpg --import multi-private.asc

Then verify:

gpg --list-secret-keys --keyid-format LONG

🧰 4. Set trust level

gpg --edit-key <KEYID>
# gpg> trust
# choose 5 (ultimate) -- only for keys you generated and control yourself
# gpg> save

🗂 5. Managing defaults and identities

Set a default GPG key:

echo "default-key <KEYID>" >> ~/.gnupg/gpg.conf

Configure Git to use a specific key:

git config --global user.signingkey <KEYID>
git config --global commit.gpgsign true

📀 6. Full backup & restore

Backup all keys

mkdir ~/gpg-backup
cd ~/gpg-backup
gpg --export --armor > public.asc
gpg --export-secret-keys --armor > private.asc
gpg --export-ownertrust > ownertrust.txt
cp ~/.gnupg/gpg.conf .
cp ~/.gnupg/gpg-agent.conf .

Restore on a new machine

mkdir -m 700 ~/.gnupg
gpg --import public.asc
gpg --import private.asc
gpg --import-ownertrust ownertrust.txt

🪄 7. Handling multiple identities

If you manage separate keys for work and personal use, you can isolate them with different GPG directories:

gpg --homedir ~/.gnupg-work --list-keys
gpg --homedir ~/.gnupg-personal --list-keys

Each directory acts as a distinct keyring with its own configuration.


🔑 8. Using YubiKey with GPG

A YubiKey can act as a hardware-backed smartcard to store and use your GPG keys securely — the keys never leave the device.

🧩 Step 1: Install dependencies (macOS example)

brew install gnupg pinentry-mac yubikey-personalization
pip3 install --user yubikey-manager

Then verify:

ykman info
gpg --card-status

🪪 Step 2: Generate subkeys and move them to the YubiKey

gpg --edit-key <KEYID>
# Inside gpg> prompt:
addkey     # choose RSA 4096, usage: S (sign)
addkey     # usage: E (encrypt)
addkey     # usage: A (auth)
save

Now move each subkey to the YubiKey:

gpg --edit-key <KEYID>
# keytocard moves the private subkey onto the card; after 'save' only a stub
# remains on this host, so take the backup from section 6 before this step.
# 'key N' toggles selection and keytocard refuses to run with more than one
# subkey selected, so deselect each subkey before selecting the next.
key 1
keytocard   # choose slot 1 (Signature key)
key 1
key 2
keytocard   # choose slot 2 (Encryption key)
key 2
key 3
keytocard   # choose slot 3 (Authentication key)
save
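Once the subkeys are on the card, it is worth confirming that no secret subkey material was left on the host. The following check is an added example, not part of the original guide: it parses the machine-readable output of gpg --with-colons --list-secret-keys, where field 15 of a sec/ssb record carries the card serial for a token-backed key, '#' for an unavailable (offline) key, and '+' or an empty field for a secret key stored on this host. The sample records and card serial are constructed; the key IDs are the ones from section 1.

```shell
#!/bin/sh
# Post-migration check: every secret subkey should be a card stub.
# Exit status is non-zero if any subkey is still on disk or missing.
check_subkeys_on_card() {
    awk -F: '
        # primary key: warn if its secret part is present on this host
        $1 == "sec" && $15 != "#" {
            printf "primary %s: secret key present on this host\n", $5
        }
        # subkeys: field 5 = key ID, field 12 = capabilities, field 15 = token S/N
        $1 == "ssb" {
            if ($15 == "#")                   { st = "MISSING"; bad++ }
            else if ($15 == "" || $15 == "+") { st = "ON-DISK"; bad++ }
            else                              { st = "on-card serial " $15 }
            printf "subkey %s [%s]: %s\n", $5, $12, st
        }
        END { exit (bad > 0) }
    '
}

# Run the check against the live keyring for one key (hypothetical helper):
# audit_card_keys <KEYID>
audit_card_keys() {
    gpg --batch --with-colons --list-secret-keys "$1" | check_subkeys_on_card
}

# Constructed sample output: all three subkeys on the card, primary key offline.
SAMPLE_MOVED='sec:u:4096:1:ABCDEF1234567890:1710201600:::u:::cSC:::#::
ssb:u:4096:1:1122334455667788:1710201600::::::s:::D2760001240100000006012345670000::
ssb:u:4096:1:2233445566778899:1710201600::::::e:::D2760001240100000006012345670000::
ssb:u:4096:1:3344556677889900:1710201600::::::a:::D2760001240100000006012345670000::'

# Constructed sample output: nothing moved yet, everything still on this host.
SAMPLE_ON_DISK='sec:u:4096:1:ABCDEF1234567890:1710201600:::u:::cSC:::+::
ssb:u:4096:1:1122334455667788:1710201600::::::s:::+::
ssb:u:4096:1:2233445566778899:1710201600::::::e:::+::'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_MOVED"   | check_subkeys_on_card
    printf '%s\n' "$SAMPLE_ON_DISK" | check_subkeys_on_card || echo "secret material still on host"
fi
```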

🔒 Step 3: Change PINs

gpg --card-edit
admin
passwd

Change both the user and admin PINs (the defaults are 123456 and 12345678).

🔒 Step 4: Require a touch for each operation

ykman openpgp set-touch sig on
ykman openpgp set-touch enc on
ykman openpgp set-touch aut on

This makes the YubiKey require a physical tap before signing, encrypting, or authenticating. Newer yubikey-manager releases moved this command to ykman openpgp keys set-touch.

🧩 Step 5: Configure for SSH

Enable SSH via GPG agent:

echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
gpgconf --kill gpg-agent
# Point ssh at the agent's socket (add this line to your shell startup file too):
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"

Export your SSH public key:

gpg --export-ssh-key <KEYID> > ~/.ssh/id_yubikey.pub

Then add that public key to your GitHub or remote servers.


♻️ 9. Clean up and remove keys

gpg --delete-secret-key <KEYID>
gpg --delete-key <KEYID>

🧩 10. Common reference commands

Action               Command
-------------------  ------------------------------------------------------------------
List keys            gpg --list-keys
List private keys    gpg --list-secret-keys
Export private key   gpg --export-secret-keys --armor <KEYID>
Export public key    gpg --export --armor <KEYID>
Import key           gpg --import key.asc
Backup ownertrust    gpg --export-ownertrust > trust.txt
Restore ownertrust   gpg --import-ownertrust trust.txt
Delete keys          gpg --delete-secret-key <KEYID>, then gpg --delete-key <KEYID>

💡 Pro Tips

  • Always back up your private keys and revocation certificates offline.
  • Protect backups with encryption:
    gpg -c private.asc
  • For YubiKey setups, keep your master key offline and only move subkeys to the device.
  • Add this to your shell startup file to avoid GPG TTY errors:
    export GPG_TTY=$(tty)
  • Use pinentry-mac for clean macOS password prompts.

🧠 Summary:
Managing multiple GPG keys — and securing them on a YubiKey — ensures strong cryptographic identity and portability.
With this workflow, you can safely back up, rotate, and use your keys for Git signing, SSH auth, or file encryption with confidence.