From ef527abef4886e8ab5d242618be39047b9c5ca77 Mon Sep 17 00:00:00 2001
From: ducoterra
Date: Thu, 13 Nov 2025 16:49:39 -0500
Subject: [PATCH] expand yubikey docs to include gpg

---
 active/device_yubikey/yubikey.md | 92 ++++++++++++++++++++++++++++++++
 1 file changed, 92 insertions(+)

diff --git a/active/device_yubikey/yubikey.md b/active/device_yubikey/yubikey.md
index 4f2b460..66ca91e 100644
--- a/active/device_yubikey/yubikey.md
+++ b/active/device_yubikey/yubikey.md
@@ -1,7 +1,99 @@ # Yubikey +- [Yubikey](#yubikey) + - [Configuration](#configuration) + - [Software](#software) + - [GPG](#gpg) + - [Saving GPG key to card](#saving-gpg-key-to-card) + - [Using the GPG key on a Yubikey](#using-the-gpg-key-on-a-yubikey) + - [Factory Reset](#factory-reset) + ## Configuration 1. You will likely need the [udev rules](https://support.yubico.com/hc/en-us/articles/360013708900-Using-Your-YubiKey-with-Linux) to use the AppImage configuration tool on linux even if your udev version is above 244. + +## Software + +The [Yubikey Manager](https://www.yubico.com/support/download/yubikey-manager/) is deprecated. + +Use the [Yubikey Authenticator](https://www.yubico.com/products/yubico-authenticator/) for GUI. + +## GPG + +### Saving GPG key to card + + + +On Fedora you'll need to add the following polkit rules to access your smart card. + +```bash +export MY_USER=ducoterra +echo < /etc/polkit-1/rules.d/10-pcsc-custom.rules +polkit.addRule(function(action, subject) { + if (action.id == "org.debian.pcsc-lite.access_pcsc" && + subject.user == "${MY_USER}") { + return polkit.Result.YES; + } +}); + +polkit.addRule(function(action, subject) { + if (action.id == "org.debian.pcsc-lite.access_card" && + action.lookup("reader") == 'Yubico YubiKey OTP+FIDO+CCID 00 00' && + subject.user == "${MY_USER}") { + return polkit.Result.YES; + } +}); +EOF +``` + +Now you can add your key to your card. + +```bash +gpg --edit-key 1234ABC + +# Save both the signature and authentication keys +> keytocard + +# Do not save or your key will be deleted locally +> quit +``` + +Check the keys on the yubikey with + +```bash +gpg --card-status +``` + +Once your keys have been loaded, change the pin. + +```bash +gpg --change-pin +``` + +### Using the GPG key on a Yubikey + + + +```bash +export GPG_EMAIL='myemail@example.com' + +# Import the public key. Without this the key won't show up. 
+gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys ${GPG_EMAIL} + +# Trust the key +gpg --quick-set-ownertrust ${GPG_EMAIL} full + +# Yubikey should now show up +gpg --list-secret-keys +``` + +### Factory Reset + +```bash +gpg --edit-card + +> admin +> factory-reset +```
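Review bot: The polkit snippet under "Saving GPG key to card" never writes the rules file: `echo < /etc/polkit-1/rules.d/10-pcsc-custom.rules` redirects the (not yet existing) file *into* echo, and the `polkit.addRule(...)` lines that follow are then parsed as shell commands rather than captured by a heredoc, so a reader who pastes this gets errors and no rule. The opening line should be `sudo tee /etc/polkit-1/rules.d/10-pcsc-custom.rules >/dev/null <<EOF` (the delimiter must stay unquoted so `${MY_USER}` expands, and the file is under /etc so it needs root). Two smaller points in the same hunk: the `gpg --change-pin` step should say that the Admin PIN has to be changed as well as the user PIN, since OpenPGP cards ship with well-known factory defaults, and `gpg --quick-set-ownertrust ${GPG_EMAIL} full` sets ownertrust rather than key validity — for one's own key `ultimate` is the usual setting, otherwise encrypting to it will warn that the key is not certified. It would also be worth telling the reader to compare the fingerprint shown by `gpg --card-status` with the one fetched from keys.openpgp.org before trusting the imported key.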