
I have been using a CSPN certified YubiKey 5 NFC running firmware version 5.4.2 for some time now. The only thing I haven't been able to properly set up are my OpenPGP keys. At first I assumed that the issue must be related to my local system setup. I tried playing around with the config, tried swapping out the default scdaemon for something else, and spent lots of time researching potential issues.

Today I met with a friend who also uses a YubiKey, but without CSPN certification and running firmware version 5.4.3. I asked him to try my YubiKey on his setup, and surprisingly he got the same error messages as I did. Conversely, I tried his YubiKey on my system, and it seemed to work properly. Also, 'ykman info' yields 'Not available' for OpenPGP for my key, but says 'Enabled' for his. (Same thing for 'YubiHSM Auth', btw.)

Is it possible that Yubico removed those functionalities for the CSPN certified variant, am I facing some kind of configuration issue I am overlooking, or is my YubiKey simply broken? If it's the first, is there any specific reason for this?

I do not think the difference in firmware version is the issue, as I've seen articles discussing OpenPGP functionality for even earlier YubiKey versions.

Any ideas? Help would be greatly appreciated. :)

Some more information on error messages:

While my friend's YubiKey yields the expected result for gpg --card-status with standard scdaemon, I get:

gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

When replacing the standard setup with gnupg-pkcs11-scd, I get (partially redacted):

gpg: WARNING: server 'scdaemon' is older than us (0.10.0 < 2.2.40)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
Reader ...........: [none]
Application ID ...: //REDACTED MANUALLY
Application type .: OpenPGP
Version ..........: 11.50
Manufacturer .....: ?
Serial number ....: //REDACTED MANUALLY
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa48 rsa48 rsa48
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

With the second setup I can at least launch gpg --edit-key REDACTED, but cannot use keytocard properly.

For my YubiKey ykman info yields:

Device type: YubiKey 5 NFC
Serial number: //REDACTED MANUALLY
Firmware version: 5.4.2
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.

Applications    USB             NFC          
FIDO2           Enabled         Enabled         
OTP             Enabled         Enabled         
FIDO U2F        Enabled         Enabled         
OATH            Enabled         Enabled         
YubiHSM Auth    Not available   Not available   
OpenPGP         Not available   Not available   
PIV             Enabled         Enabled      

I would have expected to be able to use OpenPGP with this YubiKey. Why is this not the case? :(

UPDATE 1:

Since writing this post I have found this recent Reddit thread linked here discussing differences between the CSPN, FIPS and CC versions of YubiKeys. Here it is mentioned that "the FIPS version at one point didn't support GPG, and was only recently added in firmware v5.4.3". Although the post only mentions this with regards to the FIPS certified version, it may well be possible that the same applies to the CSPN certified variant. Since my YubiKey's firmware version is listed as 5.4.2, my YubiKey may simply be incapable of dealing with OpenPGP keys. :(

Note that I have not yet been able to confirm this from official sources, but all signs seem to point in that direction, which is really unfortunate. Also, I am currently unaware whether there's a variant of CSPN certified YubiKeys with a newer firmware version already. Feel free to let me know if you have any more information with regards to this.
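An added triage helper, my own illustration and not code from the question or from Yubico's ykman tool, that parses the plain-text report ykman info prints and tells the two non-working states apart: an application that is merely "Disabled" (a per-transport setting the owner can turn back on) versus one that is "Not available" on every transport (the applet is simply not present in that firmware build, which is the situation described above). The sample report is constructed from the listing quoted in the question, with a placeholder where the serial number was redacted.

```python
"""Triage helper for the text report printed by `ykman info`.

Added example, not part of the original post or of Yubico's ykman tool.
It parses the report and distinguishes "Disabled" (a configuration state)
from "Not available" (the applet is absent from this firmware build).
"""
from __future__ import annotations

import re

# Constructed sample: the report quoted in the question, with a placeholder
# in place of the serial number the author redacted.
SAMPLE_YKMAN_INFO = """\
Device type: YubiKey 5 NFC
Serial number: SERIAL-PLACEHOLDER
Firmware version: 5.4.2
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.

Applications    USB             NFC
FIDO2           Enabled         Enabled
OTP             Enabled         Enabled
FIDO U2F        Enabled         Enabled
OATH            Enabled         Enabled
YubiHSM Auth    Not available   Not available
OpenPGP         Not available   Not available
PIV             Enabled         Enabled
"""

_STATUS = r"Enabled|Disabled|Not available"
# A table row: application name, then one status per transport column,
# separated by runs of at least two spaces. The NFC column is optional
# because USB-only models print a single status column.
_ROW = re.compile(
    rf"^(?P<app>\S.*?)\s{{2,}}(?P<usb>{_STATUS})(?:\s{{2,}}(?P<nfc>{_STATUS}))?\s*$"
)
_HEADER = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")


def parse_header(text: str) -> dict[str, str]:
    """Return the 'Key: value' lines printed above the Applications table."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("Applications"):
            break
        m = _HEADER.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields


def parse_applications(text: str) -> dict[str, dict[str, str]]:
    """Return {application: {transport: status}} from the Applications table."""
    apps: dict[str, dict[str, str]] = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("Applications"):
            in_table = True
            continue
        if not in_table:
            continue
        m = _ROW.match(line)
        if not m:
            continue  # blank line or anything that is not a status row
        status = {"USB": m.group("usb")}
        if m.group("nfc"):
            status["NFC"] = m.group("nfc")
        apps[m.group("app").strip()] = status
    return apps


def firmware_version(text: str) -> tuple[int, ...]:
    """Parse 'Firmware version: 5.4.2' into (5, 4, 2) so versions compare as tuples."""
    raw = parse_header(text).get("Firmware version", "")
    return tuple(int(p) for p in raw.split(".") if p.isdigit())


def classify(text: str, required: tuple[str, ...] = ("OpenPGP",)) -> dict[str, str]:
    """Verdict per required application: 'usable' (Enabled on some transport),
    'disabled' (switched off but present; ykman's `config usb`/`config nfc`
    `--enable` subcommands can turn it back on), 'absent from firmware'
    (Not available on every transport; no configuration change helps),
    or 'not listed' (the report has no row for it)."""
    apps = parse_applications(text)
    verdict: dict[str, str] = {}
    for name in required:
        statuses = apps.get(name)
        if statuses is None:
            verdict[name] = "not listed"
        elif "Enabled" in statuses.values():
            verdict[name] = "usable"
        elif all(s == "Not available" for s in statuses.values()):
            verdict[name] = "absent from firmware"
        else:
            verdict[name] = "disabled"
    return verdict


if __name__ == "__main__":
    print(firmware_version(SAMPLE_YKMAN_INFO))
    print(parse_applications(SAMPLE_YKMAN_INFO)["OpenPGP"])
    print(classify(SAMPLE_YKMAN_INFO, ("OpenPGP", "YubiHSM Auth", "PIV")))
```

Run against the report in the question, classify() reports OpenPGP and YubiHSM Auth as "absent from firmware" and PIV as "usable". That matches the observed behaviour: gpg fails identically on two different hosts because there is no OpenPGP applet to select, so no scdaemon replacement or host-side configuration can change the outcome; only a "disabled" verdict would point to something fixable with ykman.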
