Generate PGP for Yubikey

privacy Sep 16, 2021

On Windows

  1. Open a command prompt and execute the following command:
    gpg --expert --full-gen-key
  2. Choose option (1) RSA and RSA (default) by pressing 1.
  3. When asked for the key size, enter 4096 bits (for the primary key, and again for the subkey if gpg asks separately).
  4. Enter an expiration date (for example 1y).
I recommend always setting an expiration date, and choosing one between 1 and 2 years: at least 1 year so the key stays usable, but under 2 years to limit the damage if the key is ever lost. Put the date in your calendar! Shortly before the key expires you can change the expiration date (the expire command in gpg --edit-key) and, if you have published or shared your public key, publish or share the updated key. This way a key you have lost (and therefore cannot revoke) will not stay 'active' till the end of time, while a key you still control can be used indefinitely, or until you revoke it (for whatever reason).
  5. Enter your real name.
  6. Enter your e-mail address.
  7. Enter a comment (if desired).
  8. Press O (Okay) if you are satisfied.
  9. Enter a strong passphrase to protect your private key. This is not the Yubikey's user PIN, admin PIN or reset code (nor the PIV PUK or management key), but a new passphrase of its own, which you should keep safe.
  10. You can now see that two keys have been created: the primary key with usage SC and a subkey with usage E. S stands for signing, C for certifying and E for encryption. The Yubikey's OpenPGP application has three slots, named Signature, Encryption and Authentication. C is essentially your digital identity: it is the only key that can certify or revoke subkeys, change expiration dates and certify other people's keys (do I know I can trust this other person?). E lets you encrypt and decrypt data (pssst, f7738t@#%wyfi7awy79238eug). A is the authentication key (who are you?), used for example for SSH logins via gpg-agent, and S signs data (did you send that?).
  11. Next, edit the key to add the authentication (and/or a separate signing) subkey:
    gpg --expert --edit-key [key id]
  12. Run the command addkey and choose option (8) RSA (set your own capabilities). This lets you pick exactly which capabilities the new subkey gets (sign, encrypt, authenticate).
  13. The primary key already has signing and certifying enabled (Usage: SC) and a subkey with encryption capabilities (Usage: E) already exists, so we only need to create the authentication subkey (Usage: A). Option 8 starts with 'Current allowed actions: Sign Encrypt', so first toggle those off by pressing S and then E, so that the list of allowed actions is empty. Then press A to toggle Authenticate on, check that the current allowed actions read only 'Authenticate', and press Q to finish the capability selection.
  14. Create the key with 4096 bits and again an expiration date between 1 and 2 years.
  15. You will be asked for the passphrase you just created, because adding a subkey uses the primary (certifying) key.
  16. Now you have three keys: SC, E and A.
  17. Type save to write the changes and quit the current session.
  18. Now create a backup of the secret keys and keep it in a secure location (offline, for example on an encrypted USB stick). The exported secret keys stay protected by your passphrase, so you will still need it (!) when you restore the secret/private key from this backup. Run the export from a Command Prompt (cmd.exe): in Windows PowerShell 5.1 the > redirection re-encodes the text as UTF-16 and gpg cannot import the result, so there you would use --output [file] instead. Also keep a copy of the revocation certificate that GnuPG 2.1 and later wrote to the openpgp-revocs.d folder of your GnuPG home directory when the key was created; with it you can still revoke the key if you lose both the Yubikey and the passphrase. Export the secret keys with:
    gpg --export-secret-keys --armor [keyid] > c:\secure\location\for\the\backup.txt
  19. Open the edit-key prompt again:
    gpg --expert --edit-key [keyid]
  20. Now we can safely move the keys to the Yubikey smartcard, one at a time, with:
    keytocard
  21. With no subkey selected (the default), keytocard acts on the primary key (SC), which can be stored in the Signature slot (1) or the Authentication slot (3). Choose (1) Signature key for this first key.
  22. Enter your passphrase, and then the Yubikey admin PIN (default 12345678).
  23. Select the encryption subkey by typing key 1 and run keytocard again, choosing (2) Encryption key as the slot (the only option offered for an E subkey), followed by the same passphrase and admin PIN.
  24. Deselect the first subkey by running key 1 again and select the second subkey by running key 2. The selected subkey is marked with a * after ssb in the key listing that is printed whenever you run a key # command.
  25. Run keytocard once more, choose (3) Authentication key for the A subkey, and enter your passphrase and admin PIN.
  26. When you are done, run save to save your changes and quit gpg. Note that save is the step that replaces the secret keys in your local keyring with stubs pointing at the card: if you quit without saving, the keys are on the Yubikey, but the full secret keys also remain on your computer.
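
The key-generation, authentication-subkey and backup steps above, as an added shell script that is not part of the original post. It assumes GnuPG 2.1 or later on the PATH, a throw-away GNUPGHOME, and the placeholder name, e-mail address, passphrase and backup directory defined at the top (all hypothetical, replace them); the keytocard steps are left interactive, exactly as described in the list. The check_key_layout function parses gpg's --with-colons listing so you can confirm, before and after moving the keys, that the primary key is SC and the two subkeys are E and A, and where each secret key lives (local, on a card, or missing). The sample listing in the block is constructed for the check, not real gpg output.

```sh
#!/bin/sh
# Added example (not from the original post): the key-generation, subkey and
# backup steps done non-interactively with GnuPG 2.1+/2.2, plus a check that the
# resulting key has the SC / E / A layout the guide expects. keytocard stays
# interactive. Run with:  sh keygen.sh run   (file name is hypothetical)
set -eu

NAME="Example User"                          # hypothetical identity, replace with yours
EMAIL="user@example.org"
PASSPHRASE="correct horse battery staple"    # placeholder; use your own strong passphrase
BACKUP_DIR="${BACKUP_DIR:-./secure-backup}"  # hypothetical location, move it offline afterwards

# 4096-bit RSA primary key (usage SC) plus an encryption subkey (E), both expiring
# in one year. Equivalent to the interactive --full-gen-key dialogue.
generate_primary_and_encryption_key() {
    gpg --batch --pinentry-mode loopback --generate-key <<EOF
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: $NAME
Name-Email: $EMAIL
Expire-Date: 1y
Passphrase: $PASSPHRASE
%commit
EOF
}

# Fingerprint of the primary key just created (first fpr record of the listing).
primary_fingerprint() {
    gpg --list-secret-keys --with-colons "$EMAIL" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Add the authentication subkey (A) without going through the addkey menu.
add_auth_subkey() {
    gpg --batch --pinentry-mode loopback --passphrase "$PASSPHRASE" \
        --quick-add-key "$1" rsa4096 auth 1y
}

# Armored backup of primary key and subkeys, still protected by the passphrase.
# --output is used instead of shell redirection on purpose: in Windows PowerShell
# 5.1 the '>' operator re-encodes text as UTF-16 and gpg cannot import the result.
export_backup() {
    fpr=$1; dir=$2
    mkdir -p "$dir" && chmod 700 "$dir"
    gpg --batch --pinentry-mode loopback --passphrase "$PASSPHRASE" --armor \
        --export-secret-keys --output "$dir/secret-keys.asc" "$fpr"
    gpg --armor --export --output "$dir/public-key.asc" "$fpr"
    # GnuPG 2.1+ writes a revocation certificate at key generation; keep it with the backup.
    cp "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" "$dir/revocation-certificate.rev"
}

# Reads 'gpg --list-secret-keys --with-colons' output on stdin and prints, per
# secret key, its own capability letters (field 12, lowercase) and where the
# secret material is (field 15: card serial number, '#' for a stub with no
# secret material, empty for a local key). Exits 1 unless an sc primary, an e
# subkey and an a subkey are all present.
check_key_layout() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            caps = $12; gsub(/[^a-z]/, "", caps)
            where = ($15 == "") ? "local" : (($15 == "#") ? "missing" : "card")
            printf "%s%s=%s@%s", (n++ ? " " : ""), ($1 == "sec" ? "primary" : "sub"), caps, where
            seen[caps] = 1
        }
        END {
            print ""
            if (("sc" in seen) && ("e" in seen) && ("a" in seen)) exit 0
            exit 1
        }'
}

# Constructed sample listing (not real gpg output) of a key after keytocard and
# save: all three secret keys are stubs pointing at card serial D276...0000.
SAMPLE_LISTING='sec:u:4096:1:ABCDEF0123456789:1631750400:1663286400::u:::scESCA:::D2760001240103040006123456780000::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1631750400::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
ssb:u:4096:1:1122334455667788:1631750400:1663286400:::::e:::D2760001240103040006123456780000::::
ssb:u:4096:1:8877665544332211:1631750400:1663286400:::::a:::D2760001240103040006123456780000::::'

main() {
    export GNUPGHOME="${GNUPGHOME:-$(mktemp -d)}"
    chmod 700 "$GNUPGHOME"
    generate_primary_and_encryption_key
    fpr=$(primary_fingerprint)
    add_auth_subkey "$fpr"
    export_backup "$fpr" "$BACKUP_DIR"
    # Before keytocard every key should show as @local; after keytocard + save as @card.
    gpg --list-secret-keys --with-colons "$fpr" | check_key_layout
}

# Only talk to gpg when explicitly asked for, so the functions can be sourced safely.
case "${1:-}" in run) main ;; esac
```

After you have finished the keytocard steps and saved, run gpg --list-secret-keys --with-colons piped into check_key_layout again: every entry should now read @card, and the function's exit status tells you at a glance whether one of the three capabilities went missing.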

You are now done with creating an OpenPGP key, creating a backup of your secret key and moving your keys to your Yubikey smartcard. If you have not done so, please remember to change the default user PIN (123456) and admin PIN (12345678), and to set a reset code if you want one! You can do this using the Yubikey Manager, the Kleopatra GUI or the GPG command line tool: gpg --change-pin. Keep in mind that the primary key, and with it the certify (C) capability, now lives on the Yubikey as well: extending the expiration date, adding or revoking subkeys and certifying other people's keys all need the Yubikey plugged in, or the backup imported on a machine you trust.

Photo from: @towfiqu999999
