Gpg does not see my yubikey

Seems I am having the same problem here: https://discourse.nixos.org/t/gpg-selecting-card-failed-service-is-not-running/44974 and that I should edit

LD_LIBRARY_PATH pointing to pcsclite

NOTE: here you see that pcsclite I did not have in my config, in my solution below I ended up adding it to the system packages.

I can edit environment variables but am unsure what to set that to…

I have a YubiKey 5 which I am trying to use CLI such as gpg commands to access and edit.
gpg --card-status indicates no such device. I am unsure why. One of the topics here seemed to indicate yubikey-agent is a user level service. And that there were problems for them when using systemctl to start up the service which created a symlink to something not existing in the store so I did not do that command.

I have a config that follows:

{ config, lib, pkgs, ... }:

{
  # YubiKey
  environment.systemPackages = with pkgs; [
    yubikey-personalization  # CLI tools for configuring YubiKey
    yubikey-manager          # Manage YubiKey settings
    yubikey-manager-qt       # GUI for managing YubiKey
    yubikey-agent
    libfido2                 # Support for FIDO2/WebAuthn
    opensc                   # Smart card support
    gnupg                     # If using GPG with YubiKey
  ];

  services = {
    udev.packages = with pkgs; [ yubikey-personalization ];
    pcscd.enable = true;
    yubikey-agent.enable = true;

  };

  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
    pinentryPackage = pkgs.pinentry-curses;
  };

}

It seems that journalctl shows:

Mar 30 20:34:17 nixos kernel: usb 1-7.3: Product: YubiKey OTP+FIDO+CCID
Mar 30 20:34:17 nixos kernel: input: Yubico YubiKey OTP+FIDO+CCID as /devices/pci0000:00/0000:00:14.0/usb1/1-7/1-7.3/1-7.3:1.0/0003:1050:0407.0180/input/input378
Mar 30 20:34:17 nixos kernel: hid-generic 0003:1050:0407.0180: input,hidraw4: USB HID v1.10 Keyboard [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:14.0-7.3/input0
Mar 30 20:34:17 nixos kernel: hid-generic 0003:1050:0407.0181: hiddev99,hidraw7: USB HID v1.10 Device [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:14.0-7.3/input1

and previously only errors from the ykman-gui which I kind of expected given what I have been reading. Yesterday I was able to use yubikey-personalization-gui I believe it was, and it showed the YubiKey just fine. So it seems the system sees it and if I touch the key while in the terminal it outputs a string as I have come to expect.

Searching YubiKey NixOS leads to many results, not only are there topics here on it, but also there is the nixos.wiki article on YubiKey, a NixOS flake from github:drduh/YubiKey-Guide and a few other references to this. I have tried to combine what I have learned from various references to YubiKey on NixOS and the above configuration is what I currently have. I am using flakes and home-manager. My version of the nixpkgs is 24.11.

Any guidance on how I can get my key to work with the gpg tools in CLI so that I can update my gpg and ssh keys that I have previously added to the YubiKey a few years back. Thank you.

There’s a flake in the drduh repo that builds a bootable usb with gnupg and all of the yubikey tools installed and configured. It works great, and I always use it for key updates / rotations in a clean / minimal environment. It might be worth checking out:

Otherwise you might be able to try to diff your config with it if you aren’t interested in using it directly.


I had looked over that flake and borrowed stuff from it for my configuration previously. I was not wanting to spin up an air-gapped system on USB to make the changes so I never did try using that flake. Last night I added pcsclite to my yubikey.nix as well as creating ~/.gnupg/scdaemon.conf with disable-ccid and adding hardware.gpgSmartcards.enable = true; to yubikey.nix. While initially this did not seem to solve the problem either, I decided to reboot, and afterwards gpg --card-status sprang to life. I am unsure if it was one or a combination of the changes or the system reboot that did the trick but I was happy to finally have it working. Some research indicated that gpg gets card information differently than pcscd, thus the need for disable-ccid. The idea of adding pcsclite came from research in the first post I mentioned; it seemed that a library file may come from that.

Either way, not sure what it was, but here is my full yubikey.nix and my recommendation to others: remember to reboot your system, don't rely on nixos-rebuild to use the new config.

{ config, lib, pkgs, ... }:

{
  # YubiKey
  environment.systemPackages = with pkgs; [
    yubikey-personalization  # CLI tools for configuring YubiKey
    yubikey-manager          # Manage YubiKey settings
    yubikey-manager-qt       # GUI for managing YubiKey
    yubikey-agent
    libfido2                 # Support for FIDO2/WebAuthn
    opensc                   # Smart card support
    gnupg                     # If using GPG with YubiKey
    pcsclite
  ];

  hardware.gpgSmartcards.enable = true;

  services = {
    udev.packages = with pkgs; [ yubikey-personalization ];
    pcscd.enable = true;
    yubikey-agent.enable = true;

  };

  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
    pinentryPackage = pkgs.pinentry-curses;
  };

}
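For anyone who wants the same fix without hand-editing ~/.gnupg/scdaemon.conf, here is an added example (not from this thread or the drduh flake) that expresses the whole setup as one NixOS module and uses home-manager's programs.gpg.scdaemonSettings for the user side; it assumes home-manager is imported as a NixOS module, and the user name alice is a placeholder.

```nix
# Added example: the thread's fix written declaratively.
# Assumes home-manager is loaded as a NixOS module; "alice" is a placeholder user.
{ config, lib, pkgs, ... }:

{
  # System side: same package set as the final yubikey.nix in the thread.
  environment.systemPackages = with pkgs; [
    yubikey-personalization
    yubikey-manager
    gnupg
    pcsclite   # PC/SC client library that scdaemon uses once CCID is disabled
  ];

  # Installs the udev rules that let GnuPG's scdaemon open the card as a normal user.
  hardware.gpgSmartcards.enable = true;

  services = {
    udev.packages = [ pkgs.yubikey-personalization ];
    pcscd.enable = true;   # PC/SC daemon; holds the CCID interface while running
  };

  # gpg-agent also acts as the SSH agent here. yubikey-agent is deliberately left
  # out of this example: it provides its own SSH agent socket, and two agents
  # both claiming SSH_AUTH_SOCK is a separate thing to debug.
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
    pinentryPackage = pkgs.pinentry-curses;
  };

  # User side via home-manager: generates ~/.gnupg/scdaemon.conf.
  # With pcscd enabled, scdaemon's built-in CCID driver and pcscd would otherwise
  # compete for the same USB interface, which is one way gpg --card-status ends
  # up reporting no device; disable-ccid makes scdaemon talk to the card through
  # pcscd instead. Remember that scdaemon must be restarted (or the system
  # rebooted, as the thread found) before the new setting takes effect.
  home-manager.users.alice = {
    programs.gpg = {
      enable = true;
      scdaemonSettings = {
        disable-ccid = true;
      };
    };
  };
}
```

After a rebuild, `gpgconf --kill scdaemon` followed by `gpg --card-status` is the quickest way to confirm the card is now reached via pcscd without a full reboot.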