The ultimate guide to Yubikey on WSL2 [Part 1]

There are already a few tutorials on the Internet on the topic “how to make Yubikey work on WSL”. But when I followed them, I had to do a lot of troubleshooting anyway. Therefore, I decided to write down a complete guide to the setup (up to date in 2021).

We are going to go through a couple of use cases:

  1. Set up OpenPGP with Yubikey
  2. Access your YubiKey in WSL2
  3. Authenticate against a Git server via GPG and sign Git commits with GPG
  4. Manage secrets in WSL with Yubikey

Other parts will be added in the future.

Setup of Yubikey and connect it with WSL2

In this part we are going to look at how to get the Yubikey connected to WSL2. Because WSL does not have access to USB devices, we have to connect the key to our Windows host and then forward the connection to WSL.

First, we are going to need a YubiKey that supports OpenPGP (Security Key Series or YubiKey FIPS Series are not sufficient).


To make our smart key work with Windows we are going to need GnuPG and PuTTY. You can either download them here:

or get them via Chocolatey:

choco install gnupg putty.install

Configure GnuPG

rem gpg-agent.conf takes one option per line, so write the two options as two lines
mkdir %HOMEPATH%\AppData\Roaming\gnupg
(echo enable-putty-support& echo enable-ssh-support) > %HOMEPATH%\AppData\Roaming\gnupg\gpg-agent.conf

You can connect your Yubikey now. Open Kleopatra (you have to open it from system tray) and go to Smartcards.

If you don’t see your Yubikey go to Settings -> Configure Kleopatra -> GnuPG System -> Smartcards and set Connect to reader at port N to Yubico YubiKey OTP+FIDO+CCID 0. Save it, reconnect Yubikey and restart Kleopatra. Now you should be able to see it.
You can also verify it in CMD via:
gpg --card-status

A brand new or wiped YubiKey should show up like this:
Output of gpg --card-status

Setting up a new YubiKey

In case you already have an OpenPGP key on your YubiKey, please skip this part and go directly to part 2.

I personally found generating the keys in the Kleopatra GUI the most straightforward, although it doesn’t give you that many configuration possibilities.

If you’re setting up your Yubikey for the first time, don’t forget to change your PIN and Admin PIN. Both operations can be done in Kleopatra -> Smartcards -> Change PIN and Change Admin PIN. Default PINs can be found here.

1. Generate GPG keys

In Kleopatra -> Smartcards click Generate New Keys. A dialog will pop up. Enter your name and email, and as the algorithm choose the highest available.

Generating Your GPG Keys

Now enter your PIN, then your Admin PIN (pay attention to which one the modal window asks for); it’s going to need your PIN several times. If you run into an issue, you can always reset your YubiKey. At the end, enter a password for the GPG key.

If you’re more comfortable with a terminal interface, please use this official tutorial. Just make sure you are generating keys and/or subkeys for Signing, Encryption and Authorization.

Now you should be able to see your keys.

Generated Keys

2. Export your public key

In Kleopatra go to Certificates, right-click your newly created certificate and choose Export. This will save your public key to an asc file.

3. Publish your public key

This step is not necessary, but I found it helpful when using GPG key in real life.

Go to, choose your public key and click Upload.

Uploading Public key to

Click Send Verification Email, check your e-mail Inbox (or Spam) folder and click the verification link.

To get the link to your published public key go to, search for your email and copy the URL it shows.

YubiKey has a handy space for storing this URL. Go to Kleopatra -> Smartcards -> Publickey URL and edit it.

In case you don’t see your keys or card in WSL after a restart of your PC, please start Kleopatra first and then restart WSL via wsl --shutdown
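To check the result of steps 1 and 3 without clicking through Kleopatra, the output of gpg --card-status can be audited for empty key slots, a missing public key URL and blocked PINs. This is an added example, not part of the original guide; the sample output is constructed, and the field labels assume English GnuPG output.

```python
import re

# Constructed sample of English `gpg --card-status` output (not from a real
# card): two key slots filled, authentication slot and public key URL empty.
SAMPLE = """\
Reader ...........: Yubico YubiKey OTP+FIDO+CCID 0
Application ID ...: D2760001240100000000000000000000
URL of public key : [not set]
PIN retry counter : 3 0 3
Signature key ....: 0000 1111 2222 3333 4444  5555 6666 7777 8888 9999
      created ....: 2021-01-01 10:00:00
Encryption key....: AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333
      created ....: 2021-01-01 10:00:00
Authentication key: [none]
"""

FIELD = re.compile(r"^([A-Z][A-Za-z. ]*?)[ .]*:\s?(.*)$")
SLOTS = ("Signature key", "Encryption key", "Authentication key")
OPENPGP_AID = "D27600012401"  # prefix of every OpenPGP card application ID

def parse_card_status(text):
    """Map top-level 'Label ....: value' lines to {label: value}."""
    fields = {}
    for line in text.splitlines():
        match = FIELD.match(line)  # indented 'created' sub-lines do not match
        if match:
            fields[match.group(1)] = match.group(2).strip()
    return fields

def audit_card(text):
    """Return a list of setup problems; an empty list means the card is ready."""
    fields = parse_card_status(text)
    if not fields.get("Application ID", "").startswith(OPENPGP_AID):
        return ["no OpenPGP card in the output"]
    problems = [f"{slot} slot is empty" for slot in SLOTS
                if fields.get(slot, "[none]") == "[none]"]
    if fields.get("URL of public key", "[not set]") == "[not set]":
        problems.append("URL of public key is not set")
    # Counter order on the card: user PIN, reset code, Admin PIN.
    retries = fields.get("PIN retry counter", "").split()
    if len(retries) == 3 and retries[0] == "0":
        problems.append("user PIN is blocked (0 retries left)")
    if len(retries) == 3 and retries[2] == "0":
        problems.append("Admin PIN is blocked (0 retries left)")
    return problems

if __name__ == "__main__":
    for problem in audit_card(SAMPLE):
        print("FAIL:", problem)
```

To run it against a real card, pass the captured text of gpg --card-status to audit_card() instead of SAMPLE.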

We’ll continue in the part 2.




Jaroslav Živný
