Defguard

YubiKey Provisioning

https://github.com/DefGuard/YubiKey-Provision

Overview

Our provisioning client lets you populate the OpenPGP application on a YubiKey and share the key's public information inside Defguard.
The process is safe: no private keys are stored. Every key is provisioned inside an encapsulated session, so all gpg-related files are deleted as soon as the process ends, whether it succeeded or not. Only the public PGP and SSH keys are sent to Defguard, so you can access them at any time.

Installation

Currently, we provide Linux .rpm and .deb packages alongside a Docker image, but the provisioning client can also be compiled and run on Windows and macOS.
If you decide to use Docker, make sure the container has access to the host machine's devices; otherwise you will encounter a "No keys detected" error.

Configuration

All available options are described in the help output:
yubikey-provision -h

CLI options and configuration

Configuration can be provided on the command line with options, in environment variables, or via a .env file. Options without a default value (the GRPC endpoint and the authorization token) must be provided.

Provisioner ID
  Description:          Shown in the Defguard UI
  CLI option:           --id
  Environment variable: WORKER_ID
  Default value:        YubikeyProvisioner

Log level
  Description:          Sets the logging level
  CLI option:           --log-level
  Environment variable: LOG_LEVEL
  Default value:        info

GRPC Endpoint
  Description:          URL of your Defguard instance's GRPC endpoint
  CLI option:           --grpc
  Environment variable: GRPC_URL
  Default value:        no default, must be provided

Authorization Token
  Description:          Authorization token found in the Defguard UI on the Provisioners page
  CLI option:           --token
  Environment variable: DEFGUARD_TOKEN
  Default value:        no default, must be provided

Detection retries
  Description:          How many times the provisioner checks for YubiKey presence in the system before abandoning the process
  CLI option:           --smartcard-retries
  Environment variable: YUBIKEY_RETRIES
  Default value:        1

Retry interval
  Description:          How long the provisioner waits between retries (in seconds)
  CLI option:           --smartcard-retry-interval
  Environment variable: YUBIKEY_RETRY_INTERVAL
  Default value:        15

GPG debug level
  Description:          Sets the debug level for the gpg command during gpg operations
  CLI option:           --gpg-debug-level
  Environment variable: GPG_DEBUG_LEVEL
  Default value:        none

Client access token

To register a new provisioning client you will need an access token provided by your instance. You can find it in the info card on the "Provisioners" page.
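The following launcher script is an added example, not part of the Defguard project's code. It loads the variables from the configuration table out of a .env file, applies the documented defaults, refuses to start without a GRPC endpoint and token, and keeps the token in the environment rather than on the command line. The .env path, the env-over-file precedence and the pre-flight gpg check are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not part of Defguard's own code: build the yubikey-provision
# command line from the environment variables in the configuration table,
# applying the documented defaults and refusing to start when the two options
# that have no default (GRPC_URL, DEFGUARD_TOKEN) are missing.

# Load KEY=VALUE lines from a .env file (path is an assumption; default ./.env).
# Values already present in the environment win over the file, which is this
# script's choice: the page does not state a precedence between the two.
load_dotenv() {
  file="${1:-.env}"
  [ -f "$file" ] || return 0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    key="${line%%=*}"
    val="${line#*=}"
    # Only accept well-formed variable names, so the eval below is safe.
    case "$key" in ''|*[!A-Za-z0-9_]*) continue ;; esac
    # Strip one pair of surrounding double quotes, as in KEY="value".
    case "$val" in \"*\") val="${val#\"}"; val="${val%\"}" ;; esac
    eval "[ -n \"\${$key:-}\" ]" && continue
    export "$key=$val"
  done < "$file"
}

# Run "$@" with the option set derived from the environment. Pass
# yubikey-provision to launch the client, or echo to preview the command.
# DEFGUARD_TOKEN is deliberately left in the environment instead of being
# passed as --token, so the secret does not show up in the process list.
provision_cmd() {
  [ -n "${GRPC_URL:-}" ] || { echo "GRPC_URL is required" >&2; return 1; }
  [ -n "${DEFGUARD_TOKEN:-}" ] || { echo "DEFGUARD_TOKEN is required" >&2; return 1; }
  "$@" --id "${WORKER_ID:-YubikeyProvisioner}" \
       --log-level "${LOG_LEVEL:-info}" \
       --grpc "$GRPC_URL" \
       --smartcard-retries "${YUBIKEY_RETRIES:-1}" \
       --smartcard-retry-interval "${YUBIKEY_RETRY_INTERVAL:-15}" \
       --gpg-debug-level "${GPG_DEBUG_LEVEL:-none}"
}

# Pre-flight check (assumption): confirm gpg can see a smartcard before
# launching, which is the condition that otherwise ends in "No keys detected".
yubikey_present() {
  gpg --card-status >/dev/null 2>&1
}

# Usage: load_dotenv && yubikey_present && provision_cmd yubikey-provision
```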

Example of use

You can see the available clients in the Defguard web application under the "Provisioners" tab.
To provision the key:
  1. Select the user on the "Users" page in the Defguard web application (or go to "My Profile" if you are provisioning a key for yourself).
  2. Insert a YubiKey into the machine that is running the provisioner client.
  3. Select "Provision YubiKey" from the actions menu for the user in the list.
  4. Select your provisioner and click the "Provision YubiKey" button.
The service will take a short moment to prepare and provision your keys. Once that is done, you will see a modal with your public keys, which are now stored in Defguard. If the process fails for some reason, you will see a short error reason returned by the provisioner.

Common problems

YubiKey is not detected by the client

If the client does not detect your YubiKey, unplugging it and plugging it back into your machine may help. If you are running on Linux, try restarting the pcscd service. If you are using the Docker image, make sure the container has access to your host devices.