PGP Card and "kdf-setup"

I tried setting up a PGP Card in Librem5 and found a serious issue: After command “kdf-setup” I cannot do anything, because PINs are no longer accepted. I tried few times thinking I initially screwed something up, or made a typo while entering PIN, but no.

Steps to reproduce:

  • run gpg --card-edit
  • admin
  • factory-reset
  • kdf-setup (it asks for admin pin, which by default is 12345678)
  • passwd
  • default pins are no longer accepted.

I do use the PGP Card in my L5 and without mayor issues. What does the mentioned cmd kdf-setup?

According to (of course this applies to any pgp smartcard, not only yubikey):

Key Derived Function (KDF) enables YubiKey to store the hash of PIN, preventing the PIN from being passed as plain text.

You can check if it’s enabled using gpg --card-status | grep "KDF setting"

It’s off for me.