How to generate a PGP key on a YubiKey.

Create an Ed25519 + Curve25519 keypair on the card itself over NFC. The private key is born on the YubiKey (or Token2) and never touches your phone — the strongest version of the hardware-key promise.

~5 minutes · iOS / Android · Hardware key + NFC required
// at a glance
  1. Confirm NFC + an ECC OpenPGP card
  2. Choose generate-on-card in PGPony
  3. Enter name and email
  4. Set the card PINs
  5. Tap the card to generate
  6. Export the public key
Prerequisites
  • PGPony installed on a phone with NFC
  • An OpenPGP NFC smartcard that supports ECC key generation (YubiKey 5 series, Token2)
  • A few minutes and a quiet surface to rest the card on while it generates
// step 01

Check NFC and your card.

Make sure NFC is on and that your card is an OpenPGP smartcard with ECC support. PGPony's on-card generation was validated on the YubiKey 5 NFC and Token2. RSA-only cards can't hold the Ed25519 / Curve25519 keys PGPony generates.

Tip: If your card has never been set up, the default factory PINs apply until you change them. You'll set your own PINs during this flow.
// step 02

Start on-card generation.

In PGPony, choose to add a key on a hardware card, then pick the generate on card option (as opposed to importing an existing key onto the card). This tells the card to create the key internally rather than receiving one from the phone.

// step 03

Enter your identity.

Provide the name and email to bind to the key. These go into the public key so others can identify you. They don't have to be your legal name — use whatever you want associated with this identity.

// step 04

Set the card PINs.

Set and confirm a user PIN (used for everyday sign / decrypt operations) and an admin PIN (used for management like changing PINs or resetting the card). Choose PINs you'll remember — a blocked PIN requires the admin PIN to unblock, and too many wrong admin PIN attempts can lock the card permanently.

Important: Write the PINs down somewhere safe before you continue. There is no recovery path that bypasses them.
// step 05

Tap the card to generate.

Hold the card to the phone's NFC area and keep it still. The card computes the Ed25519 certification/signing key and the Curve25519 encryption subkey internally. Generation can take a few seconds — keep the card in place until PGPony says it's done.

On Android, the NFC antenna is usually on the upper back of the phone; on iPhone, near the top edge. If the tap drops, follow the on-screen prompt and try again.

// step 06

Confirm and back up the public key.

The new key appears in your keyring, marked as a hardware key. From the Exchange tab, export or publish the public key so others can encrypt to you and verify your signatures.

The private key cannot be exported — it lives only on the card. That's the whole point, and it's also the catch: there is no private-key backup. If the card is lost or reset, this key is gone. Plan accordingly.

Verify it worked.

  • The new key shows in your keyring with a hardware-key indicator.
  • You can export the public key but not the private key (export offers public only).
  • Signing or decrypting with the key prompts for the card PIN and a tap.
  • Importing the exported public key into GnuPG on a desktop shows the matching Ed25519 + Curve25519 fingerprint.
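
One way to run the last check above on a desktop, as an added example that is not PGPony or GnuPG code: the function reads `gpg --show-keys --with-colons` output and confirms an Ed25519 primary key, a Curve25519 encryption subkey and the fingerprint you expect. The function names, the file name in the usage comment and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not PGPony or GnuPG code. Reads `gpg --with-colons` output on
# stdin and checks it against the key shape and fingerprint from this guide.
# Desktop usage (file name and fingerprint variable are placeholders):
#   gpg --show-keys --with-colons exported.asc | check_card_key "$FPR_FROM_APP"

check_card_key() {
    # $1 = fingerprint to compare with; spaces and letter case are ignored.
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -F: -v want="$want" '
        # Field 4 = public-key algorithm id, 10 = fingerprint (fpr records),
        # 12 = capabilities, 17 = curve name.
        $1 == "pub" { prev = "pub"; palgo = $4; pcurve = $17 }
        $1 == "sub" { prev = "sub"
                      if ($4 == 18 && $17 == "cv25519" && $12 ~ /e/) enc = 1 }
        $1 == "fpr" && prev == "pub" { fpr = $10; prev = "" }
        END {
            bad = 0
            # 22 = EdDSA, 18 = ECDH in the OpenPGP algorithm registry.
            if (palgo != 22 || pcurve != "ed25519") {
                print "FAIL: primary key is not Ed25519"; bad = 1 }
            if (!enc) {
                print "FAIL: no Curve25519 encryption subkey"; bad = 1 }
            if (fpr == "" || fpr != want) {
                print "FAIL: fingerprint " fpr " does not match " want; bad = 1 }
            if (!bad) print "OK: " fpr
            exit bad
        }'
}

# Constructed sample listing (not a real key) so the check can be tried offline.
sample_listing() {
    cat <<'EOF'
pub:-:255:22:89ABCDEF01234567:1700000000:::-:::scESC:::::ed25519:::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:-:255:18:76543210FEDCBA98:1700000000::::::e:::::cv25519::
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
EOF
}

# Offline run against the constructed listing; prints the OK line.
sample_listing | check_card_key "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
```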

Common questions.

Can I back up an on-card key?

No — the private key can't leave the card. If the card is lost or reset, the key is gone. Use on-card generation when you want non-extractability; otherwise generate on-device with an encrypted backup.

Which cards work?

OpenPGP NFC smartcards with ECC support — validated on YubiKey 5 NFC and Token2.

Same on Android and iPhone?

Yes, with a slightly different NFC tap location. Follow the on-screen prompt.

I already have a key — do I have to generate a new one?

No. You can import an existing key onto a card instead. On-card generation is for creating a fresh, born-on-card key.
