[fragmede]

That's a side effect of the GPG being the back end technology that the Yubikey-based SSH keys are based on.

If you don't want to have to learn gpg (because why should you?) the master/sub keys, PINs, keyservers, and all that can be dumped, just like ssh-keygen is able to create keys without passphrases - not exactly recommended, but still better than the alternative.

[lvh]

FWIW: if you really, really don't want to learn GPG: Yubikeys will also speak PKCS11, it's a separate applet, and they ship PKCS11 libs for every major platform. We've used it for OpenVPN in the past (before we had wireguard).

If that's better... I dunno :-)