1. Insert Yubikey on machine M1 that has OpenGPG
2. rm -rf .gnupg
3. gpg --card-edit, admin, generate
>. AFAIK this installs a "stub" private key in the OpenGPG keychain, which I can now see.
4. Encrypt something with the new public key and send to machine M1
5. Eject Yubikey
6. Insert Yubikey into a totall different machine M2
7. Attempt to decrypt
> Arrg! The OpenGPG Keychain on M2 doesn't have the "stub" private key, I can't do anything!
I do know ways to get that stub into the keychain, but they are really sucky:
- Add a step 3.1: from the GPG keychain, export the secret key. Since it's just a stub, send it to M2, and import into the keychain on M2.
> Sucky because of having to mess with an extra file.
- Or, Add a step 3.1: upload the public key to a server. Then on machine M2, do: Code:
gpg --card-edit, fetch, quit;
followed by Code:
gpg --card-status.
> Sucky because what if machine M2 is offline/airgapped, then this won't work.
What I want is to be able to walk up to any machine that has OpenGPG installed, insert my Yubikey, access some ciphertext either online or from a USB, and decrypt.
I don't want to have to mess with some file or key server (Steps 3.1 above) or arcane commands too. I just want to insert the Yubikey and start decrypting.
Is there a way?
TMIA, /rbStatistics: Posted by rbondi — Mon Apr 20, 2015 3:32 am
]]>