Yubico Forum

PostPosted: Fri Feb 19, 2016 2:32 am 
I purchased an additional Yubico 4 that I plan on locking away. I've added it to everywhere I'm using U2F as a second device. That part is trivial.

What I'd like to do is be able to copy the GPG subkey I created onto my backup device so I can SSH from either yubikey. The problem is I get something like this:

gpg> keytocard
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

Please select where to store the key:
(3) Authentication key
Your selection? 3
gpg: secret key already stored on a card

It makes sense that the key was copied to the card and cannot be copied to another Yubico. I do have all of the subkeys/masterkeys backed up to offline USB storage.

Is it at all possible to somehow get the same subkey onto my backup Yubikey so I can use pubkey/ssh auth using just one public key from either yubikey?



PostPosted: Fri Feb 19, 2016 3:10 am 
Yubico Team
I haven't personally attempted this before, but it should be possible. Take a look at this excerpt from a gnupg.org thread:

> The problem you are having is because the secret key still exists,
> even after it is transferred to a card. There are no secret bits any
> longer, but the "stub" of the key is still there, and it contains the
> serial number of the card (so GPG knows which card to look at for the
> secret bits). If you delete the secret key stub, you can re-import it
> and transfer it to other smartcards.
>
> Something like this:
>
> 1. Generate your key and save a copy of the secret part (gpg
> --export-secret-key ...)
> 2. Transfer the secret key to your production card
> 3. Delete the whole key from your keyring (gpg
> --delete-secret-and-public ...)
> 4. Import the secret key again (gpg --import ...)
> 5. Transfer the secret key to your backup card
> 6. Repeat #3
> 7. Repeat #4
> 8. Transfer the secret key to your offsite card.
> 9. Repeat #3.
> 10. Import the public part of the key
> 11. Insert the card you want to use regularly, and do a "gpg
> --card-status" (this re-creates the stub for the card you use regularly)
>
> If you ever want to use a different smartcard, you will need to delete
> your secret key, insert the card, and do a "gpg --card-status" to
> recreate the stub for that card.

Source - https://lists.gnupg.org/pipermail/gnupg ... 37362.html

If that doesn't work for you, let me know and I'll check with the devs.


PostPosted: Fri Feb 19, 2016 4:39 am 
Hi Chris,

The part that confuses me is I thought I had already deleted the secret key which would contradict what's in the aforementioned post. gpg --list-secret-keys shows the following:

sec# 4096R/B3559E07 2016-02-15 [expires: 2018-02-14]

The # in front of the sec should indicate that the secret key has been deleted (and stored offline).


PostPosted: Fri Feb 19, 2016 11:05 am 
Yubico Moderator
Hey,

What you said is correct, the "#" at the end of a key means that it's not available, but keep in mind that what you're also after is the subkeys.

I don't know your setup, i.e., if you have an airgapped laptop where you operate from (which is a good idea) or not, but generally what you want to do is to re-import all your keys in your keyring and do the keytocard from there. Typically I find that to make this a bit less painful, the easiest thing is not to save the edits to your keyring after you've moved your keys (again, this depends on your setup and assumes that you have a separate keyring file for doing management operations). In this way the keys will be exported onto the YubiKey but they won't be deleted from the keyring, allowing you to program as many YubiKeys as you want.

To summarize, what Chris posted is correct, just make sure that before you do a keytocard, all the keys are present. That is, if you do gpg -K there must be no "#" and no ">" next to a secret key or a subkey.
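The quoted gnupg-list procedure (delete the stub, re-import, keytocard, repeat per card) together with the moderator's "no # and no >" check, as an added shell example that is not from this thread or from Yubico: `count_stubs`/`has_no_stubs` scan a `gpg -K` listing for stub markers, and `provision_card` re-imports the backup into a fresh temporary keyring for each card, which is steps 3-4 above without touching the main keyring. The function names, the constructed sample listing and the GnuPG 2.1+ assumption are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GnuPG 2.1+ and a card
# already inserted; function names are hypothetical.

# Count stub lines in a `gpg -K` listing: "sec#"/"ssb#" means the secret
# part is missing (kept offline), "sec>"/"ssb>" means it lives on a card.
count_stubs() {
    printf '%s\n' "$1" | grep -Ec '^(sec|ssb)[#>]' || true
}

# Succeed only when no secret key or subkey is a stub, i.e. the state the
# moderator asks for before running keytocard.
has_no_stubs() {
    [ "$(count_stubs "$1")" -eq 0 ]
}

# Program one card from a throwaway keyring. Importing the backup into a
# fresh homedir is the "delete, then re-import" of the quoted procedure
# without touching the main keyring, so the same subkey can be written
# to as many cards as needed.
#   $1: exported secret key file   $2: key id or fingerprint
provision_card() {
    tmp=$(mktemp -d) || return 1
    gpg --homedir "$tmp" --import "$1" || { rm -rf "$tmp"; return 1; }
    if ! has_no_stubs "$(gpg --homedir "$tmp" -K)"; then
        echo "stub entries present after import, aborting" >&2
        rm -rf "$tmp"; return 1
    fi
    # Interactive: "key N" to select the authentication subkey, then
    # "keytocard", choose (3), then "quit". Saving is irrelevant here
    # because the temporary homedir is discarded afterwards.
    gpg --homedir "$tmp" --edit-key "$2"
    rm -rf "$tmp"
}

# Constructed listing in the shape of the original poster's output: the
# primary key is offline (#) and the auth subkey is already on a card (>).
SAMPLE='sec#  4096R/B3559E07 2016-02-15 [expires: 2018-02-14]
uid                  Example User <user@example.org>
ssb>  4096R/0000AAAA 2016-02-15'

count_stubs "$SAMPLE"   # prints 2
```

Run `provision_card backup.key B3559E07` once per YubiKey; the check aborts if the imported keyring still shows a stub instead of the real secret bits.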

