Yubico Forum https://forum.yubico.com/
Cannot move 4096 bit GnuPG key to YubiKey 4 https://forum.yubico.com/viewtopic.php?f=35&t=2690
Author: patrickkox79 [ Mon Aug 21, 2017 6:04 pm ]
Post subject: Cannot move 4096 bit GnuPG key to YubiKey 4
A few weeks ago I purchased the YubiKey 4 bundle (1 white and 1 black YubiKey 4). I have written 2 different 4096 bit GPG keys to them without problem. Today I received another bundle I ordered (to have spares/replacements), but I cannot move my 4096 bit keys to them.

When I check with the YubiKey Personalization tool I see my "old" keys have firmware 4.3.4 and the "new" have firmware 4.3.5, so I would guess this should be possible since the firmware is even newer.

When I run gpg2 --card-status I get the card information and the key attributes are set to 2048. I tried to generate a new keypair on the YubiKey, and when I select 4096 and get a warning that this might not work, the newly generated key seems to be a 4096 bit one. When I check again, the key attributes are now set to 4096, but I still cannot move a new key (keytocard) to the YubiKey. The only key that I can move to the YubiKey is a 2048 bit one, but I need my 4096 bit key, not a 2048 bit one or a new one.

Here is the output from gpg when I do keytocard:

Quote:
    gpg> keytocard
    Really move the primary key? (y/N) y
    Please select where to store the key:
       (1) Signature key
       (3) Authentication key
    Your selection? 3
    gpg: WARNING: such a key has already been stored on the card!
    Replace existing key? (y/N) y
    gpg: KEYTOCARD failed: Onbruikbare geheime sleutel
    gpg>

The error in Dutch is: "Unusable secret key".

I've found a post here with a similar problem, but that person had an error after entering a PIN; this is before the PIN is asked.

Anyone have an idea?

Patrick
Author: nesos [ Sun Sep 10, 2017 9:51 am ]
Post subject: Re: Cannot move 4096 bit GnuPG key to YubiKey 4
I also have a new key and it has firmware 4.3.5, but here everything works. One difference is that I generated the key on my PC and moved it to the card/YubiKey instead of generating it directly there (never tried). From what I have understood, the fact that it says 2048 is normal as it is a default value, but it doesn't mean that you can't push a 4096 bit key.

I'm not a GPG expert, but another thing: have you issued the toggle command before using keytocard? According to the gpg manual, toggle switches between public and private key, so I guess you are trying to push the public key and thus the error "no private key usable".

This is what I followed to store the key on the YubiKey: https://developers.yubico.com/PGP/Importing_keys.html

I understand that you might prefer to generate it directly on the YubiKey, but in that way you have no way of making a backup; also an "evil pc" could try wrong PINs and destroy your keys.
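An added pre-flight check (not from either poster, nor Yubico's or GnuPG's own tooling) that parses the "Key attributes" line of gpg2 --card-status output, which both posts refer to, so you can confirm what size each card slot is configured for before attempting keytocard. The card-status text below is constructed, not captured from a real YubiKey, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of `gpg2 --card-status` output (not from a real card).
# Only the "Key attributes" line matters for the checks below.
SAMPLE_STATUS='Reader ...........: Yubico Yubikey 4 OTP U2F CCID
Version ..........: 2.1
Manufacturer .....: Yubico
Key attributes ...: rsa2048 rsa2048 rsa2048
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]'

# Print the RSA size configured for the three card slots
# (signature, encryption, authentication), space separated, e.g. "2048 2048 2048".
card_key_bits() {
    printf '%s\n' "$1" | awk -F': *' '/^Key attributes/ {
        n = split($2, a, " ")
        for (i = 1; i <= n; i++) {
            sub(/^rsa/, "", a[i])
            printf "%s%s", a[i], (i < n ? " " : "\n")
        }
    }'
}

# Return 0 if every slot is configured for the requested size, 1 otherwise.
# A status with no "Key attributes" line (older gpg, or no card) also fails.
keytocard_preflight() {
    want="$2"
    bits_list=$(card_key_bits "$1")
    [ -n "$bits_list" ] || return 1
    for bits in $bits_list; do
        [ "$bits" = "$want" ] || return 1
    done
    return 0
}

# Usage: check the sample for the 4096 bit key the original poster wants to move.
if keytocard_preflight "$SAMPLE_STATUS" 4096; then
    echo "card slots are rsa4096: keytocard of a 4096 bit key can be attempted"
else
    echo "card slots are not all rsa4096 (found: $(card_key_bits "$SAMPLE_STATUS"))"
fi
```

To run it against a real card, replace SAMPLE_STATUS with "$(gpg2 --card-status)"; a slot that reports a smaller size than the key you intend to move is the first thing to rule out before debugging the keytocard error itself.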