Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 2:10 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 2 posts ] 
Author Message
PostPosted: Thu Sep 21, 2017 3:38 pm 
Offline

Joined: Thu Sep 21, 2017 2:50 pm
Posts: 2
Pardon me if this topic is a duplicate but I haven't found the answers to all my questions in another topic so I decided to start my own. By all means simply refer me to any master thread if these questions have all been covered elsewhere.

I am primarily interested in using my YubiKey4's OpenPGP features for encryption of my own data. To this end I started by following Eric Severance's guide to PGP and SSH Keys on a Yubikey and have successfully configured my card exactly as described in that tutorial. After doing so my process seems to be something like the following:

1. Remove my master keys from all locations except for my safe storage
2. Install GPG on any system I need to use for encrypt/sign.
3. Insert YubiKey
4. Run gpg2 --card-edit
5. admin
6. fetch to pull down public key from keyserver
7. Encrypt files using Kleopatra on Windows or whatever
8. Decrypt files if my key is inserted
9. Can't decrypt files if my key is not inserted

My questions start with the "fetch" process. I'm assuming this is a kind of "import" that is bringing down the public keys from my chosen keyserver. After the "fetch" I can see my keys in programs like Kleopatra on Windows. That is just a public key so no worries there about security.

However, after the fetch I can now decrypt messages when my YubiKey is inserted. Based on the tutorial, I believe this is because the private key of my encryption subkey is present on the Yubikey even though the private key of the master key is not. So in that case why is it necessary to do the fetch at all? And just to be clear, this encryption subkey private key is not stored anywhere in my local GPG installation after this process correct? Additionally, Eric Severance refers to "stubs" in the tutorial. Can anyone explain this concept or refer me to more information on that subject?

Also, what best practices should I be following for the local gpg "caches"? After I fetch and encrypt/decrypt should I be deleting those keys from local "caches" or are they completely harmless because of the usage I've described?

I know that is a lot of questions. Thanks for any guidance.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Thu Sep 21, 2017 4:47 pm 
Offline

Joined: Thu Sep 21, 2017 2:50 pm
Posts: 2
One more question if I may.

After completing the described process, and fetching the public key I show the following output from gpg2 --card-edit which is supposed to be indicative that the master key private key is not present.

sec# 4096R/5B33C464 created: 2017-09-20 expires: never
ssb> 4096R/D3FB05BA created: 2017-09-20 expires: never
card-no: 0006 05225603
ssb> 4096R/ED826B38 created: 2017-09-20 expires: never
card-no: 0006 05225603
ssb> 4096R/776D0CD1 created: 2017-09-20 expires: never
card-no: 0006 05225603

However, if exit and then go to gpg2 --edit-key $KEY_ID, I get the following:

U:\>gpg2 --edit-key 5B33C464
gpg (GnuPG) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

Is the secret key really available or is this message related to "stubs" that I see reference to? I am trying to be 100% positive that I am protecting my private keys. How can I confirm this?


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: Google [Bot] and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group