trent wrote:
Hi,
I've got a couple of Yubikey 4s, which I'm trying to use as PGP smartcards.
I've largely followed the directions here, and all has gone OK, up to the point of reimporting the public key stubs.
The keys are pointing to a card with a specific serial number, which means that if I put a different key in, despite them being loaded with the same subkeys, I get a card error. Enigmail is a little bit more transparent and asks for the smart card with the serial number they were first imported from.
Is there a way of getting GPG to look for the subkeys on any key, rather than just the one they were reimported from?
There is not, and this is something that's come up a few times if you search the forums. GPG needs to know what card it's on so it's not just having you pass your privkey to random cards (and so that it knows which card if multiple are connected). The closest to a workaround you'll get with this would be in the scenario of particular tokens being used with particular machines (e.g. a nano on a laptop and a normal-size one for your desktop); in this scenario you would go through normal procedures to strip the master key, and in the keytocard phase you'd use the token you want to use with that particular machine.
There really isn't a good way to handle it, because at the end of the day it's not actually an advisable implementation. The same key on multiple tokens means increased risk of compromise. A normal scenario would involve different subkeys on each token (at least for signing; there's unfortunately no good way to handle the encryption key if you want multiple tokens except to just keep it on the local machine). This way, if a token is lost, you only need to revoke the affected keys and still have good keys available for use.
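An added diagnostic (not code from either poster) that shows the binding the answer describes: GnuPG's colon-format secret-key listing records, in field 15 of each `sec`/`ssb` line, the serial number of the card a stub was created from, so the script lists those bindings and checks them against the serial of the card currently inserted. The key IDs and the card serial in the sample listing are constructed, not real.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons --list-secret-keys` output
# (fake key IDs, made-up card serial). Field 12 = key capabilities,
# field 15 = token holding the key: '+' on disk, '#' missing (stripped
# master key), otherwise the serial of the OpenPGP card it was moved to.
SAMPLE_SECKEYS='sec:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::cESC:::#:::23::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::s:::D2760001240102010006012345670000:::23:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1500000000::::::e:::D2760001240102010006012345670000:::23:
ssb:u:4096:1:DDDDDDDDDDDDDDDD:1500000000::::::a:::+:::23:'

# card_bindings: read a colon-format secret-key listing on stdin and print
# "<keyid> <capabilities> <serial>" for every key whose private part is on a card.
card_bindings() {
    awk -F: '($1=="sec" || $1=="ssb") && $15!="" && $15!="+" && $15!="#" {
        print $5, $12, $15
    }'
}

# stubs_match_card <serial>: exit 0 when every card-bound stub on stdin points
# at the given serial, exit 1 (naming the offenders) when a stub was created
# from a different card. A mismatch here is the "card error" from the question.
stubs_match_card() {
    want="$1"
    card_bindings | awk -v want="$want" '
        $3 != want { print "key " $1 " (" $2 ") is bound to card " $3 ", not " want; bad=1 }
        END { if (bad) exit 1; exit 0 }'
}

# check_inserted_card: live variant; needs gpg, scdaemon and an inserted card.
# `gpg --card-status --with-colons` reports the card serial in a "serial:" record.
check_inserted_card() {
    serial=$(gpg --card-status --with-colons 2>/dev/null | awk -F: '$1=="serial" {print $2; exit}')
    [ -n "$serial" ] || { echo "no OpenPGP card detected" >&2; return 2; }
    gpg --with-colons --list-secret-keys | stubs_match_card "$serial"
}
```

Run `check_inserted_card` on each machine after the keytocard step to confirm the stubs there point at the token meant for that machine.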