Yubico Forum
https://forum.yubico.com/

Yubikey NEO and gpg4win
https://forum.yubico.com/viewtopic.php?f=26&t=1036
Page 1 of 1

Author:  babb517 [ Sat Apr 13, 2013 11:59 pm ]
Post subject:  Yubikey NEO and gpg4win

I've just received my Yubikey NEO in the mail and have been experimenting with its functionality.

I'm currently attempting to set up and use a GPG identity and have encountered a strange problem after following the guide posted to the Yubico blog. As a preface, I'm attempting to do this on Windows 8 x64 and have received a Yubikey NEO v3.1.2.

I've successfully installed gpg4win and generated a new set of keys on the NEO using it; following this, I was able to see my key in Kleopatra as was mentioned in the blog (and was able to successfully encrypt/decrypt a file with it). After removing the key and plugging it back in I'm now unable to interface with the Yubikey NEO through the gpg command line interface. Initially, running 'gpg --verbose --card-status' displays the expected output:

Code:
Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
...


But running 'gpg --card-edit' followed by an administration command, such as 'admin' -> 'sex' -> 'M', or any other command which directly interfaces with the card, displays a "Card Error". Attempting to encrypt/decrypt via Kleopatra simply yields a failure. Looking at my device manager I see the expected devices (at least one other forum thread had multiple card readers) (image attached).

Furthermore, it appears that what I'm seeing is a phantom of sorts, as killing all gpg-agent and scdaemon processes and attempting 'gpg --verbose --card-status' yields

Code:
gpg: no running gpg-agent - starting one
gpg: waiting 5 seconds for the agent to come up
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error


indicating it simply refuses to see the NEO after it's been disconnected/reconnected.

Ultimately it seems the only way to continue to use my Yubikey NEO for GPG operations is to kill gpg-agent and scdaemon, disconnect/reconnect the Yubikey (now that I think about it), rerun 'gpg --verbose --card-status' (relaunching gpg-agent) and then continue use with Kleopatra.

I'm not sure if I'm doing something wrong, if this is a bug in gpg4win, or if this has something to do with Yubikey NEO, but I figured here would be a good place to start =).

As a side question: The blog post mentioned that the private key on the Yubikey NEO could never be recovered (which is the whole point!), but it seems that Kleopatra indicates that the secret key is "available" and it even lets me export it (right click on the cert -> export secret key) producing what looks like a valid PGP private key block; what exactly am I seeing? Is Kleopatra able to extract the private key from the Yubikey NEO?

Thanks!

Author:  Klas [ Mon Apr 15, 2013 7:30 am ]
Post subject:  Re: Yubikey NEO and gpg4win

Hello,

In these situations it should be enough to kill any scdaemon processes and try again. I believe this to be an issue with scdaemon but it's not tracked down that I know of.
Yes, Kleopatra and other tools will list that there is a secret key available, this should only be a "stub" though. I'm unsure about what you get if you try to export it.

/klas
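As an added example (not part of the forum thread, and not code from Yubico, GnuPG or gpg4win): a small POSIX sh helper around the workaround both posts describe. It parses the two kinds of `gpg --card-status` output shown above to decide whether scdaemon actually reached the card, reports which secret keys `gpg -K` shows as on-card stubs (GnuPG marks those with `>` after `sec`/`ssb`, and `#` when no secret material is available at all), and wraps the kill-scdaemon / reinsert / re-run-card-status sequence. The sample outputs are the ones quoted in the thread; the `gpgconf --kill` calls assume GnuPG 2.1 or later (the 2013 gpg4win build shipped 2.0, where you kill the processes by name instead), and `pkill` is assumed to exist in the shell you run this from.

```shell
#!/bin/sh
# Added example: helpers for the "card error after reconnect" workaround.

# card_status_ok OUTPUT
# Returns 0 when OUTPUT (captured `gpg --verbose --card-status`) shows a
# reachable OpenPGP card, 1 when scdaemon reported a card error or no card.
card_status_ok() {
    case "$1" in
        *"Card error"*|*"card not available"*) return 1 ;;
    esac
    case "$1" in
        *"Application ID"*) return 0 ;;
    esac
    return 1
}

# list_card_keys OUTPUT
# OUTPUT is captured `gpg -K` (human-readable). Prints one line per secret
# key or subkey: "sec|ssb on-card|stub-no-key|local".
#   sec>/ssb>  key lives on a smartcard, only a stub is in the keyring
#   sec#/ssb#  stub with no secret key available anywhere
#   sec/ssb    secret key material stored locally
list_card_keys() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(sec|ssb)>$/ { print substr($1, 1, 3), "on-card";     next }
        $1 ~ /^(sec|ssb)#$/ { print substr($1, 1, 3), "stub-no-key"; next }
        $1 ~ /^(sec|ssb)$/  { print $1, "local" }'
}

# reset_scdaemon
# The workaround from the thread: stop scdaemon (and gpg-agent, which
# spawns it), have the user reinsert the key, then re-run card-status so a
# fresh agent/scdaemon starts. Not exercised below; needs gpg installed.
reset_scdaemon() {
    if command -v gpgconf >/dev/null 2>&1; then
        # GnuPG 2.1+; falls back to pkill on older gpgconf without --kill.
        gpgconf --kill scdaemon  2>/dev/null || pkill scdaemon  2>/dev/null
        gpgconf --kill gpg-agent 2>/dev/null || pkill gpg-agent 2>/dev/null
    else
        pkill scdaemon 2>/dev/null
        pkill gpg-agent 2>/dev/null
    fi
    printf 'Unplug and reinsert the YubiKey, then press Enter: '
    read -r _
    out=$(gpg --verbose --card-status 2>&1)
    if card_status_ok "$out"; then
        printf '%s\n' "$out" | grep -E '^(Application ID|Serial number)'
        return 0
    fi
    printf 'card still not reachable:\n%s\n' "$out" >&2
    return 1
}

# Constructed samples: the two outputs quoted in the original post, and a
# hypothetical `gpg -K` listing for a key generated on the NEO (key ids and
# serial number made up for the example).
SAMPLE_GOOD='Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R'

SAMPLE_BAD='gpg: no running gpg-agent - starting one
gpg: waiting 5 seconds for the agent to come up
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error'

SAMPLE_KEYS='sec>  2048R/0A1B2C3D 2013-04-13
      Card serial no. = 0006 00000001
uid                  Example User <user@example.invalid>
ssb>  2048R/1E2F3A4B 2013-04-13
ssb>  2048R/5C6D7E8F 2013-04-13
ssb   2048R/99999999 2013-04-13'

if card_status_ok "$SAMPLE_GOOD"; then echo "good sample: card reachable"; fi
if card_status_ok "$SAMPLE_BAD";  then :; else echo "bad sample: card error"; fi
list_card_keys "$SAMPLE_KEYS"
```

Run it as `sh card-check.sh` to see the parsers on the embedded samples; call `reset_scdaemon` interactively when `gpg --card-status` starts returning "Card error" after a reinsert. The `>` marker is also the answer to the side question: Kleopatra and `gpg -K` list a secret key because the keyring holds a stub that points at the card, and what `list_card_keys` labels `on-card` is exactly that stub.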
