Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 6:01 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 4 posts ] 
Author Message
PostPosted: Fri Feb 05, 2016 4:22 pm 
Offline

Joined: Mon Feb 01, 2016 8:53 pm
Posts: 5
I have just bought a Neo4, since it can hold 4096 bit RSA. My primary key is 4096 bits, and is the only key that can sign other keys, which is called "certify" in GPG language (_and_ sign key as well, just to make the confusion complete).

What I have done is put my secret part of my primary key to the signing slot of the Yubikey. I now try to use it to sign other keys, but GPG2 cannot find the secret part. So apparently it cannot link the public part of the key to the secret part, which is on the Yubikey. I thought "gpg2 --card-status" would fix this, but apparently not.

What might confuse GPG is that some of the secret keys are on one Yubikey (a Neo3), while the primary secret key is on another Yubikey (Neo4). Could this cause confusion?

$ gpg2 --list-keys
/home/mats/.gnupg/pubring.gpg
-----------------------------
pub 4096R/AEA6A954 2015-10-18
uid [ unknown] Mats G. Liljegren <mats@mexit.se>
uid [ unknown] Mats G. Liljegren (Enea Software AB) <mats.liljegren@enea.com>
uid [ unknown] Mats G. Liljegren <liljegren.mats@gmail.com>
sub 2048R/667841C4 2015-10-18 [expires: 2020-10-16]
sub 2048R/98DEC8A5 2015-10-18 [expires: 2020-10-16]
sub 2048R/81DA6635 2015-10-18 [expires: 2020-10-16]

$ gpg2 --list-secret-keys
/home/mats/.gnupg/secring.gpg
-----------------------------
sec# 4096R/AEA6A954 2015-10-18
uid Mats G. Liljegren (Enea Software AB) <mats.liljegren@enea.com>
uid Mats G. Liljegren <mats@mexit.se>
uid Mats G. Liljegren <liljegren.mats@gmail.com>
ssb> 2048R/667841C4 2015-10-18
ssb> 2048R/98DEC8A5 2015-10-18
ssb> 2048R/81DA6635 2015-10-18


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Sat Feb 06, 2016 10:16 pm 
Offline

Joined: Tue Feb 02, 2016 9:23 pm
Posts: 58
What the heck is a "neo 4" ?
There is thw yubikey 4 and the yubikey 4 nano (which is just a small version of the nano)
Then there's the neo which has nfc and there's the neo-n which is basically a small neo without nfc.


Top
 Profile  
Reply with quote  
PostPosted: Mon Feb 08, 2016 10:03 am 
Offline
Yubico Moderator
Yubico Moderator

Joined: Fri Jan 02, 2015 12:22 pm
Posts: 16
I assume you're talking about a YubiKey 4, as there is no such thing as a NEO 4 and the NEO does not support 4096 keys.

Moving your master key to the YubiKey will work and will allow you to sign other people's keys, however if you already have subkeys belonging to the same master key to a YubiKey, gpg will get a bit confused, usually it will look for the wrong device (you should be able to see this by looking at the serial number that gpg asks for).

To solve this issue you want to replace your ~/.gnupg/private-keys-v1.d directory.
You can find more info about this directory in the man page of gpg-agent.

You can do this in one of several things:
- rename the directory;
- use different keyring files by setting the GNUPGHOME environment variable;
- use different keyring files by using the --keyring flag with the command.

Depending on your situation, one solution might be better then another.
Keep in mind that the directory will be recreated by gpg if it's not there and that for key moved to a YubiKey will only contain stubs. Keep also in mind that you might have to revert these changes if you want to go back to using the other keys.

I hope this helps.


Top
 Profile  
Reply with quote  
PostPosted: Sun Feb 21, 2016 8:30 pm 
Offline

Joined: Mon Feb 01, 2016 8:53 pm
Posts: 5
You're right about the naming, I was just assuming that if there's a Neo 3, then the next generation would be Neo 4. Assumptions are not always correct...

Thanks for the hint about the error. I haven't had an opportunity to test it yet, but it might explain why my old key suddenly stopped working once I got the new key working. Oh well, the intention is that the new key would only be used a couple of times per year, so I might be able to live with the hassle of renaming that directory.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 9 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group