Yubico Forum

I purchased an additional Yubico 4 that I plan on locking away. I've added it to everywhere I'm using U2F as a second device. That part is trivial.

What I'd like to do is be able to copy the GPG subkey I created onto my backup device so I can SSH from either yubikey. The problem is I get something like this:

gpg> keytocard
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

Please select where to store the key:
(3) Authentication key
Your selection? 3
gpg: secret key already stored on a card

It makes sense that the key was copied to the card and cannot be copied to another Yubico. I do have all of the subkeys/masterkeys backed up to offline USB storage.

Is it at all possible to somehow get the same subkey onto my backup Yubikey so I can use pubkey/ssh auth using just one public key from either yubikey?

I haven't personally attempted this before, but it should be possible. Take a look at this excerpt from a gnupg.org thread

> The problem you are having is because the secret key still exists,
> even after it is transferred to a card. There are no secret bits any
> longer, but the "stub" of the key is still there, and it contains the
> serial number of the card (so GPG knows which card to look at for the
> secret bits). If you delete the secret key stub, you can re-import it
> and transfer it to other smartcards.
>
> Something like this:
>
> 1. Generate your key and save a copy of the secret part (gpg
> --export-secret-key ...)
> 2. Transfer the secret key to your production card
> 3. Delete the whole key from your keyring (gpg
> --delete-secret-and-public ...)
> 4. Import the secret key again (gpg --import ...)
> 5. Transfer the secret key to your backup card
> 6. Repeat #3
> 7. Repeat #4
> 8. Transfer the secret key to your offsite card.
> 9. Repeat #3.
> 10. Import the public part of the key
> 11. Insert the card you want to use regularly, and do a "gpg
> --card-status" (this re-creates the stub for the card you use regularly)
>
> If you ever want to use a different smartcard, you will need to delete
> your secret key, insert the card, and do a "gpg --card-status" to
> recreate the stub for that card.

Source - https://lists.gnupg.org/pipermail/gnupg ... 37362.html

If that doesn't work for you, let me know and I'll check with the devs.

Hi Chris,

The part that confuses me is I thought I had already deleted the secret key which would contradict what's in the aforementioned post. gpg --list-secret-keys shows the following:

sec# 4096R/B3559E07 2016-02-15 [expires: 2018-02-14]

the # in front of the sec should indicate that the secret key has been deleted (and stored offline).

Hey,

What you said is correct, the "#" at the end of a key means that it's not available, but keep in mind that what you're also after the subkeys.

I don't know your setup, i.e., if you have an airgapped laptop where you operate from (which is a good idea) or not, but generally what you want to do is to re-import all your keys in your keyring and do the keytocard from there. Typically I find that to make this a bit less painful, the easiest thing is not to save the edits to your keyiring after you've moved your keys (again, this is depends on your setup and assumes that you have a separate keyring file for doing management operations). In this way the keys will be exported onto the YubiKey but they won't be deleted from the keyring, allowing you to program as many YubiKeys as you want.

To summarize, what Chris posted is correct, just make sure that before you do a keytocard, all the keys are present. That is, if you do gpg -K there must be no "#" and no ">" next to a secret key or a subkey.