Yubico Forum


All times are UTC + 1 hour

Posted: Thu Sep 21, 2017 3:38 pm

Joined: Thu Sep 21, 2017 2:50 pm
Posts: 2
Pardon me if this topic is a duplicate but I haven't found the answers to all my questions in another topic so I decided to start my own. By all means simply refer me to any master thread if these questions have all been covered elsewhere.

I am primarily interested in using my YubiKey4's OpenPGP features for encryption of my own data. To this end I started by following Eric Severance's guide to PGP and SSH Keys on a Yubikey and have successfully configured my card exactly as described in that tutorial. After doing so my process seems to be something like the following:

1. Remove my master keys from all locations except for my safe storage
2. Install GPG on any system I need to use for encrypt/sign.
3. Insert YubiKey
4. Run gpg2 --card-edit
5. admin
6. fetch to pull down public key from keyserver
7. Encrypt files using Kleopatra on Windows or whatever
8. Decrypt files if my key is inserted
9. Can't decrypt files if my key is not inserted

My questions start with the "fetch" process. I'm assuming this is a kind of "import" that is bringing down the public keys from my chosen keyserver. After the "fetch" I can see my keys in programs like Kleopatra on Windows. That is just a public key so no worries there about security.

However, after the fetch I can now decrypt messages when my YubiKey is inserted. Based on the tutorial, I believe this is because the private key of my encryption subkey is present on the Yubikey even though the private key of the master key is not. So in that case why is it necessary to do the fetch at all? And just to be clear, this encryption subkey private key is not stored anywhere in my local GPG installation after this process correct? Additionally, Eric Severance refers to "stubs" in the tutorial. Can anyone explain this concept or refer me to more information on that subject?

Also, what best practices should I be following for the local gpg "caches"? After I fetch and encrypt/decrypt should I be deleting those keys from local "caches" or are they completely harmless because of the usage I've described?

I know that is a lot of questions. Thanks for any guidance.



Posted: Thu Sep 21, 2017 4:47 pm

Joined: Thu Sep 21, 2017 2:50 pm
Posts: 2
One more question if I may.

After completing the described process and fetching the public key, I see the following output from gpg2 --card-edit, which is supposed to indicate that the master key's private key is not present.

sec# 4096R/5B33C464 created: 2017-09-20 expires: never
ssb> 4096R/D3FB05BA created: 2017-09-20 expires: never
card-no: 0006 05225603
ssb> 4096R/ED826B38 created: 2017-09-20 expires: never
card-no: 0006 05225603
ssb> 4096R/776D0CD1 created: 2017-09-20 expires: never
card-no: 0006 05225603

However, if I exit and then go to gpg2 --edit-key $KEY_ID, I get the following:

U:\>gpg2 --edit-key 5B33C464
gpg (GnuPG) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

Is the secret key really available or is this message related to "stubs" that I see reference to? I am trying to be 100% positive that I am protecting my private keys. How can I confirm this?
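An added example for both posts above (it is not code from the poster, from the tutorial mentioned, or from Yubico/GnuPG): a small script that answers the "where does each secret key actually live?" question from the machine-readable listing instead of the human-readable sec#/ssb> markers. It assumes the colon-separated format of gpg --list-secret-keys --with-colons as documented in GnuPG's doc/DETAILS, where field 15 of a sec/ssb record is "#" when the secret part is absent (the sec# case) and a card serial number when the key is a stub pointing at a token (the ssb> case); it also assumes gpg-agent's private-keys-v1.d layout, where a card stub is an S-expression tagged shadowed-private-key and real key material is tagged protected-private-key or private-key. The listing, key IDs and card serial embedded below are constructed sample data modelled on the post, not captured from a real system. The "Secret key is available." message from --edit-key only tells you that gpg found a secret-key entry, stubs included; the per-key status is what confirms that no private material is on the machine.

```python
"""Classify each GnuPG secret key as on-disk, on-card (stub pointing at a
YubiKey/smart card) or missing (stub with no secret material at all).

Added example for the thread, not the poster's or Yubico's code. Assumes:
  * gpg --list-secret-keys --with-colons field 15 semantics (doc/DETAILS):
    '#' = secret part absent, a serial number = key lives on that token,
    empty = real secret material held locally by gpg-agent;
  * gpg-agent private-keys-v1.d files carry one of the S-expression tags
    shadowed-private-key / protected-private-key / private-key.
"""
import subprocess

# Constructed sample listing: one master key with no secret part ('#') and
# three subkeys (sign, encrypt, auth) living on a card with a made-up serial.
SAMPLE_LISTING = """\
sec:u:4096:1:89ABCDEF01234567:1505865600:::u:::scESC:::#:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1505865600::0000000000000000000000000000000000000000::Example User <user@example.test>::::::::::0:
ssb:u:4096:1:89ABCDEF01234568:1505865600::::::s:::D2760001240102010006000000000000:::23::0:
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:4096:1:89ABCDEF01234569:1505865600::::::e:::D2760001240102010006000000000000:::23::0:
grp:::::::::3333333333333333333333333333333333333333:
ssb:u:4096:1:89ABCDEF0123456A:1505865600::::::a:::D2760001240102010006000000000000:::23::0:
grp:::::::::4444444444444444444444444444444444444444:
"""


def classify_record(fields):
    """Return (kind, keyid, status) for one sec/ssb record, else None."""
    kind = fields[0]
    if kind not in ("sec", "ssb"):
        return None
    keyid = fields[4]
    token = fields[14] if len(fields) > 14 else ""
    if token == "#":
        status = "missing"            # shown as sec# / ssb# by gpg
    elif token:
        status = "on-card:" + token   # shown as ssb> / sec> by gpg
    else:
        status = "on-disk"            # real secret key material on this machine
    return kind, keyid, status


def classify_listing(text):
    """Parse a --with-colons secret listing into [(kind, keyid, status)]."""
    out = []
    for line in text.splitlines():
        rec = classify_record(line.split(":"))
        if rec:
            out.append(rec)
    return out


def keys_with_secret_on_disk(text):
    """Key IDs whose private material is held locally. For a setup like the
    poster's (master key offline, subkeys on the YubiKey) this must be empty."""
    return [keyid for _, keyid, status in classify_listing(text) if status == "on-disk"]


def classify_keygrip_file(data: bytes) -> str:
    """Classify the body of a ~/.gnupg/private-keys-v1.d/<keygrip>.key file.
    Only the tag is inspected, so both the canonical '(20:shadowed-private-key'
    form and the newer 'Key: (shadowed-private-key ...' text form are handled.
    Order matters: 'private-key' is a substring of the other two tags."""
    head = data[:256]
    if b"shadowed-private-key" in head:
        return "card-stub"
    if b"protected-private-key" in head:
        return "on-disk-protected"
    if b"private-key" in head:
        return "on-disk-unprotected"
    return "unknown"


def list_secret_keys() -> str:
    """Fetch the real listing from the local gpg (not used by the sample run)."""
    return subprocess.run(
        ["gpg", "--list-secret-keys", "--with-colons", "--with-keygrip"],
        check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for kind, keyid, status in classify_listing(SAMPLE_LISTING):
        print(f"{kind} {keyid}: {status}")
    print("secret material on disk:", keys_with_secret_on_disk(SAMPLE_LISTING) or "none")
```

To check a real machine, replace SAMPLE_LISTING with the return value of list_secret_keys(); any key reported as on-disk is private material that the fetch/card workflow in the post is meant to keep off that system, and on GnuPG 2.1 or later the per-keygrip files can be cross-checked with classify_keygrip_file.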

