Yubico Forum


All times are UTC + 1 hour




PostPosted: Sun Aug 21, 2016 8:55 am 

Joined: Sun Aug 21, 2016 8:38 am
Posts: 1
Hi,

I've got a couple of Yubikey 4s, which I'm trying to use as PGP smartcards.

I've largely followed the directions here, and all has gone OK, up to the point of reimporting the public key stubs.

The keys are pointing to a card with a specific serial number - which means that if I put a different key in, despite them being loaded with the same subkeys, I get a card error. Enigmail is a little bit more transparent and asks for the smart card with the serial number they were first imported from.

Is there a way of getting GPG to look for the subkeys on any key, rather than just the one they were reimported from?



PostPosted: Thu Sep 01, 2016 12:04 am 

Joined: Fri Aug 26, 2016 5:44 pm
Posts: 25
Location: Rochester, New York, USA
trent wrote:
Is there a way of getting GPG to look for the subkeys on any key, rather than just the one they were reimported from?

There is not, and this is something that's come up a few times if you search the forums. GPG needs to know what card it's on so it's not just having you pass your privkey to random cards (and so that it knows which card if multiple are connected). The closest to a workaround you'll get with this would be in the scenario of particular tokens being used with particular machines (e.g. a nano on a laptop and a normal-size one for your desktop); in this scenario you would go through the normal procedures to strip the master key, and on the keytocard phase you'd use the token you want to use with that particular machine.

There really isn't a good way to handle it, because at the end of the day it's not actually an advisable implementation. The same key on multiple tokens means increased risk of compromise. A normal scenario would involve different subkeys on each token (at least for signing; there's unfortunately no good way to handle the encryption key if you want multiple tokens except to just keep it on the local machine). This way if a token is lost you only need to revoke those keys affected, and still have good keys available for use.

_________________
Keybase User: sporkwitch
PGP Public Key: B54A 454A 2B29 9D83 0201 CB1B C136 07BD 83A9 E927


PostPosted: Sun Jan 07, 2018 9:41 am 

Joined: Sun Jan 07, 2018 9:31 am
Posts: 1
Not sure it will help the OP, but given I found this thread when looking for an answer:

Running

gpg-connect-agent "scd serialno" "learn --force" /bye

will update the secret key stubs for the PGP keys on the currently inserted key. So running that after key insertion will cause gpg to use the currently inserted key.

