Yubico Forum

Hi, I'm trying to move keys from backup storage onto a new NEO. I've configured the NEO with new admin / users passwords, etc.

But because I've already sharded my key with a previous NEO (still in my possession, no need to generate new keys), I get this response when executing the gpg> keytocard command:

gpg: secret key already stored on a card.

So now what? Do I delete the secring.gpg file on my hard drive and re-import the keys? Do I do that every time I configure a new NEO with my PGP keys?

Help much appreciated! Thanks.

In short, you don't need to delete whole keyring, just the key that is marked as exported to smartcard (Neo). You first need to delete the secret key from keyring with gpg --delete-secret-key. Then you import the full key (how it was before you moved it to smartcard).

Then you use the classic keytocard, etc.

Note: new Yubikey will have different serial number from the old Yubikey (you can see that when using gpg --list-secret-keys). So you will be able to use only one Yubikey at a time, even if both have identical RSA keys on them.

Therefore it may be good idea to use --export-secret-key before using --delete-secret-key. You can import it later if you need to use the original Yubikey as a backup (I have it set up this way).