Yubico Forum
https://forum.yubico.com/

[Q?] Use PGP keys on multiple yubikeys
https://forum.yubico.com/viewtopic.php?f=35&t=2400
Page 1 of 1

Author:  trent [ Sun Aug 21, 2016 8:55 am ]
Post subject:  [Q?] Use PGP keys on multiple yubikeys

Hi,

I've got a couple of Yubikey 4s, which I'm trying to use as PGP smartcards.

I've largely followed the directions here, and all has gone OK, up to the point of reimporting the public key stubs.

The keys are pointing to a card with a specific serial number - which means that if I put a different key in, despite them being loaded with the same subkeys, I get a card error. Enigmail is a little bit more transparent and asks for the smart card with the serial number they were first imported from.

Is there a way of getting GPG to look for the subkeys on any key, rather than just the one they were reimported from?

Author:  SporkWitch [ Thu Sep 01, 2016 12:04 am ]
Post subject:  Re: [Q?] Use PGP keys on multiple yubikeys

trent wrote:
Hi,

I've got a couple of Yubikey 4s, which I'm trying to use as PGP smartcards.

I've largely followed the directions here, and all has gone OK, up to the point of reimporting the public key stubs.

The keys are pointing to a card with a specific serial number - which means that if I put a different key in, despite them being loaded with the same subkeys, I get a card error. Enigmail is a little bit more transparent and asks for the smart card with the serial number they were first imported from.

Is there a way of getting GPG to look for the subkeys on any key, rather than just the one they were reimported from?

There is not, and this is something that's come up a few times if you search the forums. GPG needs to know what card it's on so it's not just having you pass your privkey to random cards (and so that it knows which card if multiple are connected.) The closest to a workaround you'll get with this would be in the scenario of particular tokens being used with particular machines (e.g. a nano on a laptop and a normal size one for your desktop); in this scenario you would go through normal procedures to strip the master key, and on the keytocard phase you'd use the token you want to use with that particular machine.

There really isn't a good way to handle it, because at the end of the day it's not actually an advisable implementation. The same key on multiple tokens means increased risk of compromise. A normal scenario would involve different subkeys on each token (at least for signing; there's unfortunately no good way to handle the encryption key if you want multiple tokens except to just keep it on the local machine). This way if a token is lost you only need to revoke those keys affected, and still have good keys available for use.

Author:  wteiken [ Sun Jan 07, 2018 9:41 am ]
Post subject:  Re: [Q?] Use PGP keys on multiple yubikeys

Not sure it will help the OP, but given I found this thread when looking for an answer:

Running

gpg-connect-agent "scd serialno" "learn --force" /bye

will update the secret key stubs for the PGP keys on the currently inserted key. So running that after key insertion will cause gpg to use the currently inserted key.
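The relearn command above is the whole fix, but it is easy to run it when it is not needed, or to wonder afterwards whether the stubs really changed. The script below is an added example, not code from the thread or from Yubico: it pulls the serial of the inserted card out of `scd serialno` output, reads which token serial each secret-key stub currently points at (field 15 of `sec`/`ssb` records in `gpg --with-colons -K`), and only issues `learn --force` when they differ. The status line and key listing embedded in it are constructed samples shaped like real GnuPG output (serials and key IDs are made up); it assumes GnuPG 2.1 or later with `gpg` and `gpg-connect-agent` on PATH when run with `--relearn`.

```sh
#!/bin/sh
# Added example, not from the forum thread: re-point GnuPG's secret-key stubs
# at whichever OpenPGP card is inserted right now, and only when they differ.
# Assumes gpg and gpg-connect-agent (GnuPG 2.1+) are on PATH for the real run.
# The sample strings below are constructed to look like real tool output.

# Extract the card serial from gpg-connect-agent "scd serialno" output,
# which reports it as an Assuan status line: "S SERIALNO <serial>".
serial_from_status() {
  printf '%s\n' "$1" | awk '$1 == "S" && $2 == "SERIALNO" { print $3; exit }'
}

# List which token each secret (sub)key stub points at. In a
# `gpg --with-colons -K` listing, field 15 of sec/ssb records holds the
# token serial, or "#" when the private key is simply absent (offline master).
# Output: one "<type> <serial>" pair per line.
stub_serials() {
  printf '%s\n' "$1" |
    awk -F: '($1 == "sec" || $1 == "ssb") && $15 != "" && $15 != "#" { print $1, $15 }'
}

# Return 0 if every card-backed stub already references the given serial
# (no relearn needed), 1 if any stub still points at another card.
stubs_match_card() {
  listing=$1 card=$2
  stub_serials "$listing" | awk -v card="$card" '$2 != card { bad = 1 } END { exit bad }'
}

# The fix from the thread: have scdaemon read the inserted card and rewrite the stubs.
relearn_card() {
  gpg-connect-agent "scd serialno" "learn --force" /bye
}

# --- constructed samples for the offline demo ---
SAMPLE_STATUS='S SERIALNO D2760001240102010006012345670000
OK'
# Stubs still pointing at a different (made-up) YubiKey serial ...076543210000.
SAMPLE_LISTING='sec:u:4096:1:1234567890ABCDEF:1471766100:::u:::cESCA:::#:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1471766100::0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D::Example User <user@example.org>::::::::::0:
ssb:u:4096:1:FEDCBA0987654321:1471766200::::::s:::D2760001240102010006076543210000:::23::0:
ssb:u:4096:1:0F1E2D3C4B5A6978:1471766200::::::e:::D2760001240102010006076543210000:::23::0:'

inserted=$(serial_from_status "$SAMPLE_STATUS")
echo "inserted card: $inserted"
echo "stubs reference:"
stub_serials "$SAMPLE_LISTING"
if stubs_match_card "$SAMPLE_LISTING" "$inserted"; then
  echo "stubs already match; nothing to do"
else
  echo "stubs point at another card; run: gpg-connect-agent \"scd serialno\" \"learn --force\" /bye"
fi

# Real use after plugging a card in: sh relearn.sh --relearn
if [ "${1-}" = "--relearn" ]; then
  card=$(serial_from_status "$(gpg-connect-agent "scd serialno" /bye)")
  stubs_match_card "$(gpg --with-colons -K 2>/dev/null)" "$card" || relearn_card
fi
```

Run without arguments it only exercises the parsing on the embedded samples; with `--relearn` it queries the agent and relearns only when the stubs disagree with the inserted card. Note that `learn --force` rewrites the stubs for every key on that card, so after switching cards the signing and encryption stubs both follow the card last learned, which is exactly the per-machine workaround SporkWitch describes, automated.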
