Yubico Forum

I have just bought a Neo4, since it can hold 4096 bit RSA. My primary key is 4096 bits, and is the only key that can sign other keys, which is called "certify" in GPG language (_and_ sign key as well, just to make the confusion complete).

What I have done is put my secret part of my primary key to the signing slot of the Yubikey. I now try to use it to sign other keys, but GPG2 cannot find the secret part. So apparently it cannot link the public part of the key to the secret part, which is on the Yubikey. I thought "gpg2 --card-status" would fix this, but apparently not.

What might confuse GPG is that some of the secret keys are on one Yubikey (a Neo3), while the primary secret key is on another Yubikey (Neo4). Could this cause confusion?

$ gpg2 --list-keys
/home/mats/.gnupg/pubring.gpg
-----------------------------
pub 4096R/AEA6A954 2015-10-18
uid [ unknown] Mats G. Liljegren <mats@mexit.se>
uid [ unknown] Mats G. Liljegren (Enea Software AB) <mats.liljegren@enea.com>
uid [ unknown] Mats G. Liljegren <liljegren.mats@gmail.com>
sub 2048R/667841C4 2015-10-18 [expires: 2020-10-16]
sub 2048R/98DEC8A5 2015-10-18 [expires: 2020-10-16]
sub 2048R/81DA6635 2015-10-18 [expires: 2020-10-16]

$ gpg2 --list-secret-keys
/home/mats/.gnupg/secring.gpg
-----------------------------
sec# 4096R/AEA6A954 2015-10-18
uid Mats G. Liljegren (Enea Software AB) <mats.liljegren@enea.com>
uid Mats G. Liljegren <mats@mexit.se>
uid Mats G. Liljegren <liljegren.mats@gmail.com>
ssb> 2048R/667841C4 2015-10-18
ssb> 2048R/98DEC8A5 2015-10-18
ssb> 2048R/81DA6635 2015-10-18

What the heck is a "neo 4" ?
There is thw yubikey 4 and the yubikey 4 nano (which is just a small version of the nano)
Then there's the neo which has nfc and there's the neo-n which is basically a small neo without nfc.

I assume you're talking about a YubiKey 4, as there is no such thing as a NEO 4 and the NEO does not support 4096 keys.

Moving your master key to the YubiKey will work and will allow you to sign other people's keys, however if you already have subkeys belonging to the same master key to a YubiKey, gpg will get a bit confused, usually it will look for the wrong device (you should be able to see this by looking at the serial number that gpg asks for).

To solve this issue you want to replace your ~/.gnupg/private-keys-v1.d directory.
You can find more info about this directory in the man page of gpg-agent.

You can do this in one of several things:
- rename the directory;
- use different keyring files by setting the GNUPGHOME environment variable;
- use different keyring files by using the --keyring flag with the command.

Depending on your situation, one solution might be better then another.
Keep in mind that the directory will be recreated by gpg if it's not there and that for key moved to a YubiKey will only contain stubs. Keep also in mind that you might have to revert these changes if you want to go back to using the other keys.

I hope this helps.

You're right about the naming, I was just assuming that if there's a Neo 3, then the next generation would be Neo 4. Assumptions are not always correct...

Thanks for the hint about the error. I haven't had an opportunity to test it yet, but it might explain why my old key suddenly stopped working once I got the new key working. Oh well, the intention is that the new key would only be used a couple of times per year, so I might be able to live with the hassle of renaming that directory.