Hi,

Recently I have been working with GPG and 2 smartcards (Yubikey). Despite some information here and there on the internet, some things are still not clear to me.
My setup has 1 master key with 6 subkeys, i.e. twice 3 keys for different purposes (A, E, S). So each smartcard receives 3 keys. It works fine with Thunderbird and also with other tools, e.g. passwordstore (Unix pass). Here are some questions about particular situations:

1. In passwordstore I encrypted a few passwords, which are in fact just GPG files that store the passwords. When I want to decrypt them with the Yubikey, I receive the message: Please insert card with serial number. But what if I don't have that smartcard2 at hand? And how do I know that smartcard1 then really works, if I am never asked to insert smartcard1? I found a way to encrypt with smartcard1 via the option: -r <putkeyidofsmartcard1here>! Smartcard1 seems to work fine. But then the question remains: suppose GPG asks for smartcard2 and smartcard2 is stolen. I can only provide smartcard1, and GPG asks for smartcard2. What to do?

2. Some people suggest using a different master key, but the goal was that both smartcards back each other up, in case one is broken. So that idea is not going to work, correct?

3. Also, with different master keys, if I have sent a bunch of e-mails with smartcard1 and smartcard2 and one of the smartcards is broken, will I not be able to open those e-mails with the working smartcard?

4. Another approach is that I could, for example, have created just 3 subkeys (not 6) and copied all 3 to smartcard1 and again to smartcard2. I thought that having those subkeys separate is ideal, especially in case smartcard2 is stolen. Then I revoke the smartcard2 subkeys and keep on using smartcard1 until I have ordered a new backup smartcard. Because some e-mails are sent encrypted (not so many), can I be sure that when I revoke the subkey of smartcard2, all e-mails will still open with smartcard1?

5. What is, in the end, the best way to set up 2 smartcards that can be used for encryption, signing and decryption?
And additionally, both smartcards should work; I have 2 smartcards for redundancy. On the internet there are many blogs etc., but they rarely deal with the complete picture. Thanks in advance for your help. All the best!

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
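The situation behind questions 1 and 4, as an added example that is not part of the original post nor GnuPG's own code: one master key with two encryption subkeys (standing in for the subkeys that would live on smartcard 1 and smartcard 2), one file encrypted to only the "card 2" subkey and one encrypted to both by naming each subkey with the trailing "!" that the poster found, then a check of which key IDs a ciphertext was actually encrypted to, and finally what still decrypts once card 2 is gone. It assumes gpg 2.1 or newer on PATH; the identity and plaintext are constructed, the subkeys live on disk in a throwaway GNUPGHOME rather than on a card, and "losing" card 2 is simulated by deleting that subkey's private-key file from the agent's store.

```shell
#!/bin/sh
# Added example (not from the original post, nor GnuPG's own code).
# Assumed: gpg 2.1 or newer on PATH. The identity and plaintext are constructed.
# Two on-disk encryption subkeys stand in for the subkeys that would sit on
# smartcard 1 and smartcard 2; "losing" card 2 is simulated by deleting that
# subkey's private-key file from the agent's store.
set -eu

UID_STR='Two Card Test <two-card@example.invalid>'

# Throwaway keyring; loopback pinentry so nothing blocks on a prompt.
fresh_home() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    printf 'pinentry-mode loopback\n' > "$GNUPGHOME/gpg.conf"
    printf 'allow-loopback-pinentry\n' > "$GNUPGHOME/gpg-agent.conf"
}

# Certify-only primary plus two encryption subkeys (test key, no passphrase).
# Prints the primary fingerprint.
make_keys() {
    gpg --batch --quiet --passphrase '' --quick-generate-key "$UID_STR" ed25519 cert 0
    fpr=$(gpg --batch --with-colons --list-keys "$UID_STR" | awk -F: '$1=="fpr"{print $10; exit}')
    gpg --batch --quiet --passphrase '' --quick-add-key "$fpr" cv25519 encr 0
    gpg --batch --quiet --passphrase '' --quick-add-key "$fpr" cv25519 encr 0
    printf '%s\n' "$fpr"
}

# Fingerprints of the subkeys with the "e" (encrypt) capability, one per line.
enc_subkey_fprs() {
    gpg --batch --with-colons --list-keys "$1" | awk -F: '
        $1=="sub" { want = index($12, "e") > 0 }
        $1=="fpr" && want { print $10; want = 0 }'
}

# Encrypt $1 into $2 for every subkey fingerprint given after them.
# The trailing "!" pins gpg to that exact subkey instead of letting it pick
# one encryption subkey per key; naming both cards' subkeys is what lets
# either card open the result.
encrypt_to() {
    in=$1; out=$2; shift 2
    rcpts=''
    for f in "$@"; do rcpts="$rcpts -r $f!"; done
    # $rcpts is intentionally word-split; fingerprints contain no spaces.
    gpg --batch --quiet --yes --trust-model always $rcpts -o "$out" -e "$in"
}

# Key IDs a ciphertext was encrypted to: one "pubkey enc packet" per recipient.
# This is how to find out which card gpg is going to ask for.
recipient_keyids() {
    gpg --batch --list-packets "$1" 2>/dev/null | awk '/^:pubkey enc packet:/ { print $NF }'
}

# Simulate "card 2 is not at hand": remove that subkey's private part from
# the agent's store (for a card-backed subkey this file is only a stub).
forget_subkey() {
    grip=$(gpg --batch --with-colons --with-keygrip --list-keys "$1" | awk -F: -v fpr="$1" '
        $1=="fpr" { hit = ($10 == fpr) }
        $1=="grp" && hit { print $10; exit }')
    rm -f "$GNUPGHOME/private-keys-v1.d/$grip.key"
}

decrypt() { gpg --batch --quiet --yes -o "$2" -d "$1"; }

# Runs the whole scenario in a fresh keyring and prints one summary line.
run_demo() {
    fresh_home
    fpr=$(make_keys)
    set -- $(enc_subkey_fprs "$fpr")          # $1 = card 1 subkey, $2 = card 2 subkey
    printf 'correct horse battery staple\n' > "$GNUPGHOME/pw.txt"   # constructed plaintext
    encrypt_to "$GNUPGHOME/pw.txt" "$GNUPGHOME/both.gpg" "$1" "$2"  # either card can open
    encrypt_to "$GNUPGHOME/pw.txt" "$GNUPGHOME/card2only.gpg" "$2"  # only card 2 can open
    n_both=$(recipient_keyids "$GNUPGHOME/both.gpg" | wc -l | tr -d ' ')
    n_one=$(recipient_keyids "$GNUPGHOME/card2only.gpg" | wc -l | tr -d ' ')
    forget_subkey "$2"                        # card 2 is lost or stolen
    if decrypt "$GNUPGHOME/both.gpg" "$GNUPGHOME/a.txt" 2>/dev/null; then d_both=ok; else d_both=fail; fi
    if decrypt "$GNUPGHOME/card2only.gpg" "$GNUPGHOME/b.txt" 2>/dev/null; then d_one=ok; else d_one=fail; fi
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$GNUPGHOME"
    printf 'recipients(both)=%s recipients(card2only)=%s decrypt(both)=%s decrypt(card2only)=%s\n' \
        "$n_both" "$n_one" "$d_both" "$d_one"
}

run_demo
```

On a real keyring the same two checks apply unchanged: `gpg --list-packets file.gpg` shows the key ID of every subkey a file was encrypted to, which tells you which card gpg will ask for, and a file that lists only one card's subkey can never be opened with the other card, no matter what is later revoked. Revoking card 2's subkey stops new mail being encrypted to it, but does not retroactively make old ciphertexts readable by card 1.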