Public bug reported:
Gnugpg does not offer the option to store the private and public keys
on two different keycards.
I have followed the official yubikey guide as follows, but it might
apply to similar smart cards and USB tokens:
To import the key on your YubiKey:
Insert the YubiKey into the USB port if it is not already plugged
in.
Enter the GPG command: gpg --edit-key 1234ABC (where 1234ABC is the
key ID of your key)
Enter the command: keytocard
When prompted if you really want to move your primary key, enter y
(yes).
When prompted where to store the key, select 1. This will move the
signature subkey to the PGP signature slot of the YubiKey.
Enter the command: key 1
Enter the command: keytocard
When prompted where to store the key, select 2. This will move the
encryption subkey to the YubiKey.
Enter the command: key 1
Enter the command: key 2
Enter the command: keytocard
When prompted where to store the key, select 3. This will move the
authentication subkey to the YubiKey.
Enter the command: quit
When prompted to save your changes, enter y (yes). You have now saved your
keyring to your YubiKey.
The issue with that is that it permanently moves the secret keys to the
yubikey or similar, and that causes issues later if one wants to create
backup keys.
If one saves the changes and tries to make a separate identical key card
at a later date, one gets the "gpg: KEYTOCARD failed: Unusable secret
key." error.
I have read that if one presses control and c ( on Linux ) it after the last
keytocard and option 3, the secret keys will not be deleted from the computer,
only copied.
One then can start forward again at this step: gpg --edit-key 1234ABC (where
1234ABC is the key ID of your key). Another possible but tedious workaround is
to backup the secret keys and public keys,
and import those back into gpg, then move they keys to a physical backup key.
( Note: Key 0 is the primary signature subkey. Key 1is the encryption
subkey. key 2 is the authentication subkey .)
** Affects: gnupg (Ubuntu)
Importance: Undecided
Status: New
** Tags: gnupg gpg keytocard openpgp
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gnupg in Ubuntu.
https://bugs.launchpad.net/bugs/1950201
Title:
Gnugpg does not offer the option to store the private and public keys
on two different keycards.
Status in gnupg package in Ubuntu:
New
Bug description:
Gnugpg does not offer the option to store the private and public keys
on two different keycards.
I have followed the official yubikey guide as follows, but it might
apply to similar smart cards and USB tokens:
To import the key on your YubiKey:
Insert the YubiKey into the USB port if it is not already plugged
in.
Enter the GPG command: gpg --edit-key 1234ABC (where 1234ABC is
the key ID of your key)
Enter the command: keytocard
When prompted if you really want to move your primary key, enter y
(yes).
When prompted where to store the key, select 1. This will move the
signature subkey to the PGP signature slot of the YubiKey.
Enter the command: key 1
Enter the command: keytocard
When prompted where to store the key, select 2. This will move the
encryption subkey to the YubiKey.
Enter the command: key 1
Enter the command: key 2
Enter the command: keytocard
When prompted where to store the key, select 3. This will move the
authentication subkey to the YubiKey.
Enter the command: quit
When prompted to save your changes, enter y (yes). You have now saved
your keyring to your YubiKey.
The issue with that is that it permanently moves the secret keys to
the yubikey or similar, and that causes issues later if one wants to
create backup keys.
If one saves the changes and tries to make a separate identical key
card at a later date, one gets the "gpg: KEYTOCARD failed: Unusable
secret key." error.
I have read that if one presses control and c ( on Linux ) it after the last
keytocard and option 3, the secret keys will not be deleted from the computer,
only copied.
One then can start forward again at this step: gpg --edit-key 1234ABC (where
1234ABC is the key ID of your key). Another possible but tedious workaround is
to backup the secret keys and public keys,
and import those back into gpg, then move they keys to a physical backup key.
( Note: Key 0 is the primary signature subkey. Key 1is the encryption
subkey. key 2 is the authentication subkey .)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnupg/+bug/1950201/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
