Question about redundant smartcard setup

kho skaainet at skynet.be
Fri Aug 19 14:48:06 CEST 2022


Hi,

Recently I have been working with GPG and 2 smartcards (Yubikey).
Despite some information here an there on internet, some things are
still not clear to me.

My setup has 1 master key with 6 subkeys, twice 3 keys for different
purposes(A,E,S). So each smartcard will receive 3 keys. It works fine
with Thunderbird and also with other tools: passwordstore (unix pass).

Here some questions about particular situations:

1. In the passwordstore, I encrypted a few passwords, which are in fact
just GPG files that store the passwords. When I want to decrypt them
with the Yubikey, I receive the message: Please insert card with serial
number. But what if I don't have that smartcard2 at hand? And how do I
know that smartcard1 then really works , if it is never asked to insert
smartcard1? I found a way to encrypt with smartcard1 via the option: -r
<putkeyidofsmartcard1here>! . Smartcard1 seems to work fine. But then
the question remains, suppose GPG asks for smartcard2 and smartcard2 is
stolen. I can only provide smartcard1 and GPG asks for smartcard2. What
to do?

2. Then some people suggest to use a different master key, but the goal
was that both smartcards back each other up, in case one is broke. So
that idea is not going to work, correct?

3. Also with different master keys, if I have sent a bunch of e-mails
with smartcard1 and smartcard2. When one of the smartcards is broke , I
will not be able to open those e-mails with the working smartcard?

4. Another approach is that I could for example have created just 3
subkeys (not 6) and copied all 3 to smartcard1 and again to smartcard2.
I thought that having those subkeys separately is ideal, specially in a
occasion were smartcard2 is stolen. Then I revoke the smartcard2 subkeys
and keep on using the smartcard1 until I have ordered a new backup
smartcard. Because some e-mails are sent encrypted (not so many), am I
sure then when I revoke the subkey of smartcard2 that all e-mail will
open with smartcard1?

5. What is at the end the best way to setup 2 smartcards that can be
used in encryption, signing and decryption? And additionally both
smartscard should work, I have 2 smartcards for redundancy.

On internet there are many blogs etc, but they rarely deal with the
complete picture.

Thanks in advance for your help.

All the best!




More information about the Gnupg-users mailing list