Storing key on multiple smartcards

Frederick Zhang frederick888 at tsundere.moe
Wed Apr 10 16:22:28 CEST 2019


Well, while it's good to know that keytocard does not update the file
immediately, I genuinely didn't expect that keytocard would replace the
keygrip in the first place (although it's clearly stated in the man page,
yeah, lazy me :P). No idea whether I'm the one who's got a weird
mindset; I believed it meant "copying the key to a smart card and storing
some metadata about the card somewhere else" without the slightest
doubt. I actually kinda want to blame the setup instructions from Yubico
<https://support.yubico.com/support/solutions/articles/15000006420>.
They suggest having a backup card but mention absolutely nothing about
the behaviour of keytocard, and it clearly says "enter y (yes)" to save
the changes after "quit"... Only when I went to copy the same keys to the
backup card after I was done configuring the primary one did I realise I
may have screwed up. Thank goodness I backed up the keys when I started
using GPG, but the authentication keys I generated during the setup are
never gonna settle themselves in a different nest :'(

So I strongly agree keytocard should, even by default, leave the
originals untouched, and perhaps instruct users to move the keygrip to a
safe place afterwards.

On 10/4/19 7:55 pm, Peter Lebbing wrote:
> (This went wrong! For some reason, gnupg-devel had dropped from the
> recipients while I was writing the message. I must have accidentally
> pressed some key or mouse button. I noticed this and added
> gnupg-users to the recipients instead of the intended gnupg-devel. Here
> is the message again on the right list)
> 
> I agree that GnuPG would benefit from preferring keys that are
> available, both in the sense of different subkeys and different
> smartcards with copies of the same subkey, in the sense you describe.
> But let me pick out one detail you mentioned that is a different issue.
> 
> On 10/04/2019 09:38, Frederick Zhang via Gnupg-devel wrote:
>> Currently "keytocard" replaces the keygrip with a shadow key (which I
>> don't think works pretty intuitively in case of multiple smart cards,
>> as it requires users to manually back up the subkey beforehand to
>> transfer the same key to multiple cards)
> 
> It's less difficult than that. After a "keytocard", simply exit the
> --edit-key interaction without saving, and the key will still be
> on disk as well. So use "quit" or Ctrl-D rather than "save", and
> confirm that you wish to exit without saving changes.
> 
> Not really intuitive, but less bothersome than backups and restores. I
> think maybe "keytocard" should have an option to just leave it on disk
> as well. And then you can just insert all your smartcards you want the
> key on and "keytocard" them one after the other without exiting the
> --edit-key menu.
> 
> HTH,
> 
> Peter.
> 

-- 
Best Regards,
Frederick Zhang

Email:      frederick888 at tsundere.moe
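The thread turns on whether a subkey's keygrip file in private-keys-v1.d still holds the key itself or has been replaced by a card stub after "keytocard" and "save". The following is an added example, not code from the thread or from GnuPG: it classifies each key file by the tag of its S-expression (a stub starts with "(20:shadowed-private-key", a real key with "(21:protected-private-key" or "(11:private-key") so you can confirm the originals survived before copying the same key to a backup card. The directory contents are constructed; keygrip names and paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or GnuPG). gpg-agent stores each private
# key as an S-expression file named <keygrip>.key; the first token tells
# whether the file holds the key or only a stub pointing at a smartcard.
# Assumes the GnuPG 2.x tags shown below; sample files are constructed.

# Print "ondisk", "shadowed" or "unknown" for one .key file.
classify_key_file() {
    prefix=$(head -c 32 "$1" | tr -d '\0')
    case "$prefix" in
        "(20:shadowed-private-key"*) echo shadowed ;;
        "(21:protected-private-key"*|"(11:private-key"*) echo ondisk ;;
        *) echo unknown ;;
    esac
}

# Print "<keygrip> <status>" for every key in a private-keys-v1.d directory.
# Returns 1 if at least one key has become a card stub, 0 otherwise.
report_keygrips() {
    dir=$1
    rc=0
    for f in "$dir"/*.key; do
        [ -f "$f" ] || continue
        grip=$(basename "$f" .key)
        status=$(classify_key_file "$f")
        printf '%s %s\n' "$grip" "$status"
        if [ "$status" = shadowed ]; then rc=1; fi
    done
    return $rc
}

# Constructed sample keyring: one subkey still on disk, one replaced by a stub
# (what you would see after keytocard followed by "save"). Keygrips are fake.
make_sample_dir() {
    d=$(mktemp -d)
    printf '(21:protected-private-key(3:rsa(1:n...' \
        > "$d/0123456789ABCDEF0123456789ABCDEF01234567.key"
    printf '(20:shadowed-private-key(3:rsa(1:n...' \
        > "$d/89ABCDEF0123456789ABCDEF0123456789ABCDEF.key"
    echo "$d"
}

# Stand-alone run: point report_keygrips at ~/.gnupg/private-keys-v1.d to
# check a real keyring; here it runs over the constructed sample.
sample=$(make_sample_dir)
report_keygrips "$sample" || echo "warning: at least one key is now a card stub"
rm -r "$sample"
```

Run it against the real directory only after "quit"/"save" has finished, since, as noted in the thread, keytocard does not rewrite the file until the edit session is saved.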
