Multiple Smartcards - Signing

Matthew Monaco matt at
Thu Apr 30 23:49:28 CEST 2015


I've been happily using a yubikey neo for a while now, but I'm starting to have
two problems with it:

 1) I mostly use a desktop, but when I'm on my laptop it comes loose too easily
 2) On either desktop or laptop, my now ever-curious 1-year-old can easily grab
it. In fact, it's one of his favorite targets.

So I bought a neo-n that slips completely into the USB port. I'd like to leave
the -n in my desktop and carry the regular one around with me. I'd also like to
start experimenting with the NFC interface for signing from k-9 on android.

[A] I have a separate auth key for SSH on each smartcard. In fact, I don't even
pair these with my OpenPGP master as I don't see an advantage at this time for
doing so

[E] This I rarely use, but I have the same key on each card because I took a
backup before keytocard. (Otherwise, I lose data if I lose the key).

[S] This is the sore point. Do I try to keep the same key on both cards? The
shadow copy in private-keys-v1.d is tied to a specific card, but it seems easy
to update, in fact I think it updates itself. I'd have to generate a new key
though because I never took a backup of my signing key as the public portion
would always be available for verification in the future.

[2] Alternatively, and my preference, I'd like to have separate signing keys for
each card. The problem is then I need to start mucking with -u <id>!. My home
directory is rsync'd across all my computers and I'd rather not add an exception
for .gnupg/gpg.conf because there are other settings in there that I want to
replicate. Also -u <id>! is even more of a pain with Enigmail, where most of my
signing takes place.

Why isn't gpg smarter about selecting only from the /available/ keys at the time
of signing? BTW, I'm using 2.1.3

Thought, comments?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20150430/4593821f/attachment.sig>

More information about the Gnupg-users mailing list