Multiple Smartcards - Signing
matt at monaco.cx
Thu Apr 30 23:49:28 CEST 2015
I've been happily using a yubikey neo for a while now, but I'm starting to have
two problems with it:

1) I mostly use a desktop, but when I'm on my laptop it comes loose too easily
2) On either desktop or laptop, my now ever-curious 1-year-old can easily grab
it. In fact, it's one of his favorite targets.

So I bought a neo-n that slips completely into the USB port. I'd like to leave
the -n in my desktop and carry the regular one around with me. I'd also like to
start experimenting with the NFC interface for signing from k-9 on android.

[A] I have a separate auth key for SSH on each smartcard. In fact, I don't even
pair these with my OpenPGP master as I don't see an advantage at this time for

[E] This I rarely use, but I have the same key on each card because I took a
backup before keytocard. (Otherwise, I lose data if I lose the key).

[S] This is the sore point. Do I try to keep the same key on both cards? The
shadow copy in private-keys-v1.d is tied to a specific card, but it seems easy
to update; in fact I think it updates itself. I'd have to generate a new key
though because I never took a backup of my signing key, as the public portion
would always be available for verification in the future.

Alternatively, and my preference, I'd like to have separate signing keys for
each card. The problem is then I need to start mucking with -u <id>!. My home
directory is rsync'd across all my computers and I'd rather not add an exception
for .gnupg/gpg.conf because there are other settings in there that I want to
replicate. Also -u <id>! is even more of a pain with Enigmail, where most of my
signing takes place.

Why isn't gpg smarter about selecting only from the /available/ keys at the time
of signing? BTW, I'm using 2.1.3
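A worked example of the "pick from the available keys" selection the message asks for, added here as illustration; it is not part of the original post and not GnuPG's own code. The script parses the machine-readable output of gpg --card-status --with-colons and gpg --list-secret-keys --with-colons, finds the signing subkey whose token serial number matches the inserted card, and returns the -u <keyid>! argument that forces gpg to use exactly that subkey. Field positions follow GnuPG's doc/DETAILS (field 12 = capabilities, field 15 = serial number of the token holding the key); the serial: record name in card-status output is assumed, and all key IDs, serial numbers and sample output are constructed.

```python
"""Choose the signing subkey stored on the smartcard that is inserted right now.

Added example (not from the mailing-list post or from GnuPG). It parses the
--with-colons output of `gpg --card-status` and `gpg --list-secret-keys`,
matches the card's serial number against the token serial recorded for each
secret subkey, and returns the "<keyid>!" value to pass to gpg -u.
"""
import subprocess

# Constructed sample of `gpg --card-status --with-colons` (record name
# "serial" assumed; other records omitted). The serial value is made up.
SAMPLE_CARD_STATUS = """\
version:0200:
vendor:0006:Yubico:
serial:D2760001240102000006000012340000:
"""

# Constructed sample of `gpg --list-secret-keys --with-colons`. Per GnuPG's
# doc/DETAILS, field 12 holds the capabilities (lowercase letters belong to
# this key: s=sign, e=encrypt, a=auth, c=certify; uppercase summarise the whole
# key) and field 15 holds the serial number of the token that stores the key,
# or '#' for a stub with no key material. Key IDs and serials are made up:
# card ...1234... carries [E], [A] and one [S] key, card ...5678... the other [S].
SAMPLE_SECRET_KEYS = """\
sec:u:4096:1:AAAAAAAAAAAAAAAA:1420070400:::u:::cSC:::#:
fpr:::::::::0000000000000000AAAAAAAAAAAAAAAA:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1420070400::::::e:::D2760001240102000006000012340000:
ssb:u:2048:1:CCCCCCCCCCCCCCCC:1420070400::::::s:::D2760001240102000006000012340000:
ssb:u:2048:1:DDDDDDDDDDDDDDDD:1420070400::::::s:::D2760001240102000006000056780000:
ssb:u:2048:1:EEEEEEEEEEEEEEEE:1420070400::::::a:::D2760001240102000006000012340000:
"""


def parse_colon_records(text, width=16):
    """Split each non-empty line on ':' and pad to `width` fields, so the
    1-based field numbers from doc/DETAILS map to index (field - 1) without
    raising IndexError on short records."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        fields.extend([""] * (width - len(fields)))
        yield fields


def card_serial(card_status_text):
    """Serial number of the inserted card, or None when no card is present."""
    for fields in parse_colon_records(card_status_text):
        if fields[0] == "serial":
            return fields[1]
    return None


def signing_keys(secret_keys_text):
    """[(keyid, token_serial)] for every secret (sub)key able to sign."""
    result = []
    for fields in parse_colon_records(secret_keys_text):
        if fields[0] in ("sec", "ssb") and "s" in fields[11]:
            result.append((fields[4], fields[14]))
    return result


def select_signing_key(card_status_text, secret_keys_text):
    """Return "<keyid>!" for the signing key on the inserted card, else None.

    The trailing '!' makes `gpg -u` use exactly this subkey instead of the
    newest valid signing subkey of the primary key, which is what makes two
    cards with different [S] keys usable from one shared gpg.conf."""
    serial = card_serial(card_status_text)
    if not serial:
        return None
    for keyid, token in signing_keys(secret_keys_text):
        if token == serial:
            return keyid + "!"
    return None


def run_gpg(*args):
    """Run gpg with --with-colons and return its stdout (only used in main)."""
    return subprocess.run(["gpg", "--with-colons", *args],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    import sys
    try:
        key = select_signing_key(run_gpg("--card-status"),
                                 run_gpg("--list-secret-keys"))
    except (OSError, subprocess.CalledProcessError):
        key = None
    if key is None:
        sys.exit("no signing key found for the inserted card (or no card/gpg)")
    print(key)  # e.g. gpg -u "$(python3 pick_signing_key.py)" --clearsign file
```

The selection only looks at which card is currently present, so the same unmodified gpg.conf can travel to every machine via rsync; on each host the wrapper resolves the card in the reader to its own [S] subkey at signing time.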