Primary and Signing Key on Different Smart Cards

Arthur Ulfeldt arthur at ulfeldt.com
Thu Nov 17 19:45:25 CET 2016


I have a similar setup and have been doing it successfully. I have two
YubiKey NEOs with signing keys. I found that because of bugs in gpg 2.1 I
had to put the same signing key onto both NEOs. Once I did that it worked
smoothly. It would be preferable to use different keys and I'll do that if
these problems are fixed (and I haven't checked in a while, perhaps they
have been).

PS: the bug is that gpg will only use the newest signing key, rather than
the newest signing key that is available now.

On 17 Nov 2016 at 11:14 AM, "Peter Lebbing" <peter at digitalbrains.com> wrote:

> On 17/11/16 15:02, Anton Marchukov wrote:
> > Now based on my review I have found the situation in gpg2 to be the
> > following:
>
> Which version, GnuPG 2.0 or 2.1? I think you can use 2.1 to reach the
> desired outcome without difficulty, even if it might be a bit non-standard.
>
> > 1. Using multiple smartcards at the same time is not properly
> > supported. As I have found using homedir hacks you can essentially
> > have two gpg profiles each of them using different cards, but
>
> Separate homedirs is not necessary for 2.0 either. But you need to do some
> "packet surgery" on the private key files as GnuPG 2.0 cannot update
> private keys. It has been described before at least in this[1] and this[2]
> thread.
>
> > Anything that I have missed or thoughts?
>
> Can we first get out of the way which exact version of GnuPG you're using?
> If you're using 2.0, start with the threads linked above, and feel free to
> report back if you're unclear about something. For 2.1, if time permits, I
> can outline the steps for you. You will need to have the private key
> on-disk for both versions, I'm afraid. Then again, by doing the
> alternative, on-card key generation, you're forced to use the on-card
> random number generator. I'd much rather trust GnuPG's random number
> generator than the one on a cheap smartcard (or any smartcard for that
> matter). So I would recommend not using the on-card key generation feature
> anyway.
>
> I think I worked with the on-disk keys by pulling all hard drives from my
> computer, booting Knoppix from USB stick and using the DVD writer to save
> backups. I verified Knoppix had only opened stuff from the stick in
> read-only mode, and decided to trust Knoppix in not saving any persistent
> stuff. However, since you don't want backups, you could simply burn Knoppix
> to DVD and do away with writable media altogether (ignoring writing DVDs
> for a moment; that's not something you accidentally leave on). Unless you
> don't have a DVD writer, of course :-).
>
> > Does this request make sense?
>
> Yes, I've used a key with the primary key on one smartcard and the subkeys
> on another for 7 years.
>
> HTH,
>
> Peter.
>
> [1] https://lists.gnupg.org/pipermail/gnupg-users/2013-June/046784.html
> [2] https://lists.gnupg.org/pipermail/gnupg-users/2013-September/047412.html
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
>
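Arthur's PS describes gpg picking the newest signing key instead of the newest one that is actually reachable at the moment. The script below, an added example that is not code from the thread, implements that missing availability check over a constructed `gpg -K --with-colons` listing; the key ids and card serial numbers are made up, and the field positions are taken from GnuPG's doc/DETAILS.

```python
"""Newest *usable* signing subkey from `gpg -K --with-colons` output.

Added example, not code from the thread. Field positions follow GnuPG's
doc/DETAILS: 1 record type, 5 key id, 6 creation time (seconds since epoch),
12 capabilities, 15 token serial ('+' = on disk, '#' = no secret key).
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional
# Constructed listing (key ids and card serials are made up): primary key on
# card ...0001, signing subkeys on cards ...0002 and ...0003, plus an
# encryption subkey that must never be picked for signing.
SAMPLE_LISTING = """\
sec:u:4096:1:0102030405060708:1478000000::::::cESC:::D2760001240102010006000000010000::
fpr:::::::::0000000000000000000000000102030405060708:
ssb:u:2048:1:1111111111111111:1478100000::::::s:::D2760001240102010006000000020000::
ssb:u:2048:1:2222222222222222:1479300000::::::s:::D2760001240102010006000000030000::
ssb:u:2048:1:3333333333333333:1478200000::::::e:::D2760001240102010006000000020000::
"""
@dataclass
class SecretKey:
    record: str   # "sec" (primary) or "ssb" (subkey)
    keyid: str
    created: int  # seconds since epoch
    caps: str     # lowercase letters are this key's own capabilities
    serial: str   # token serial, "+" (on disk) or "#" (unavailable)

def parse_secret_listing(text: str) -> List[SecretKey]:
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb") and len(f) >= 15:
            keys.append(SecretKey(f[0], f[4], int(f[5]), f[11], f[14]))
    return keys

def choose_signing_key(keys: Iterable[SecretKey],
                       present_serials: Iterable[str]) -> Optional[SecretKey]:
    """Newest key with the 's' capability whose secret is reachable right now:
    on disk, or on a card that is currently plugged in. Per Arthur's report,
    gpg 2.1 skipped the 'plugged in' part and simply took the newest one."""
    present = set(present_serials)
    usable = [k for k in keys
              if "s" in k.caps and (k.serial == "+" or k.serial in present)]
    return max(usable, key=lambda k: k.created) if usable else None

if __name__ == "__main__":
    # Only the older signing card is inserted, so the newest key must be skipped.
    k = choose_signing_key(parse_secret_listing(SAMPLE_LISTING),
                           ["D2760001240102010006000000020000"])
    print(f"gpg -u {k.keyid}!" if k else "no usable signing key present")
```

The `!` suffix on the key id given to `-u` makes gpg use exactly that subkey instead of choosing one itself, which is how you pin the selection to whichever card is actually present.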