Primary and Signing Key on Different Smart Cards

Anton Marchukov anton at
Mon Jan 16 22:58:06 CET 2017

> readers. I found that gpg is not able to locate the card if more than one
> reader is present and somehow always defaults to some first card it
> sees. To mitigate this I had to always remove the reader along with
> the card. And then of course have to reinsert it back. May it be that
> gpg expects cards to be in the same reader?

So far I was not able to have gpg working with a subkey generated on
card due to the above-mentioned problem. However you can use a secure
machine (I used the Tails distribution on a write-protected flash
drive) and generate subkeys on file and then transfer them to
individual cards/tokens. This somehow worked well, with the few only

1. Between loading the next card I sometimes had to wipe ~/.gnupg
completely and reload the public key there following "gpg2 --card-status".
But anyway it is also a good way to check your keys before wiping
memory off. I also uploaded the public keys to the keyserver right from
Tails once I verified they are ok.
2. You need to use "--local-user" to specify which subkey to use for
signing, e.g. "local-user 0x29240005AAD6C87A!". The exclamation mark is
essential here. Otherwise gpg will try to choose the latest available
subkey as I understood, or complain it is not available. I put it in
my ~/.gnupg/gpg.conf

Overall after those manipulations I have a primary plastic card and 2
separate YubiKey tokens for signing only. Tokens are permanently
installed in each system I use. Besides that, after additional
configuration [1] the YubiKey requires touching its sensor as a presence
check each time a crypto operation is done using secret key material.

I have some empty cards left along with a few readers, so I can continue
troubleshooting it further. Maybe we can make it work with cards in
separate readers.
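Added example (not part of the post above, and not GnuPG's own code): a small POSIX shell helper that checks which signing subkey lives on which token and emits the `local-user ...!` line the post relies on, so the subkey bound to the inserted card is selected explicitly rather than whatever gpg picks first. It assumes GnuPG's documented `--with-colons` layout (field 5 = key id, field 12 = capabilities, field 15 = token serial, `#` meaning a stub with no card); the listings below are constructed sample data with placeholder key ids and serial numbers.

```shell
#!/bin/sh
# Added example: map signing subkeys to the smart card / token they live on and
# build the "local-user <keyid>!" line for the card currently inserted.
# Assumes GnuPG's documented --with-colons layout: field 5 = key id,
# field 12 = capabilities, field 15 = token serial ("#" = stub without a card).

# Constructed sample of `gpg --with-colons --list-secret-keys` (placeholder ids).
SAMPLE_LISTING='sec:u:4096:1:AAAAAAAAAAAAAAAA:1484000000::::::scESC:::#::
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1484000000::::::s:::D2760001240102010006000000010000::
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1484000000::::::s:::D2760001240102010006000000020000::
ssb:u:4096:1:DDDDDDDDDDDDDDDD:1484000000::::::e:::#::'

# Constructed sample of `gpg --card-status --with-colons` for the second token.
SAMPLE_CARD_STATUS='reader:Yubico YubiKey 0:
serial:D2760001240102010006000000020000:
sigcount:12:'

# Print "keyid caps serial" for every secret subkey that is stored on a token.
list_card_subkeys() {
  awk -F: '$1 == "ssb" && $15 != "" && $15 != "#" { print $5, $12, $15 }'
}

# Serial number of the inserted card, from `gpg --card-status --with-colons`.
current_card_serial() {
  awk -F: '$1 == "serial" { print $2; exit }'
}

# Emit the gpg.conf line selecting the signing-capable subkey on the given
# serial. The trailing "!" is what forces gpg to use exactly that subkey.
# Exit status 1 when no signing subkey is on that card.
local_user_line() {
  awk -F: -v serial="$1" '
    $1 ~ /^(sec|ssb)$/ && $15 == serial && $12 ~ /s/ {
      print "local-user 0x" $5 "!"; found = 1; exit
    }
    END { exit !found }'
}

# Demo on the constructed data; replace the printf calls with the real gpg
# commands to run this against your own keyring and card.
printf '%s\n' "$SAMPLE_LISTING" | list_card_subkeys
serial=$(printf '%s\n' "$SAMPLE_CARD_STATUS" | current_card_serial)
printf '%s\n' "$SAMPLE_LISTING" | local_user_line "$serial" \
  || echo "no signing subkey on card $serial" >&2
```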
