Is limit-card-insert-tries a working option?

Chip Senkbeil chip.senkbeil at gmail.com
Tue Jun 4 14:42:47 CEST 2019


Hey Ángel, thanks for the reply!

My setup is that I have multiple computers: two work laptops, a personal laptop, a desktop, and a cell phone.

I'd originally used a private key to purely do encryption of my passwords on one of my work laptops, replacing lastpass with the pass utility from passwordstore.org.

The pass tool stores each of your passwords in a separate, encrypted file on your computer, where the recipients are whatever encryption IDs you provide. Originally, this was just the one encryption subkey I had.

When I wanted to use my password manager on other computers, I needed to have an appropriate subkey available. Initially, I was just going to copy around the same subkey, but I had the problem that the password manager utility on my phone would also need the subkey and I didn't want to copy over a private subkey onto my phone directly.

Then I learned that smart cards could store encryption, authentication, and signing keys. I already had one Yubikey at work for one-touch passwords, so figured I'd give that a go.

From what I've read from others' experiences, you generally put a unique subkey on a smartcard and copying the same subkey around isn't well supported. At least, not to my knowledge.

https://dev.gnupg.org/T2291 highlights the main issue with copying keys in that the stub generated also has the card's ID associated with it and - presently - gnupg doesn't support multiple card IDs or anything like that. So you'd be prompted for a different smart card even if you had a smart card with the same encryption subkey, right? Just want to make sure I understand that issue properly.

I've been using the authentication subkeys just fine for SSH and the signing subkeys also work for signing my git commits, but that's all I've used so far.

I hadn't taken a look at encrypting my email just yet, although it was something on my backlog to do with neomutt eventually. There may be some issues with my approach and mail encryption, as you mentioned earlier.

At this point, each of my computers ONLY has a single stub available with all of the other subkeys listed as offline (pound symbol), yet the gpg utility still selects the latest subkey (rather than the only one available) if I don't include the exclamation mark on the keys when encrypting with recipients. Here's an example now of what `gpg -K` outputs for me, minus a couple of additional subkeys I've generated for other devices.

--------------------------------------
sec#  rsa4096/0x6CA6A08DBA640677 2019-03-01 [SC]
      2C8160E6AF1166154CDAED266CA6A08DBA640677
uid                   [ultimate] Chip Senkbeil (My mail & pass key) <chip at senkbeil.org>
ssb>  rsa4096/0x588B4B090695884C 2019-03-01 [E]
ssb#  rsa4096/0x8A6B3DB2C23EB74B 2019-05-08 [E]
ssb#  rsa4096/0x95B67753BA414327 2019-05-08 [E]
ssb>  rsa4096/0x231C4CB425985243 2019-05-28 [S] [expires: 2024-05-26]
ssb#  rsa4096/0x1F3D585E398D11B1 2019-05-28 [S] [expires: 2024-05-26]
ssb#  rsa4096/0x5487424ABA6BDDDB 2019-05-28 [S] [expires: 2024-05-26]
ssb>  rsa4096/0x68F5987A509841B2 2019-05-28 [A] [expires: 2024-05-26]
ssb#  rsa4096/0x70B8AA34DA9D2413 2019-05-28 [A] [expires: 2024-05-26]
ssb#  rsa4096/0xDD69ABE5B8BCF75C 2019-05-28 [A] [expires: 2024-05-26]
--------------------------------------

How would you approach my setup? Thinking about it now, I really should have asked for advice on this mailing list before I got started to see what other people would do! Would love to know what you and others would do to leverage a unique smartcard per device (I've got one per laptop/desktop/phone) for encryption, etc.

On Sun, Jun 02, 2019 at 11:46:57PM +0200, Ángel wrote:
> I would say, why are you encrypting to the three subkeys?
>
>
> In your original mail this stood up:
> > The annoyance comes from the pinentry prompt I'm using with the gpg
> > agent. When needing to refresh the cache, the agent prompts me
> > multiple times to insert my other smart cards before it reaches the
> > smart card that is currently plugged into my device. This happens on
> > both OSX and Fedora using version 2.2.15 of gpg and gpg-agent.
>
> as it should be asking just for the needed key.
>
>
> However, since for encryption you are using:
> >   gpg2 -e -r keyid1! -r keyid2! -r keyid3! -o content.gpg --quiet --yes --compress-algo=none --no-encrypt-to --batch --use-agent /path/to/content.txt
>
> and you do have those three keys, it is asking for all of them.
>
> So I would recommend you to use just one of them.
>
> Or, if you really want to encrypt to the three subkeys (for backup?),
> not to use the three of them on the same computer. So that you would
> only have imported one of the secret keys (imported as in known by the
> secret keyring that it is there on a smartcard)
>
> Having three sets of subkeys on your key is weird
> > --------------------------------------
> > sec   rsa4096/0x6CA6A08DBA640677 2019-03-01 [SC]
> >       2C8160E6AF1166154CDAED266CA6A08DBA640677
> > uid                   [ultimate] Chip Senkbeil (My mail & pass key) <chip at senkbeil.org>
> > ssb>  rsa4096/0x588B4B090695884C 2019-03-01 [E]
> > ssb>  rsa4096/0x8A6B3DB2C23EB74B 2019-05-08 [E]
> > ssb>  rsa4096/0x95B67753BA414327 2019-05-08 [E]
> > ssb>  rsa4096/0x231C4CB425985243 2019-05-28 [S] [expires: 2024-05-26]
> > ssb>  rsa4096/0x1F3D585E398D11B1 2019-05-28 [S] [expires: 2024-05-26]
> > ssb>  rsa4096/0x5487424ABA6BDDDB 2019-05-28 [S] [expires: 2024-05-26]
> > ssb>  rsa4096/0x68F5987A509841B2 2019-05-28 [A] [expires: 2024-05-26]
> > ssb>  rsa4096/0x70B8AA34DA9D2413 2019-05-28 [A] [expires: 2024-05-26]
> > ssb>  rsa4096/0xDD69ABE5B8BCF75C 2019-05-28 [A] [expires: 2024-05-26]
> > --------------------------------------
>
> and it is likely to be confusing when people write you (per Murphy's law
> they will probably use for encryption the one you don't have with you).
>
> You know you could have the same subkeys on three different yubikeys, do
> you?
>
>
> Kind regards
>
>
>
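As an added illustration (not part of the original thread, and not code from pass or GnuPG): the point about the `!` suffix and the `>`/`#` stub markers can be turned into a small helper that reads the human-readable `gpg -K` listing quoted above, works out which encryption subkey is actually backed by the card plugged into this machine, and builds a `gpg2` command line that encrypts to that subkey only. The listing is embedded as a constructed sample copied from the message; the `gpg2` argv is only assembled, never executed, so the script runs offline. The `--keyid-format 0xlong` style of the listing and the `Subkey` type are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the `gpg -K` listing quoted in the message above
# (long key-ID format). '>' after sec/ssb means the secret part is a stub
# pointing at a smart card; '#' means it is not available on this machine.
GPG_K_OUTPUT = """\
sec#  rsa4096/0x6CA6A08DBA640677 2019-03-01 [SC]
      2C8160E6AF1166154CDAED266CA6A08DBA640677
uid                   [ultimate] Chip Senkbeil (My mail & pass key) <chip at senkbeil.org>
ssb>  rsa4096/0x588B4B090695884C 2019-03-01 [E]
ssb#  rsa4096/0x8A6B3DB2C23EB74B 2019-05-08 [E]
ssb#  rsa4096/0x95B67753BA414327 2019-05-08 [E]
ssb>  rsa4096/0x231C4CB425985243 2019-05-28 [S] [expires: 2024-05-26]
ssb#  rsa4096/0x1F3D585E398D11B1 2019-05-28 [S] [expires: 2024-05-26]
ssb#  rsa4096/0x5487424ABA6BDDDB 2019-05-28 [S] [expires: 2024-05-26]
ssb>  rsa4096/0x68F5987A509841B2 2019-05-28 [A] [expires: 2024-05-26]
ssb#  rsa4096/0x70B8AA34DA9D2413 2019-05-28 [A] [expires: 2024-05-26]
ssb#  rsa4096/0xDD69ABE5B8BCF75C 2019-05-28 [A] [expires: 2024-05-26]
"""

# One 'ssb' line: optional stub marker, algo/keyid, creation date, usage flags.
SUBKEY_RE = re.compile(
    r"^ssb([>#]?)\s+\S+/(0x[0-9A-Fa-f]{16})\s+\d{4}-\d{2}-\d{2}\s+\[([A-Z]+)\]"
)

LOCATION = {">": "card", "#": "offline", "": "local"}


@dataclass(frozen=True)
class Subkey:
    keyid: str      # long key ID, e.g. 0x588B4B090695884C
    usage: str      # capability letters, e.g. "E", "S", "A"
    location: str   # "card" ('>'), "offline" ('#') or "local" (no marker)


def parse_subkeys(listing: str) -> List[Subkey]:
    """Extract every ssb line from human-readable `gpg -K` output."""
    subkeys = []
    for line in listing.splitlines():
        m = SUBKEY_RE.match(line)
        if m:
            marker, keyid, usage = m.groups()
            subkeys.append(Subkey(keyid, usage, LOCATION[marker]))
    return subkeys


def card_encryption_recipients(listing: str) -> List[str]:
    """Key IDs (with the '!' suffix) of encryption subkeys whose stub points
    at a card. The '!' tells gpg to use exactly that subkey instead of
    picking the newest valid encryption subkey on the primary key, which is
    what happens without it even when that subkey's secret part is offline."""
    return [
        s.keyid + "!"
        for s in parse_subkeys(listing)
        if "E" in s.usage and s.location == "card"
    ]


def gpg_encrypt_args(listing: str, infile: str, outfile: str) -> List[str]:
    """Build a gpg2 argv that encrypts only to the card-backed subkey(s).
    Refuses when no card-backed encryption subkey is present, so a caller
    never silently falls back to a subkey whose card is not plugged in
    (that fallback is what produces the repeated 'insert card' prompts)."""
    recipients = card_encryption_recipients(listing)
    if not recipients:
        raise ValueError("no card-backed encryption subkey in this keyring")
    args = ["gpg2", "-e", "--batch", "--yes", "--no-encrypt-to"]
    for r in recipients:
        args += ["-r", r]
    args += ["-o", outfile, infile]
    return args


if __name__ == "__main__":
    for sk in parse_subkeys(GPG_K_OUTPUT):
        print(f"{sk.keyid}  [{sk.usage}]  {sk.location}")
    print(" ".join(gpg_encrypt_args(GPG_K_OUTPUT, "content.txt", "content.gpg")))
```

On a real machine you would feed it `gpg -K --keyid-format 0xlong` output instead of the constructed sample; the same parsing applies to the `sec` line if you also want to know whether the primary key is offline. For pass specifically, the recipient IDs with the `!` suffix are what you would put in the store's recipient list so that each device only ever encrypts to the subkey it can actually decrypt with.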