Use multi-usage key in authentication slot on HW-key for encryption

Ingo Klöcker kloecker at kde.org
Sat Apr 16 12:44:46 CEST 2022


On Samstag, 16. April 2022 09:10:58 CEST Felix Mayr via Gnupg-users wrote:
> So, I decided to use a Yubikey to store my GPG-subkeys. Using the
> smartcard functionality I can store 3 different subkeys and so thought
> that I could actually store some multi-usage key
> (authentication/encryption) there so I can have per-key-encryption for
> private-data (notably passwords with pass). However, while I can use the
> main encryption key in "slot 2" just fine, I can't decrypt with the
> "multi"-purpose key stored in the yubikey anymore (yes, I'm using
> --try-all-secrets).
> 
> Is this a limitation of the smartcard standard or just an opinionated
> choice in GPG or am I doing something wrong? If it's not possible with
> the smartcard: can I use the PIV-mode of the yubikey for that purpose?

The OpenPGP card standard offers three slots. Each slot is single usage. The 
key in the first slot is used for signing (data and keys) exclusively, the key 
in the second slot is used for encryption exclusively, and the key in the 
third slot is used for authentication (i.e. with ssh) exclusively.

If your Yubikey supports PIV then you can store more keys with PIV. You need 
GnuPG 2.3 for full multi-card and multi-card-app (e.g. OpenPGP _and_ PIV) 
support.

Regards,
Ingo
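As an added example, not part of the thread or of GnuPG itself: a small Python script that parses the machine-readable output of `gpg --with-colons --list-secret-keys`, reports where each secret (sub)key lives (on disk, on a token, or missing), and maps its usage flags to the single-purpose OpenPGP card slot layout described in the reply above (slot 1 signs data and keys, slot 2 decrypts, slot 3 authenticates). A key whose flags span more than one slot, such as Felix's "ea" subkey, gets no slot. The sample listing, key IDs and token serial numbers are constructed; the script relies on field 12 (key capabilities) and field 15 (token serial number or "#" for a missing secret key) as documented in GnuPG's DETAILS file, and on nothing else.

```python
"""Map GnuPG secret (sub)keys to OpenPGP card slots from --with-colons output."""
from __future__ import annotations

import sys
from dataclasses import dataclass
from typing import Optional

# Slot layout as stated in the reply: slot 1 signs data and keys, slot 2
# decrypts, slot 3 authenticates. 'c' (certify) is key signing, so it maps
# to the signature slot as well. Assumed mapping, not read from gpg.
CAP_TO_SLOT = {
    "s": "slot 1 (signature)",
    "c": "slot 1 (signature)",
    "e": "slot 2 (decryption)",
    "a": "slot 3 (authentication)",
}

# Constructed sample of `gpg --with-colons --list-secret-keys`. Key IDs,
# fingerprint and token serial numbers are made up for this example.
SAMPLE = """\
sec:u:255:22:1234567890ABCDEF:1650000000:::u:::cESCA:::+::ed25519::
fpr:::::::::0000000000000000000000001234567890ABCDEF:
ssb:u:255:22:1111111111111111:1650000000::::::s:::D2760001240103040006000000010000::ed25519::
ssb:u:255:18:2222222222222222:1650000000::::::e:::D2760001240103040006000000010000::cv25519::
ssb:u:255:22:3333333333333333:1650000000::::::ea:::+::ed25519::
ssb:u:255:18:4444444444444444:1650000000::::::e:::#::cv25519::
"""


@dataclass(frozen=True)
class SecretKey:
    record: str   # "sec" (primary) or "ssb" (subkey)
    keyid: str
    caps: str     # lowercase usage letters of this key, e.g. "e" or "ea"
    token: str    # field 15: "" or "+" = on disk, "#" = missing, else token serial


def parse_secret_keys(colons_output: str) -> list[SecretKey]:
    """Extract sec/ssb records; fpr/grp/uid records carry no usage flags."""
    keys = []
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue
        # Field 12 holds per-key usage in lowercase; uppercase letters on the
        # primary summarise the whole key and are ignored here.
        caps = "".join(ch for ch in fields[11] if ch in "scea")
        token = fields[14] if len(fields) > 14 else ""
        keys.append(SecretKey(fields[0], fields[4], caps, token))
    return keys


def card_slot(caps: str) -> Optional[str]:
    """Return the one OpenPGP card slot that fits these capabilities,
    or None when the key would need more than one single-purpose slot."""
    slots = {CAP_TO_SLOT[c] for c in caps if c in CAP_TO_SLOT}
    return slots.pop() if len(slots) == 1 else None


def location(token: str) -> str:
    if token in ("", "+"):
        return "on disk"
    if token == "#":
        return "secret key missing"
    return f"on token {token}"


def report(colons_output: str) -> list[dict]:
    """One row per secret (sub)key: key ID, usage flags, location, slot."""
    return [
        {
            "keyid": k.keyid,
            "caps": k.caps,
            "location": location(k.token),
            "slot": card_slot(k.caps),
        }
        for k in parse_secret_keys(colons_output)
    ]


def main() -> None:
    # Pipe real output in (gpg --with-colons --list-secret-keys | python3 ...)
    # or run without input to see the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for row in report(text):
        slot = row["slot"] or "no single slot: usage spans several single-purpose slots"
        print(f'{row["keyid"]}  caps={row["caps"]:<4} {row["location"]:<45} -> {slot}')


if __name__ == "__main__":
    main()
```

Run it against real output with `gpg --with-colons --list-secret-keys | python3 card_slots.py`; any row reported with no single slot is a key whose capabilities would have to be split across two subkeys before each half can be moved to a card.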
