Question with Subkeys and Yubikeys

Brandon Anderson brandon753.ba at gmail.com
Mon May 16 11:43:03 CEST 2022


Hello,
I have a gpg key that was generated on a yubikey with the gpg card 
generate command. I now have a second yubikey, and I would like to 
generate and store a signature and authentication subkey on this second 
yubikey, but I am running into some issues. Ideally, I would like to be 
able to type in `gpg --expert --edit-key KeyID` and then go `addcardkey` 
with the secondary yubikey attached. This starts to work and generates a 
key on the secondary yubikey, but then it will ask me to insert the 
primary yubikey presumably to sign the change; however, even after I 
insert the primary yubikey, GPG does not recognize it, and if I remove 
the secondary yubikey the process is aborted. The other thing I tried 
was to run `generate` on the secondary yubikey so that it would generate 
its key slots and then once again run `gpg --expert --edit-key KeyID`, 
but this time called `addkey` and select option 13 to add an existing 
key hoping that it would just need the primary yubikey to sign off on 
the changes. Still, even after it asks for the PIN of the primary 
yubikey, it then asks for the secondary yubikey and runs into the same 
issue. What is the best way to do this where the subkeys are generated 
on the yubikey and then signed by the primary yubikey?
Also, unrelated question, but I could not find much information on this; 
on the Yubico website, it says if you call generate on the smartcard:

> When prompted, specify if you want to make an off-card backup of your 
> encryption key.
> Note: This is a shim backup of the private key, not a full backup, 
> and cannot be used to restore to a new YubiKey.

What exactly is a shim backup? Is this just the private encryption key 
but nothing else, or does it not actually include any private encryption 
key? Is there a way to generate this key where the encryption key is 
never exposed outside the yubikey?

-- Brandon Anderson