"gpg --card-edit" with multiple card readers (Yubikey)

Werner Koch wk at gnupg.org
Fri Jul 7 14:53:06 CEST 2023


On Fri,  7 Jul 2023 14:22, Juanjo said:

> This works fine with a single Yubikey, but we wanted to have more than
> one connected at the same time in order to batch-configure them and
> even to try to use multiple SSH key authentication in specific target

Most of the time I am using several Yubikeys and other smartcards.  Some
even remotely.  For example I use an SSH connection with socket
forwarding to our build server.  Over that connection I provide access
to an Authenticode token, my release key and ssh keys on tokens.

I should eventually describe the environment.  As a starter:
"no-autostart" in common.conf on the build box, gpg-card with "verify"
to unlock keys on the desktop for remote use by the build process
(Authenticode), and some keywords in the private key files (Use-for-p11,
Use-for-ssh).

To create keys, use gpg-card which can easily be scripted.  Examples:

   $ gpg-card list D2760001240100000006154932830000  \
     -- yubikey disable nfc all \
     -- yubikey disable usb otp u2f piv oath fido2 \
     -- yubikey list
   OTP          no     no 
   U2F          no     no 
   OPGP         yes    no 
   PIV          no     no 
   OATH         no     no 
   FIDO2        no     no

   $ gpg-card
   [...]
   gpg/card> help generate 
   GENERATE [--force] [--algo=ALGO{+ALGO2}] KEYREF
   
   Create a new key on a card.
   Use --force to overwrite an existing key.
   Use "help" for ALGO to get a list of known algorithms.
   For OpenPGP cards several algos may be given.
   Note that the OpenPGP key generation is done interactively
   unless a single ALGO or KEYREF are given.
   [Supported by: OpenPGP, PIV]
   



Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
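An added example, not from Werner's mail or from GnuPG itself: a POSIX shell script that applies the gpg-card commands from the mail to each serial number given on the command line and then checks the "yubikey list" output, so a batch run fails loudly if a card is left with anything other than OpenPGP over USB enabled. It assumes gpg-card is on PATH and that "yubikey list" prints one line per application as "<APP> <USB yes|no> <NFC yes|no>", the layout of the listing shown above.

```shell
#!/bin/sh
# Batch-configure Yubikeys with gpg-card and verify the result.
# Assumed listing format (from the mail): "<APP> <usb> <nfc>", with
# the six applications OTP, U2F, OPGP, PIV, OATH and FIDO2.

# Read a "yubikey list" listing on stdin.  Returns 0 only if all six
# applications are present, OPGP is "yes" on USB and "no" on NFC, and
# every other application is "no" on both interfaces.  Other lines that
# "gpg-card list" prints (Reader, Version, ...) are ignored.
check_yubikey_apps() {
    awk '
        BEGIN { ok = 1; n = 0 }
        NF == 3 && $1 ~ /^(OTP|U2F|OPGP|PIV|OATH|FIDO2)$/ {
            n++
            want_usb = ($1 == "OPGP") ? "yes" : "no"
            if ($2 != want_usb || $3 != "no") ok = 0
        }
        END { exit !(ok && n == 6) }
    '
}

# Apply the configuration from the mail to the card with serial $1 and
# check the listing it prints afterwards.  The pipeline status is that of
# the check, so a missing card (no listing) also counts as a failure.
configure_yubikey() {
    serial=$1
    gpg-card list "$serial" \
        -- yubikey disable nfc all \
        -- yubikey disable usb otp u2f piv oath fido2 \
        -- yubikey list | check_yubikey_apps
}

# Configure every serial number given as an argument; exit status is
# non-zero if any card did not end up in the expected state.
batch_configure() {
    rc=0
    for s in "$@"; do
        if configure_yubikey "$s"; then
            echo "$s: ok"
        else
            echo "$s: unexpected application state" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run it as `./yk-batch.sh SERIAL1 SERIAL2 ...` after adding a final line `batch_configure "$@"`; the serial numbers are those printed by `gpg-card list`.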