"gpg --card-edit" with multiple card readers (Yubikey)

Andrew Gallagher andrewg at andrewg.com
Tue Jul 18 11:11:46 CEST 2023


On 17 Jul 2023, at 18:36, Michael Richardson <mcr+ietf at sandelman.ca> wrote:
> 
> Andrew Gallagher <andrewg at andrewg.com> wrote:
>>> Juanjo via Gnupg-users <gnupg-users at gnupg.org> wrote:
>>> 
>>> "Keys stored on YubiKey are non-exportable (as opposed to file-based
>>> keys that are stored on disk) and are convenient for everyday use. "
>>> 
>>> In my case, I want the same key on multiple devices, which 3 to 5 core
>>> members of an open source project will hold.  (I am also considering
>>> if we want a higher security key which would be secret split across
>>> those keys, but we aren't building a CA here, but..)
>>> 
>>> Is that possible with these devices?
>>> 
>>> In some cases keys can be transferred in an encrypted form for another
>>> device, but not recovered by outsiders.
> 
>> This is not possible with a Yubikey. If you want the same (sub)keys on
>> multiple devices you must generate them on your laptop and copy them to
>> each device in turn, remembering not to delete until you’re done.
> 
> okay, so in this case we are using the Yubikey only as a storage, equivalent
> essentially to a USB storage?  Or does it still do crypto on the device?

The Yubikey performs cryptography on the device, but does have a small amount of flash memory to store the private key material. The Yubikey does not provide any method to copy the private key material back off that storage; it can only be overwritten or used by the Yubikey’s own processor.

A
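The copy-to-each-card procedure described in the reply, as an added shell example that is not from the thread or from GnuPG: it backs up the whole secret key first, opens the interactive gpg --edit-key session for each card, checks the colon-format listing to confirm the local subkeys became card stubs, and restores the backup before the next card. KEYID, BACKUP, NUM_CARDS and the "run" argument are assumptions of this script.

```shell
#!/bin/sh
# Load one set of OpenPGP subkeys onto several Yubikeys in turn.
# Added example, not from the thread or from GnuPG. Assumes GnuPG 2.x on
# PATH, that every subkey of KEYID is to go onto each card, and that only
# one card is plugged in during each gpg --edit-key session.
set -eu
KEYID="${KEYID:-REPLACE_WITH_PRIMARY_FINGERPRINT}"  # placeholder
BACKUP="${BACKUP:-${HOME:-.}/secret-key-backup.asc}" # constructed file name
NUM_CARDS="${NUM_CARDS:-3}"
# keytocard turns each on-disk secret subkey into a stub pointing at the
# card, so keep a full copy of the secret key before touching the first card.
backup_secret_key() {
  gpg --armor --export-secret-keys "$KEYID" > "$BACKUP"
}

# Parse `gpg --with-colons --list-secret-keys` output on stdin and print
# "<keyid> <card-serial>" for each subkey whose local copy is now a stub
# pointing at a token (field 15 of an ssb line holds the token serial).
subkeys_on_card() {
  awk -F: '$1 == "ssb" && $15 != "" { print $5, $15 }'
}

# Subkeys whose real secret material is still on disk (no token serial).
subkeys_on_disk() {
  awk -F: '$1 == "ssb" && $15 == "" { print $5 }'
}

# After one card is loaded: refuse to continue unless every subkey now
# points at a card, then replace the stubs with the backup so the next
# card receives real key material rather than a stub.
restore_for_next_card() {
  if gpg --with-colons --list-secret-keys "$KEYID" | subkeys_on_disk | grep -q .; then
    echo "some subkeys are still on disk rather than on the card; not restoring" >&2
    return 1
  fi
  gpg --batch --yes --delete-secret-keys "$KEYID"
  gpg --import "$BACKUP"
}
main() {
  backup_secret_key
  i=1
  while [ "$i" -le "$NUM_CARDS" ]; do
    echo "Insert card $i, then in gpg type: key N, keytocard, <slot>, save (per subkey)"
    gpg --edit-key "$KEYID"   # interactive session
    gpg --with-colons --list-secret-keys "$KEYID" | subkeys_on_card
    [ "$i" -lt "$NUM_CARDS" ] && restore_for_next_card
    i=$((i + 1))
  done
}
case "${1:-}" in run) main ;; esac   # invoke as: sh thisscript.sh run
```

The listing check is what tells you the laptop copy is now only a stub, which is the point at which the backup (not the stubbed keyring) must be the source for the next card.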
