Adding one ADSK to multiple keys

Robin Krahl | Nitrokey robin at nitrokey.com
Tue May 23 09:58:28 CEST 2023


Hi,

I want to set up one backup key as an ADSK for multiple keys.  After 
adding the ADSK to the first key, further attempts to add the same ADSK 
to other keys fail with the error message:

     gpg: key "44883766ABE65F20453E6FC046D03490A60D7131" not found: Wrong key usage
     gpg: Did you specify the fingerprint of a subkey?

My guess is that the fingerprint is resolved to the ADSK of the first 
key with key usage R instead of the original subkey with key usage SEAR. 
If I delete the key with the first ADSK and try to add the ADSK to a 
second key, gpg can no longer find the original subkey:

     gpg: key "44883766ABE65F20453E6FC046D03490A60D7131" not found: No public key

How can I configure the same subkey as an ADSK for multiple other keys?

Regards,
Robin

Full log:

$ gpg --list-keys --with-subkey-fingerprint
[keyboxd]
---------
pub   rsa2048 2023-05-23 [SCEAR]
       0D040E3B31CD2165952E0B2D2630CA1F4CFEC737
uid           [ultimate] Employee 2 (Department A) <e2 at example.com>
sub   rsa2048 2023-05-23 [SEAR]
       A1EE8DAA2FFA67B2963CF9A44C27B306EF295300

pub   rsa2048 2023-05-23 [SCEAR]
       41CED1E71F2F05362BE79793EEAEB08CFA452DAE
uid           [ultimate] Employee 1 (Department A) <e1 at example.com>
sub   rsa2048 2023-05-23 [SEAR]
       55810101E92C4C4ED311BCA94C3578A761AEB703

pub   rsa2048 2023-05-23 [SCEAR]
       6DF5F1752B66B225853F107AA5D29205F3B6E803
uid           [ultimate] Manager (Department A) <ma at example.com>
sub   rsa2048 2023-05-23 [SEAR]
       44883766ABE65F20453E6FC046D03490A60D7131

$ gpg --quick-add-adsk 41CED1E71F2F05362BE79793EEAEB08CFA452DAE 44883766ABE65F20453E6FC046D03490A60D7131

$ gpg --quick-add-adsk 0D040E3B31CD2165952E0B2D2630CA1F4CFEC737 44883766ABE65F20453E6FC046D03490A60D7131
gpg: key "44883766ABE65F20453E6FC046D03490A60D7131" not found: Wrong key usage
gpg: Did you specify the fingerprint of a subkey?

$ gpg --list-keys --with-subkey-fingerprint
[keyboxd]
---------
pub   rsa2048 2023-05-23 [SCEAR]
       0D040E3B31CD2165952E0B2D2630CA1F4CFEC737
uid           [ultimate] Employee 2 (Department A) <e2 at example.com>
sub   rsa2048 2023-05-23 [SEAR]
       A1EE8DAA2FFA67B2963CF9A44C27B306EF295300

pub   rsa2048 2023-05-23 [SCEAR]
       41CED1E71F2F05362BE79793EEAEB08CFA452DAE
uid           [ultimate] Employee 1 (Department A) <e1 at example.com>
sub   rsa2048 2023-05-23 [SEAR]
       55810101E92C4C4ED311BCA94C3578A761AEB703
sub   rsa2048 2023-05-23 [R]
       44883766ABE65F20453E6FC046D03490A60D7131

pub   rsa2048 2023-05-23 [SCEAR]
       6DF5F1752B66B225853F107AA5D29205F3B6E803
uid           [ultimate] Manager (Department A) <ma at example.com>
sub   rsa2048 2023-05-23 [SEAR]
       44883766ABE65F20453E6FC046D03490A60D7131

$ gpg --delete-secret-key 41CED1E71F2F05362BE79793EEAEB08CFA452DAE

$ gpg --delete-key 41CED1E71F2F05362BE79793EEAEB08CFA452DAE

$ gpg --list-keys --with-subkey-fingerprint
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
[keyboxd]
---------
pub   rsa2048 2023-05-23 [SCEAR]
       0D040E3B31CD2165952E0B2D2630CA1F4CFEC737
uid           [ultimate] Employee 2 (Department A) <e2 at example.com>
sub   rsa2048 2023-05-23 [SEAR]
       A1EE8DAA2FFA67B2963CF9A44C27B306EF295300

pub   rsa2048 2023-05-23 [SCEAR]
       6DF5F1752B66B225853F107AA5D29205F3B6E803
uid           [ultimate] Manager (Department A) <ma at example.com>
sub   rsa2048 2023-05-23 [SEAR]
       44883766ABE65F20453E6FC046D03490A60D7131

$ gpg --quick-add-adsk 0D040E3B31CD2165952E0B2D2630CA1F4CFEC737 44883766ABE65F20453E6FC046D03490A60D7131
gpg: key "44883766ABE65F20453E6FC046D03490A60D7131" not found: No public key

$ gpg --version
gpg (GnuPG) 2.4.1
libgcrypt 1.10.2
Copyright (C) 2023 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /root/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
         CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
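
A check for the keyring state shown in the log above, added here as an example and not part of the original message: it parses `gpg --list-keys --with-subkey-fingerprint` output and reports every subkey fingerprint that is listed under more than one primary key, with the usage flags of each occurrence. It assumes the human-readable layout shown in the message (a `pub`/`sub` line followed by an indented 40-hex-digit fingerprint); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample taken from the second listing in the message (uid lines omitted).
LISTING = """\
pub   rsa2048 2023-05-23 [SCEAR]
       41CED1E71F2F05362BE79793EEAEB08CFA452DAE
sub   rsa2048 2023-05-23 [SEAR]
       55810101E92C4C4ED311BCA94C3578A761AEB703
sub   rsa2048 2023-05-23 [R]
       44883766ABE65F20453E6FC046D03490A60D7131

pub   rsa2048 2023-05-23 [SCEAR]
       6DF5F1752B66B225853F107AA5D29205F3B6E803
sub   rsa2048 2023-05-23 [SEAR]
       44883766ABE65F20453E6FC046D03490A60D7131
"""

KEY_LINE = re.compile(r"^(pub|sub)\s+\S+\s+\S+\s+\[([A-Z]+)\]")
FPR_LINE = re.compile(r"^\s+([0-9A-F]{40})\s*$")

def parse_listing(text):
    """Return (primary_fpr, kind, usage, fpr) for every pub/sub entry."""
    entries, pending, primary = [], None, None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            pending = (m.group(1), m.group(2))  # fingerprint is on the next line
            continue
        m = FPR_LINE.match(line)
        if m and pending:
            kind, usage = pending
            if kind == "pub":
                primary = m.group(1)
            entries.append((primary, kind, usage, m.group(1)))
            pending = None
    return entries

def shared_subkeys(entries):
    """Map each subkey fingerprint listed under >1 primary key to its occurrences."""
    seen = defaultdict(list)
    for primary, kind, usage, fpr in entries:
        if kind == "sub":
            seen[fpr].append((primary, usage))
    return {fpr: occ for fpr, occ in seen.items() if len(occ) > 1}

if __name__ == "__main__":
    for fpr, occ in shared_subkeys(parse_listing(LISTING)).items():
        print(fpr, occ)
```
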