Use local GPG key only as a backup when keycard is not available



  • My question is essentially the same as this one: How to force GPG to use a Keycard when it is available which asks how to force GPG to use a keycard when one is available. That question was asked in 2018 however (3 years ago) with less details, and no answer was given. Also see Create backup Yubikey with identical PGP keys in which no solution was found (OP ends up creating separate subkeys which does not answer their own question).

    The problem I have is this: I want to use a keycard (specifically two YubiKeys) as a replacement for the local GPG keychain that I've been sharing around the computers I use (office, home, laptop, etc). Despite the simple goal, GPG/OpenPGP seems to make this a unreasonably difficult task.

    First, I do not want to use separate subkeys for the two YubiKeys because when I distribute the public keys, gpg will by default encrypt for the last subkey generated-- i.e. only one of the two YubiKeys. I want to be able to use any of my local keys, YubiKey #1 or YubiKey #2 in order to encrypt or authenticate with any server. It seems that the only way I can do this is by sharing Encryption [E], Authentication [A] and Signing [S] subkeys between my local machine(s) and the YubiKeys.

    GPG seems to not want you to do this, as keytocard moves the key to the keycard (YubiKey) and leaves behind a stub on the local machine indicating that the key is present on a keycard. Eventually I worked around this though, and copied the same triplet of E,A,S subkeys to both my YubiKeys and to my local keyring.

    Now I have an issue that gpg will only use the local keyring, even when the YubiKey is available. I want gpg to prefer a keycard when it is available. I learned from this answer that I can tell gpg-agent to refresh its knowledge on the available keys on keycards with this command: gpg-connect-agent "scd serialno" "learn --force" /bye. Now the YubiKey works, but the local keyring now lists the subkeys with ssb> ``` , suggesting the keys are stored on an external card, and gpg-agent can no longer sign with those subkeys with the local keyring when I remove the YubiKey! The private keys may have been deleted from the local machine. (I have a backup).

    It's quite a simple and obvious thing I'm trying to do: allow either the YubiKeys or the local keyring to be used for signature, authentication or signing, and prefer the YubiKeys when available. Yet I can't seem to find a way to make this work. In fact gpg it seems will stubbornly not acknowledge the existence of a private key on both a keycard and in the local keyring. I can only have one working at a given time.



  • The intended purpose of hardware tokens like the yubikey when used with PGP keys is to avoid having private keys lying around on disk which is why the scenario you envisage isn't supported.

    If it was easy to set things up this way then people might think they had secured their keys by moving them into they card when they had really just made a copy.

    I think the only way to do what you are trying to do would be to have two copies of your keyring on each machine. One with the full key and one with the stubs and have something external to gpg switch which one is active when the yubikey is plugged in/unplugged. How you do that would do that depends on your OS.

    I've tried to avoid speculating as to why you might want to do this but the only valid reason I can think of is to avoid typing a long password when you have a yubikey available. If you have something else in mind you might want to ask a question focussed on that end goal rather than the mechanics.


Log in to reply
 

Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2