Merge pull request #110 from Benvii/master

Using multiple YubiKey with same GPG keys
2019-06-01 18:42:10 +00:00 · 2019-06-01 18:42:10 +00:00 · 59923197f7
parent 1b9fc107c0 46601736f6
commit 59923197f7
1 changed files with 39 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -48,6 +48,7 @@ If you have a comment or suggestion, please open an [Issue](https://github.com/d
      - [WSL configuration](#wsl-configuration)
      - [Remote host configuration](#remote-host-configuration)
      - [Final test](#final-test)
 - [Using multiple YubiKey with same GPG keys](#Using-multiple-YubiKey-with-same-GPG-keys)
 - [Email](#email)
 - [Notes](#notes)
 - [Troubleshooting](#troubleshooting)
@ -717,8 +718,8 @@ Command (m for help): n
 Partition type
   p   primary (0 primary, 0 extended, 4 free)
   e   extended (container for logical partitions)
-Select (default p): 
+Select (default p):
-Partition number (1-4, default 1): 
+Partition number (1-4, default 1):
 First sector (2048-62980095, default 2048):
 Last sector, +sectors or +size{K,M,G,T,P} (2048-62980095, default 62980095): +10M
@ -1794,6 +1795,42 @@ And reload the SSH daemon (e.g., `sudo service sshd reload`).
 **Note** Agent forwarding may be chained through multiple hosts - just follow the same [protocol](#remote-host-configuration) to configure each host.
 # Using multiple YubiKey with same GPG keys
 If you want to store your keys on multiple YubiKey, you will see that GnuPG doesn't store the serial number of the first key it has seen.
 This is a know issue [#T2291](https://dev.gnupg.org/T2291). For now if you lost one of your keys and want to use another one the only workaround
 is to delete GnuPG's shadowed key (this is where the serial number is stored).
 To do so, first of all you need to find the `Keygrip` number of each key :
 ```
 gpg2 --with-keygrip -k $KEYID
 pub   rsa4096/0xFF3E7D88647EBCDB 2017-10-09 [C]
      Key fingerprint = 011C E16B D45B 27A5 5BA8  776D FF3E 7D88 647E BCDB
      Keygrip = 7A20855980A62C10569DE893157F38A696B1300E
 uid                  [  ultime ] Dr Duh <doc@duh.to>
 sub   rsa4096/0xBECFA3C1AE191D15 2017-10-09 [S] [expires: 2018-10-09]
      Keygrip = 85D44BD52AD45C0852BD15BF41161EE9AE477398
 sub   rsa4096/0x5912A795E90DD2CF 2017-10-09 [E] [expires: 2018-10-09]
      Keygrip = A0AA3D9F626BDEA3B833F290C7BCA79216C8A996
 sub   rsa4096/0x3F29127E79649A3D 2017-10-09 [A] [expires: 2018-10-09]
      Keygrip = 7EF25A1115294342F451BC1CDD0FA94395F2D074
 ```
 Then delete all the shadow keys using their `Keygrip` number :
 ```
 cd .gnupg/private-keys-v1.d
 rm 85D44BD52AD45C0852BD15BF41161EE9AE477398.key \
 A0AA3D9F626BDEA3B833F290C7BCA79216C8A996.key \
 7EF25A1115294342F451BC1CDD0FA94395F2D074.key
 ```
 Insert the new YubiKey simply run a card-status this will re-generate the shadow-keys :
 ```
 gpg2 --card-status
 ```
 Then try to use your key, it should work, without serial number error.
 # Email
 GPG keys on YubiKey can be used with ease to encrypt or sign email messages and attachments using [Thunderbird](https://www.thunderbird.net/) and [Enigmail](https://www.enigmail.net). Thunderbird supports OAuth 2 authentication and can be used with Gmail. See [this guide](https://ssd.eff.org/en/module/how-use-pgp-linux) from EFF for detailed instructions.