Multiple Yubikey with same GPG Keys, serial number issue, GnuPG workaround to switch to another key

This commit is contained in:
Benjamin BERNARD 2019-05-26 19:03:41 +02:00
parent 1b9fc107c0
commit b101259a27
1 changed files with 38 additions and 2 deletions

View File

@ -1794,6 +1794,42 @@ And reload the SSH daemon (e.g., `sudo service sshd reload`).
**Note** Agent forwarding may be chained through multiple hosts - just follow the same [protocol](#remote-host-configuration) to configure each host. **Note** Agent forwarding may be chained through multiple hosts - just follow the same [protocol](#remote-host-configuration) to configure each host.
# Using multiple YubiKey with same GPG keys
If you want to store your keys on multiple YubiKey, you will see that GnuPG doesn't store the serial number of the first key it has seen.
This is a know issue [#T2291](https://dev.gnupg.org/T2291). For now if you lost one of your keys and want to use another one the only workaround
is to delete GnuPG's shadowed key (this is where the serial number is stored).
To do so, first of all you need to find the `Keygrip` number of each key :
```
gpg2 --with-keygrip -k $KEYID
pub rsa4096/0xFF3E7D88647EBCDB 2017-10-09 [C]
Key fingerprint = 011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB
Keygrip = 7A20855980A62C10569DE893157F38A696B1300E
uid [ ultime ] Dr Duh <doc@duh.to>
sub rsa4096/0xBECFA3C1AE191D15 2017-10-09 [S] [expires: 2018-10-09]
Keygrip = 85D44BD52AD45C0852BD15BF41161EE9AE477398
sub rsa4096/0x5912A795E90DD2CF 2017-10-09 [E] [expires: 2018-10-09]
Keygrip = A0AA3D9F626BDEA3B833F290C7BCA79216C8A996
sub rsa4096/0x3F29127E79649A3D 2017-10-09 [A] [expires: 2018-10-09]
Keygrip = 7EF25A1115294342F451BC1CDD0FA94395F2D074
```
Then delete all the shadow keys using their `Keygrip` number :
```
cd .gnupg/private-keys-v1.d
rm 85D44BD52AD45C0852BD15BF41161EE9AE477398.key \
A0AA3D9F626BDEA3B833F290C7BCA79216C8A996.key \
7EF25A1115294342F451BC1CDD0FA94395F2D074.key
```
Insert the new YubiKey simply run a card-status this will re-generate the shadow-keys :
```
gpg2 --card-status
```
Then try to use your key, it should work, without serial number error.
# Email # Email
GPG keys on YubiKey can be used with ease to encrypt or sign email messages and attachments using [Thunderbird](https://www.thunderbird.net/) and [Enigmail](https://www.enigmail.net). Thunderbird supports OAuth 2 authentication and can be used with Gmail. See [this guide](https://ssd.eff.org/en/module/how-use-pgp-linux) from EFF for detailed instructions. GPG keys on YubiKey can be used with ease to encrypt or sign email messages and attachments using [Thunderbird](https://www.thunderbird.net/) and [Enigmail](https://www.enigmail.net). Thunderbird supports OAuth 2 authentication and can be used with Gmail. See [this guide](https://ssd.eff.org/en/module/how-use-pgp-linux) from EFF for detailed instructions.