
Use multi-usage key in authentication slot on HW-key for encryption
So, I decided to use a Yubikey to store my GPG-subkeys. Using the
smartcard functionality I can store 3 different subkeys and so thought
that I could actually store some multi-usage key
(authentication/encryption) there so I can have per-key-encryption for
private-data (notably passwords with pass). However, while I can use the
main encryption key in "slot 2" just fine, I can't decrypt with the
"multi"-purpose key stored in the yubikey anymore (yes, I'm using
--try-all-secrets).

Is this a limitation of the smartcard standard or just an opinionated
choice in GPG or am I doing something wrong? If it's not possible with
the smartcard: can I use the PIV-mode of the yubikey for that purpose?


Regards,

Felix

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Use multi-usage key in authentication slot on HW-key for encryption
On Saturday, 16 April 2022 09:10:58 CEST Felix Mayr via Gnupg-users wrote:
> So, I decided to use a Yubikey to store my GPG-subkeys. Using the
> smartcard functionality I can store 3 different subkeys and so thought
> that I could actually store some multi-usage key
> (authentication/encryption) there so I can have per-key-encryption for
> private-data (notably passwords with pass). However, while I can use the
> main encryption key in "slot 2" just fine, I can't decrypt with the
> "multi"-purpose key stored in the yubikey anymore (yes, I'm using
> --try-all-secrets).
>
> Is this a limitation of the smartcard standard or just an opinionated
> choice in GPG or am I doing something wrong? If it's not possible with
> the smartcard: can I use the PIV-mode of the yubikey for that purpose?

The OpenPGP card standard offers three slots. Each slot is single usage. The
key in the first slot is used for signing (data and keys) exclusively, the key
in the second slot is used for encryption exclusively, and the key in the
third slot is used for authentication (i.e. with ssh) exclusively.

If your Yubikey supports PIV then you can store more keys with PIV. You need
GnuPG 2.3 for full multi-card and multi-card-app (e.g. OpenPGP _and_ PIV)
support.

Regards,
Ingo
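As an added example (not code from this thread or from GnuPG), a small POSIX shell check that reads the output of `gpg --with-colons --list-secret-keys` and flags subkeys stored on an OpenPGP card whose usage flags span more than one of sign/encrypt/auth, which is exactly the combination the card's single-usage slots cannot honour. The sample listing, key IDs and card serial below are constructed placeholders.

```shell
#!/bin/sh
# Added example: warn about multi-usage subkeys on an OpenPGP card.
# Input: machine-readable listing from  gpg --with-colons --list-secret-keys
# In "ssb" records, field 12 holds the usage flags (s/e/a) and field 15 holds
# the card serial number when the secret key lives on a card ("+" or "#"
# otherwise).  A card slot serves one usage, so an "ea" subkey on a card is
# only usable for whichever slot it was written to.

check_card_subkeys() {
    # Reads a listing on stdin.  Prints one line per offending subkey and
    # returns 1 if any was found, 0 if every card-resident subkey is single-usage.
    awk -F: '
        $1 == "ssb" && $15 != "" && $15 != "+" && $15 != "#" {
            caps = $12; n = 0
            if (index(caps, "s")) n++
            if (index(caps, "e")) n++
            if (index(caps, "a")) n++
            if (n > 1) {
                printf "subkey %s on card %s has usage %s: card slots are single-usage\n", $5, $15, caps
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample listing (placeholder key IDs and card serial, not real keys):
# sign-only and encrypt-only subkeys on the card, an "ea" subkey on the card,
# and an off-card encryption subkey that must not be reported.
SAMPLE_LISTING='sec:u:4096:1:AAAAAAAAAAAAAAAA:1600000000:::u:::cSC:::+:::23::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1600000000::::::s:::CARDSERIAL0001:::23:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1600000000::::::e:::CARDSERIAL0001:::23:
ssb:u:256:18:DDDDDDDDDDDDDDDD:1600000000::::::ea:::CARDSERIAL0001:::23:
ssb:u:256:18:EEEEEEEEEEEEEEEE:1600000000::::::e:::+:::23:'

if printf '%s\n' "$SAMPLE_LISTING" | check_card_subkeys; then
    echo "all card-resident subkeys are single-usage"
else
    echo "split the flagged subkey into one subkey per usage before moving it to the card"
fi
```

Against a real keyring, pipe `gpg --with-colons --list-secret-keys` into `check_card_subkeys` instead of the sample.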
Re: Use multi-usage key in authentication slot on HW-key for encryption
> The OpenPGP card standard offers three slots. Each slot is single usage. The
> key in the first slot is used for signing (data and keys) exclusively, the key
> in the second slot is used for encryption exclusively, and the key in the
> third slot is used for authentication (i.e. with ssh) exclusively.
Well, and I reckon this is relatively hardcoded into GnuPG?

> If your Yubikey supports PIV then you can store more keys with PIV. You need
> GnuPG 2.3 for full multi-card and multi-card-app (e.g. OpenPGP _and_ PIV)
> support.
That sounds great! Is there any documentation on how to use both the PGP
and PIV-card simultaneously?

Regards,

Felix

Re: Use multi-usage key in authentication slot on HW-key for encryption
>> If your Yubikey supports PIV then you can store more keys with PIV.
>> You need
>> GnuPG 2.3 for full multi-card and multi-card-app (e.g. OpenPGP _and_ PIV)
>> support.
> That sounds great! Is there any documentation on how to use both the PGP
> and PIV-card simultaneously?

So, it looks like it picks up both automatically and it works seamlessly
- only thing missing now is how to push ECC-P 384 keys onto the device
(so that I can keep a backup, sadly only 2048bit RSA and ECC-P 384 are
supported in the PIV-slots). Still looks very nice for now. I hope the
next email will be signed ;)!

Regards

Felix
