Mailing List Archive

Question with Subkeys and Yubikeys
Hello,
I have a gpg key that was generated on a yubikey with the gpg card
generate command. I now have a second yubikey, and I would like to
generate and store a signature and authentication subkey on this second
yubikey, but I am running into some issues. Ideally, I would like to be
able to type in `gpg --expert --edit-key KeyID` and then go `addcardkey`
with the secondary yubikey attached. This starts to work and generates a
key on the secondary yubikey, but then it will ask me to insert the
primary yubikey presumably to sign the change; however, even after I
insert the primary yubikey, GPG does not recognize it, and if I remove
the secondary yubikey the process is aborted. The other thing I tried
was to run `generate` on the secondary yubikey so that it would generate
its key slots and then once again run `gpg --expert --edit-key KeyID`,
but this time called `addkey` and selected option 13 to add an existing
key hoping that it would just need the primary yubikey to sign off on
the changes. Still, even after it asks for the pin of the primary
yubikey, it then asks for the secondary yubikey and runs into the same
issue. What is the best way to do this where the subkeys are generated
on the yubikey and then signed by the primary yubikey?
Also, an unrelated question, but I could not find much information on this;
on the Yubico website, it says that if you call generate on the smartcard:
> When prompted, specify if you want to make an off-card backup of your
> encryption key.
> Note: This is a shim backup of the private key, not a full backup,
> and cannot be used to restore to a new YubiKey.
What exactly is a shim backup? Is this just the private encryption key
but nothing else, or does it not actually include any private encryption
key? Is there a way to generate this key where the encryption key is
never exposed outside the yubikey?

-- Brandon Anderson
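A checking step that goes with the situation described in the post above, added here as an example and not part of the original message or of GnuPG's own code: after `addcardkey` or `addkey`, the question of where each secret key actually lives (in the local keyring, on a card, or not present at all) can be read off `gpg --with-colons --list-secret-keys`. The parser below follows the record layout in GnuPG's doc/DETAILS, where field 15 of a `sec`/`ssb` record is `+` for a locally stored secret key, the token serial number for a smartcard stub, and `#` for a secret key that is not available. The sample listing embedded in the script is constructed (key IDs, fingerprints, keygrips and the serial number are made up); the function names `parse_secret_keys` and `card_serials` are mine.

```python
"""Classify secret keys in `gpg --with-colons --list-secret-keys` output by
where the secret material lives: local keyring, smartcard stub, or missing.

Added example (not from the mailing-list post). Assumption: the colon
format matches GnuPG's doc/DETAILS, where field 15 (1-based) of a sec/ssb
record is '+' (secret key stored locally), a token serial number (stub
pointing at a smartcard) or '#' (secret part not available).
"""
import sys
from typing import Dict, List, Set

# Constructed sample listing: a local primary key, a signing subkey whose
# secret part is on a card, and an encryption subkey with no secret part.
SAMPLE = """\
sec:u:4096:1:0123456789ABCDEF:1600000000:::u:::cESCA:::+:::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1600000000::DEADBEEF::Example User <user@example.invalid>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1600000001::::::s:::D2760001240102010006123456780000:::23:
fpr:::::::::000000000000000000000000FEDCBA9876543210:
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:4096:1:1122334455667788:1600000002::::::e:::#:::23:
fpr:::::::::0000000000000000000000001122334455667788:
grp:::::::::3333333333333333333333333333333333333333:
"""

NUM_FIELDS = 21  # DETAILS documents 21 fields; pad short records to that


def parse_secret_keys(colon_output: str) -> List[Dict[str, str]]:
    """Return one dict per sec/ssb record with its storage classification."""
    keys: List[Dict[str, str]] = []
    current = None  # the sec/ssb record that following fpr/grp lines describe
    for raw in colon_output.splitlines():
        fields = raw.split(":")
        rec = fields[0] if fields else ""
        if rec in ("sec", "ssb"):
            fields += [""] * (NUM_FIELDS - len(fields))
            token = fields[14]  # field 15: '+', '#' or a token serial number
            if token == "+":
                storage = "local"
            elif token == "#":
                storage = "missing"
            elif token:
                storage = "card"
            else:
                storage = "unknown"
            current = {
                "type": rec,
                "keyid": fields[4],
                "algo": fields[3],
                "bits": fields[2],
                "caps": fields[11],
                "storage": storage,
                "serial": token if storage == "card" else "",
                "fingerprint": "",
                "keygrip": "",
            }
            keys.append(current)
        elif rec == "fpr" and current is not None and not current["fingerprint"]:
            current["fingerprint"] = fields[9] if len(fields) > 9 else ""
        elif rec == "grp" and current is not None and not current["keygrip"]:
            current["keygrip"] = fields[9] if len(fields) > 9 else ""
        elif rec == "uid":
            current = None  # uid records end the primary key's fpr/grp block
    return keys


def card_serials(keys: List[Dict[str, str]]) -> Set[str]:
    """Serial numbers of every token that holds at least one secret key."""
    return {k["serial"] for k in keys if k["storage"] == "card"}


def report(keys: List[Dict[str, str]]) -> List[str]:
    """Human-readable one-line summary per key, in listing order."""
    lines = []
    for k in keys:
        where = k["storage"]
        if where == "card":
            where = f"card {k['serial']}"
        lines.append(f"{k['type']} {k['keyid']} [{k['caps']}] -> {where}")
    return lines


if __name__ == "__main__":
    # Usage: gpg --with-colons --list-secret-keys | python3 this_script.py
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    parsed = parse_secret_keys(data)
    print("\n".join(report(parsed)))
    print("tokens seen:", ", ".join(sorted(card_serials(parsed))) or "none")
```

Run with a real listing piped in; each Yubikey that holds a subkey shows up as its own serial number in the "tokens seen" line, which is the quick way to confirm that a subkey created with `addcardkey` ended up as a stub for the second card rather than as local secret material. In the human-readable `--list-secret-keys` output the same distinction appears as `ssb>` (stub on a card) versus `ssb#` (secret part missing).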