@bradfa
Created November 15, 2022 13:00
Using 2 Yubikeys for GPG Idea

I have 2 Yubikeys which support the OpenPGP card capability. I want to have a robust GnuPG solution which allows me to store one of the keys in a safe place and to carry the other key with me daily on my physical keychain. I want to be able to fairly easily survive having the daily carry Yubikey be stolen, lost, or simply fail, by revoking those keys. I also want to be able to survive having the safely stored key fail by revoking those keys.

My original plan was to create a main key pair and 2 sets of encryption and authentication subkeys (4 total, 2 enc and 2 auth). The main key pair and one set of the encryption and authentication keys would be transferred to each Yubikey, so each Yubikey would share the common main key pair but have a different set of encryption and authentication subkeys. This turns out to be quite difficult to implement in a secure way due to how GnuPG's key-to-card functionality works. GnuPG expects if you transfer a key to a card that you want that key to only live on that card and it tries very hard to prevent you from being able to still access that key once it's transferred to the card. There are ways around this, but they are all quite a bit hacky. And it feels like if GnuPG wants to work this way, it's likely for a good reason. So I've abandoned trying to do this.

Simply having the safely stored Yubikey be the "main" key pair holder and then generating and signing 3 subkeys (signing, encryption, and authentication) for the daily carry Yubikey is one option. But then a failure of the safely stored Yubikey would be a bit of a problem as I'd need to revoke everything. This would be easier if I could just do the generic generation of keys on the safely stored Yubikey and then, while still having it installed into the PC, generate specific subkeys on the daily carry card. I wonder if this is possible...
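An added example (not code from the gist) of a key layout in which each card can be lost or revoked on its own: a certify-only primary key that lives only in an exported backup rather than on either Yubikey (which goes beyond what the gist proposes), plus one sign/encrypt/auth subkey set per card. It assumes gpg 2.1 or later is on PATH; the user id is constructed sample data, and the interactive keytocard step is only noted in a comment.

```shell
#!/bin/sh
# Added example, not from the gist: build the two-card key layout in a throwaway
# GnuPG home. The primary key is certify-only and is kept only in an exported
# backup; each Yubikey gets its own sign/encr/auth subkey set, so losing either
# card means revoking that card's three subkeys and nothing else.
# Assumption: gpg 2.1+ is installed. The user id below is constructed sample data.
# Moving a subkey onto a card ("keytocard" inside gpg --edit-key) is interactive
# and is only noted in a comment: after that step GnuPG keeps just a stub on disk,
# which is why the full backup is exported first.
set -eu

build_two_card_layout() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "skipped"            # gpg not available; nothing to demonstrate
        return 0
    fi
    home=$(mktemp -d)
    uid="Example User <example@example.invalid>"   # constructed sample identity
    # Wrapper: non-interactive gpg against the throwaway home, empty passphrase.
    g() { gpg --homedir "$home" --batch --pinentry-mode loopback --passphrase '' "$@"; }

    # Certify-only primary key: never placed on the daily-carry card.
    g --quick-generate-key "$uid" ed25519 cert never 2>/dev/null
    fpr=$(g --list-keys --with-colons "$uid" | awk -F: '/^fpr:/ { print $10; exit }')

    # One subkey set per card: first loop pass is the daily-carry set, second
    # pass is the set for the safely stored card.
    for card in daily safe; do
        g --quick-add-key "$fpr" ed25519 sign 1y 2>/dev/null   # signing subkey
        g --quick-add-key "$fpr" cv25519 encr 1y 2>/dev/null   # encryption subkey
        g --quick-add-key "$fpr" ed25519 auth 1y 2>/dev/null   # authentication subkey
    done

    # Full secret-key backup BEFORE any keytocard; afterwards only stubs remain.
    g --export-secret-keys --armor "$fpr" > "$home/secret-backup.asc" 2>/dev/null
    # Interactive, not run here:  gpg --edit-key "$fpr"  ->  key <n>  ->  keytocard

    # Report the number of subkeys so the layout can be checked (expected: 6).
    g --list-keys --with-colons "$fpr" | grep -c '^sub:'
    GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$home"
}
```

Revoking the daily-carry set later is done from the backup copy of the primary key, leaving the other card's subkeys valid.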
