Below is a step-by-step guide to test whether I could get a secret PGP key off of my YubiKey.
- On Computer 1, generate a GPG key pair.
- More your secret key to a YubiKey, following the instructions on this wedpage under "Generating the key on your local system"
- On computer 2, import the public key of the key pair.
- Still on computer 2, insert your YubiKey. Then create a stub for the secret key by running
gpg --card-statussource - Unplug YubiKey.
- On computer 2, run
gpg --export-secret-keys -a KEYID > secret.asc, filling in the KEYID with the key id. - A private key is now in the file
secret.asc
Question: is the key in secret.asc the private key of the key pair? Did we just successfully get a secret key off of a YubiKey without it even being plugged in? Or is the key in the secrets.asc merely some "stub" placeholder?
In an attempet to answer these questions, I took the following steps. I never plugged the YubiKey into the computer.
- On computer 2, with the YubiKey unplugged, run
mkdir export && cd export gpg --export -a KEYID > public.ascgpg --export-secret-keys -a KEYID > secret.asc- Using a GUI application, delete key pair from this computer
- Import key pair from
exportfolder - Encrypt a test file for this key pair:
gpg -e test.txt, then when prompted, enter KEYID - Attempt to decrypt this file:
gpg -d test.txt.gpg
Thankfully, step 14 seems to fail with the following error:
gpg: public key decryption failed: Card error
gpg: decryption failed: No secret keywhich seems to mean the secret key we exported in step 6 is not the real secret key contained on the YubiKey.