Re: "gpg --card-edit" with multiple card readers (Yubikey)
Andrew Gallagher wrote:
>> Juanjo via Gnupg-users wrote:
>>
>>> This may be a good starting point:
>>> https://github.com/drduh/YubiKey-Guide
>>
>> "Keys stored on YubiKey are non-exportable (as opposed to file-based
>> keys that are stored on disk) and are convenient for everyday use. "
>>
>> In my case, I want the same key on multiple devices, which 3 to 5 core
>> members of an open source project will hold. (I am also considering
>> if we want a higher security key which would be secret split across
>> those keys, but we aren't building a CA here, but..)
>>
>> Is that possible with these devices?
>>
>> In some cases keys can be transferred in an encrypted form for another
>> device, but not recovered by outsiders.

> This is not possible with a Yubikey. If you want the same (sub)keys on
> multiple devices you must generate them on your laptop and copy them to
> each device in turn, remembering not to delete until you’re done.

Okay, so in this case we are using the Yubikey only as storage, equivalent
essentially to USB storage? Or does it still do crypto on the device?

--
Michael Richardson. o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: "gpg --card-edit" with multiple card readers (Yubikey)
On 15 Jul 2023, at 20:36, Michael Richardson wrote:
>
> Juanjo via Gnupg-users wrote:
>
>> This may be a good starting point:
>> https://github.com/drduh/YubiKey-Guide
>
> "Keys stored on YubiKey are non-exportable (as opposed to file-based keys
> that are stored on disk) and are convenient for everyday use. "
>
> In my case, I want the same key on multiple devices, which 3 to 5 core
> members of an open source project will hold.
> (I am also considering if we want a higher security key which would be secret
> split across those keys, but we aren't building a CA here, but..)
>
> Is that possible with these devices?
>
> In some cases keys can be transferred in an encrypted form for another device,
> but not recovered by outsiders.

This is not possible with a Yubikey. If you want the same (sub)keys on
multiple devices you must generate them on your laptop and copy them to
each device in turn, remembering not to delete until you’re done.

A
Re: "gpg --card-edit" with multiple card readers (Yubikey)
Juanjo via Gnupg-users wrote:
>> should eventually describe the environment.
>> >
>> > Yes please.
>> > Could it go into a wiki page or something that people can comment on
>> > and/or amend?
>>
>> feel free to open a page with the info that Werner has already given
>> on https://wiki.gnupg.org

> This may be a good starting point:
> https://github.com/drduh/YubiKey-Guide

"Keys stored on YubiKey are non-exportable (as opposed to file-based keys
that are stored on disk) and are convenient for everyday use. "

In my case, I want the same key on multiple devices, which 3 to 5 core
members of an open source project will hold.
(I am also considering if we want a higher security key which would be secret
split across those keys, but we aren't building a CA here, but..)

Is that possible with these devices?

In some cases keys can be transferred in an encrypted form for another device,
but not recovered by outsiders.
Re: "gpg --card-edit" with multiple card readers (Yubikey)
On Sat, Jul 15, 2023 at 9:36 PM Michael Richardson wrote:
>
> Juanjo via Gnupg-users wrote:
> >> should eventually describe the environment.
> >> >
> >> > Yes please.
> >> > Could it go into a wiki page or something that people can comment on
> >> > and/or amend?
> >>
> >> feel free to open a page with the info that Werner has already given
> >> on https://wiki.gnupg.org
>
> > This may be a good starting point:
> > https://github.com/drduh/YubiKey-Guide
>
> "Keys stored on YubiKey are non-exportable (as opposed to file-based keys
> that are stored on disk) and are convenient for everyday use. "
>
> In my case, I want the same key on multiple devices, which 3 to 5 core
> members of an open source project will hold.
> (I am also considering if we want a higher security key which would be secret
> split across those keys, but we aren't building a CA here, but..)
>
> Is that possible with these devices?
>
> In some cases keys can be transferred in an encrypted form for another device,
> but not recovered by outsiders.

We use keys generated into the yubikey, but I think the wiki YubiKey-Guide
in my previous e-mail just covers your use case: generate GPG keys outside
the Yubikey, back them up, and then transfer the generated keys to a single
or multiple Yubikeys.

Regards,

Juanjo
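
The "copy them to each device in turn, remembering not to delete until you're done" advice from the replies above, as an added example that is not part of the thread: in gpg, `keytocard` followed by `save` replaces the on-disk secret key with a stub that points at the card, so each card is loaded from a throwaway copy of the keyring. The function names and the three script arguments are hypothetical, and the master directory is assumed to be an offline backup of GNUPGHOME with no agent running in it.

```shell
#!/bin/sh
# Added example: put the same subkeys on several cards without losing the
# on-disk secret keys. Argument names below are placeholders, not gpg options.

# Copy the master keyring into a private scratch directory and print its path.
# Point TMPDIR at a RAM-backed filesystem so the copy never touches disk.
make_work_home() {
    master=$1
    work=$(mktemp -d) || return 1
    chmod 700 "$work"
    cp -Rp "$master"/. "$work"/ || return 1
    printf '%s\n' "$work"
}

# One interactive keytocard session against a scratch copy, then discard it.
# The master directory is only ever read, so its secret keys stay intact.
load_card() {
    master=$1
    keyid=$2
    work=$(make_work_home "$master") || return 1
    echo "Insert the next card. At the gpg prompt: key N, keytocard, save."
    gpg --homedir "$work" --edit-key "$keyid"
    status=$?
    gpgconf --homedir "$work" --kill gpg-agent
    rm -rf "$work"
    return "$status"
}

# Usage: sh load-cards.sh MASTER_GNUPGHOME KEYID NUMBER_OF_CARDS
if [ "$#" -eq 3 ]; then
    i=1
    while [ "$i" -le "$3" ]; do
        load_card "$1" "$2" || exit 1
        i=$((i + 1))
    done
fi
```

On a machine that later uses more than one of these cards, the stored stub remembers a single card serial number; `gpg-connect-agent "scd serialno" "learn --force" /bye` rebinds it to the card currently inserted.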