Re: Keyring management with multiple smart cards
On 17.12.2018 03:28, Louis Opter wrote:
> Where is the procedure to remove shadow files documented? I found this to be
> confusing to do, hence why I favored different subkeys for different
> smartcards.

Uhm, this is kind of an internal GnuPG detail so I guess it's not documented anywhere. But it's something like this:

$ gpg --with-keygrip -K

You get the keygrip from one of your subkeys and look for a file named the same in ~/.gnupg/private-keys-v1.d. Removing, well, just use "rm" (or "mv" just in case ;).

Note that this is an implementation detail so it may change in the future.

> Thank you very much for your feedback Wiktor!

No problem, one thing I forgot to mention - as far as I know RFC 4880 (OpenPGP) doesn't specify which encryption subkey to use and some implementations (e.g. OpenKeychain) use all valid encryption subkeys (so a scheme of using one encryption subkey per token would work).

Kind regards,
Wiktor

--
https://metacode.biz/@wiktor

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keyring management with multiple smart cards
On Sat, Dec 15, 2018, at 12:53 AM, Wiktor Kwapisiewicz wrote:
> 1. I use one smartcard as a primary device so T2291 isn't that critical, if that
> one fails I can just remove shadow files and --card-status a new card, it will
> work. That doesn't happen frequently so manual removal of shadow file is not a
> big problem (but it would be nice if the shadow files supported multiple card
> serial numbers!).

Where is the procedure to remove shadow files documented? I found this to be
confusing to do, hence why I favored different subkeys for different
smartcards.

> One signing subkey per smartcard is fine as they're bound to the same primary
> key (but if you're not using expiration users can get some interesting behavior
> like [1]).
>
> [1]: https://www.reddit.com/r/tails/comments/9rchgi/

Thanks for the tip! I have an expiration date set on all my keys.

Thank you very much for your feedback Wiktor!

--
Louis Opter
Re: Keyring management with multiple smart cards
Hi Louis,

I have a very similar setup. After working with several different options and encountering the same problems as you have (GPG does not encrypt to all encryption subkeys, not possible to have the same subkeys on different smartcards) I observed the following facts:

1. I use one smartcard as a primary device so T2291 isn't that critical, if that one fails I can just remove shadow files and --card-status a new card, it will work. That doesn't happen frequently so manual removal of the shadow file is not a big problem (but it would be nice if the shadow files supported multiple card serial numbers!).

2. As GnuPG does not encrypt to all encryption subkeys you *need* to have the same encryption subkeys on different smartcards anyway, but it's not a problem in practice because of 1.

So, load the same encryption subkey on all devices and in case your main one is lost just remove the corresponding shadow file (this can be dangerous if you don't know what you're doing, e.g. using private keys generated locally on GnuPG).

One signing subkey per smartcard is fine as they're bound to the same primary key (but if you're not using expiration users can get some interesting behavior like [1]).

Hope this helps!

Kind regards,
Wiktor

[1]: https://www.reddit.com/r/tails/comments/9rchgi/

On 14.12.2018 23:37, Louis Opter wrote:
> Hello,
>
> I have a certify-only master keypair in an air-gapped machine. I only
> use that machine to create subkeys and sign other people's keys. The
> subkeys are copied onto smartcards which I use in daily life.
>
> Assuming that smartcards aren't indestructible and can be lost I always
> have a backup smartcard handy. Because you can't really share a subkey
> with multiple smartcards [1], I took the approach of generating subkeys
> for each smartcard. This means that I have multiple sign/enc/auth
> subkeys that are used in lockstep, but I have a single $GNUPGHOME and
> it is really easy for me to use any of my smartcards: data that I care
> about is encrypted for all the smartcards and all the smartcards are
> authorized for ssh logins.
>
> On the other hand, having multiple sign subkeys doesn't really make
> sense to publish data (e.g: software releases). Moreover my ring of enc
> subkeys is not usable for people who are trying to communicate with me:
> it's not really reasonable to ask people to encrypt data for all my
> subkeys, and GPG is designed to use the most recent key for the
> requested (sign/enc/auth) usage anyway.
>
> To alleviate that problem I was wondering if it was possible to create
> another sign/enc subkey and publish (to keyservers) that subkey only?
> (along with my master public key of course).
>
> In other words I would have two views of the same keyring: one with all
> my subkeys for my own use with my smartcards, and one for use by other
> people with only my master key and my sign/enc subkey so that there is
> no ambiguity on the subkey to use when communicating with me or
> verifying my signatures.
>
> I hope this is intelligible and I am curious about how other people
> approached that problem.
>
> Thank you & have a nice week-end,
>
> [1] https://dev.gnupg.org/T2291
>

--
https://metacode.biz/@wiktor
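The procedure Wiktor describes in this thread (take the keygrip from `gpg --with-keygrip -K`, find the file of the same name in ~/.gnupg/private-keys-v1.d, rm or mv it, then run --card-status with the replacement card) together with his warning that removing the wrong file is dangerous when some private keys were generated locally, worked through as an added Python example. This is not code from the thread's authors or from GnuPG. It assumes the colon-listing field layout documented in GnuPG's doc/DETAILS (field 5 key ID, field 12 capabilities, field 15 token serial, with '#' meaning no secret part and '+' meaning the key is on disk), and that a card stub's first S-expression tag is `shadowed-private-key`, whether the file is raw canonical form or carries the tag behind the extended key format's `Key:` line. The listing, serial numbers, keygrips and file contents in the block are constructed; the file name and layout are GnuPG internals and may change, as Wiktor says.

```python
"""Find and retire gpg-agent card stubs ("shadow files") for a lost smartcard.

Added example, not code from GnuPG or the thread's authors. Assumptions:
  * listing = `gpg -K --with-colons --with-keygrip` output, field layout per
    GnuPG doc/DETAILS (field 5 key ID, 12 capabilities, 15 token serial,
    '#' = no secret part, '+' = key on disk);
  * stubs live in $GNUPGHOME/private-keys-v1.d/<KEYGRIP>.key and start with
    the S-expression tag shadowed-private-key, raw canonical or after 'Key:';
  * SAMPLE_LISTING and everything demo() writes are constructed test data.
"""
import os
import re
import shutil
import tempfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SecretKey:
    keyid: str
    caps: str
    token: str                    # serial number, '#' or '+'
    keygrip: Optional[str] = None

    @property
    def on_card(self) -> bool:
        return self.token not in ("", "#", "+")


def parse_colon_listing(text: str) -> List[SecretKey]:
    """Attach each grp record to the sec/ssb record that precedes it."""
    keys: List[SecretKey] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb") and len(f) > 14:
            keys.append(SecretKey(keyid=f[4], caps=f[11], token=f[14]))
        elif f[0] == "grp" and keys and len(f) > 9:
            keys[-1].keygrip = f[9]
    return keys


_TAG = re.compile(rb"\(\s*(?:\d+:)?([a-z-]+)")   # first S-expression tag


def key_file_kind(path: str) -> Optional[str]:
    """'shadowed-private-key' = card stub; '(protected-)private-key' = real key."""
    with open(path, "rb") as fh:
        m = _TAG.search(fh.read())
    return m.group(1).decode() if m else None


def stub_path(gnupghome: str, keygrip: str) -> str:
    return os.path.join(gnupghome, "private-keys-v1.d", keygrip + ".key")


def stubs_for_card(keys: List[SecretKey], gnupghome: str, serial: str) -> List[str]:
    """Stub files of the card with this serial; refuses to touch real key material."""
    paths = []
    for k in keys:
        if not (k.on_card and k.token == serial and k.keygrip):
            continue
        p = stub_path(gnupghome, k.keygrip)
        if not os.path.exists(p):
            continue                       # nothing to retire for this subkey
        kind = key_file_kind(p)
        if kind != "shadowed-private-key":
            raise RuntimeError(f"{p} holds {kind!r}, not a card stub: refusing")
        paths.append(p)
    return paths


def retire_stubs(paths: List[str]) -> List[str]:
    """mv instead of rm: gpg-agent looks up <keygrip>.key only, so the .bak
    copy is ignored but can be restored if the card turns up again."""
    moved = []
    for p in paths:
        os.replace(p, p + ".bak")
        moved.append(p + ".bak")
    return moved


# ---- constructed sample data (fake serials, fake keygrips) ----------------
CARD_A = "D2760001240102010006000000010000"
CARD_B = "D2760001240102010006000000020000"


def grip(c: str) -> str:                          # 40-hex-digit fake keygrip
    return c + "0" * 39


SAMPLE_LISTING = f"""\
sec:u:4096:1:0A0A0A0A0A0A0A0A:1544000000:::u:::cESCA:::#:::23::0:
fpr:::::::::0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A:
grp:::::::::{grip('A')}:
uid:u::::1544000000::C0FFEE::Louis Example <louis@example.org>::::::::::0:
ssb:u:4096:1:0B0B0B0B0B0B0B0B:1544000000::::::s:::{CARD_A}:::23:
grp:::::::::{grip('B')}:
ssb:u:4096:1:0C0C0C0C0C0C0C0C:1544000000::::::e:::{CARD_A}:::23:
grp:::::::::{grip('C')}:
ssb:u:4096:1:0D0D0D0D0D0D0D0D:1544000000::::::s:::{CARD_B}:::23:
grp:::::::::{grip('D')}:
ssb:u:4096:1:0E0E0E0E0E0E0E0E:1544000000::::::a:::+:::23:
grp:::::::::{grip('E')}:
"""


def demo() -> dict:
    """Throwaway GNUPGHOME: card A (sign+enc stubs) is lost; card B's stub and
    an on-disk auth key must survive. Returns what was retired and what remained."""
    home = tempfile.mkdtemp(prefix="gnupghome-demo-")
    pkd = os.path.join(home, "private-keys-v1.d")
    os.mkdir(pkd)
    keys = parse_colon_listing(SAMPLE_LISTING)
    for k in keys:
        if k.on_card:   # constructed canonical stub, outer shape only
            body = (b"(21:shadowed-private-key(3:rsa(1:n3:\x01\x00\x01)(1:e3:\x01\x00\x01)"
                    b"(8:shadowed5:t1-v1(32:" + k.token.encode() + b"9:OPENPGP.1))))")
        elif k.token == "+":   # constructed extended-format file with real key material
            body = b"Created: 20181215T000000\nKey: (protected-private-key (rsa (n #010001#)(e #010001#)))\n"
        else:
            continue           # '#': primary key is offline, no file at all
        with open(stub_path(home, k.keygrip), "wb") as fh:
            fh.write(body)
    try:
        stubs = stubs_for_card(keys, home, CARD_A)
        retired = [os.path.basename(p) for p in stubs]
        retire_stubs(stubs)
        # A listing that wrongly claims the on-disk key sits on card B must be refused.
        bogus = SecretKey("0E0E0E0E0E0E0E0E", "a", CARD_B, grip("E"))
        try:
            stubs_for_card([bogus], home, CARD_B)
            refused = False
        except RuntimeError:
            refused = True
        remaining = sorted(os.listdir(pkd))
    finally:
        shutil.rmtree(home)
    return {"retired": retired, "refused": refused, "remaining": remaining}
```

In real use, feed `parse_colon_listing` the output of `gpg -K --with-colons --with-keygrip`, pass the serial of the lost card to `stubs_for_card`, and only then `retire_stubs`; with the replacement card inserted, `gpg --card-status` writes fresh stubs pointing at it. The refusal in `stubs_for_card` is the whole point of checking the file before moving it: a key generated locally on GnuPG has no copy on any card, so treating its file as a stub would lose it.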
Keyring management with multiple smart cards
Hello,

I have a certify-only master keypair in an air-gapped machine. I only use that machine to create subkeys and sign other people's keys. The subkeys are copied onto smartcards which I use in daily life.

Assuming that smartcards aren't indestructible and can be lost I always have a backup smartcard handy. Because you can't really share a subkey with multiple smartcards [1], I took the approach of generating subkeys for each smartcard. This means that I have multiple sign/enc/auth subkeys that are used in lockstep, but I have a single $GNUPGHOME and it is really easy for me to use any of my smartcards: data that I care about is encrypted for all the smartcards and all the smartcards are authorized for ssh logins.

On the other hand, having multiple sign subkeys doesn't really make sense to publish data (e.g: software releases). Moreover my ring of enc subkeys is not usable for people who are trying to communicate with me: it's not really reasonable to ask people to encrypt data for all my subkeys, and GPG is designed to use the most recent key for the requested (sign/enc/auth) usage anyway.

To alleviate that problem I was wondering if it was possible to create another sign/enc subkey and publish (to keyservers) that subkey only? (along with my master public key of course).

In other words I would have two views of the same keyring: one with all my subkeys for my own use with my smartcards, and one for use by other people with only my master key and my sign/enc subkey so that there is no ambiguity on the subkey to use when communicating with me or verifying my signatures.

I hope this is intelligible and I am curious about how other people approached that problem.

Thank you & have a nice week-end,

[1] https://dev.gnupg.org/T2291

--
Louis Opter