Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Two Yubikeys with unique subkeys are causing conflict #112

Closed
burnedfaceless opened this issue Jun 8, 2019 · 7 comments
Closed

Two Yubikeys with unique subkeys are causing conflict #112

burnedfaceless opened this issue Jun 8, 2019 · 7 comments

Comments

@burnedfaceless
Copy link

I have 2 Yubikey 5Cs.

I followed the guide creating a master key pair. Then I created six subkeys (S E A) and put 3 of each on two Yubikeys.

When I got to the part where it asked me to encrypt and decrypt a message I put in my backup Yubikey first. It decrypted the message successfully.

When I put in my regular Yubikey and tried to decrypt the message I got an error "Please insert the card with serial number xxxxx".

Does anyone know how to resolve this issue?

@niallm90
Copy link

niallm90 commented Jun 8, 2019

Its my understanding is that GPG will only encrypt for the latest encryption sub-key. See https://wiki.debian.org/Subkeys

One might be tempted to have one subkey per machine so that you only need to exchange the potentially compromised subkey of that machine. In case of a single subkey used on all machines, it needs to be exchanged on all machines in case of a compromising.

But this only works for signing subkeys. If you have multiple encryption subkeys, gpg is said to encrypt only for the most recent encryption subkey and not for all known and not revoked encryption subkeys.

@drduh
Copy link
Owner

drduh commented Jun 9, 2019

That's correct - you can only encrypt to a single sub-key at a time. I recommend and use multiple identities and keys, then encrypt to all of them for redundancy.

@Benvii
Copy link

Benvii commented Jun 9, 2019

This is a know issue in GnuPG.

I added a workaround to the documentation, use it when you want to switch from your main key to your backup key : https://github.com/drduh/YubiKey-Guide#multiple-keys

@drduh drduh closed this as completed in 09f3822 Jun 9, 2019
@the2nd
Copy link

the2nd commented Aug 7, 2019

Hi,
after switching to a new yubikey (old one was broken) and running the command "gpg-connect-agent "scd serialno" "learn --force" /bye" i can successfully use the key for SSH and to decrypt data via "gpg2 -d test.txt.gpg". But signing via "gpg2 --detach-sign test.txt" does still ask for the old yubikey. Do i missing something?

Best regards
the2nd

@carlolars
Copy link

I added a workaround to the documentation, use it when you want to switch from your main key to your backup key : https://github.com/drduh/YubiKey-Guide#multiple-keys

I'm using two Yubikeys with identical gpg-keys, WSL and GnuPG for Windows (version 2.2.17) and I have to first kill the gpg-agent before running the command or else it will still "discover" the old Yubikey:

$ gpg-connect-agent.exe killagent /bye
$ gpg-connect-agent.exe "scd serialno" "learn --force" /bye

@darconeous
Copy link

I've found this script to be quite useful:

https://github.com/darconeous/shattings/blob/master/bin/gpg-card-change

@meramsey
Copy link

Add this to like your ~/.bashrc or ~/.zshrc to easily be able to just fix the issue by typing yubikeyrestart or whatever alias name you prefer.

# GPG Yubikey restart relearn when switching keys and stubbed.
alias yubikeyrestart='gpg-connect-agent killagent /bye && gpg-connect-agent "scd serialno" "learn --force" /bye && gpg --card-status'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

8 participants