Primary and Signing Key on Different Smart Cards

Anton Marchukov anton at marchukov.com
Mon Jan 16 22:58:06 CET 2017


> readers. I found that gpg is not able to locate the card if more than one
> reader is present and somehow always defaults to the first card it
> sees. To mitigate this I had to always remove the reader along with
> the card. And then of course have to reinsert it back. May it be that
> gpg expects cards to be in the same reader?

So far I was not able to get gpg working with a subkey generated on
the card due to the above-mentioned problem. However you can use a secure
machine (I used the Tails distribution on a write-protected flash
drive), generate the subkeys on file and then transfer them to
individual cards/tokens. This somehow worked well, with only a few
exceptions:

1. Between loading the next card I sometimes had to wipe ~/.gnupg
completely and reload the public key there following "gpg2 --card-status".
But anyway it is also a good way to check your keys before wiping
memory. I also uploaded the public keys to the keyserver right from
Tails once I verified they are ok.
2. You need to use "--local-user" to specify which subkey to use for
signing, e.g. "local-user 0x29240005AAD6C87A!". The exclamation mark is
essential here. Otherwise gpg will try to choose the latest available
subkey, as I understood, or complain that it is not available. I put it in
my ~/.gnupg/gpg.conf

Overall, after those manipulations I have a primary plastic card and 2
separate YubiKey tokens for signing only. The tokens are permanently
installed in each of the systems I use. Besides that, after additional
configuration [1] the YubiKey requires you to touch its sensor as a presence
check each time a crypto operation is done using secret key material.

I have some empty cards left along with a few readers, so I can continue
troubleshooting it further. Maybe we can make it work with cards in
separate readers.

[1] https://gist.github.com/a-dma/797e4fa2ac4b5c9024cc

Anton.
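The post above pins one signing subkey per machine with "local-user <keyid>!" and needs to know which subkey sits on which token. The following added example (not code from the post or from GnuPG) shows how to derive that from gpg's machine-readable listing, `gpg -K --with-colons`, whose record format is documented in GnuPG's doc/DETAILS: on "sec"/"ssb" records field 5 is the key id, field 12 the capability letters and field 15 the serial number of the token holding the secret part (or "#" when no secret part is present); the "fpr" record that follows carries the full fingerprint in field 10. The listing below is constructed by hand: the key id 0x29240005AAD6C87A comes from the post, while the fingerprints, the second key id and the token serial numbers are made-up placeholders.

```python
"""Find the signing subkeys in a `gpg -K --with-colons` listing, tell which
token holds each one, and emit the gpg.conf line that pins it with '!'.

Record layout (GnuPG doc/DETAILS): sec/ssb field 5 = key id, field 12 =
capabilities (s = sign, e = encrypt, c = certify), field 15 = token serial
number or '#' when the secret part is not present; the following fpr
record has the fingerprint in field 10. Fields are 1-based in the docs,
0-based after str.split(':') here.
"""

# Constructed sample listing (NOT real output): a primary key plus an
# encryption subkey on one card and two signing subkeys on two other
# tokens. Fingerprints, the second key id and serials are placeholders.
SAMPLE_LISTING = """\
sec:u:4096:1:AAAAAAAAAAAAAAAA:1484000000:::u:::cSC:::D2760001240102010006000000000001:::23::0:
fpr:::::::::0000000000000000AAAAAAAAAAAAAAAA:
uid:u::::1484000000::UIDHASH::Example User <user at example.invalid>::::::::::0:
ssb:u:4096:1:29240005AAD6C87A:1484000100::::::s:::D2760001240102010006000000000002:::23:
fpr:::::::::111111111111111129240005AAD6C87A:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1484000200::::::s:::D2760001240102010006000000000003:::23:
fpr:::::::::2222222222222222BBBBBBBBBBBBBBBB:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1484000300::::::e:::D2760001240102010006000000000001:::23:
fpr:::::::::3333333333333333CCCCCCCCCCCCCCCC:
"""


def parse_secret_listing(text):
    """Return one dict per sec/ssb record: type, keyid, caps, token, fpr."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec in ("sec", "ssb"):
            keys.append({
                "type": rec,
                "keyid": fields[4],
                "caps": fields[11],
                "token": fields[14] if len(fields) > 14 else "",
                "fpr": None,
            })
        elif rec == "fpr" and keys and keys[-1]["fpr"] is None:
            # The fpr record belongs to the sec/ssb record just before it.
            keys[-1]["fpr"] = fields[9]
    return keys


def signing_subkeys(keys):
    """Subkeys whose capability string contains 's' (signing)."""
    return [k for k in keys if k["type"] == "ssb" and "s" in k["caps"]]


def local_user_line(key):
    """gpg.conf line that forces exactly this subkey; the trailing '!' is
    what stops gpg from picking a different subkey of the same primary."""
    return f"local-user {key['fpr']}!"


def subkey_on_token(keys, serial):
    """The signing subkey whose secret part lives on the token with the
    given serial number, or None if that token holds no signing subkey."""
    for k in signing_subkeys(keys):
        if k["token"] == serial:
            return k
    return None


if __name__ == "__main__":
    keys = parse_secret_listing(SAMPLE_LISTING)
    for k in signing_subkeys(keys):
        print(f"token {k['token']}: {local_user_line(k)}")
```

Run it and each signing subkey is printed with its token serial and the exact "local-user <fingerprint>!" line to put into that machine's ~/.gnupg/gpg.conf; a key id with the "!" suffix, as in the post, works the same way, the fingerprint just removes any ambiguity between subkeys that share the short id.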
