Using Yubikey only to encrypt/sign

Peter Lebbing peter at digitalbrains.com
Tue Feb 19 11:23:52 CET 2019


On 18/02/2019 22:39, Farhan Khan via Gnupg-users wrote:
> $ gpg --list-secret-keys farhan at farhan.codes
> sec>  rsa2048 2019-02-18 [SCEA] [expires: 2021-02-17]

Ah, well, there's your problem.

You should not use your primary key for encryption; they invented
subkeys for that.

And with the smartcard, you come into the uncomfortable situation that
the smartcard will decline to decrypt with what it knows is a signature
key, and likewise decline to sign with what it knows is an encryption
key. But both those usages are this key, and there will only be one stub
in GnuPG, which will refer to either a smartcard signature key or a
smartcard encryption key, but not both.

The most straightforward solution is to create an RSA primary key that
does certification and signatures (usage: SC), and an RSA subkey that
does encryption (usage: E). My --full-gen-key calls this option "RSA and
RSA (default)".

You can then upload those keys to the correct slots in the smartcard (it
will decline to pick the wrong slot). But if you wish to use the on-disk
keys after that, and the smartcard somewhere else, you should "Quit
without save", because as you have experienced, it will *delete* the
on-disk key when you "Save and quit" and only use the smartcard key from
then on.

As an aside, I'll note that you could also create a primary key that can
only certify, and a separate subkey that does signatures. That way, you
can have only subkeys on your smartcard, and compromise of the system
you use the smartcard on will only allow the attacker to issue
signatures on documents, but not edit your key or issue signatures on
other /keys/. But this might not be necessary for you, it depends on
what threat model you envision.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190219/e7d3eb52/attachment-0001.sig>


More information about the Gnupg-users mailing list