gpg cards

ಚಿರಾಗ್ ನಟರಾಜ್ mailinglist at chiraag.me
Thu Jan 28 21:54:31 CET 2021


12021/00/27 02:03.62 ನಲ್ಲಿ, Philipp Schmidt <philipp at knutschmidt.de> ಬರೆದರು:
> Hello Everybody!
> 
> I have tried to something in the docs about this, but without success. For
> quite a while now, I am using a yubikey as gpg card and that is working really
> good. Since it is risky to have only one Key, I just purchased another one to
> create a clone of the first. So I went ahead and copied the very same keys from
> the backup to the second. But trying to actually use does not work, I get an
> error like: 'please insert card: […]' So.
> 
> What can I do to make gpg use the card as well (if possible) ?

Sorry, I don't know the answer to this one, since I've never tried it. One option is simply creating a separate key and encrypting to two distinct (sub)keys, which is what I would do. You don't want to have to get rid of _both_ keys if one is compromised in some way, and having two copies of the key makes it more likely that it will be compromised or lost or whatever.

> Another thing I would really love to know is: Is it possible to use the gpg
> card as smartcard for the system login as well? Right now I am using the PIV
> functionality of the yubikey, but would really prefer to use one system.
> Does anybody know if that is possible?

What I do is use my Yubikey for U2F so it functions as a secondary form of authorization. I do this for both login and screen unlocking using the libpam-u2f module. It looks like you can use libpam-poldi (http://www.g10code.com/p-poldi.html) if you want to use your Yubikey GPG key for primary authentication, but YMMV.

> Last but not least I am still on a quest for a setup to use Full Disk
> Encryption and Security Token to actually decrypt the Disk on boot.
> 
> Does anybody know if that is possible with a gpg card?

Possibly, but I haven't really looked into it.

> Thanks ahead for any kind of help.

Here's a bit of (unsolicited) advice: don't put all your eggs in one basket. I wouldn't use my GPG key to unlock my hard drive, log in, and decrypt _everything_ without having a foolproof way to get back in. In my case, for example, I use my Yubikey for everything as follows:

1. To unlock my LUKS-encrypted hard drives, I enter part of the passphrase from memory and use the yubikey for the rest. The data hard drive has a backup passphrase I never use since it's primarily unlocked by a keyfile stored in /root. The system hard drive has a backup passphrase that I don't ever use, but I also don't care since I can easily re-install the system.
2. To login, I use my Yubikey as U2F. Assuming I can get into my system HDD, I can always de-activate the U2F module to be able to get back in if my Yubikey fails.
3. I use my Yubikey as the primary key for pass, my password manager. I encrypt to a backup key that never leaves my laptop so I can still access the passwords should my Yubikey fail.

At *minimum*, you should have backup options for each thing you use the Yubikey for (assuming you don't want data loss). It's like with OTP codes - *always* save the backup codes :)

Sincerely,

Chiraag
-- 
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his
-------------- next part --------------
A non-text attachment was scrubbed...
Name: publickey - mailinglist at chiraag.me - b0c8d720.asc
Type: application/pgp-keys
Size: 659 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210128/56278219/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 233 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210128/56278219/attachment.sig>


More information about the Gnupg-users mailing list