If you put the subkeys on the YubiKey, you still should keep the primary private key around somewhere -- it is the only entity that can be used to revoke the keys, create new subkeys, modify user IDs, certify others' keys, ...
- How do I check that all 3 subkeys and no master-key is on the Yubikey 4?
- How do I check that no sensitive key-material is on the Computer?
To verify what's on the card, run `gpg --card-status`, which should print several lines of information, including three called "Signature key", "Encryption key" and "Authentication key". These should print your subkeys' fingerprints, not your primary key's fingerprint. Don't bother about the "General key info", which is a reference to your primary (public) key and is not stored on the card.
To verify the keys are not stored on your computer, run `gpg --list-secret-keys`. Secret keys stored on your computer are marked with `sec` (or `ssb` for subkeys); secret keys that are not available (for example, when you exported only secret subkeys by running `gpg --export-secret-subkeys`) are marked with `sec#`; and secret key stubs only available on an OpenPGP smartcard (like the one the YubiKey also implements) are marked with `ssb>`. Key stubs are simple references indicating that a key is not available or is stored on a smartcard, and do not include the actual private key.
- How can I use the same Yubikey on my 2nd machine (Linux) - do I have to import any certificates to GnuPG/GPA there?
To use the keys on another computer, you need to export the "secret subkey stubs" to this machine, which you can do by running `gpg --export-secret-subkeys [key-id]` (listing the primary key's ID). After importing on your new machine, you should not see a `sec` or `ssb`, but only `sec#` for the primary private key stub and `ssb>` for the subkey stubs.
- I first tried to create the keys with a live CD as suggested by various sources, but back in Windows Kleopatra didn't let me use my Yubikey. So I used Windows to create the keys and it worked - now I'm worried that secret keys are on the hard drive somewhere. lol If someone can point me in the right direction on how to get it working with key creation on a live CD and using it on the normal system, that would be awesome.
This reads like you didn't run `--export-secret-subkeys` as described above, so the GnuPG setup on the "regular" system didn't know about the private keys at all. The public keys are not stored on the card, anyway.
When using a live CD, be sure to create a persistent copy of the primary master key, stored in a safe place (you'll still need it!), and additionally a revocation certificate that is easily accessible for you in case you need to revoke the whole key and have lost access to the primary private key.
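The `sec`/`sec#`/`ssb>` markers above are the human-readable form; the same information is easier to check from a script with `gpg --list-secret-keys --with-colons`, where field 15 of a `sec` or `ssb` record is `#` for an unavailable key, the card's serial number for a key on a smartcard, and empty when the private key itself is in the local keyring. The following POSIX shell script is an added example, not code from the answer or from GnuPG: it classifies every secret key record and reports whether any real private key material is on disk. The two listings it runs against are constructed samples with placeholder key IDs, fingerprint, user ID and card serial, not output from a real keyring.

```shell
#!/bin/sh
# Added example: inspect the colon-format output of
# `gpg --list-secret-keys --with-colons` for private key material on disk.
# In sec/ssb records, field 15 is '#' for an unavailable key (a stub, shown
# as "sec#" in human-readable output), a card serial number when the key
# lives on an OpenPGP smartcard ("ssb>"), and empty when the private key
# itself is stored in the local keyring.

# Print "<type> <keyid> <state>" for every secret key record in the listing.
classify_secret_records() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "sec" || $1 == "ssb" {
            state = "on-disk"
            if ($15 == "#") state = "stub"
            else if ($15 != "") state = "on-card:" $15
            print $1, $5, state
        }'
}

# Succeed (exit 0) if any secret key or subkey is stored on disk, else exit 1.
has_secret_on_disk() {
    classify_secret_records "$1" | grep -q ' on-disk$'
}

# Constructed sample listing (placeholder key IDs, fingerprint and serial):
# the state expected on the second machine after importing the output of
# --export-secret-subkeys: primary key is a '#' stub, subkeys point at the card.
LISTING_CARD_ONLY='sec:u:4096:1:0123456789ABCDEF:1600000000:::u:::cESCA:::#:::23::0:
fpr:::::::::PLACEHOLDERFINGERPRINT00000123456789ABCDEF:
uid:u::::1600000000::PLACEHOLDERUIDHASH::Example User <user@example.org>::::::::::0:
ssb:u:4096:1:1111111111111111:1600000000::::::s:::D2760001240102010006000000010000:::23:
ssb:u:4096:1:2222222222222222:1600000000::::::e:::D2760001240102010006000000010000:::23:
ssb:u:4096:1:3333333333333333:1600000000::::::a:::D2760001240102010006000000010000:::23:'

# Constructed sample of the situation the asker worried about: keys were
# generated on this machine and the full private keys are still in the keyring.
LISTING_ON_DISK='sec:u:4096:1:0123456789ABCDEF:1600000000:::u:::cESCA::::::23::0:
ssb:u:4096:1:1111111111111111:1600000000::::::s::::::23:
ssb:u:4096:1:2222222222222222:1600000000::::::e::::::23:'

# Against the real keyring instead of the samples you would run:
#   has_secret_on_disk "$(gpg --list-secret-keys --with-colons)" && echo "private keys on disk"
if has_secret_on_disk "$LISTING_ON_DISK"; then
    echo "sample keyring still holds private key material:"
    classify_secret_records "$LISTING_ON_DISK"
fi
```

The check deliberately treats a `#` stub and a card reference differently from an empty field, because only the empty field means the keyring file contains the private key; after the export-and-import procedure from the answer, every record should come back as `stub` or `on-card:<serial>`.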