2

I have created an offline MASTER key along with sub keys. The sub keys were sent to the Yubikey smartcard via the gpg 'keytocard'. The gpg --card-status command correctly identifies the information showing the masterkey id as well as the sub keys.

I want to use this via Windows. So I downloaded Gpg4win. It installed a GUI Kleopatra.

In Kleopatra I IMPORTED my PUBLIC key. However, I am unable to encrypt/sign anything as it states that I am required to import a private key. I'm a bit confused, isn't that the point of the Yubikey (NOT having the private key on a hard drive that is online)? Isn't the Yubikey THE PRIVATE KEY, again so that I don't have to have the private key on the hard drive?

I redid this all testing with another Yubikey and imported the private key (that was suppose to be offline) and it works, but it also decrypts WITHOUT REQUIRING THE YUBIKEY.

Ideally what I want to have happen is that it is a REQUIREMENT to have the Yubikey inserted into the machine to be able to encrypt or decrypt a file or clipboard.

I further note that this test one when I imported the private key it asks me for the passphrase rather than inserting the Yubikey. Once I imported the private key the Yubikey is all but worthless.

Any suggestions specific to gpg for Windows / Kleopatra GUI?

user3330299
  • 51
  • 2
  • 5

1 Answers1

0

I had this same issue a few days ago. You'll need to export a stub of your private key to your PC. Basically, the stub tells your box that the private key is on a card and it should look for it there, then Kleopatra/GPG4Win will be able to utilize the private key properly.

EDIT:

This answer says it better than I did.

EDIT(2): Seems that link wasn't all I needed to accomplish this, in my setup it won't get stubs from the Yubikey so I had to get them from a machine that already had stubs for those subkeys (the one I created them on). I'll detail my steps here.

  1. Generate PGP master key (using Guybrush Threepwood as the real name)

    gpg2 --full-gen-key

  2. Generate subkeys to sign, encrypt, and authenticate.

    gpg2 --expert --edit-key Guybrush
addkey (follow prompts, repeat for all subkeys)

  3. Move sub keys to card (still inside --edit-key menu) (Note: this step actually removes the subkeys from your system)

    key1
keytocard
key 1
key 2
keytocard
key 2
key 3
keytocard
save

  4. Now that the subkeys are only on your Yubikey, export private key stubs for them.

    gpg2 -a -o subkeys.sec.asc --export-secret-subkeys Guybrush

  5. Securely move subkeys.sec.asc from your generating machine to your client machine (scp/sneakernet etc).

  6. From your client machine

    gpg --import subkeys.sec.asc

Now Kleopatra ought to show an entry for Guybrush Threepwood as a private key you control, and shouldn't allow you to sign/decrypt as him unless your Yubikey is inserted and PIN entered.

You might also find this Github README useful.

Disclaimer: I'm no expert on this, so if any comments arrive disputing my advice you ought to listen to them.

user8675309
  • 525
  • 3
  • 13
  • I read through that link that you provided and I don't understand how it is telling GPP4Win to look at the Yubikey. I tried running that --list-packets -verbose command and it doesn't work (it just says "processing message failed: unknown system error" I also want to add that I can EXPORT from Kleopatra my PRIVATE KEY. I confirmed it is my private sub key as I reviewed over the contents of the Kleopatra private key ASCII export with the one I did on the offline computer. They match identically. It didn't even prompt me for a PIN (and my Yubikey was not plugged into the machine). – user3330299 Dec 05 '17 at 18:29
  • Updated my answer, hopefully it's more useful now. – user8675309 Dec 05 '17 at 22:07
  • Very useful. One key thing is that the stubs are loaded when running 'gpg --card-status' which I didn't know. Awesome! – user3330299 Dec 08 '17 at 16:26