
I have switched from a YubiKey 4 to a YubiKey 5. Both have the same GPG keys stored. After storing the key on the first YubiKey, I fetched my public key so GPG knows where to look for the private key. Now I cannot fetch the key from the new YubiKey because the public key is already there.

How can I configure GPG so that it will find my private key on the new YubiKey? And, if it's possible, can both YubiKeys be configured at the same time so I can use them both?

Glorfindel

3 Answers


I have found a working solution with the help of the other answers.

I removed the "secret keys" (the link to the old YubiKey) with gpg --delete-secret-keys <ID> and then linked GPG to my new YubiKey with gpg --card-status while only the new one is attached. But I think this solution only works as expected if no secret subkey is stored on the machine / if all subkeys are managed by the YubiKey.


Expanding on this answer: It looks like the private keys stored on a smart card are shadowed (explanation of the format, which contains the card number) in the ~/.gnupg/private-keys-v1.d subfolder.

The files contained in ~/.gnupg/private-keys-v1.d have the name of the keygrip of the subkeys. I deleted them and at the next execution of gpg --card-status they got recreated, and now GPG expects the new smart card.

To summarize:

  1. Identify the keygrip of the keys you need to move, e.g. with

    gpg --with-keygrip -k
    pub   rsa4096 2020-03-21 [SC]
    B7FF63C625A1B25AFE61C54B2E81C65179077A0A
    [...]
    sub   rsa4096 2020-03-21 [E] [expires: 2025-03-20]
    Keygrip = A69CB750D1E4B7F3CE063031AED8C13AA2E8E7CB
    
  2. Make a backup of the ~/.gnupg folder, just for safety.

    cp -r ~/.gnupg ~/.gnupg.bak
    
  3. Remove the corresponding .key files:

    rm ~/.gnupg/private-keys-v1.d/A69CB750D1E4B7F3CE063031AED8C13AA2E8E7CB.key

  4. Regenerate the shadowed keys with:

    gpg --card-status


Then test it by encrypting and decrypting something. For instance:

    echo Success | gpg --encrypt --recipient <yourself> | gpg --decrypt

Tested on gpg 2.2.19 (Mint).
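The steps above, scripted, as an added example that is not part of either answer. It reads the keygrips from gpg's machine-readable --with-colons output (a "grp" record carries the keygrip in field 10) and deletes a stub only if its file is a card stub ("shadowed-private-key"), so a subkey whose private material actually lives on disk is left alone, which is the caveat raised in the first answer. The GNUPGHOME default and the sample usage at the bottom are assumptions.

```shell
#!/bin/sh
# Added example (not from the answers above): rebuild smart-card key stubs for a new card.
# Assumes the default layout $GNUPGHOME/private-keys-v1.d and gpg >= 2.1.
set -e

STUBDIR="${GNUPGHOME:-$HOME/.gnupg}/private-keys-v1.d"

# Read `gpg --with-colons --with-keygrip -k <ID>` output on stdin and print one
# keygrip per line. In a "grp" record the keygrip is field 10.
keygrips_from_colons() {
  awk -F: '$1 == "grp" && $10 != "" { print $10 }'
}

# remove_card_stubs <stubdir> <keygrip>...
# Delete <keygrip>.key only when it is a card stub (contains
# "shadowed-private-key"); real "private-key"/"protected-private-key" files
# are never touched. Prints each path it removed.
remove_card_stubs() {
  dir=$1
  shift
  for grip in "$@"; do
    f="$dir/$grip.key"
    [ -f "$f" ] || continue
    if grep -q 'shadowed-private-key' "$f"; then
      rm -- "$f"
      echo "$f"
    fi
  done
}

# Usage (needs gpg and only the NEW card inserted); KEYID is a placeholder:
#   cp -r "${GNUPGHOME:-$HOME/.gnupg}" "${GNUPGHOME:-$HOME/.gnupg}.bak"
#   grips=$(gpg --with-colons --with-keygrip -k "$KEYID" | keygrips_from_colons)
#   remove_card_stubs "$STUBDIR" $grips
#   gpg --card-status          # recreates the stubs pointing at the inserted card
#   echo Success | gpg --encrypt --recipient "$KEYID" | gpg --decrypt
```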


GPG stores files called key stubs that tell it on which card to search for a particular key. I've never seen a way to reference the same key on two different cards, but you should be able to delete the key stubs from your machine (check your gpg home directory) and, with only the new YubiKey inserted, check gpg --card-status to create new stubs that point to that gpg key on the new card.

If you're new to this process it wouldn't hurt to have a backup copy of your gpg directory somewhere before you delete anything.

EDIT: Alternate solutions here might be useful.

user8675309

Comment: Thank you, but I cannot find any key stubs. The post you referenced says that the key stubs are stored inside the ".private-keys-v1.d" directory, but this directory is empty on my machine, yet GPG still expects the old smartcard / YubiKey. I am using GPG version 2.1.18 on Debian Stretch btw. – Felix Stupp Mar 07 '19 at 14:54