I recently bought a Yubikey Neo which can act as an OpenPGP smart card. I'd like to use this to store my private GnuPG key. I've gone through the initial setup and I am able to use the smart card to sign and encrypt files. After the setup the smart card's key shows up in gpg --list-secret-keys output.

If I lost the GPG keyring (say if my hard-drive died) or I want to use it on multiple machines, how do I get GPG to use the smart card?

wdmssk
Askford

5 Answers

You need to run:

gpg --card-status

and gpg will do it for you:

/tmp$ mkdir gpgtmp
/tmp$ chmod go-rwx gpgtmp

/tmp$ GNUPGHOME=/tmp/gpgtmp gpg --keyserver pgp.mit.edu --recv F8713BDF 
gpg: sleutelring ‘/tmp/gpgtmp/secring.gpg’ is aangemaakt
gpg: sleutelring ‘/tmp/gpgtmp/pubring.gpg’ is aangemaakt
gpg: opvragen sleutel F8713BDF van hkp sleutelserver pgp.mit.edu
WARNING: gnome-keyring:: couldn't connect to: /run/user/robin/keyring-55e9Rg/pkcs11: No such file or directory
gpg: /tmp/gpgtmp/trustdb.gpg: trustdb created
gpg: sleutel F8713BDF: publieke sleutel “Robin Sheat <robin@kallisti.net.nz>” geimporteerd
gpg: no ultimately trusted keys found
gpg: Totaal aantal verwerkt: 1
gpg:               Geimporteerd: 1  (RSA: 1)

/tmp$ GNUPGHOME=/tmp/gpgtmp gpg --list-secret
*nothing here*

/tmp$ GNUPGHOME=/tmp/gpgtmp gpg --card-status
*snip boring card info*
General key info..: pub  2048R/F8713BDF 2013-09-24 Robin Sheat <robin@kallisti.net.nz>
sec>  2048R/F8713BDF  aangemaakt: 2013-09-24  vervaldatum: nooit     
*etc*

/tmp$ GNUPGHOME=/tmp/gpgtmp gpg --list-secret
/tmp/gpgtmp/secring.gpg
-----------------------
sec>  2048R/F8713BDF 2013-09-24
      Serienummer van de kaart = ....
uid                  Robin Sheat <robin@kallisti.net.nz>
*etc*
Robin Sheat
  • YES! Awesome. The key piece that I was missing was that I needed to import the public key first. Thank you! – Askford Nov 07 '13 at 23:21
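Added example, not code from any of the answers here: it scripts the recovery procedure from this answer (import the public key, then `gpg --card-status` to create the stubs) and adds a check that parses `gpg --list-secret-keys --with-colons` to confirm which secret keys are now card stubs rather than eyeballing `sec>` in the listing. The key IDs and card serial in the sample listing are constructed placeholders; the field-15 semantics follow GnuPG's doc/DETAILS.

```shell
#!/bin/sh
# Added example, not part of the original answers. In `gpg --list-secret-keys
# --with-colons` output, `sec`/`ssb` records carry the token serial number in
# field 15 when the private key lives on a smart card, "#" when the record is a
# stub with no usable secret key, and "+" or nothing when the secret key is on
# disk (field layout per GnuPG's doc/DETAILS).

# classify_secret_keys: read colon-format records on stdin, print "<keyid> <where>"
# for every secret primary key and subkey.
classify_secret_keys() {
    awk -F: '$1 == "sec" || $1 == "ssb" {
        serial = $15
        if (serial == "#")                      where = "stub-no-secret"
        else if (serial == "" || serial == "+") where = "on-disk"
        else                                    where = "card:" serial
        print $5, where
    }'
}

# recover_from_card: the recovery itself, run against a fresh keyring directory.
# Needs the card plugged in and the exported public key in $1; not run below.
recover_from_card() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --import "$1"                 # public key first, or no stubs get created
    gpg --card-status >/dev/null      # creates the sec>/ssb> stubs pointing at the card
    gpg --list-secret-keys --with-colons | classify_secret_keys
}

# Constructed sample listing (key IDs and card serial are placeholders): the primary
# key and one subkey on the card, one subkey that is a stub with no card behind it.
SAMPLE='sec:u:2048:1:0123456789ABCDEF:1379980800:::u:::scESCA:::D2760001240102000000000000000000:::23::0:
fpr:::::::::00000000000000000000000000000000000000FF:
uid:u::::1379980800::DEADBEEF::Example User <user@example.com>::::::::::0:
ssb:u:2048:1:FEDCBA9876543210:1379980800::::::e:::D2760001240102000000000000000000:::23:
ssb:u:2048:1:1111222233334444:1379980800::::::a:::#:::23:'

# demo: classify the constructed sample so the check can be exercised without a card.
demo() {
    printf '%s\n' "$SAMPLE" | classify_secret_keys
}

demo
```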
When you start with a fresh installation, you have two options:

  1. Plug in the smart card (Yubikey) and run

    gpg --card-edit
    fetch
    quit

    Then run gpg with the --card-status option to create the stubs for the secret keys:

    gpg --card-status

  2. Import your public key from a key server (the fetch command above does the same automatically), then

    gpg --card-status

The methods only differ in the way the public key is imported, i.e. automatically or manually.

Steven Volckaert
ARGYROU MINAS
When you set up a key-pair on a smart card, all the data needed for encryption, decryption and signing operations is stored on the card. Therefore, even after the loss of your keyring, you will be able to perform these operations by simply having your smart card to hand.

I recommend you don't simply take my word for it, though, and experiment yourself. Reconfigure GPG to look at an empty keyring directory and try to decrypt your important files using the smart card. You may need to import the certificates from the card to your keyring first; those steps depend on what key manager you're using.

deed02392
  • That's what I thought, but I can't find any documentation on re-importing certificates into gpg from a smartcard. Any suggestions? – Askford Nov 07 '13 at 16:39
  • I'm not following how I get `gpg` to know that the keys on the card are available for use. I would expect to do that somewhere in `--card-edit`, but I haven't been able to figure it out. – Askford Nov 07 '13 at 17:06
  • Can you do a `gpg --card-status` and note whether or not the keys are set? – deed02392 Nov 07 '13 at 17:14
  • Their stubs should appear in a `gpg -k` output. – deed02392 Nov 07 '13 at 17:20
  • `gpg --card-status` shows signature, encryption and authentication keys. But when I set `GNUPGHOME` to an empty directory, `gpg -k` does not show anything. – Askford Nov 07 '13 at 17:43
  • Same problem here, cannot get certificates back from card into the local keyring of a new computer. All the documented solutions involve the key server. What if I don't want to post my certificate online? – Toluene Nov 24 '17 at 09:55
@Askford - I assume after 3 years you managed to resolve this?

For anyone else having similar issues what worked for me is:

gpg2 --import public_key.key

This brought all of my keys back from a fresh install and only the Yubikey

This command gave me:

gpg2 --import key.asc 
gpg: key 0AAD23DD518496D1: public key "Lee Fenlan <lee@fenlan.uk>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Then gpg2 -k gave me:

---------------------------------
pub   rsa4096 2016-08-09 [SC]
      7F5F963D411B8E2FC7BB33150AAD23DD518496D1
uid           [ unknown] Lee Fenlan <lee@fenlan.uk>
sub   rsa4096 2016-08-09 [S]
sub   rsa4096 2016-08-09 [E]
sub   rsa4096 2016-08-09 [A]

Now if I try to encrypt / decrypt / sign or ssh to anything that requires my private keys, it all works as expected.

Lee
According to the Yubico site, you can't get either public or private keys off of the device, so in addition to having your Neo, you'll need to make sure that your keyring has the corresponding private keys generated during device initialization.

In other words, just having the device is not enough.

mricon
  • I don't want to get the private key off the smartcard, I just want to be able to continue to use the keys that are on it. – Askford Nov 07 '13 at 21:00
  • You can use the private keys that are on it, but not their public counterparts -- since they aren't stored on the yubikey. E.g. if you want to encrypt to yourself when sending an email (so you can read it later), you have to have your public key, which is stored in your ~/.gnupg/pubring.gpg. – mricon Nov 07 '13 at 21:58
  • Sure. The public key will be on keyservers so I'm not worried about that. But I still don't know how to get `gpg` to actually *use* the smartcard from a fresh install without generating new keys. – Askford Nov 07 '13 at 22:05
  • _Not_ having the private keys in the keyring is the entire point of having a smartcard. – Phil Frost Jan 24 '19 at 15:45