> readers. I found that gpg is not able to locate a card if more than one
> reader is present and somehow always defaults to the first card it
> sees. To mitigate this I had to always remove the reader along with
> the card, and then of course reinsert it. May it be that
> gpg expects cards to be in the same reader?
So far I was not able to get gpg working with a subkey generated on the card, due to the above-mentioned problem. However, you can use a secure machine (I used the Tails distribution on a write-protected flash drive), generate the subkeys on file and then transfer them to the individual cards/tokens. This worked well, with only a few exceptions:

1. Between loading the next card I sometimes had to wipe ~/.gnupg completely and reload the public key there following "gpg2 --card-status". But anyway, it is also a good way to check your keys before wiping the memory. I also uploaded the public keys to the keyserver right from Tails once I had verified they were OK.

2. You need to use "--local-user" to specify which subkey to use for signing, e.g. "local-user 0x29240005AAD6C87A!". The exclamation mark is essential here. Otherwise gpg will try to choose the latest available subkey, as I understood, or complain that it is not available. I put it into my ~/.gnupg/gpg.conf.

Overall, after those manipulations I have a primary plastic card and 2 separate YubiKey tokens for signing only. The tokens are permanently installed in each of the systems I use. Besides that, after additional configuration [1] the YubiKey requires touching its sensor as a presence check each time a crypto operation is done using the secret key material.

I have some empty cards left along with a few readers, so I can continue troubleshooting it further. Maybe we can make it work with cards in separate readers.

[1] https://gist.github.com/a-dma/797e4fa2ac4b5c9024cc

Anton.

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
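The "!" suffix behaviour from point 2 can be checked in a throwaway keyring before touching a real card. The script below is an added example, not code from the post or from GnuPG; it assumes gpg 2.1+ and gpgconf are installed, and the key names and message are constructed.

```shell
# Added example (not from the original post): show that "--local-user <keyid>!"
# pins signing to exactly that subkey. Uses a temporary GNUPGHOME, so ~/.gnupg
# is never touched. Assumes gpg 2.1+ and gpgconf are on PATH.
set -eu

GNUPGHOME=$(mktemp -d); export GNUPGHOME
chmod 700 "$GNUPGHOME"
# Remove the throwaway keyring and its agent when the shell exits.
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# Non-interactive gpg: batch mode with an empty passphrase over loopback pinentry.
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# One certify-only primary key plus two signing-only subkeys (constructed test key).
g --quick-generate-key 'Example <example@example.invalid>' ed25519 cert never
FPR=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')
g --quick-add-key "$FPR" ed25519 sign never
g --quick-add-key "$FPR" ed25519 sign never

# Key IDs of the two signing subkeys in keyring order (colon field 5 is the key ID).
SUB_OLD=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="sub"{print $5}' | sed -n 1p)
SUB_NEW=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="sub"{print $5}' | sed -n 2p)

# Sign a constructed message with the given --local-user selector and return
# the key ID recorded in the resulting signature packet.
signing_keyid_for() {
    printf 'constructed test message\n' \
      | g --local-user "$1" --detach-sign \
      | gpg --batch --list-packets \
      | sed -n 's/.*keyid \([0-9A-Fa-f]*\).*/\1/p' | head -n 1
}

echo "old subkey, pinned with '!': $(signing_keyid_for "${SUB_OLD}!")  (expect $SUB_OLD)"
echo "new subkey, pinned with '!': $(signing_keyid_for "${SUB_NEW}!")  (expect $SUB_NEW)"
echo "old subkey id, no '!'      : $(signing_keyid_for "$SUB_OLD")  (gpg chooses the subkey)"
```

The same check works against a real card: sign with `--local-user <subkey>!` and confirm with `gpg --list-packets` that the signature names the subkey you intended.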
