On 12021/00/27 02:03.62, Philipp Schmidt <phil...@knutschmidt.de> wrote:
> Hello Everybody!
>
> I have tried to find something in the docs about this, but without success. For
> quite a while now, I am using a yubikey as gpg card and that is working really
> well. Since it is risky to have only one key, I just purchased another one to
> create a clone of the first. So I went ahead and copied the very same keys from
> the backup to the second. But trying to actually use it does not work, I get an
> error like: 'please insert card: […]' So.
>
> What can I do to make gpg use the card as well (if possible)?

Sorry, I don't know the answer to this one, since I've never tried it. One option is simply creating a separate key and encrypting to two distinct (sub)keys, which is what I would do. You don't want to have to get rid of _both_ keys if one is compromised in some way, and having two copies of the key makes it more likely that it will be compromised or lost or whatever.

> Another thing I would really love to know is: Is it possible to use the gpg
> card as smartcard for the system login as well? Right now I am using the PIV
> functionality of the yubikey, but would really prefer to use one system.
> Does anybody know if that is possible?

What I do is use my Yubikey for U2F so it functions as a secondary form of authorization. I do this for both login and screen unlocking using the libpam-u2f module. It looks like you can use libpam-poldi (http://www.g10code.com/p-poldi.html) if you want to use your Yubikey GPG key for primary authentication, but YMMV.

> Last but not least I am still on a quest for a setup to use Full Disk
> Encryption and Security Token to actually decrypt the Disk on boot.
>
> Does anybody know if that is possible with a gpg card?

Possibly, but I haven't really looked into it.

> Thanks ahead for any kind of help.

Here's a bit of (unsolicited) advice: don't put all your eggs in one basket. I wouldn't use my GPG key to unlock my hard drive, log in, and decrypt _everything_ without having a foolproof way to get back in. In my case, for example, I use my Yubikey for everything as follows:

1. To unlock my LUKS-encrypted hard drives, I enter part of the passphrase from memory and use the yubikey for the rest. The data hard drive has a backup passphrase I never use since it's primarily unlocked by a keyfile stored in /root. The system hard drive has a backup passphrase that I don't ever use, but I also don't care since I can easily re-install the system.

2. To log in, I use my Yubikey as U2F. Assuming I can get into my system HDD, I can always de-activate the U2F module to be able to get back in if my Yubikey fails.

3. I use my Yubikey as the primary key for pass, my password manager. I encrypt to a backup key that never leaves my laptop so I can still access the passwords should my Yubikey fail.

At *minimum*, you should have backup options for each thing you use the Yubikey for (assuming you don't want data loss). It's like with OTP codes - *always* save the backup codes :)

Sincerely,
Chiraag

--
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his
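One way to check the libpam-u2f part of that advice, as an added example that is not part of this thread: a small audit of a pam-u2f authfile that flags every user with fewer than two registered tokens, i.e. no backup Yubikey for login. The file path, user names and all key material below are constructed placeholders; the line format assumed is pam-u2f's `user:KeyHandle,PublicKey[,CoseType,Options]:KeyHandle,PublicKey...` convention.

```python
"""Audit a pam-u2f authfile for users who have no backup token registered.

Added example, not code from the original mailing-list post. Assumed format
(pam-u2f authfile convention): one line per user, credentials separated by
':' and the fields inside one credential separated by ','.
"""

# Constructed sample standing in for /etc/u2f_mappings; handles and keys are fake.
SAMPLE_AUTHFILE = """\
# constructed sample of /etc/u2f_mappings
alice:khA1,pkA1,es256,+presence:khA2,pkA2,es256,+presence
bob:khB1,pkB1
carol:
"""


def parse_authfile(text):
    """Return {user: [(key_handle, public_key), ...]} for every mapped user."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        creds = []
        for cred in rest.split(":"):
            if not cred:  # "user:" with no credential at all
                continue
            fields = cred.split(",")
            # A credential needs at least a key handle and a public key;
            # newer files append the COSE type and option flags after them.
            if len(fields) < 2 or not fields[0] or not fields[1]:
                raise ValueError(f"malformed credential for {user!r}: {cred!r}")
            creds.append((fields[0], fields[1]))
        users[user] = creds
    return users


def users_without_backup(users, minimum=2):
    """Users registered with fewer than `minimum` tokens (default: no spare key)."""
    return sorted(u for u, creds in users.items() if len(creds) < minimum)


if __name__ == "__main__":
    parsed = parse_authfile(SAMPLE_AUTHFILE)
    for user in users_without_backup(parsed):
        print(f"{user}: {len(parsed[user])} token(s) registered, no backup")
```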
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users