Re: gpg cards

2021-01-29 Thread Werner Koch via Gnupg-users

> ahead and copied the very same keys from the backup to the second. But
> trying to actually use does not work, I get an error like: 'please
> insert card: […]' So.
>
> What can I do to make gpg use the card as well (if possible) ?

You see the prompt because gpg knows that you already used the first card
and asks for that card.  The alternative would be to check whether the
currently inserted card can be used, even though its serial number does
not match.  IIRC, we have implemented this in 2.3 to be released in the
next few weeks.

What you can do with 2.2 is to delete the stub file which stores the
serial number:

  gpg --with-keygrip -K

shows you the keygrip of the respective file.  Now check whether the
file ~/.gnupg/private-keys-v1.d/.key has the string
"shadowed-private-key".  If so, delete this file and run
"gpg --card-status".

Such a file might look like this:

--8<---cut here---start->8---
Token: 276000124010200FFFE372F791 OPENPGP.1
Label: My signing yellow signing yoken
Key: (shadowed-private-key (ecc (curve Ed25519)(flags eddsa)(q
  #40CFBE4795E91CD7A26185F23430A7445712DD93185C3023B4646E963010263697#)
 (shadowed t1-v1 (#D276000124010200FFFE372F791# OPENPGP.1
--8<---cut here---end--->8---

which can be edited, or it might be some binary gibberish.  In any case
you should be able to check for the "shadowed-private-key" string.  Note
that such a file exists for each key.

> Another thing I would really love to know is: Is it possible to use
> the gpg card as smartcard for the system login as well? Right now I am

You can use the poldi PAM module but it is somewhat limited.  For proper
support we would need to modify the screen locker and the display
manager.

> Last but not least I am still on a quest for a setup to use Full Disk
> Encryption and Security Token to actually decrypt the Disk on boot.

I have used my card for many years for an encrypted partition.  The tool
is called g13 but it is not very polished and not easy to install.  When
building gnupg add --enable-g13 to configure.  We have an open task to
write a bit of documentation: https://dev.gnupg.org/T3423 .  What's also
missing are features to replace or add OpenPGP keys to a partition so
that you can use several cards or a symmetric key for decryption (of
the actual dmcrypt key).


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
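The stub-file check from Werner's reply, scripted as an added example (not code from Werner or from GnuPG): it reads the keygrips out of "gpg --with-keygrip -K", looks up each ~/.gnupg/private-keys-v1.d/<keygrip>.key, and moves aside only the files carrying the "shadowed-private-key" marker (real private keys are left untouched) before running "gpg --card-status". It assumes the standard GNUPGHOME layout and the "Keygrip = ..." lines of the gpg listing; the stub contents in the comments are constructed.

```shell
#!/bin/sh
# Added example: retire card stubs so gpg-agent re-learns the key from the
# currently inserted card.  Stubs are moved, not deleted, so the step can
# be undone by moving the file back.
GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
PRIVDIR="$GNUPGHOME/private-keys-v1.d"

# keygrips_from_listing: read "gpg --with-keygrip -K" output on stdin and
# print one 40-hex-digit keygrip per line (the "Keygrip = ..." lines).
keygrips_from_listing() {
    sed -n 's/^[[:space:]]*Keygrip = \([0-9A-Fa-f]\{40\}\).*$/\1/p'
}

# stub_kind FILE: "shadowed" if FILE is a card stub (textual or binary, grep -q
# only tests the match status), "private" if it holds a real private key,
# "missing" if there is no such file.
stub_kind() {
    [ -f "$1" ] || { echo missing; return 0; }
    if grep -q 'shadowed-private-key' "$1"; then echo shadowed; else echo private; fi
}

# retire_stub FILE: move a shadowed stub out of the way and return 0;
# return 1 (and change nothing) for a real private key or a missing file.
retire_stub() {
    case "$(stub_kind "$1")" in
        shadowed) mv -- "$1" "$1.retired.$(date +%s)" ;;
        *) return 1 ;;
    esac
}

# main: retire every shadowed stub, then let gpg learn the keys from the card.
main() {
    gpg --with-keygrip -K | keygrips_from_listing | while read -r grip; do
        f="$PRIVDIR/$grip.key"
        if retire_stub "$f"; then
            echo "retired stub $f"
        else
            echo "kept $f ($(stub_kind "$f"))"
        fi
    done
    gpg --card-status
}

# Only touch the real keyring when explicitly asked: sh script.sh --run
[ "${1:-}" = "--run" ] && main
```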

Re: gpg cards

2021-01-28 Thread ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users
On 12021/00/27 02:03.62, Philipp Schmidt wrote:
> Hello Everybody!
> 
> I have tried to something in the docs about this, but without success. For
> quite a while now, I am using a yubikey as gpg card and that is working really
> good. Since it is risky to have only one Key, I just purchased another one to
> create a clone of the first. So I went ahead and copied the very same keys from
> the backup to the second. But trying to actually use does not work, I get an
> error like: 'please insert card: […]' So.
> 
> What can I do to make gpg use the card as well (if possible) ?

Sorry, I don't know the answer to this one, since I've never tried it. One 
option is simply creating a separate key and encrypting to two distinct 
(sub)keys, which is what I would do. You don't want to have to get rid of 
_both_ keys if one is compromised in some way, and having two copies of the key 
makes it more likely that it will be compromised or lost or whatever.

> Another thing I would really love to know is: Is it possible to use the gpg
> card as smartcard for the system login as well? Right now I am using the PIV
> functionality of the yubikey, but would really prefer to use one system.
> Does anybody know if that is possible?

What I do is use my Yubikey for U2F so it functions as a secondary form of 
authorization. I do this for both login and screen unlocking using the 
libpam-u2f module. It looks like you can use libpam-poldi 
(http://www.g10code.com/p-poldi.html) if you want to use your Yubikey GPG key 
for primary authentication, but YMMV.

> Last but not least I am still on a quest for a setup to use Full Disk
> Encryption and Security Token to actually decrypt the Disk on boot.
> 
> Does anybody know if that is possible with a gpg card?

Possibly, but I haven't really looked into it.

> Thanks ahead for any kind of help.

Here's a bit of (unsolicited) advice: don't put all your eggs in one basket. I 
wouldn't use my GPG key to unlock my hard drive, log in, and decrypt 
_everything_ without having a foolproof way to get back in. In my case, for 
example, I use my Yubikey for everything as follows:

1. To unlock my LUKS-encrypted hard drives, I enter part of the passphrase from 
memory and use the yubikey for the rest. The data hard drive has a backup 
passphrase I never use since it's primarily unlocked by a keyfile stored in 
/root. The system hard drive has a backup passphrase that I don't ever use, but 
I also don't care since I can easily re-install the system.
2. To log in, I use my Yubikey as U2F. Assuming I can get into my system HDD, I 
can always de-activate the U2F module to be able to get back in if my Yubikey 
fails.
3. I use my Yubikey as the primary key for pass, my password manager. I encrypt 
to a backup key that never leaves my laptop so I can still access the passwords 
should my Yubikey fail.

At *minimum*, you should have backup options for each thing you use the Yubikey 
for (assuming you don't want data loss). It's like with OTP codes - *always* 
save the backup codes :)

Sincerely,

Chiraag
-- 
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his



Re: gpg cards

2021-01-28 Thread jman


Hi!

Philipp Schmidt  writes:


> I have tried to something in the docs about this, but without
> success. For quite a while now, I am using a yubikey as gpg card and
> that is working really good. Since it is risky to have only one Key, I
> just purchased another one to create a clone of the first. So I went
> ahead and copied the very same keys from the backup to the second. But
> trying to actually use does not work, I get an error like: 'please
> insert card: […]' So.


This is a known issue; have a look here [0].


> What can I do to make gpg use the card as well (if possible) ?


You can follow the guide in that repository and move your private key to
the Yubikey (be careful, once there the key *cannot* be moved anywhere
else) and configure gpg to retrieve the key there (I think by adding
`use-agent` in the gpg.conf file). Feel free to have a look here [1]


> Another thing I would really love to know is: Is it possible to use
> the gpg card as smartcard for the system login as well? Right now I am
> using the PIV functionality of the yubikey, but would really prefer to
> use one system.


AFAIK it is possible using the Yubikey PAM module [2] but never tested
and I don't know if it works for all use cases.


> Last but not least I am still on a quest for a setup to use Full Disk
> Encryption and Security Token to actually decrypt the Disk on boot.


Off the top of my head I can think of a setup using LUKS volumes but don't have
specific advice on the matter.

cheers,


[0] https://github.com/drduh/YubiKey-Guide/issues/19#issuecomment-458663857
[1] https://git.sr.ht/~jman/dotfiles/tree/master/item/gnupg/.gnupg
[2] https://developers.yubico.com/yubico-pam/
