Any GPG / PGP experts on here?

TangoEchoAlpha

TangoEchoAlpha

TangoEchoAlpha

Associate
Joined
13 Jun 2016
Posts
1,519
Location
UK
I could use some help please :)

I was previously running Manjaro and had my keys setup with GPG. The keys were stored in ~/.gnupg and I saved the private key to a Yubikey 5 NFC. As a precaution, I exported the private key and public key, then saved them as attachments inside a KeePass database.

Whenever I encrypted a file from the command line my Manjaro setup automatically read the public key from the key database in .gnupg - when I decrypted a file, Plasma would ask me to insert my Yubikey, I'd type in the user PIN and the private key would be read from the Yubikey.

I can't find my notes about how I set this up and I have changed distros to a Gnome based one, so I am trying to get my PGP keys working as before in a new setup, either with the command line or Seahorse.

I also have my old SSD so I have tried copying the .gnupg directory contents to my new ~/.gnupg directory, but this doesn't work.

Could anyone give me any pointers on how to import my keys and replicate my old setup?

Ta :D

EDIT: I have imported my keys now, trusted the old public key. Not sure how I now get GPG/Seahorse to allow me to use the Yubikey as the private key, at the moment the private key is in GPG and I have to enter the passphrase. I'd like to me able to insert the Yubikey and type in the user PIN?
 
Last edited:
Something like using the addtocard command in gpg to transfer them to the yubikey? I believe that only leaves a pointer/stub to the private key on your keyring, telling gpg that the full key is on a certain yubikey, so you'd need the yubikey to provide the private key when needed, and it should prompt for it when needed.

The yubikey needs to be set up to generate the same type and length of key as well, otherwise the transfer will fail. I think it defaults to RSA 2048 bit, so if your private key is anything other than this, you'll need to use this to reprogram the yubikey (i changed mine to elliptic curve, and it works fine): https://docs.yubico.com/software/yubikey/tools/ykman/
 
@lord filbuster Thanks for taking the time to reply. Was able to sort it by running:

Code: 
gpg-connect-agent "scd serialno" "learn --force" /bye

Now when I list the private keys, the secret keys have a > to show they are on an external device. I think I will need to restart the GPG and scdaemon daemons for it to no longer use the private key in the local key ring?
 
TangoEchoAlpha said:
@lord filbuster Thanks for taking the time to reply. Was able to sort it by running:

Code: 
gpg-connect-agent "scd serialno" "learn --force" /bye

Now when I list the private keys, the secret keys have a > to show they are on an external device. I think I will need to restart the GPG and scdaemon daemons for it to no longer use the private key in the local key ring?
Click to expand...
Yeah, I think so. I had to fudge it and force delete the private key on the local keyring, otherwise it just always tried to use the local key. I think the addkey command was supposed to delete the local key, but it never did for some reason. After I did that and ran the same command you did, I got the same result, with the key showing the yubikey serial and the >, and it worked flawlessly after restarting the daemons.
 
lord filbuster said:
Yeah, I think so. I had to fudge it and force delete the private key on the local keyring, otherwise it just always tried to use the local key. I think the addkey command was supposed to delete the local key, but it never did for some reason. After I did that and ran the same command you did, I got the same result, with the key showing the yubikey serial and the >, and it worked flawlessly after restarting the daemons.
Click to expand...
Thanks, after a reboot everything worked swimmingly. Had to insert my Yubikey and enter the user PIN - thanks again :)
 
You must log in or register to reply here.
Back
Top Bottom