Here's my use case: I've got three gpg card devices (yubikeys). Each of them has got their own set of authentication and signing keys, plus a shared encryption key. And the last one proves not only to be user unfriendly, but outright user abusive, because you have to jump through hoops to make it work:
- You have to back up the encryption key's private key - because you can only move a key to a card (deleting it from the fs in the process), not copy it. So you have to reimport the private key to move it to the next device.
- If you swap your card device, the encryption key won't work, although it's the same on both devices - because gpg stores the card id in a stub key. If you try to use the encryption key after swapping the devices, gpg asks to insert the original key.
- To solve this problem you have to jump through another hoop: get the so-called keygrip of the key (gpg --with-keygrip --list-key). If you've got it, you search for the private key stub in .gnupg/private-keys-v1.d/; the file is <keygrip>.key. Delete the file. Oh, and don't forget to restart gpg-agent, otherwise you'll get strange errors. After that gpg is getting the stub from the card device and encryption is working again - till the next time you change the device.
WTF? Is this really such an obscure use case (multiple card devices)? Why do you have to do such completely counterintuitive and not very well documented steps?
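The stub-removal procedure described in the post, written out as a small POSIX shell helper. This is an added example, not code from the original post or from the GnuPG project: it assumes the GnuPG 2.1+ layout (`$GNUPGHOME/private-keys-v1.d/<keygrip>.key`, defaulting to `~/.gnupg`), that `gpgconf` is available to restart the agent, and that `gpg --card-status` will make the agent read the currently inserted card and recreate the stub. The function names are my own. Keygrips are found from the machine-readable colon listing, where each `pub`/`sub` record is followed by a `grp` record carrying its keygrip, so only subkeys with the encryption capability (`e`) are touched.

```shell
#!/bin/sh
# Added example, not part of the original post or of GnuPG itself.
# Forget the card-bound stub of the shared encryption subkey so that gpg
# re-learns it from whichever card is currently inserted.

# Print the keygrips of all (sub)keys with encryption capability for KEYID.
# In --with-colons output field 12 of a pub/sub record is its capability set,
# and the following "grp" record carries the keygrip in field 10.
list_encryption_keygrips() {
    gpg --batch --with-colons --with-keygrip --list-keys "$1" | awk -F: '
        $1 == "pub" || $1 == "sub" { cap = $12 }
        $1 == "grp" && cap ~ /e/   { print $10 }
    '
}

# Remove the stub file for one keygrip under $GNUPGHOME (default ~/.gnupg).
# Exit status: 0 = stub removed, 1 = no stub present, 2 = not a valid keygrip.
forget_card_stub() {
    keygrip=$1
    home=${GNUPGHOME:-$HOME/.gnupg}
    # A keygrip is exactly 40 hex characters; refuse anything else so the
    # path we delete is never built from unexpected input.
    case $keygrip in
        ""|*[!0-9A-Fa-f]*) return 2 ;;
    esac
    [ "${#keygrip}" -eq 40 ] || return 2
    stub="$home/private-keys-v1.d/$keygrip.key"
    if [ -f "$stub" ]; then
        rm -f -- "$stub"
        return 0
    fi
    return 1
}

# Restart the agent so it drops its cached view of the old stub, then let gpg
# read the inserted card and recreate the stub from it.
relearn_from_card() {
    gpgconf --kill gpg-agent
    gpg --card-status >/dev/null
}

# Usage: sh forget-stub.sh <key-id-or-email>   (run with the *new* card inserted)
if [ -n "${1:-}" ]; then
    for g in $(list_encryption_keygrips "$1"); do
        if forget_card_stub "$g"; then
            echo "removed stub for keygrip $g"
        fi
    done
    relearn_from_card
fi
```

Run it once after swapping cards; the next encryption operation will then prompt for the card that is actually inserted rather than the one the old stub remembered.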