Create backup Yubikey with identical PGP keys

found this blurb which says that theres a command you can run which will essentially tell your local gpg app to scan the new card and use that instead if things gel. so in the case of using a backup card, not the worst case to run an "init" to make it work.

https://forum.yubico.com/viewtopic38a1.html?f=35&t=2400

Running

gpg-connect-agent "scd serialno" "learn --force" /bye

will update the secret key stubs for the PGP keys on the currently inserted key. So running that after key insertion will cause gpg to use the currently inserted key.


After a lot trial and error, I finally found a way to achieve this. Here is an answer to my own question in case it helps someone :

The trick was to not try to export the same subkeys to the two Yubikeys (gpg doesn't like that) but to generate different subkeys. In my keyring I have 6 subkeys : 3 for the main Yubikey (Sign, Encrypt, Auth) and 3 for the backup Yubikey. I exported the corresponding private keys to the Yubikeys, which this time didn't need the hack to restore a backup of .gnupg. Finally, I encrypt my files using both public keys, so I can decrypt them with either Yubikeys :

gpg -e -r [keyid1]! -r [keyid2]! [file]

Don't forget the exclamation mark at the end of each key id. Otherwise, for some reason, gpg will understand that for each recipient you want "some key in the same keyring" and will select the same key twice by default.

Now gpg will accept either private key to decrypt the file. In case of Yubikeys, it will ask you to plug the first one, and if you cancel, it will ask for the second one, so you can use either one. I specified the main key in the first -r so gpg directly ask for the main Yubikey and won't bother me with the backup one. To make things simpler, I aliased the whole gpg command with both keyids to yk_encrypt.


Instead of backing up an entire directory you can export (create a backup copy of) the key using e.g.

gpg -a -o seckey.asc --export-secret-key ABCD1234

and import it again (after moving to first card) with

gpg --import seckey.asc

GPG is asking for the specific card because after it moves the key to the card it stores a key stub on your system, which ties that key to that card. If you delete the key from gpg (e.g. gpg --delete-secret-and-public-key ABCD1234) and the reference (One of potentially many in e.g.

C:\users\someUser\AppData\Roaming\gnupg\private-keys-v1.d or

/home/someUser/.gnupg/private-keys-v1.d

) then you can insert the backup Yubikey and

gpg --card-status

to create a stub referencing that key on the second Yubikey instead of the first.

You could also just keep the exported key secure and use that as your backup, but that wasn't the question asked.

Tags:

Gnupg

Pgp

Yubikey