mirror of https://github.com/drduh/YubiKey-Guide.git synced 2025-01-23 21:10:55 +00:00

closes #19 Multiple Yubikeys and mac dependencies

* Adding part describing how to use multiple Yubikeys with the same keyset.
* Changed from `ykpers` to `ykman` as it is more feature complete.
* Added `pinentry-mac` which is preferable as it works with GUI.
This commit is contained in:
Elias Gabrielsson 2017-11-08 23:50:06 +01:00
parent ed1c2fdfa6
commit a5fd0672dd


@ -34,9 +34,9 @@ If you have a comment or suggestion, please open an [issue](https://github.com/d
- [Set card information](#set-card-information) - [Set card information](#set-card-information)
- [Transfer keys](#transfer-keys) - [Transfer keys](#transfer-keys)
- [Signature key](#signature-key) - [Signature key](#signature-key)
- [Encryption key](#encryption-key-1) - [Encryption key](#encryption-key)
- [Authentication key](#authentication-key-1) - [Authentication key](#authentication-key)
- [Check your work](#check-your-work-1) - [Check your work](#check-your-work)
- [Export public key](#export-public-key) - [Export public key](#export-public-key)
- [Finish](#finish) - [Finish](#finish)
- [Using keys](#using-keys) - [Using keys](#using-keys)
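Review bot: the three anchor edits in this hunk (`#encryption-key-1` to `#encryption-key`, `#authentication-key-1` to `#authentication-key`, `#check-your-work-1` to `#check-your-work`) sit under the Transfer keys sub-list, where the headings repeat names already used under Creating keys; the generated slug for a second heading of the same name carries the `-1` suffix, so dropping it would make these entries jump to the first occurrence instead. Check that the target headings were actually renamed before removing the suffix, otherwise keep the `-1` forms.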
@ -55,6 +55,7 @@ If you have a comment or suggestion, please open an [issue](https://github.com/d
- [Copy public key to server](#copy-public-key-to-server) - [Copy public key to server](#copy-public-key-to-server)
- [Connect with public key authentication](#connect-with-public-key-authentication) - [Connect with public key authentication](#connect-with-public-key-authentication)
- [Requiring touch to authenticate](#requiring-touch-to-authenticate) - [Requiring touch to authenticate](#requiring-touch-to-authenticate)
- [Using multiple Yubikeys for same GPG-keyset](#using-multiple-yubikeys-for-same-gpg-keyset)
- [Troubleshooting](#troubleshooting) - [Troubleshooting](#troubleshooting)
- [Yubikey OTP Mode and cccccccc....](#yubikey-otp-mode-and-cccccccc) - [Yubikey OTP Mode and cccccccc....](#yubikey-otp-mode-and-cccccccc)
- [References](#references) - [References](#references)
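Review bot: the new entry's text, "Using multiple Yubikeys for same GPG-keyset", reads better as "Using multiple Yubikeys for the same GPG keyset"; if it is reworded, change the heading and this TOC line together so the anchor `#using-multiple-yubikeys-for-same-gpg-keyset` is regenerated to match, since the slug is derived from the heading text.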
@ -150,7 +151,9 @@ You will need to install the following software:
1. [Homebrew](https://brew.sh/) package manager 1. [Homebrew](https://brew.sh/) package manager
2. The following brew packages: 2. The following brew packages:
$ brew install gnupg yubikey-personalization ```
$ brew install gnupg yubikey-personalization
```
# Creating keys # Creating keys
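Review bot: the only change in this hunk is wrapping `brew install gnupg yubikey-personalization` in a code fence, but the commit message says `ykpers` was replaced by `ykman` and `pinentry-mac` was added; neither package appears here, and `yubikey-personalization` (the ykpers formula) is still the one installed. Either the install line is missing from this commit or the message overstates the change; please reconcile the two. A language tag on the fence (for example ```` ```shell ````) would also give the block syntax highlighting.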
@ -1201,6 +1204,27 @@ To require a touch for the signing and encrypting keys as well:
The Yubikey will blink when it's waiting for the touch. The Yubikey will blink when it's waiting for the touch.
## Using multiple Yubikeys for same GPG-keyset
To use multiple Yubikeys (backup etc.) with same GPG-keyset repeat part [Transfer keys](#transfer-keys) for each additional key.
When executing `gpg --card-status` the inserted Yubikeys serial number will be associated to the secret keys and form stub keys. (This can be shown by running `gpg -K`, the # in sec# and the > in ssb> indicate keys are stubs and are stored on a smartcard.) If another Yubikey with different serial number is used after that this error will be shown:
`Please insert the car with serial number: [Assosiated serial number]`
The way around this is to remove the old association by deleting the files holding it and run `gpg --card-status` again. To make this handy use the script below when connecting a new Yubikey. The script needs to be **modified** to match your specific keys and having correct path to the `gpg` executable. The key filenames can be found by using `gpg --with-keygrip -K`, look for "keygrip =" and compare it to files found in `~/.gnupg/private-keys-v1.d/`
```
#!/bin/bash
{
rm -f $HOME/.gnupg/private-keys-v1.d/REPLACE_WITH_YOUR_KEYGRIP_VALUE.key
rm -f $HOME/.gnupg/private-keys-v1.d/ANOTHER_KEY.key
rm -f $HOME/.gnupg/private-keys-v1.d/REPETE_UNTIL_ALL_KEYGRIP_VALUES_ARE_COVERED.key
killall ssh-agent gpg-agent
/usr/local/bin/gpg --card-status
ssh-add -L
} &> log.txt
```
# Troubleshooting # Troubleshooting
- If you don't understand some option, read `man gpg`. - If you don't understand some option, read `man gpg`.
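Review bot: deleting the keygrip files under `~/.gnupg/private-keys-v1.d/` by hand is more destructive than the problem needs, and the script requires the reader to hard-code keygrips and an absolute `gpg` path. gpg-agent can be told to drop the old card binding and re-learn the inserted card with `gpg-connect-agent "scd serialno" "learn --force" /bye`, after which `gpg --card-status` creates fresh stubs for the new serial number; suggest presenting that as the primary method and the `rm -f` script as a fallback at most. Within the script itself, `killall ssh-agent` terminates the user's ssh-agent even though only gpg-agent holds the card association, and `&> log.txt` discards all output into the current directory, so a failing `rm` or `gpg --card-status` goes unnoticed; dropping the redirect or at least writing to a named path under `$HOME` would surface errors. Finally, the prose has a few typos that will confuse readers searching for the quoted message: "insert the car" should be "insert the card", "Assosiated" should be "Associated", "REPETE" should be "REPEAT", and "the inserted Yubikeys serial number" should be "the inserted Yubikey's serial number".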