I have a Yubikey from work and wanted to start signing without copying my Debian
PGP key to the work computer. No, I did not want to create a second-class PGP key
just for work. Here are the instructions for someone else to do the same.
On the master computer
- Create a second home dir for gpg
Because of bug #904596 I recommend moving your GPG home directory out of the way and working on a copy at the original location before starting.
mv ~/.gnupg ~/.gnupg.ref
cp -r ~/.gnupg.ref ~/.gnupg
- Create a subkey just for signing.
Create the subkey and take note of its ID.
gpg --edit-key <KEY ID>
addkey
list
save
- Move into the Yubikey.
Select the new subkey and move it into the Yubikey.
gpg --edit-key <KEY ID>
key <SUB KEY ID>
keytocard
save
- Publish the updated PGP Key
gpg --keyserver http://keyserver.ubuntu.com --send-keys <KEY ID>
- Store the public URL of the key on Yubikey
gpg --edit-card
url https://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search=...
quit
- Backup both GPG home dir
On your master computer you keep using the old GPG home dir, but store both for the future.
mv ~/.gnupg ~/.gnupg.yubikey4
mv ~/.gnupg.ref ~/.gnupg
cd ~
tar cf gnupg-homedir.backup.tar .gnupg .gnupg.yubikey4
gpg --armor --sign
This should work without asking for the Yubikey.
- Wait for the Key server to update your public key with the new subkey.
On a new computer
- Plug in the Yubikey
- Fetch the public PGP key through the URL stored on the Yubikey
gpg --edit-card
fetch
quit
gpg --armor --sign
This should ask for the Yubikey.
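As an added example (not part of the original post), here is a small POSIX shell check that parses gpg's machine-readable listing and reports, for each secret key, whether its material is on disk, on a card, or a missing stub. It covers both home dirs from the master computer and the new computer after the fetch; the sample listings, key IDs, fingerprint and card serial are constructed.

```shell
#!/bin/sh
# Classify every sec/ssb record of a `gpg -K --with-colons` listing (read on
# stdin) by where the secret material lives. Field 15 of a sec/ssb record is
# the token serial number when the key is on a smartcard, "#" when only a
# stub without secret material exists, and empty or "+" when it is on disk.
classify_keys() {
  awk -F: '
    $1 == "sec" || $1 == "ssb" {
      keyid = $5; caps = $12; token = $15
      if (token == "" || token == "+")   where = "on-disk"
      else if (token == "#")             where = "stub-missing"
      else                               where = "on-card:" token
      print $1, keyid, caps, where
    }'
}

# Succeeds only if at least one signing-capable subkey ("s") is on a card.
signing_subkey_on_card() {
  classify_keys | awk '$1 == "ssb" && $3 ~ /s/ && $4 ~ /^on-card:/ { found = 1 }
                       END { exit found ? 0 : 1 }'
}

# Constructed sample: the ~/.gnupg.yubikey4 home dir after keytocard (also what
# the new computer shows after fetch). Key IDs and card serial are made up.
SAMPLE_YUBIKEY_HOMEDIR='sec:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1500000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1500000100::::::s:::D2760001240102010006000000000000:::23:'

# Constructed sample: the untouched ~/.gnupg.ref home dir, subkey still on disk.
SAMPLE_REF_HOMEDIR='sec:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC::::::23::0:
ssb:u:4096:1:FEDCBA9876543210:1500000100::::::s::::::23:'

# Human-readable report for both samples.
printf '%s\n' "$SAMPLE_YUBIKEY_HOMEDIR" | classify_keys
printf '%s\n' "$SAMPLE_REF_HOMEDIR" | classify_keys
```

On a real machine run `gpg --homedir ~/.gnupg.yubikey4 -K --with-colons | signing_subkey_on_card` to confirm the subkey really left the disk before you rely on the card.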