I have a Yubikey from my job and wanted to start signing git commits without copying my Debian PGP key to the work computer. No, I did not want to create a second-class PGP key just for work. Here are the instructions for anyone else who wants to do the same.

On the master computer

  • Create a second home dir for gpg

Because of bug #904596 I recommend moving your GPG home directory out of the way and working on a copy placed at the original location while you do this.

mv ~/.gnupg ~/.gnupg.ref
cp -r ~/.gnupg.ref ~/.gnupg
  • Create a subkey just for signing.

Create a subkey and take note of its id.

gpg --edit-key <KEY ID>
addkey
list
save
  • Move it into the Yubikey.

Select the new subkey and move it into the Yubikey.

gpg --edit-key <KEY ID>
key <SUB KEY ID>
keytocard
save
  • Publish the updated PGP Key
gpg --keyserver http://keyserver.ubuntu.com --send-keys <KEY ID>
  • Store the public URL of the key on the Yubikey
gpg --edit-card
url https://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search=...
quit
  • Back up both GPG home dirs

On your master computer you need to keep using the old GPG home dir, but you need to store both for the future.

mv ~/.gnupg ~/.gnupg.yubikey4
mv ~/.gnupg.ref ~/.gnupg
cd ~
tar cf gnupg-homedir.backup.tar .gnupg .gnupg.yubikey4
  • Test
gpg --armor --sign

Should work without asking for the Yubikey.

  • Wait for the Key server to update your public key with the new subkey.

On a new computer

  • Plug in the Yubikey
  • Fetch the public PGP key through the URL stored on the Yubikey
gpg --edit-card
fetch
quit
  • Test
gpg --armor --sign

Should ask for the Yubikey.
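An added check script for the new computer (my addition, not part of the steps above): it parses the output of `gpg --list-secret-keys --keyid-format long` to confirm that the only signing subkey present is the card stub (`ssb>`, as opposed to `ssb` for a private key on disk), points git at exactly that subkey, and does a sign/verify round trip through the Yubikey. It assumes gpg 2.1 or newer and git are installed; the function and variable names are mine.

```shell
#!/bin/sh
# Added check script, not from the original post. Assumes gpg >= 2.1 listing
# format, where "ssb>" marks a subkey whose private part is a smart-card stub.

# Print the long key IDs of signing-capable subkeys that live on the card.
# Reads the output of `gpg --list-secret-keys --keyid-format long` on stdin.
# Example line:  ssb>  rsa2048/0123456789ABCDEF 2018-06-01 [S]
card_signing_subkeys() {
    awk '$1 == "ssb>" && $0 ~ /\[[^]]*S[^]]*\]/ { split($2, a, "/"); print a[2] }'
}

# Print signing-capable subkeys whose private key is still on disk.
# On the work computer this list should be empty.
local_signing_subkeys() {
    awk '$1 == "ssb" && $0 ~ /\[[^]]*S[^]]*\]/ { split($2, a, "/"); print a[2] }'
}

# Live check: exactly one card-backed signing subkey, none on disk,
# then configure git to use it and prove signing works end to end.
check_work_machine() {
    listing=$(gpg --list-secret-keys --keyid-format long 2>/dev/null) || {
        echo "gpg not available or no secret keys in this home dir" >&2; return 1; }
    on_card=$(printf '%s\n' "$listing" | card_signing_subkeys)
    on_disk=$(printf '%s\n' "$listing" | local_signing_subkeys)
    if [ -n "$on_disk" ]; then
        echo "signing subkey(s) with private part on disk: $on_disk" >&2
        return 1
    fi
    case $(printf '%s\n' "$on_card" | grep -c .) in
        1) ;;
        *) echo "expected exactly one card-backed signing subkey, got: $on_card" >&2
           return 1 ;;
    esac
    echo "card-backed signing subkey: $on_card"
    # The trailing "!" tells gpg to use exactly this subkey, not pick one itself.
    git config --global user.signingkey "${on_card}!"
    git config --global commit.gpgsign true
    # Round trip: this must prompt for the Yubikey PIN and then verify cleanly.
    printf 'yubikey signing test\n' | gpg --armor --sign --local-user "${on_card}!" | gpg --verify
}

# Run the live check only when invoked as: sh check-yubikey.sh check
if [ "${1:-}" = "check" ]; then
    check_work_machine
fi
```

The parsers take the listing on stdin, so you can also run them against a saved listing from the master computer to confirm that there the subkey shows as `ssb` (on disk, inside `~/.gnupg.yubikey4`) rather than as a stub.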