Commit Graph

1 Commits (d4b3e5215b736827fbe32171bf304ad5b9736f84)

Author SHA1 Message Date
Ian Stanley ffb29e7f01
Script to switch between two Yubikeys with identical keys
Some GitHub users have asked in the issues why can't I use two Yubikeys (one as a backup). It's a question often asked 

The usual answer given across the web is that you can't as GPG replaces the key with key stubs when you quit and save (if you don't save then the Yubikey appears useless as GPG doesn't delete the keys and carries on using them off the keyring.

If once you have run keytocard to transfer your keys to the Yubikey#1 you QUIT WITHOUT SAVING then you can repeat the whole process again and put in your Yubikey#2 and keytocard again. this time QUIT AND SAVE.

GPG will now replace the keys with a key stub pointing to the Yubikey with the card serial number (see Yubikey serial on back of key) when you try to decrypt/sign/authenticate. The first Yubikey will be ignored despite the fact it has a copy of the Yubikey.

However you can use gpg-connect-agent to force read the Yubikey and repoint the key stubs to the keys on the Yubikey inserted.

Just run the script and insert whichever key you have to have (primary or backup) when prompted 

NB once this script has been run GPG will be pointing the stubs at the recently used Yubikey ... to go back to your first Yubikey again switch Yubikeys and re-run script

Simples :)
2021-05-05 00:42:48 +01:00