2021/08/20

YubiKey and GPG: How to add a new e-mail to an existing key

So the recommendation for storing GPG keys with YubiKey is to:

  • Store public keys on the GPG key chain
  • Store the private sub-keys on YubiKey
  • Store the private key offline, in a separate storage location
Hence, in order to edit the master key one first needs to import the master key back:

gpg --import /path/to/offline/master/key/MASTERKEY.priv.asc
gpg --edit-key MASTERKEY
    adduid # Fill out form
    uid n # where n is the new uid number
    primary # To set the new e-mail as the primary e-mail address for the key
    save


This will add the new identity to the existing GPG key. Now the only thing left is to export the new version of the public information (along with the private keys for good measure)


gpg -a --export MASTERKEY > /path/to/offline/master/key/MASTERKEY.pub.asc
gpg -a --export-secret-key MASTERKEY > /path/to/offline/master/key/MASTERKEY.priv.asc
gpg -a --export-secret-subkeys MASTERKEY > /path/to/offline/master/key/MASTERKEY.priv-sub.asc

Now that everything is at a safe place once again, we shall remove the private keys from the machine (and keep using YubiKey whenever they're needed). That can be done by deleting the private keys plus invoking a simple card-edit.

gpg --delete-secret-key MASTERKEY
gpg --card-edit

You'll know that you're successful if you see the # in front of the master key (indicating that the private key is uknown) and the > in front of the ssb entries (indicating that the private keys are stups on the machine and that the actual keys are stored on your YubiKey)

sec#  rsa4096/0xAAAAAAAAAAAAAAAA 2018-07-15 [C] [expires: 2020-06-16]
      Key fingerprint = DDDD AAAA 9999 7777 6666  EEEE 8888 1111 0000 1111
uid                   [ultimate] John Smith <jsmith@corp1.com>
uid                   [ultimate] John Smith <john.smith@corporation.com>
uid                   [ultimate] John Smith <john_smith4@company.com>
ssb>  rsa2048/0xBBBBBBBBBBBBBBBB 2018-07-15 [E] [expires: 2020-06-16]
ssb>  rsa2048/0xCCCCCCCCCCCCCCCC 2018-07-15 [S] [expires: 2020-06-16]
ssb>  rsa2048/0xDDDDDDDDDDDDDDDD 2018-07-15 [A] [expires: 2020-06-16]

No comments:

Post a Comment