Backup Yubikey
OpenPGP Keys
Safe working Environment
To setup a second Yubikey for use with your OpenPGP keys, you need a backup of your private keys, since its not possible to get anything out of your original Yubikey.
Since we created a backup of our OpenPGP private keys on the Safe Storage, residing on your Safe System we boot our workstation with it. Keep the Network cable unplugged and wireless and bluetooth disabled.
Mount the safe storage. The following steps assume, your safe storage is
mounted on /media/$USER/SafeStorage.
Kill all running GnuPG agents, directory managers, etc, as they might interfere:
$ gpgconf --kill all
Set which key we need to move to our backup Yubikey:
$ export GPGKEY=0x0123456789ABCDEF
Create a temporary GnuPG home directory:
$ export GNUPGHOME=$(mktemp -d -t gnupg_$(date +%Y%m%d%H%M)_XXX)
Import from Backup
Import the backup from the safe storage to the temporary working directory:
# Import your public key
gpg --verbose --import-options restore --armor \
--import /media/${USER}/SafeStorage/OpenPGP/${$GPGKEY}.asc \
# Import your private key
$ gpg --verbose --import-options restore --armor \
--import /media/${USER}/SafeStorage/OpenPGP/${$GPGKEY}.private.asc \
# Import your personal trust settings
$ gpg --verbose --import-ownertrust \
< /media/${USER}/SafeStorage/OpenPGP/OwnerTrust.db
$ gpg --verbose --check-trustdb
Prepare the Yubikey
$ gpg –card-edit
Set the PIN code, nedded to unlock the private key on the card before use:
gpg/card> admin
gpg/card> admin
Admin commands are allowed
gpg/card> passwd
gpg: OpenPGP card no. D2760001240102000000012345670000 detected
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 1
On a new Yubikey the default is set to 123456.
Change the Admin PIN:
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 3
On a new Yubikey the default Admin PIN is 12345678.
Move OpenPGP Key to Yubikey
$ gpg –edit-key $GPGKEY