How to use the key on a new pc? #466

Open
ScrambleTheRamble opened this issue Nov 24, 2024 · 1 comment

Comments

@ScrambleTheRamble

This might be a dumb request / question, but how would I go to work with this if I'm ever forced to move to another installation? Let's say I only have the YubiKey, but after a crash I'm forced to use the key on another computer without the stub file?

@Paraphraser
Contributor

Paraphraser commented Nov 25, 2024

No such thing as a dumb question (and particularly not where "security" hocus-pocus is concerned).

The answer is actually buried in the DrDuh guide but it's spread out.

The setup begins at Keyserver. That explains how to send your public key to a keyserver such as keyserver.ubuntu.com.

The same section also explains how to format a URL to be added to your YubiKey. The problem is that, insofar as I'm aware, you can't reference the URL variable directly from within --edit-card, so I do it like this:

$ KEYID=yourKeyIDhere
$ URL="hkps://keyserver.ubuntu.com:443/pks/lookup?op=get&search=0x${KEYID}"
$ echo "$URL"

Tip:

  • the leading 0x on the Key ID is important (at least for the Ubuntu server; I don't know about any other servers). If the 0x is already in your KEYID variable then omit it from the URL formation.

Copy what comes back from the echo statement onto the clipboard then, with your YubiKey in a USB port, follow the steps under "Edit YubiKey with gpg --edit-card and the Admin PIN:", as in:

$ gpg --edit-card

…

gpg/card> admin
Admin commands are allowed

gpg/card> url
URL to retrieve public key: hkps://keyserver.ubuntu.com:443/pks/lookup?op=get&search=0x9999999999999999
Please enter the Admin PIN

Number: 99 999 999
Holder: Given Last
Admin PIN: YOUR-ADMIN-PIN-HERE

gpg/card> quit

In words:

  1. gpg --edit-card
  2. admin command.
  3. url sub-command.
  4. Paste the URL from the clipboard.
  5. Enter your admin PIN.
  6. quit command.

The acid test is whether you can see the URL when you run:

$ gpg --card-status

Now, assume a disaster and the only thing you have is your YubiKey and a brand new computer which has all the software prerequisites satisfied as per the DrDuh guide:

$ gpg -k && gpg -K
gpg: directory '/home/zot/.gnupg' created
gpg: keybox '/home/zot/.gnupg/pubring.kbx' created
gpg: /home/zot/.gnupg/trustdb.gpg: trustdb created

No keys of any kind but ~/.gnupg has been initialised. Stick your YubiKey into a USB port then run:

$ gpg --edit-card

gpg/card> fetch
gpg: requesting key from 'hkps://keyserver.ubuntu.com:443/pks/lookup?op=get&search=0x 9999999999999999'
gpg: key 9999999999999999: public key "Moi Nom (Nickname) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

gpg/card> quit

If you run gpg -k and gpg -K at that point, you'll find your public key has been downloaded from the keyserver, and the stubs pointing to the private keys on your YubiKey are back in place.

The only thing that hasn't happened is trust being set. Noting that your KeyID appears a couple of times in the above, you can re-establish the variable via copy/paste, so:

$ KEYID=yourKeyIDhere
$ gpg --edit-key $KEYID

gpg> trust

…

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

…

gpg> quit

This stuff is actually mentioned at Using YubiKey but the context of the various headings makes it look like it only applies to OpenBSD. It's not restricted to OpenBSD. It's general.


Once you have your public key uploaded to the keyserver and have programmed the URL into your YubiKey, you can test it on an existing system just by moving .gnupg out of the way:

$ cd
$ mv .gnupg .gnupg.off
$ gpg -k && gpg -K
$ gpg --edit-card
gpg/card> fetch
…

Then, when you're done, remove the newly-created .gnupg and rename the .off back to its original name.

Hope this helps.
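The URL-building step and the "acid test" above can be scripted and checked offline. The following is an added example, not code from the issue or from the DrDuh guide: it builds the hkps lookup URL for a key ID (handling the case where the 0x prefix is already present, as the tip notes), and compares it against the `URL of public key` line of `gpg --card-status` output. The sample card-status text and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the issue or the DrDuh guide): build the keyserver
# URL for the YubiKey 'url' field and check it against 'gpg --card-status'.

# Build the hkps lookup URL. Handles the edge case from the tip above:
# a KEYID that already carries a 0x prefix must not get a second one.
build_key_url() {
  keyid="$1"
  case "$keyid" in
    0x*|0X*) keyid="${keyid#0?}" ;;
  esac
  # Accept a long (16 hex digit) key ID or a full (40 hex digit) fingerprint;
  # reject anything else so a typo is caught before it is written to the card.
  if ! printf '%s' "$keyid" | grep -Eq '^([0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})$'; then
    echo "build_key_url: '$1' is not a long key ID or fingerprint" >&2
    return 1
  fi
  printf 'hkps://keyserver.ubuntu.com:443/pks/lookup?op=get&search=0x%s\n' "$keyid"
}

# Extract the 'URL of public key' value from gpg --card-status output (stdin).
card_status_url() {
  sed -n 's/^URL of public key *: *//p'
}

# Constructed sample of a few 'gpg --card-status' lines after the card has
# been programmed. The key ID is a placeholder, as on the issue page.
SAMPLE_CARD_STATUS='Reader ...........: <placeholder reader name>
Application ID ...: <placeholder>
URL of public key : hkps://keyserver.ubuntu.com:443/pks/lookup?op=get&search=0x9999999999999999
Login data .......: [not set]'

# Acid test: does the URL stored on the card match the one expected for KEYID?
# Usage: check_card_url "$KEYID" "$(gpg --card-status)"
check_card_url() {
  expected=$(build_key_url "$1") || return 1
  actual=$(printf '%s\n' "$2" | card_status_url)
  [ "$expected" = "$actual" ]
}
```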
