
Smart card + GnuPG: what is stored in my keyring/how to adopt smart card?

Information Security Asked by Askford on December 2, 2021

I recently bought a Yubikey Neo which can act as an OpenPGP smart card. I’d like to use this to store my private GnuPG key. I’ve gone through the initial setup and I am able to use the smart card to sign and encrypt files. After the setup the smart card’s key shows up in gpg --list-secret-keys output.

If I lost the GPG keyring (say if my hard-drive died) or I want to use it on multiple machines, how do I get GPG to use the smart card?

5 Answers

@Askford - I assume after 3 years you managed to resolve this?

For anyone else having similar issues what worked for me is:

gpg2 --import public_key.key

This brought all of my keys back from a fresh install and only the yubikey

This command gave me:

gpg2 --import key.asc 
gpg: key 0AAD23DD518496D1: public key "Lee Fenlan <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Then gpg2 -k gave me:

---------------------------------
pub   rsa4096 2016-08-09 [SC]
      7F5F963D411B8E2FC7BB33150AAD23DD518496D1
uid           [ unknown] Lee Fenlan <[email protected]>
sub   rsa4096 2016-08-09 [S]
sub   rsa4096 2016-08-09 [E]
sub   rsa4096 2016-08-09 [A]

Now if I try to encrypt / decrypt / sign or ssh to anything that requires my private keys it all works as expected.

Answered by Lee on December 2, 2021

When you start with a fresh installation, you have two options:

  1. Plug in the smart card (Yubikey) and run

    gpg --card-edit
    fetch
    quit
    

    Then, run gpg with the --card-status option to create the stubs for the secret keys:

    gpg --card-status
    
  2. Import your public key from a key server (the fetch command above does the same automatically), then

    gpg --card-status
    

The methods only differ in the way the public key is imported, i.e. automatically or manually.

Answered by Minas on December 2, 2021
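As an added example (not code from the thread): after the recovery procedure described above (import the public key, then run gpg --card-status), this bash script checks what the keyring actually holds by classifying each sec/ssb record in `gpg --with-colons --with-secret --list-secret-keys` output as a card stub, a stub with no secret, or an on-disk secret key. The sample colon output, the card serial and the subkey IDs are constructed; only the primary key ID is taken from the answer above.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread.
# Field 15 of a sec/ssb record in `gpg --with-colons` output holds the
# token serial number when the secret part lives on a smart card, '#' when
# the key is a stub with no secret material, or '+' (only with --with-secret)
# when the secret key is stored on disk.
set -eu

# classify_secret_keys: read colon-format output on stdin and print
# "<primary|subkey> <keyid> <status>" for every secret-key record.
classify_secret_keys() {
  awk -F: '$1=="sec" || $1=="ssb" {
      kind = ($1=="sec") ? "primary" : "subkey"
      token = $15
      if (token == "#")      st = "stub-no-secret"
      else if (token == "+") st = "on-disk"
      else if (token != "")  st = "on-card:" token
      else                   st = "unknown"
      print kind, $5, st
  }'
}

# keys_not_on_card: list key IDs whose secret part is NOT a card stub,
# i.e. keys that would not survive losing the keyring with only the card.
keys_not_on_card() {
  classify_secret_keys | awk '$3 !~ /^on-card:/ {print $2}'
}

# Constructed sample (not a real keyring): primary key and the S/E subkeys
# are card stubs, the A subkey is a stub with no secret anywhere.
# The card serial and subkey IDs are placeholders.
SAMPLE_AFTER_CARD_STATUS='sec:u:4096:1:0AAD23DD518496D1:1470700000:::u:::scESC:::D2760001240102010006000000000000::::
fpr:::::::::7F5F963D411B8E2FC7BB33150AAD23DD518496D1:
uid:u::::1470700000::ABCDEF::Example User <user@example.com>::::::::::0:
ssb:u:4096:1:1111111111111111:1470700000::::::s:::D2760001240102010006000000000000:
ssb:u:4096:1:2222222222222222:1470700000::::::e:::D2760001240102010006000000000000:
ssb:u:4096:1:3333333333333333:1470700000::::::a:::#:'

# Live use with GnuPG and the card plugged in:
#   gpg --with-colons --with-secret --list-secret-keys | classify_secret_keys
```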

You need to run:

gpg --card-status

and gpg will do it for you:

/tmp$ mkdir gpgtmp
/tmp$ chmod go-rwx gpgtmp

/tmp$ GNUPGHOME=/tmp/gpgtmp gpg --keyserver pgp.mit.edu --recv F8713BDF 
gpg: sleutelring ‘/tmp/gpgtmp/secring.gpg’ is aangemaakt
gpg: sleutelring ‘/tmp/gpgtmp/pubring.gpg’ is aangemaakt
gpg: opvragen sleutel F8713BDF van hkp sleutelserver pgp.mit.edu
WARNING: gnome-keyring:: couldn't connect to: /run/user/robin/keyring-55e9Rg/pkcs11: No such file or directory
gpg: /tmp/gpgtmp/trustdb.gpg: trustdb created
gpg: sleutel F8713BDF: publieke sleutel “Robin Sheat <[email protected]>” geimporteerd
gpg: no ultimately trusted keys found
gpg: Totaal aantal verwerkt: 1
gpg:               Geimporteerd: 1  (RSA: 1)

/tmp$ GNUPGHOME=/tmp/gpgtmp gpg --list-secret
*nothing here*

/tmp$ GNUPGHOME=/tmp/gpgtmp gpg --card-status
*snip boring card info*
General key info..: pub  2048R/F8713BDF 2013-09-24 Robin Sheat <[email protected]>
sec>  2048R/F8713BDF  aangemaakt: 2013-09-24  vervaldatum: nooit     
*etc*

/tmp$ GNUPGHOME=/tmp/gpgtmp gpg --list-secret
/tmp/gpgtmp/secring.gpg
-----------------------
sec>  2048R/F8713BDF 2013-09-24
      Serienummer van de kaart = ....
uid                  Robin Sheat <[email protected]>
*etc*

Answered by Robin Sheat on December 2, 2021

According to the yubico site, you can't get either public or private keys off of the device, so in addition to having your Neo, you'll need to make sure that your keyring has the corresponding private keys generated during device initialization.

In other words, just having the device is not enough.

Answered by mricon on December 2, 2021

When you set up a key-pair on a smart card, all the data needed for encryption, decryption and signing operations is stored on the card. Therefore, even after the loss of your keyring, you will be able to perform these operations by simply having your smart card to hand.

I recommend you don't simply take my word for it, though, and experiment yourself. Reconfigure GPG to look at an empty keyring directory and try to decrypt your important files using the smart card. You may need to import the certificates from the card to your keyring first; those steps depend on what key manager you're using.

Answered by deed02392 on December 2, 2021
