Two Yubikeys with unique subkeys are causing conflict

[burnedfaceless]

I have 2 Yubikey 5Cs.

I followed the guide creating a master key pair. Then I created six subkeys (S E A) and put 3 of each on two Yubikeys.

When I got to the part where it asked me to encrypt and decrypt a message I put in my backup Yubikey first. It decrypted the message successfully.

When I put in my regular Yubikey and tried to decrypt the message I got an error "Please insert the card with serial number xxxxx".

Does anyone know how to resolve this issue?

[niallm90]

Its my understanding is that GPG will only encrypt for the latest encryption sub-key. See https://wiki.debian.org/Subkeys

One might be tempted to have one subkey per machine so that you only need to exchange the potentially compromised subkey of that machine. In case of a single subkey used on all machines, it needs to be exchanged on all machines in case of a compromising.

But this only works for signing subkeys. If you have multiple encryption subkeys, gpg is said to encrypt only for the most recent encryption subkey and not for all known and not revoked encryption subkeys.

[drduh]

That's correct - you can only encrypt to a single sub-key at a time. I recommend and use multiple identities and keys, then encrypt to all of them for redundancy.

[Benvii]

This is a know issue in GnuPG.

I added a workaround to the documentation, use it when you want to switch from your main key to your backup key : https://github.com/drduh/YubiKey-Guide#multiple-keys

[the2nd]

Hi,
after switching to a new yubikey (old one was broken) and running the command "gpg-connect-agent "scd serialno" "learn --force" /bye" i can successfully use the key for SSH and to decrypt data via "gpg2 -d test.txt.gpg". But signing via "gpg2 --detach-sign test.txt" does still ask for the old yubikey. Do i missing something?

Best regards
the2nd

[carlolars]

I added a workaround to the documentation, use it when you want to switch from your main key to your backup key : https://github.com/drduh/YubiKey-Guide#multiple-keys

I'm using two Yubikeys with identical gpg-keys, WSL and GnuPG for Windows (version 2.2.17) and I have to first kill the gpg-agent before running the command or else it will still "discover" the old Yubikey:

$ gpg-connect-agent.exe killagent /bye
$ gpg-connect-agent.exe "scd serialno" "learn --force" /bye

[darconeous]

I've found this script to be quite useful:

https://github.com/darconeous/shattings/blob/master/bin/gpg-card-change

[meramsey]

Add this to like your ~/.bashrc or ~/.zshrc to easily be able to just fix the issue by typing yubikeyrestart or whatever alias name you prefer.

# GPG Yubikey restart relearn when switching keys and stubbed.
alias yubikeyrestart='gpg-connect-agent killagent /bye && gpg-connect-agent "scd serialno" "learn --force" /bye && gpg --card-status'