How to decrypt with Yubikey

Hi everyone. I’ve set up my Yubikey, generating the private key using Kleopatra on my personal computer. I’m able to send the public key (generated on the Yubikey), encrypt and then decrypt on my personal computer. But I’m not able to use the same Yubikey on my wife’s laptop to decrypt the files encrypted with the same Yubikey public key. What should I do to be able to encrypt files on my personal computer with the Yubikey public key and then decrypt them on another computer with the same Yubikey?

Hi Daniel,
to be able to decrypt you’d need the public and private keys on the machine.

Can you tell us in more detail how you have tried to transfer this to the second machine
and what resulting messages you were getting?

Best Regards,
Bernhard

Hi,

It’s probable that on the second computer the private key stubs are missing. You can try to open Kleopatra and look at the smartcard management to get them.

If that does not work, open a command line (cmd) and execute “gpgsm --learn-card” (works for OpenPGP, too).

The current development version which will be released with Gpg4win-4 does that automatically but currently you need to do that. GpgOL in the upcoming Gpg4win-3.1.12 will also already do that automatically.

Hi Bernhard.

I’ve generated the key pair at the prompt directly on the Yubikey, and then imported it into Kleopatra on my personal computer. It’s working fine on this computer. I’m able to encrypt and then decrypt.

The “problem” is when I try to decrypt using another computer. As I’ve read, the private key never leaves the Yubikey, so I supposed it wouldn’t be necessary to import the private key on the new device.

Is the private key stored in the Yubikey exportable? Or how do I export it? Is it safe to export the private key? I mean, if the other device I’m trying to decrypt on is compromised, the private key would be compromised.

Hi,

No, the private key of the Yubikey is not exportable; that is a very core security function that is enforced at the hardware level. What happens if you do a gpgsm --learn-card (which newer versions do automatically) on the command line is that GPG stores “key stubs” on the second computer, which in the GPG system basically say: “I have the private key X; it is stored on the smartcard / Yubikey with the ID XYZ.” These “stubs” are stored under %APPDATA%\gnupg\private-keys-v1.d

But our system needs to know that initially. We don’t yet scan for USB tokens with keys automatically. With the next release at least our Outlook plugin will do such an automatic scan on startup.

Hope this helps and answers your question.
Best Regards,
Andre
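The two answers above describe the same check: the card carries the private keys, and a second computer only needs the local key stubs that point at the card, which `gpgsm --learn-card` creates under `private-keys-v1.d`. The script below is an added example, not part of this thread or of Gpg4win/GnuPG, that automates that diagnosis: it reads the keygrips the card reports, compares them against the stub files already present, and optionally runs `gpgsm --learn-card` and re-checks. It assumes that `gpg --card-status --with-colons` emits a `grp:` record with one keygrip per card slot and that gpg-agent names each stub `<KEYGRIP>.key`; the sample card output embedded for offline use (serial number and keygrips) is constructed.

```python
"""Check whether the GnuPG key stubs for an OpenPGP smartcard/YubiKey exist locally.

Added example, not part of the original thread or of Gpg4win. Assumptions:
``gpg --card-status --with-colons`` prints a ``grp:`` record with one keygrip per
slot, and gpg-agent stores each stub as ``<KEYGRIP>.key`` in ``private-keys-v1.d``.
"""
import os
import subprocess
import sys
from pathlib import Path

# Constructed sample of `gpg --card-status --with-colons` output. The serial
# number and keygrips are invented; only the record layout is realistic.
SAMPLE_CARD_STATUS = """\
vendor:0006:Yubico:
serial:000612345678:
fpr:0123456789ABCDEF0123456789ABCDEF01234567:89ABCDEF0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210FEDCBA98:
grp:AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111:BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222:CCCC3333CCCC3333CCCC3333CCCC3333CCCC3333:
"""


def parse_card_keygrips(card_status):
    """Return the keygrips in the grp: record, skipping empty (unused) slots."""
    for line in card_status.splitlines():
        fields = line.split(":")
        if fields[0] == "grp":
            return [g for g in fields[1:] if g]
    return []


def parse_card_serial(card_status):
    """Return the card serial number from the serial: record ('' if absent)."""
    for line in card_status.splitlines():
        fields = line.split(":")
        if fields[0] == "serial":
            return fields[1]
    return ""


def default_keydir():
    """private-keys-v1.d under $GNUPGHOME, %APPDATA%\\gnupg (Windows) or ~/.gnupg."""
    home = os.environ.get("GNUPGHOME")
    if not home:
        if sys.platform == "win32":
            home = os.path.join(os.environ.get("APPDATA", ""), "gnupg")
        else:
            home = os.path.join(Path.home(), ".gnupg")
    return Path(home) / "private-keys-v1.d"


def stub_grips_in(keydir):
    """Keygrips that already have a <KEYGRIP>.key file in keydir (upper-cased)."""
    keydir = Path(keydir)
    if not keydir.is_dir():
        return set()
    return {p.stem.upper() for p in keydir.glob("*.key")}


def missing_stubs(card_grips, present_grips):
    """Card keygrips that have no local stub yet, in card slot order."""
    present = {g.upper() for g in present_grips}
    return [g for g in card_grips if g.upper() not in present]


def run(cmd):
    """Run a gpg/gpgsm command and return its stdout (raises on failure)."""
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def main(fix=False):
    status = run(["gpg", "--card-status", "--with-colons"])
    grips = parse_card_keygrips(status)
    keydir = default_keydir()
    missing = missing_stubs(grips, stub_grips_in(keydir))
    print(f"card serial {parse_card_serial(status)}: {len(grips)} key(s) on card, "
          f"{len(missing)} stub(s) missing in {keydir}")
    if missing and fix:
        run(["gpgsm", "--learn-card"])  # the step recommended in the thread
        still = missing_stubs(grips, stub_grips_in(keydir))
        print(f"after gpgsm --learn-card: {len(still)} stub(s) still missing")
    elif missing:
        print("run: gpgsm --learn-card")


if __name__ == "__main__":
    main(fix="--fix" in sys.argv[1:])
```

Run it with the card inserted on the second computer: with no arguments it only reports which card keys lack a stub; with `--fix` it runs `gpgsm --learn-card` and re-checks. A stub count of zero missing but decryption still failing points elsewhere (wrong key used for encryption, or a card reader / scdaemon problem), which is why the check compares keygrips rather than just testing for a non-empty directory.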

Hi Andre.

Ah, I got it. I thought it would scan automatically, that’s why I was not being able to decrypt.

Thanks for the help. Now it works perfectly.