
I have a Yubikey with my GPG private keys on it, and the public keys in my gpg keyring. I made sure that the private keys are not present on my system by running gpg --export-secret-key -a <key id>, which returned nothing, while gpg --export -a <key id> printed my public key.

Next, after setting up my <key id> for signing, I noticed that I still get a private key printed by --export-secret-key after unlocking my card and using it to sign something.

This baffled me because I wasn't expecting anything to be printed by --export-secret-key, so I am curious: what is this key?

To be sure, I have also tried deleting this private key with --delete-secret-keys <key id>, but using the smartcard again populates the private key for this <key id>.

  • I bet it's cached by the gpg agent. However, I'm not well acquainted with that software, so I wouldn't be able to tell for sure. Does gpgconf --kill gpg-agent change anything? Commented Oct 17, 2024 at 18:49
  • @Kusalananda I've posted an answer below. It's not the cache but a key stub. Commented Oct 18, 2024 at 6:45
  • A Yubikey never exposes private keys, so there is no way gpg can cache it. All operations with the private key are performed by the Yubikey itself. Commented Oct 18, 2024 at 12:09

1 Answer


Turns out this is a key stub that provides the GPG agent with the information it needs to divert the private-key request to the smart card. More on this here: https://security.stackexchange.com/questions/108190/export-secret-key-after-yubikey-is-plugged-in
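The stub mechanism the answer describes can be verified from the shell. The script below is an added example, not code from the original post or from GnuPG: it parses the machine-readable listing from gpg --with-colons --list-secret-keys (in a sec/ssb record, field 15 holds the card serial number when the private part lives on a token, or "#" for a bare stub, and is empty for a secret key really stored on disk), and it inspects the files gpg-agent keeps under ~/.gnupg/private-keys-v1.d, where a card-backed key is stored as a shadowed-private-key S-expression holding only the public parameters and the card serial. The key IDs, serial number, listing lines and key-file contents are constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post or GnuPG): tell a gpg-agent
# key stub apart from real private-key material.

# classify_secret_keys: read `gpg --with-colons --list-secret-keys` output on
# stdin and print "<rec> <keyid> <kind>" for every sec/ssb record, where kind is
# CARD-STUB:<serial> (private key on a token), STUB-NO-KEY ("#", no key at all)
# or ON-DISK (field 15 empty, secret key material is in the local store).
classify_secret_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            tok = $15
            if (tok == "" || tok == "+")  kind = "ON-DISK"
            else if (tok == "#")          kind = "STUB-NO-KEY"
            else                          kind = "CARD-STUB:" tok
            printf "%s %s %s\n", $1, $5, kind
        }'
}

# classify_keyfile: inspect one file from ~/.gnupg/private-keys-v1.d/.
# gpg-agent writes card-backed keys as a "shadowed-private-key" S-expression
# (public parameters plus card serial, no private scalar); real keys are
# "protected-private-key" (passphrase-wrapped) or a plain "private-key".
# Prints one word: shadowed, protected, plain or unknown.
classify_keyfile() {
    if grep -q 'shadowed-private-key' "$1"; then
        echo shadowed
    elif grep -q 'protected-private-key' "$1"; then
        echo protected
    elif grep -q 'private-key' "$1"; then
        echo plain
    else
        echo unknown
    fi
}

# audit_keydir: classify every .key file in a directory, print the verdicts and
# return 0 only when all of them are card stubs (no key material on disk).
audit_keydir() {
    rc=0
    for f in "$1"/*.key; do
        [ -e "$f" ] || continue
        kind=$(classify_keyfile "$f")
        echo "$(basename "$f") $kind"
        [ "$kind" = shadowed ] || rc=1
    done
    return $rc
}

# Constructed sample listing (made-up key IDs and serial, not real keys):
# a primary key and a signing subkey on a card, plus an encryption subkey
# whose secret part is stored on disk.
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1700000000:::u:::cSC:::D2760001240103040006000000000000:::23::0:
fpr:::::::::00000000000000000000000000000000ABCDEF0123456789:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1700000000::::::s:::D2760001240103040006000000000000:::23:
ssb:u:4096:1:1122334455667788:1700000000::::::e::::::23:'

# Stand-alone demo on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | classify_secret_keys
```

On a real system run `gpg --with-colons --list-secret-keys | classify_secret_keys` to see which secret keys are only stubs, and `audit_keydir ~/.gnupg/private-keys-v1.d` to confirm that nothing but shadowed stubs is on disk (it exits non-zero otherwise). The human-readable `gpg --list-secret-keys` shows the same thing as `sec>`/`ssb>`, the `>` marking a card stub. This is also why deleting the stub does not stick: gpg re-creates it whenever it next learns the card (for example on `gpg --card-status`), which is exactly the repopulation the question observes.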
