losing grip on gpg reality here
authored
Nov 22, 2024
by
anarcat
howto/yubikey.md
View page @
3968f928
...
@@ -1037,6 +1037,10 @@ A possible error is:
...
@@ -1037,6 +1037,10 @@ A possible error is:
That could be because of a permission error. Normally,
`udev`
rules
That could be because of a permission error. Normally,
`udev`
rules
are in place to keep this from happening.
are in place to keep this from happening.
See also
[
drduh's troubleshooting guide
](
https://github.com/drduh/YubiKey-Guide#troubleshooting
)
.
#### Reseting a YubiKey
If everything goes south and you locked yourself out of your key, you
If everything goes south and you locked yourself out of your key, you
can completely wipe the OpenPGP applet with:
can completely wipe the OpenPGP applet with:
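Review bot: the new heading `#### Reseting a YubiKey` is misspelled and should read `#### Resetting a YubiKey`; fix it now, since the heading text is what readers will search for and link to. The added "See also" pointer to drduh's troubleshooting guide lands directly under the `udev` permission paragraph, so it would help to say that the guide is a general troubleshooting reference rather than something specific to permission errors.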
...
@@ -1045,12 +1049,42 @@ can completely wipe the OpenPGP applet with:
...
@@ -1045,12 +1049,42 @@ can completely wipe the OpenPGP applet with:
WARNING: that will WIPE all the keys on the device, make sure you have
WARNING: that will WIPE all the keys on the device, make sure you have
a backup or that the keys are revoked!
a backup or that the keys are revoked!
#### Incorrect TTY
If GnuPG doesn't pop up a dialog prompting you for a password, you
If GnuPG doesn't pop up a dialog prompting you for a password, you
might have an incorrect
`TTY`
variable. Try to kick
`gpg-agent`
with:
might have an incorrect
`TTY`
variable. Try to kick
`gpg-agent`
with:
gpg-connect-agent updatestartuptty /bye
gpg-connect-agent updatestartuptty /bye
See also
[
drduh's troubleshooting guide
](
https://github.com/drduh/YubiKey-Guide#troubleshooting
)
.
#### Incorrect key grip
If you somehow inserted your backup key and now GnuPG absolutely wants
nothing to do with your normal key, it's because GnuPG silently
replaced your "key grips". Those are little text files that it uses to
know which physical key has a copy of your private key.
You can see the key grip identifiers in GnuPG's output with:
gpg -K --with-keygrip
They look like key fingerprint, but for some reason (WHY!?) are
not. You can then move those files out of the way with:
cd ~/.gnupg/private-keys-v1.d
mkdir ../private-keys-v1.d.old
mv 23E56A5F9B45CEFE89C20CD244DCB93B0CAFFC73.key 74D517AB0466CDF3F27D118A8CD3D9018BA72819.key 9826CAB421E15C852DBDD2AB15A866CD0E81D68C.key ../private-keys-v1.d.old
We're not instructing you to delete those files because, if you get
the identifier wrong, you can destroy precious private key material
here. But if you're confident those are actual key grips, you can
remove them as well. They should look something like this:
Token: [...] OPENPGP.2 - [SERIAL]
Key: (shadowed-private-key [...]
As opposed to private keys, which start with something like this:
(11:private-key[...]
## FAQ
## FAQ
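Review bot: in the new "Incorrect key grip" section, the `mv` line names three literal `.key` files that a reader's `~/.gnupg/private-keys-v1.d` will not contain, and the check that tells a safe-to-move stub (`shadowed-private-key`) from real key material (`private-key`) only appears after the command. Suggest replacing the filenames with a placeholder such as `<KEYGRIP>.key`, stating that the values come from the `gpg -K --with-keygrip` output, and moving the "They should look something like this" check above the `mv` so the reader inspects each file before touching it. The prose also uses "key grips" both for the identifiers and for the files themselves; calling the files "key stubs" or similar would make the warning about destroying private key material easier to follow. Finally, the section stops after moving the files and does not say what the reader should do next to get GnuPG to recognize the normal key again.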