Changes

I don't believe the previous procedure works...
anarcat · 922ba4cc
--- a/howto/yubikey.md
+++ b/howto/yubikey.md
@@ -758,12 +758,16 @@ let's exercise that disaster recovery by making a new key, completely
 from the backups.

 1. first, go through the [preparation](#install-software-and-preparation) steps above, namely setting
-    the CCID mode, disabling NFC, setting a PIN and so on
+    the CCID mode, disabling NFC, setting a PIN and so on. you also
+    should have a backup of your secret keys at this point, if not
+    (and you still have a copy of your secret keys in some other
+    keyring), follow [the OpenPGP guide](howto/openpgp#backing-up-an-openpgp-key) to export a backup that we
+    assume to be present in`$BACKUP_DIR`.

 1. create a fresh new GnuPG home:
 
-        export GNUPGHOME=${XDG_RUNTIME_DIR:-/nonexistent}/.gnupg-restore
-        mkdir $GNUPGHOME
+        OTHER_GNUPGHOME=${XDG_RUNTIME_DIR:-/nonexistent}/.gnupg-restore
+        ( umask 0077 && mkdir OTHER_GNUPGHOME )

 2. make sure you kill `gpg-agent` and related daemons, they can get
    confused when multiple home directories are involved:
@@ -772,17 +776,20 @@ from the backups.

 2. restore the public key:
 
-        gpg --import $BACKUP_DIR/public.key
+        gpg --homedir=$OTHER_GNUPGHOME --import $BACKUP_DIR/openpgp-backup-public-$FINGERPRINT.key

 3. confirm GnuPG can not see any secret keys:
 
-        gpg --list-secret-keys
+        gpg --homedir=$OTHER_GNUPGHOME --list-secret-keys

    you should not see any result from this command.

 4. then, crucial step, restore the private key and subkeys:

-        gpg --decrypt $BACKUP_DIR/gnupg-backup.tar.pgp | tar -x -f - --to-stdout | gpg --import
+        gpg --decrypt $BACKUP_DIR/gnupg-backup-$FINGERPRINT.tar.pgp | tar -x -f - --to-stdout | gpg --homedir $OTHER_GNUPGHOME --import
+
+    TODO: this procedure needs testing. we need to talk to both
+    GNUPGHOME directories at once and it's unclear if the above works.

 5. confirm GnuPG can see the secret keys:
    you should not see any `Card serial no.`, `sec>`, or `ssb>` in