Done with @lelutin during his onboarding, tpo/tpa/team#41599

howto/yubikey.md

@@ -549,7 +549,11 @@ Then move the two subkeys:
     keytocard
 
 The double `key 1` above is not an error: it deselects the first
-subkey to only select the second subkey.
+subkey to only select the second subkey. (And no, you can't do both at
+once.)
+
+You need to pick the right slot for each key, key 1 is likely the `(2)
+Encryption key` and key 2 is likely the `(3) Authentication key`.
 
 Here's an example run:
 
@@ -785,10 +789,9 @@ from the backups.
 
  4. then, crucial step, restore the private key and subkeys:
 
-        gpg --decrypt $BACKUP_DIR/gnupg-backup-$FINGERPRINT.tar.pgp | tar -x -f - --to-stdout | gpg --homedir $OTHER_GNUPGHOME --import
+        gpg --decrypt $BACKUP_DIR/openpgp-backup-$FINGERPRINT.tar.pgp | tar -x -f - --to-stdout | gpg --homedir $OTHER_GNUPGHOME --import
 
-    TODO: this procedure needs testing. we need to talk to both
-    GNUPGHOME directories at once and it's unclear if the above works.
+    You need the *first*, *main* key to perform this operation.
 
  5. confirm GnuPG can see the secret keys:
     you should not see any `Card serial no.`, `sec>`, or `ssb>` in
@@ -797,16 +800,28 @@ from the backups.
 
  5. then go through the `keytocard` process again, which is basically:
  
-        gpg --edit-key $FINGERPRINT
+        gpg --homedir $OTHER_GNUPGHOME --edit-key $FINGERPRINT
 
-    then:
+    then *remove* the main key and plug in the *backup* yubikey to
+    move the keys to *that* key:
     
         keytocard
         1
         key 1
         keytocard
+        2
+        key 1
         key 2
         keytocard
+        3
+        save
+
+    If that fails with "No such device", you might need to kill
+    gpg-agent again as it's very likely confused:
+
+        killall scdaemon gpg-agent
+
+    Or you might need to plug the key out and back in again.
 
 At this point the new key should be a good copy of the previous
 YubiKey. If you are following this procedure because you have lost