
Include ability to use any/all of the keys stored on YubiKey's PIV applet ("retired" keys)
Open, Low, Public

Description

Since the YubiKey is a very important token used with GnuPG and both its OpenPGP and PIV applets are supported, it would be nice if we could use with GnuPG and Kleopatra all of the keys from the PIV applet, instead of just the four standard ones. The YubiKey 5 can store many more keys on the "retired" slots, but they are not accessible through GnuPG and Kleopatra.

Event Timeline

werner triaged this task as Low priority. Oct 6 2022, 6:44 PM
werner added a project: yubikey.
werner added a subscriber: werner.

The other key slots are claimed to be used for expired or archived keys as you rightfully mention. We need to figure out the real world semantic behind this before we can repurpose such keys.

I am using / planning to use these slots for the following:

  • Have old keys like RSA1024 or other old keys that are still required for decryption of old messages stored more securely than keeping them on disk
  • When moving from RSA to ECC: recover the old RSA keys to the retired key slot and create a new encryption key and upload it to 9D
  • Keep (potentially) compromised keys that may still be required to decrypt messages.
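The RSA-to-ECC migration described in the reply above, written out as an added example that is not part of this thread or of GnuPG: the old RSA private key is imported into one of the PIV "retired" slots (82..95) and a fresh ECC key is generated in the standard key-management slot 9d. It uses the yubico-piv-tool CLI (assumed installed, with a YubiKey 5 attached); the helper function names, the `/tmp` paths and the refusal checks (only retired slots, only empty slots) are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the GnuPG tracker thread. Archives an old RSA
# key in a PIV retired slot and creates a new ECC key in slot 9d with
# yubico-piv-tool. The management key and PIN are prompted for (-k, verify-pin).
set -eu

# PIV slot numbers as yubico-piv-tool names them (hex). 9d is the standard
# key-management (encryption) slot; 82..95 are the twenty "retired" slots.
is_retired_slot() {
    case "$1" in
        8[2-9a-fA-F]|9[0-5]) return 0 ;;
        *) return 1 ;;
    esac
}

# read-certificate exits non-zero when the slot holds no certificate, which is
# how we avoid silently overwriting a slot that is already in use.
slot_is_empty() {
    ! yubico-piv-tool -a read-certificate -s "$1" >/dev/null 2>&1
}

# Import an existing PEM private key into a retired slot and give it a
# self-signed certificate so PIV-aware software can enumerate the key.
archive_key_to_retired_slot() {
    slot=$1; keyfile=$2; subject=$3
    is_retired_slot "$slot" || { echo "refusing: $slot is not a retired slot" >&2; return 1; }
    slot_is_empty "$slot"   || { echo "refusing: slot $slot is already in use" >&2; return 1; }
    yubico-piv-tool -a import-key -s "$slot" -i "$keyfile" -k
    # The public half is needed as input for the self-signed certificate.
    openssl pkey -in "$keyfile" -pubout -out "/tmp/pub-$slot.pem"
    yubico-piv-tool -a verify-pin -a selfsign-certificate -s "$slot" -S "$subject" \
        -i "/tmp/pub-$slot.pem" -o "/tmp/cert-$slot.pem"
    yubico-piv-tool -a import-certificate -s "$slot" -i "/tmp/cert-$slot.pem" -k
}

# Generate the replacement ECC P-256 encryption key on-device in slot 9d; the
# public key is written out so a certificate can be issued for it afterwards.
generate_new_encryption_key() {
    yubico-piv-tool -a generate -s 9d -A ECCP256 -k -o /tmp/pub-9d.pem
}

# Usage: sh piv-migrate.sh 82 old_rsa.pem "/CN=archived RSA key/"
if [ "$#" -eq 3 ]; then
    archive_key_to_retired_slot "$1" "$2" "$3"
    generate_new_encryption_key
fi
```

The slot check is the important part: the standard slots 9a, 9c, 9d and 9e keep their defined PIV meaning, so the script only ever writes archived material into the 82..95 range and never into a slot that already carries a certificate.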