On Tue, Apr 2, 2024 at 5:12 PM Pierre-Elliott Bécue <p...@debian.org> wrote:

> If you have a master key on your laptop, when a yubikey is in, while
> running gpg --edit-key your_main_key, you can use the "addcardkey" to
> create a subkey on the Yubikey directly.
>

Yeah, seconded for sure. This is the configuration my Debian key is in --
it has an offline root key, which is stored on an LVM encrypted external
drive, and when I need to use it (new yubikey, or updating expiry), I use
an offline-only box to mount the LVM drive, plug in the yubikey, and update
the key, exporting the public key to load into my daily box.

It's worked well, and this has been my workflow for a few years now (since
2019). It's not the easiest workflow (I've let my key expire twice because
I couldn't get the offline box set up and key ceremony done in time) but
it's worked well for me, and I'm especially sensitive about keeping private
key material off my disks where I can. I'd rather eat the cost of the setup
over exposing the project to additional keying material sitting around my
disk.

-- 
:wq
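The workflow in the reply above, as an added example that is not part of the thread and not anyone's real setup: a POSIX shell script that builds a certify-only root key in a throwaway GNUPGHOME, keeps the addcardkey step behind a card check, exports only the public part for the daily box, and verifies that the daily homedir ends up holding no secret key material. The volume /dev/vg_offline/gpg, the mount point, and the uid "Example Maintainer <maint@example.org>" are placeholders I chose; the card step itself is interactive and only runs with a Yubikey plugged in.

```shell
#!/bin/sh
# Added example, not code from the thread. Scripts the offline-root /
# Yubikey-subkey workflow described above. Every name here is an
# assumption: the encrypted volume, the mount point and the uid are
# placeholders, not a real maintainer's key.
set -eu

KEY_UID="Example Maintainer <maint@example.org>"   # constructed uid
OFFLINE_DEV="${OFFLINE_DEV:-/dev/vg_offline/gpg}"   # placeholder LV
OFFLINE_MNT="${OFFLINE_MNT:-/mnt/offline-gpg}"      # placeholder mountpoint

# Step 1 (offline box only): open the encrypted volume on the LVM drive
# and mount it so GNUPGHOME can point at the keyring stored there.
mount_offline_keyring() {
    cryptsetup open "$OFFLINE_DEV" offline-gpg
    mkdir -p "$OFFLINE_MNT"
    mount /dev/mapper/offline-gpg "$OFFLINE_MNT"
    echo "$OFFLINE_MNT/gnupg"
}

# Create a certify-only primary key (no sign/encrypt/auth subkeys) in a
# fresh homedir. ed25519 keeps the demo fast; the layout is the point.
create_offline_root() {
    home="$1"
    mkdir -p -m 700 "$home"
    gpg --homedir "$home" --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$KEY_UID" ed25519 cert never
}

# Number of subkeys on the root key; 0 until addcardkey has been run.
count_subkeys() {
    gpg --homedir "$1" --batch --with-colons --list-keys | grep -c '^sub:' || true
}

# Step 2: with the Yubikey plugged in, generate a subkey on the card.
# addcardkey prompts for the slot (signature/encryption/authentication)
# and expiry; the private half is generated on and never leaves the card.
add_yubikey_subkey() {
    home="$1"
    if ! gpg --homedir "$home" --batch --card-status >/dev/null 2>&1; then
        echo "no OpenPGP card detected; plug in the Yubikey first" >&2
        return 1
    fi
    gpg --homedir "$home" --edit-key "$KEY_UID" addcardkey save
}

# Step 3: export the public key (carrying the card subkey's stub once it
# exists) for the daily box. Only --export, never --export-secret-keys.
export_public_key() {
    gpg --homedir "$1" --batch --armor --export "$KEY_UID" > "$2"
}

# On the daily box: import the public key into that box's own homedir.
import_public_only() {
    home="$1"
    mkdir -p -m 700 "$home"
    gpg --homedir "$home" --batch --import "$2"
}

# Check for the daily box: it should hold no secret key at all.
count_secret_keys() {
    gpg --homedir "$1" --batch --with-colons --list-secret-keys | grep -c '^sec:' || true
}

# Stop the agent spawned for a throwaway homedir.
cleanup_homedir() {
    gpgconf --homedir "$1" --kill gpg-agent 2>/dev/null || true
}
```

The functions are meant to be called in order on the offline box (mount, create or reuse the root, add the card subkey, export) and then import_public_only on the daily box; count_secret_keys on the daily homedir is the check that nothing but public material was carried over.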
