Relearn GPG key fingerprint

My GPG setup consists of two Yubikey keys, each holding the same set of keys in its internal storage. The reason behind this is that keys can’t be exported from the Yubikey (at least you shouldn’t be able to do that). There’s also the PIN protecting the usage of those keys. There are also additional security mechanisms making this setup considerably more secure than keeping the GPG key directly on the machine, but that’s beyond the scope of this article. ...

August 7, 2021 · 3 min · Ivan Tomica

Fedora Yubikey GPG-Agent scdaemon issues

Background: I use GPG for encrypting various things locally on my machines. Things like .authinfo.gpg, which gets sourced by Emacs, and things like that. In the past I used it even more, when I was actively using Password Store as my password manager. But not to go too far off-topic, let’s talk about the issue that’s been plaguing me ever since Fedora 33 and how I, finally, solved it. My GPG keys are saved on a Yubikey (2 copies), which acts as a smart card. Once I import the key into my machine, the Yubikey has to be plugged in in order to use it (the private key on the machine is just a reference to the smart card location). Due to the keys being on two Yubikeys, there’s a bit of gymnastics that has to be done if I plug the second Yubikey into the machine that already used the first one, but that topic is beyond the scope of this article, and will likely find a place of its own on this blog. ...

August 6, 2021 · 3 min · Ivan Tomica