When I generate a new OpenPGP key on a YubiKey, it gives me the option to save a copy of the encryption key as a backup like so:
$ gpg --edit-card
Reader ...........: Yubico Yubikey NEO U2F CCID 00 00
Application ID ...: D2760001240102000006054943550000
Application type .: OpenPGP
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 05494355
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
gpg/card> admin
Admin commands are allowed
gpg/card> generate
Make off-card backup of encryption key? (Y/n) Y
Which will result in the keys getting generated on my YubiKey and a file stored in my GNUPGHOME folder like sk_5F91DF31AB07820C.gpg which is the encryption key.
My question is how do I import this key back into a usable form if I should ever lose the YubiKey?
I was expecting a way to create a new key on my local machine and then import this backup key as a new subkey, but I couldn't find a way to do that.
I see that there is an option under gpg --edit-key called bkuptocard, which seems to do what I want, but when I try doing that it seems that it only loads the key into the slot on the YubiKey, but doesn't actually make it available for decryption in gpg.
How can I utilize this backup key if I ever lose my YubiKey?