OpenPGP smartcard restore

David Shaw dshaw at jabberwocky.com
Tue Jun 13 21:37:37 CEST 2006


On Tue, Jun 13, 2006 at 02:01:27PM +0100, Tristan Williams wrote:
> I am experimenting with the OpenPGP smartcard. I have two OpenPGP smart
> cards (smartA and smartB) and I want to verify that I can restore my
> on-card generated private key should I lose the master card
> (smartA). I only want to verify that I can do it - not discuss the
> merits of on-card vs. off-card key generation.
> 
> I start with an empty ~/.gnupg
> 
> For smartA I have
> 
> (1) an on-card generated key
> (2) the backup file created ~/.gnupg/sk_X.gpg at key generation
> (3) a backup of ~/.gnupg/secring.gpg when the 
> (4) a file with the exported associated public key 
> (5) a test file encrypted with above public key which decrypts with smartA
> (6) the pass phrase used at key generation
> (7) second OpenPGP smartcard (smartB)
> 
> I then imagine that I have lost my card (smartA), my computer hard disk has
> died and I have to restore to a fresh new gpg environment (i.e. no
> ~/.gnupg) and smartB
> 
> I then issue these commands 
> 
> gpg --list-keys 
> which creates ~/.gnupg and various files within it.
> 
> gpg --import public_key.asc 
> using (4) from my backups
> 
> gpg --list-keys 
> shows that the public key has been imported
> 
> I then copy my backup secring.gpg to ~/.gnupg
> 
> gpg --edit-key KEYID 
> shows that the secret key is present
> 
> gpg --list-secret-keys 
> shows that the secret key is linked to card-no smartA
> 
> gpg --edit-key KEYID
> toggle
> bkuptocard sk_X.gpg
> 
> choose (1) the signature 
> replace existing key yes
> enter pass phrase 
> save changes yes
> 
> Now 
> 
> gpg --list-keys 
> shows the key still linked to card-no smartA and not smartB
> 
> any action needing the private key using smartB results in gpg
> requesting that you put in smartA (which is lost...)

Try this: do everything you did above, but at the end, delete the
secret key stub:

  gpg --delete-secret-keys KEYID

(or gpg --edit-key, toggle, and delkey if you're doing just a subkey).

And now recreate the stub:

  gpg --card-edit

I don't have my card with me so I can't test this, but it should do
what you want.

David
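A check for the situation Tristan describes (secret key stubs still pointing at the lost card's serial), as an added example that is not code from this thread. It assumes GnuPG 2.1 or later, where field 15 of the "sec" and "ssb" lines in `gpg --with-colons --list-secret-keys` holds the token serial number, "+" means the secret key is stored locally and "#" means it is unavailable; the card serials below are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Parses GnuPG's machine-readable secret
# key listing and reports which card serial each secret key or subkey stub
# points at, so you can confirm the stubs reference the replacement card
# rather than the lost one. Assumption: GnuPG 2.1+, where field 15 of "sec"
# and "ssb" lines is the token serial, "+" means the secret key is stored
# locally, and "#" means it is unavailable.

# Constructed sample listing (not real gpg output): primary key stub on card
# "...AAAA0001", encryption subkey stub on card "...AAAA0002", auth subkey
# with no secret key available.
SAMPLE_LISTING='sec:u:2048:1:1111111111111111:1150000000:::u:::scESC:::D2760001240102000005AAAA00010000:::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
ssb:u:2048:1:2222222222222222:1150000000::::::e:::D2760001240102000005AAAA00020000:::23:
fpr:::::::::0000000000000000000000000000000000000002:
ssb:u:2048:1:3333333333333333:1150000000::::::a:::#:::23:'

# stub_serials: read a colon listing on stdin and print "type keyid serial"
# for every secret (sub)key; an empty field 15 is reported as "(none)".
stub_serials() {
    awk -F: '$1 == "sec" || $1 == "ssb" {
        s = ($15 == "") ? "(none)" : $15
        print $1, $5, s
    }'
}

# stale_stubs EXPECTED_SERIAL: print the key ids whose stub points at a card
# other than EXPECTED_SERIAL (locally stored "+" and missing "#" are skipped).
stale_stubs() {
    want="$1"
    stub_serials | awk -v want="$want" '
        $3 != "+" && $3 != "#" && $3 != "(none)" && $3 != want { print $2 }'
}

# Example run: which stubs still point somewhere other than the new card?
printf '%s\n' "$SAMPLE_LISTING" | stale_stubs D2760001240102000005AAAA00020000
```

Run it against real output with `gpg --with-colons --list-secret-keys | stale_stubs SERIAL_OF_SMARTB`; any key id printed is a stub that still needs the delete-and-recreate step above.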
