How to create a backup card from pub+sec+sk (v1.1) to be able to decrypt - or import sk into the sec key to decrypt without card

Olav Seyfarth olav at
Sun Dec 13 19:33:32 CET 2009


Hi list,

I spent a lot of time trying to find out how to set up a second SmartCard from
the default card backup (public key, secret key stub, off-card sk_enc) in order
to be able to read my old messages again - since the first card was broken one
day: it would no longer decrypt (hardware error).

- two OpenPGP SmartCards (V 1.1 !), one main card, one empty card to replace
  the (now broken) one
- Key generated on-card on CARD_A using GnuPG 1.4.9 (on Windows XP), with
  off-card backup during creation -> file "sk_ENCKEY-KEYID.asc" (ASCII-armored)
- Backup of public and secret key from the keyring after generation
  -> files "KEYID_pub.gpg" and "KEYID_sec.gpg"
- meanwhile I use GnuPG 2.0.12 (on Windows 7)

What I did:
- kill gpg-agent (and scdaemon)
- move Homedir "<user-appdata>\gnupg" aside
- gpg --dearmor sk_ENCKEY-KEYID.asc > sk_enc.gpg
- gpg --import KEYID_pub.gpg KEYID_sec.gpg
- insert CARD_B
- gpg --edit-key KEYID
  bkuptocard sk_enc.gpg
  PIN (to decrypt sk_enc)
  Admin-PIN (to write to the card)
  y (to save)

Result: the encryption key is correctly written to the card, but the keyring
doesn't refer to the new CARD_B but still to CARD_A.

I found
telling to delete the secret key and reimport it through the --card-edit

Yet this didn't work: it just didn't create a new secret key (since the main
key still refers to the old card, I assume). I could also not just delete a
secret subkey, since after "toggle" and "key 2" the delkey command asked me
to "toggle" (back to pubkeys) prior to being issued. I also tried to delete
the whole subkey (which worked) and reimported the pubkey (with "fetch" in
--card-edit), but even then no secret subkey was created from the card.

Maintainers, please provide a step-by-step guide on how to recover from card
failure or loss with the above prerequisites (which is the default way to set
up an OpenPGP card!) in the SmartCard Howto or the FAQ on .

Apart from the "create a backup card" scenario, I'd rather import sk_enc.gpg
into the secret key (in the keyring), revoke it and accept the risk that old
messages may no longer be 110% safe. How to accomplish this? It would prevent
the need to switch cards when reading old messages, since I now use a V2.0 card
on a daily basis ...

-- 
The Enigmail Project - OpenPGP Email Security For Mozilla Applications
Version: GnuPG v2.0.12 (MingW32)
Comment: This email is digitally signed/encrypted
Comment: Using GnuPG with Mozilla -
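The symptom above ("the keyring still refers to CARD_A") can be checked without a card inserted by reading which token serial each secret-key stub points to. The following script is an added example, not part of the mail or of GnuPG; it assumes the `--with-colons` record format of GnuPG 2.1 and later (field 15 of `sec`/`ssb` records carries the card serial number, `#` for a missing secret key, `+` for a key held in the keystore), which differs from the `ssb>` marker that the 2.0.12 mentioned above prints. The listing it parses is constructed sample data, not real keys.

```shell
#!/bin/sh
# card_stubs: read "gpg --with-colons -K" output on stdin and print, for every
# sec/ssb record, the key ID, its capabilities and where the secret material
# lives (keystore, missing, or the serial of the card the stub points to).
# Field numbers follow the GnuPG 2.1+ DETAILS document (assumption: that format).
card_stubs() {
    awk -F: '$1 == "sec" || $1 == "ssb" {
        if ($15 == "" || $15 == "+")      where = "keystore"
        else if ($15 == "#")              where = "missing"
        else                              where = "card:" $15
        print $1, $5, $12, where
    }'
}

# serial_of KEYID: the card serial a given key ID points to, or "" if none.
serial_of() {
    card_stubs | awk -v id="$1" '$2 == id && $4 ~ /^card:/ { sub(/^card:/, "", $4); print $4 }'
}

# Constructed sample listing: a primary key on one card and an encryption
# subkey whose stub still points at a different (old) card serial.
SAMPLE='sec:u:2048:1:0123456789ABCDEF:1260000000:::u:::scESC:::D2760001240101010001000000010000::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1260000000::0000000000000000000000000000000000000000::Sample User <sample@example.invalid>::::::::::0:
ssb:u:2048:1:FEDCBA9876543210:1260000000::::::e:::D2760001240101010001000000020000::23:
fpr:::::::::00000000000000000000000000FEDCBA9876543210:'

# Stand-alone run: show which card each stub refers to. With a real keyring,
# replace the sample with:  gpg --with-colons -K | card_stubs
printf '%s\n' "$SAMPLE" | card_stubs
```

If the encryption subkey's serial is not the one printed by `gpg --card-status` for the card currently inserted, the stub still belongs to the other card, which is exactly the state described in the mail.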