How to create a backup card from pub+sec+sk (v1.1) to be able to decrypt - or import sk into the sec key to decrypt without card

Olav Seyfarth olav at mozilla-enigmail.org
Sun Dec 13 19:33:32 CET 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Hi list,

I spent a lot of time trying to find out how to set up a second SmartCard from
the default card backup (public key, secret key stub, off-card sk_enc) in order
to be able to read my old messages again - since the first card was broken one
day: it would no longer decrypt (hardware error).

Prerequisites:
- two OpenPGP SmartCards (V 1.1 !), one main card, one empty card to replace
  the (now broken) one
- Key generated on-card on CARD_A using GnuPG 1.4.9 (on Windows XP), with
  off-card backup during creation -> file "sk_ENCKEY-KEYID.asc" (ASCII-armored)
- Backup of public and secret key from the keyring after generation
  -> files "KEYID_pub.gpg" and "KEYID_sec.gpg"
- meanwhile I use GnuPG 2.0.12 (on Windows 7)

What I did:
- kill gpg-agent (and scdaemon)
- move Homedir "<user-appdata>\gnupg" aside
- gpg --dearmor sk_ENCKEY-KEYID.asc > sk_enc.gpg
- gpg --import KEYID_pub.gpg KEYID_sec.gpg
- insert CARD_B
- gpg --edit-key KEYID
  toggle
  bkuptocard sk_enc.gpg
  PIN (to decrypt sk_enc)
  Admin-PIN (to write to the card)
  q
  y (to save)

Result: the encryption key is correctly written to the card, but the keyring
doesn't refer to the new CARD_B but still to CARD_A.

I found http://lists.gnupg.org/pipermail/gnupg-users/2006-June/028865.html
which says to delete the secret key and reimport it through the --card-edit
command.

Yet this didn't work: it just didn't create a new secret key (since the main
key still refers to the old card, I assume). I also could not just delete a
secret subkey, since after "toggle" and "key 2" the delkey command asked me
to "toggle" (back to the public keys) before it could be issued. I also tried
deleting the whole subkey (which worked) and reimporting the public key (with
"fetch" in --card-edit), but even then no secret subkey was created from the card.

Maintainers, please provide a step-by-step guide on how to recover from card
failure or loss with the above prerequisites (which is the default way to set
up an OpenPGP card!) in the SmartCard Howto or the FAQ on gnupg.org .

Apart from the "create a backup card" scenario, I'd rather import sk_enc.gpg
into the secret key (in the keyring), revoke it and accept the risk that old
messages may no longer be 110% safe. How do I accomplish this? It would avoid
the need to switch cards when reading old messages, since I now use a V2.0 card
on a daily basis ...

Olav
-- 
The Enigmail Project - OpenPGP Email Security For Mozilla Applications
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (MingW32)
Comment: This email is digitally signed/encrypted
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
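Added example, not part of the post above and not GnuPG's own code: a small Python script that shows at the OpenPGP packet level what the "keyring still refers to CARD_A" symptom is, and what "import sk_enc.gpg into the secret key" amounts to. A GnuPG card stub is a secret (sub)key packet whose string-to-key specifier uses GnuPG's private S2K type 101, followed by a hash octet, the bytes "GNU" and a protection mode octet (1 = gnu-dummy, no secret material at all; 2 = gnu-divert-to-card, followed by the length and bytes of the card serial number). That serial is the only link between the stub and a particular card, so after a bkuptocard run the check worth doing is to export the secret key and read the serial stored in each stub (gpg --list-packets prints the same fields). The script below parses old- and new-format packet headers, reports protection type, fingerprint and card serial per (sub)key, and splices a full secret key packet over any stub whose public fields (and therefore fingerprint) match; it assumes the dearmored backup file holds one secret key packet (tag 5 or 7) for the encryption subkey, and matches on public fields so the tag does not matter. All key material, the card serial and the "encrypted" bytes are constructed toy values (labelled as such in the code) and are not a real key. Whether a given GnuPG version accepts the merged packet stream over an already-present stub on --import is not something this example checks.

```python
import hashlib
import struct

TAG_SECRET_KEY, TAG_SECRET_SUBKEY, TAG_USER_ID = 5, 7, 13
PUB_MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}      # RSA variants, Elgamal, DSA

def read_packets(data):                                  # (tag, body) per RFC 4880 section 4.2
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte at offset %d" % i)
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hlen = first, 2
            elif first < 224:
                length, hlen = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hlen = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old format (GnuPG uses it for key packets)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
            hlen = (2, 3, 5)[ltype]                      # ltype 3 (indeterminate) raises IndexError
            length = int.from_bytes(data[i + 1:i + hlen], "big")
        yield tag, data[i + hlen:i + hlen + length]
        i += hlen + length

def write_packet(tag, body):                             # new-format header, 1 or 2 length octets
    if len(body) < 192:
        return bytes([0xC0 | tag, len(body)]) + body
    n = len(body) - 192
    return bytes([0xC0 | tag, 192 + (n >> 8), n & 0xFF]) + body

def public_part(body):                                   # version, creation time, algo, MPIs
    assert body[0] == 4, "only v4 keys are handled"
    off = 6
    for _ in range(PUB_MPI_COUNT[body[5]]):
        off += 2 + (int.from_bytes(body[off:off + 2], "big") + 7) // 8
    return body[:off]

def fingerprint(body):                                   # RFC 4880 section 12.2
    pub = public_part(body)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pub)) + pub).hexdigest().upper()

def describe_secret(body):
    """(protection, card serial) for the secret half of a (sub)key packet."""
    off = len(public_part(body))
    usage = body[off]                                    # string-to-key usage octet
    if usage not in (254, 255):                          # 0 = plaintext, otherwise a legacy cipher id
        return ("unencrypted" if usage == 0 else "passphrase (legacy)", None)
    s2k_type = body[off + 2]                             # off+1 holds the symmetric cipher id
    if s2k_type != 101:
        return ("passphrase (s2k type %d)" % s2k_type, None)
    # GnuPG extension: S2K type 101, hash octet, "GNU", mode (1 = dummy, 2 = divert-to-card)
    if body[off + 4:off + 7] != b"GNU":
        raise ValueError("S2K type 101 without GNU marker")
    mode = body[off + 7]
    if mode == 2:
        snlen = body[off + 8]
        return ("gnu-divert-to-card", body[off + 9:off + 9 + snlen].hex().upper())
    if mode == 1:
        return ("gnu-dummy", None)
    raise ValueError("unknown GNU protection mode %d" % mode)

def report(stream):                                      # [(tag, fingerprint, protection, serial)]
    return [(t, fingerprint(b)) + describe_secret(b)
            for t, b in read_packets(stream) if t in (TAG_SECRET_KEY, TAG_SECRET_SUBKEY)]

def merge_backup(keyring, backup):
    """Replace each card stub in keyring whose public fields match a secret key
    packet in backup with that full packet; the stub's own tag (5 or 7) is kept."""
    full = {public_part(b): b for t, b in read_packets(backup)
            if t in (TAG_SECRET_KEY, TAG_SECRET_SUBKEY)}
    out, replaced = bytearray(), 0
    for tag, body in read_packets(keyring):
        if tag in (TAG_SECRET_KEY, TAG_SECRET_SUBKEY) and \
                describe_secret(body)[0].startswith("gnu-") and public_part(body) in full:
            body, replaced = full[public_part(body)], replaced + 1
        out += write_packet(tag, body)
    return bytes(out), replaced

# ---- constructed sample data: toy MPIs and a made-up card serial, not real keys ----
_mpi = lambda v: struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
def _pub(n):                                             # v4, RSA (algo 1), toy n, e = 65537
    return bytes([4]) + struct.pack(">I", 1260729212) + bytes([1]) + _mpi(n) + _mpi(65537)
def card_stub(n, serial):                                # usage 255, cipher 0, S2K 101, hash 0
    return _pub(n) + bytes([255, 0, 101, 0]) + b"GNU" + bytes([2, len(serial)]) + serial
def protected_key(n):                                    # usage 254, AES-256, iter+salt S2K, SHA-1
    return _pub(n) + bytes([254, 9, 3, 2]) + b"\x01" * 8 + b"\x60" + b"\x02" * 16 + b"\x03" * 40
CARD_A, N_PRIMARY, N_ENCSUB = bytes.fromhex("D2760001240101010001000000A10000"), 0xC0FFEE1D, 0xDECAFBAD1
KEYRING = (write_packet(TAG_SECRET_KEY, card_stub(N_PRIMARY, CARD_A))
           + write_packet(TAG_USER_ID, b"Constructed User <user@example.invalid>")
           + write_packet(TAG_SECRET_SUBKEY, card_stub(N_ENCSUB, CARD_A)))
BACKUP = write_packet(TAG_SECRET_KEY, protected_key(N_ENCSUB))   # stands in for sk_enc.gpg
if __name__ == "__main__":
    print(report(KEYRING))                               # both stubs point at CARD_A
    print(report(merge_backup(KEYRING, BACKUP)[0]))      # subkey now carries the backup
```

To use it on real data, feed report() the bytes of `gpg --export-secret-keys KEYID` (the primary key and the encryption subkey should both show gnu-divert-to-card with the serial of the card they were written by), and merge_backup() the same bytes plus the dearmored sk_enc.gpg; the primary key stub is left untouched because the backup carries only the encryption subkey.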