using a smartcard without keytocard

[Marco Steinacher]

Hauke Laging wrote:
> I have just bought a gnupg smartcard, copied my subkeys to it, and it works. I 
> have been using a key on several computers. Now I want the other systems to 
> use the smartcard, too, so that I can delete the private keys there. The 
> content of the smartcard is shown by --card-status and I could even use the 
> authentication key for an SSH connection.
> 
> For SSH connections gpg-agent looks at tha smartcard by default but it does 
> not for normal key lookup. I just get an error message (something like "no 
> private key found") if I delete the private keys.
> 
> Is there an "official" way to tell gpg to use the smartcard? Anything except 
> copying the keys to the card again (executing keytocard on all systems)?

I think deleting the the private key and issuing a 'gpg --card-status'
should be enough. With that, gpg should automatically generate the
secret key stubs which refer to the keys on that specific card.

(Alternatively, you could export the secret key stubs on the machine
where you have moved the keys to your card. An import these stubs on the
machines on which you want to use the card.)

> I had the idea that exporting the secret keys on the system which initialized 
> the smartcard might work. But for convenience I decided not to use the 
> smartcard at home so I imported the secret keys there...

I'm not sure what exactly you are getting at but if you have used the
keytocard command to transfer the keys to the card then the secret keys
in your keyring have been replaced by stubs. I.e. they are now only
stored on the smartcard and can't be retrieved anymore, unless you had a
copy stored elsewhere.

If you want to use the same keys without the smartcard at home, you have
to have a copy of the secret keys before you moved them to the card.
Make sure to import the real secret keys and not the stubs on that
machine. (I assume you have thought about the security implications of
doing so.)

> BTW: Does it make sense that the smartcard number is stored with the secret 
> key stub after the keytocard command? I haven't tried but I guess that copying 
> the same key to another card wouldn't work.

I think it just tells gnupg which card to use (or to request if it's not
inserted). In order to copy the same key to multiple cards you have to
make a copy of the secret keys before you move them to the first card,
because 'keytocard' will replace the secret keys by stubs as explained
above. Then you can re-import the secret keys from that copy and move
them to another card.

Marco

-- 
OpenPGP Key ID: 0x62937F7F


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 552 bytes
Desc: not available
URL: </pipermail/attachments/20100322/c9cbc910/attachment.pgp>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 552 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20100322/c9cbc910/attachment-0001.pgp>