Migrating to Smartcards

Werner Koch wk at gnupg.org
Tue Aug 30 20:40:05 CEST 2011

On Tue, 30 Aug 2011 17:54, richard at r-selected.de said:

> a) I've bought two OpenPGP smartcards (v2). Their overprint says they
> support "RSA with up to 3072 bit". In the GnuPG 2.0.18 release notes
> one change was to "Allow generation of card keys up to 4096 bit". Does
> that apply to the OpenPGP v2 card?


> b) As far as I know, the cards can only store subkeys, i.e. no primary
> key. That way, only decryption, singing and authenticaion will be
> possible. If I want to sign other keys, will I have to keep the
> primary key somewhere safe off-card?

The default is to create a complete new key.

> c) For convenience, I bought two cards which are supposed to store the
> same keys. I want to carry one card around with me every day for

You need to create the keys off-card and then export them to the card.
"keytocard" in the --edit-key menu is what you want.  

> problem is that the keytocard command can only be issued once, since
> it deletes the key from the computer. To copy the keys to both cards,

Don't run "save" after "keytocard" and the key should stay on the disk.

> keytocard, restore the backup, insert card #2, issue keytocard again.
> Will that cause any problems in later GnuPG use as the cards' IDs are

Possible.  It will be easy to disable the check or - if the second
card is used as a backup - to generate a new key -stub with the new
serial number.  It is not cryptographically locked.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list