Migrating to Smartcards
Werner Koch
wk at gnupg.org
Tue Aug 30 20:40:05 CEST 2011
On Tue, 30 Aug 2011 17:54, richard at r-selected.de said:
> a) I've bought two OpenPGP smartcards (v2). Their overprint says they
> support "RSA with up to 3072 bit". In the GnuPG 2.0.18 release notes
> one change was to "Allow generation of card keys up to 4096 bit". Does
> that apply to the OpenPGP v2 card?
Yes.
> b) As far as I know, the cards can only store subkeys, i.e. no primary
> key. That way, only decryption, signing and authentication will be
> possible. If I want to sign other keys, will I have to keep the
> primary key somewhere safe off-card?
The default is to create a complete new key.
> c) For convenience, I bought two cards which are supposed to store the
> same keys. I want to carry one card around with me every day for
You need to create the keys off-card and then export them to the card.
"keytocard" in the --edit-key menu is what you want.
> problem is that the keytocard command can only be issued once, since
> it deletes the key from the computer. To copy the keys to both cards,
Don't run "save" after "keytocard" and the key should stay on the disk.
> keytocard, restore the backup, insert card #2, issue keytocard again.
> Will that cause any problems in later GnuPG use as the cards' IDs are
Possible. It will be easy to disable the check or - if the second
card is used as a backup - to generate a new key-stub with the new
serial number. It is not cryptographically locked.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.