Migrating to Smartcards

Martin Gollowitzer gollo at fsfe.org
Tue Aug 30 20:40:22 CEST 2011


Dear Richard,

* Richard <richard at r-selected.de> [110830 20:30, 
  mID <CA+WmQonz0AssSNXzh4FGQrofEvHqZ2Gj9XW5P0a0eq55mU--pA at mail.gmail.com>]:

> Hello,
> 
> for security reasons, I have decided to migrate my most important
> subkeys to smartcards. I have a number of questions regarding the
> transfer/migration.

I think this is a good decision.

> a) I've bought two OpenPGP smartcards (v2). Their overprint says they
> support "RSA with up to 3072 bit". In the GnuPG 2.0.18 release notes
> one change was to "Allow generation of card keys up to 4096 bit". Does
> that apply to the OpenPGP v2 card?

AFAIR, 3072 bit keys have to be generated on the card. If you use
off-card generation, you are limited to 2048 bits.

> b) As far as I know, the cards can only store subkeys, i.e. no primary
> key. That way, only decryption, signing and authentication will be
> possible. If I want to sign other keys, will I have to keep the
> primary key somewhere safe off-card?

Both are possible. IMHO the best way is to use subkeys. If you want to
sign a key, you can use the backup of your main key as long as you
follow the howto at [1] which I happen to be a co-author of.

> c) For convenience, I bought two cards which are supposed to store the
> same keys. I want to carry one card around with me every day for
> mobile use (I also bought an SCR3500 reader for that purpose) and
> leave the other one at home in the card reader on my desk. Now the
> problem is that the keytocard command can only be issued once, since
> it deletes the key from the computer. To copy the keys to both cards,
> I would have to backup my secret keys, insert card #1, issue
> keytocard, restore the backup, insert card #2, issue keytocard again.
> Will that cause any problems in later GnuPG use as the cards' IDs are
> different?

This should not be a problem if you follow the howto mentioned. You can
use a copy of your backup and transfer the keys to the second card. It
is however important to have the "right" secret keyring on the PC you
are using the card with as the ID of the card which has the subkeys is
being stored. 

I hope this is helpful for you, but if you have any questions, don't
hesitate to ask :-)

[1] http://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups

All the best, 
Martin 
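The caveat in the reply to (c) is that the secret keyring does not hold the subkeys after keytocard, only stubs that record the serial number of the card the keys went to; with the other card inserted, gpg will ask for the card the stub names. The following is an added example, not code from the original thread or from GnuPG, that shows how to check which card each stub is bound to. It parses the machine-readable output of `gpg --with-colons --list-secret-keys`, where (per GnuPG's doc/DETAILS) field 15 of a sec/ssb record carries the card serial number for an on-card key, "#" when the secret part is missing entirely (a primary key kept offline), and "+" when the secret key is on disk. The sample listing, key IDs and card serials are constructed for this example.

```python
"""Check which OpenPGP card serial each secret subkey stub is bound to.

Parses ``gpg --with-colons --list-secret-keys`` output. Field 15 of a
sec/ssb record (index 14 after splitting on ':') is, per GnuPG's DETAILS:
  - the card serial number, if the key lives on a card (keytocard stub)
  - '#', if the secret material is not available at all
  - '+' (or empty), if the secret key is in the keyring on disk
The listing below is constructed; key IDs and serial numbers are made up.
"""

# Constructed sample: primary key kept offline (stub), signing and encryption
# subkeys moved to one card with keytocard, authentication subkey still on disk.
SAMPLE_LISTING = """\
sec:u:2048:1:0123456789ABCDEF:1314727800:::u:::scESCA:::#:::
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:
uid:u::::1314727800::UIDHASH::Richard <richard at r-selected.de>::::::
ssb:u:2048:1:1111222233334444:1314727800::::::s:::D2760001240102000005000012340000:::
ssb:u:2048:1:5555666677778888:1314727800::::::e:::D2760001240102000005000012340000:::
ssb:u:2048:1:9999AAAABBBBCCCC:1314727800::::::a:::+:::
"""


def parse_secret_listing(listing):
    """Return one dict per sec/ssb record with the key ID, its capability
    flags, and where the secret material lives: 'disk', 'missing', or the
    serial number of the card the stub points at."""
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue  # fpr/uid/other records carry no secret-key location
        token = fields[14] if len(fields) > 14 else ""
        if token in ("", "+"):
            location = "disk"
        elif token == "#":
            location = "missing"
        else:
            location = token  # card serial number
        keys.append({
            "type": fields[0],
            "keyid": fields[4],
            "caps": fields[11] if len(fields) > 11 else "",
            "location": location,
        })
    return keys


def card_serials(listing):
    """Set of distinct card serial numbers referenced by stubs in the keyring."""
    return {k["location"] for k in parse_secret_listing(listing)
            if k["location"] not in ("disk", "missing")}


def subkeys_bound_to_other_card(listing, serial):
    """Key IDs of subkeys whose stub names a card other than `serial`.

    If this is non-empty for the card you are about to insert, this keyring
    was populated by keytocard against the other card: gpg will prompt for
    that card's serial number instead of using the one in the reader."""
    return [k["keyid"] for k in parse_secret_listing(listing)
            if k["type"] == "ssb"
            and k["location"] not in ("disk", "missing")
            and k["location"] != serial]


if __name__ == "__main__":
    for k in parse_secret_listing(SAMPLE_LISTING):
        print(f"{k['type']} {k['keyid']} [{k['caps']}] -> {k['location']}")
    print("cards referenced:", card_serials(SAMPLE_LISTING))
```

To run this against a real keyring, feed the function the text of `gpg --with-colons --list-secret-keys` instead of the constructed sample. The serial number a card reports is visible with `gpg --card-status`, so you can compare it with the serial each stub records before deciding which backup copy of the secret keyring belongs on which machine.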