smartcard: generate under --card-edit with off-card backup and bkuptocard/checkbkupkey under --key-edit

NIIBE Yutaka gniibe at
Thu Dec 24 04:31:36 CET 2015


I'm working the issue 2169:

Since I only do generating keys on card for testing purpose, I have
things to confirm for this use case.

# For myself, my practice is generating keys on host and doing
# keytocard.

While the support of checkbkupkey was removed, the two regressions
in 2.1 were fixed:

    * generating keys on card with off-card backup
    * bkuptocard

The checkbkupkey will be implemented again, if it's useful.  AIUC,
this command is for a user who wants to make sure if the backup file
can be used correctly with a passphrase remembered.  It would be just
simple to have another subcommand to recover a private subkey on host
from the backup (and a user will do "keytocard", if needed).

It seems that the scenario of bkuptocard is something like:

   (1) The smartcard was lost/broken.
   (2) But a user wants to read encrypted messages.
   (3) There is the public key (primary, subkeys) on host as well as
       the backup file for private key.
   (4) With new smartcard, a user recovers encryption key using the
       backup file for private key.

Is this correct?

Backup file is created on GnuPG's homedir.  So, I think that the commit
which assumes homedir for backup file makes sense:


If this is useful, I'd like to backport this to 2.0.

Currently, the private key stub is precondition for the subcommand

    N_("move a backup key to a smartcard")},

But I think that it is OK not to have the private key stub files on

Shall I remove KEYEDIT_NEED_SK flag from "cmds"?

More information about the Gnupg-devel mailing list