2.1.x regression (Re: gpg2 keytocard removes secret key)

NIIBE Yutaka gniibe at fsij.org
Wed Feb 18 01:26:30 CET 2015

On 02/18/2015 02:35 AM, micah anderson wrote:
> To move the secret key material to the card, removing it from the
> computer, you would simply do a 'keytocard' operation, and then quit and
> save. In order to keep the secret key material on the computer, you
> would do the same operation, but this time you would *not* save when you
> quit. There are a number of tutorials out there that describe this step
> as the way to do it.
> I discovered yesterday that this third method does not work with gpg2:
> when you do the 'keytocard' operation, the secret key material is
> removed; you do not have the ability to opt out of the saving process.

Sorry, my bad.  It is obviously a regression in 2.1.x.  Note that
it works with 2.0, as it does with gpg1.

An excuse.  From 2.0 to 2.1, there was a major architectural change
which moved private key handling to gpg-agent.  Then, the
"keytocard" feature was lost and it remained unimplemented (for somewhat
longer) during 2.1 development.  It was kind of the last unimplemented
feature of 2.1 which blocked the release.  A year ago, I managed to
implement the feature again in the commits:


But I forgot about the third case.

No, this is not a correct description.  Now I can remember that I
clearly recognized this particular regression once or twice, and I
knew the exact reason.  But it was buried under my unconscious
world.  Then I made myself blind to this regression.

To support the third case, it would be required to add another command
(or two) to gpg-agent.  But I think that it's worth doing that.


> Perhaps a giant warning asking you to confirm, would help people not
> lose their secret key material

This makes sense now, at least.

> Fortunately, when I was doing this, I had backups... !


I opened an issue here to track it:


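A check that follows from the behaviour described above, added here as an example and not part of the original message or of GnuPG itself: before relying on a "keytocard then quit without saving" workflow, parse `gpg -K --with-colons` output to see whether gpg still holds secret key material for each (sub)key locally or only a card reference or stub. Field numbering follows GnuPG's doc/DETAILS; the listing below is constructed sample input, not real output.

```python
"""Report where gpg thinks each secret (sub)key lives, from `gpg -K --with-colons`.

Run the same check before and after a keytocard: on the 2.1.x versions
discussed in the message above, the local copy is gone after the
operation, and this listing shows that instead of a later surprise.
"""

# Field 15 of a sec/ssb record (1-based, per GnuPG's doc/DETAILS): serial
# number of the token holding the key, '#' for a plain stub, or empty ('+'
# with --with-secret) when the secret key material is in the local keystore.
TOKEN_FIELD = 14  # 0-based index of field 15


def classify_secret_keys(colon_listing: str) -> dict:
    """Map key ID -> 'local', 'card:<serial>' or 'stub' for each sec/ssb record."""
    result = {}
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if len(fields) <= TOKEN_FIELD or fields[0] not in ("sec", "ssb"):
            continue  # fpr, uid, grp etc. carry no secret-key location
        keyid, token = fields[4], fields[TOKEN_FIELD]
        if token == "#":
            result[keyid] = "stub"
        elif token in ("", "+"):
            result[keyid] = "local"
        else:
            result[keyid] = "card:" + token
    return result


def keys_without_local_copy(colon_listing: str) -> list:
    """Key IDs whose secret material gpg no longer holds on disk."""
    return sorted(k for k, v in classify_secret_keys(colon_listing).items()
                  if v != "local")


# Constructed sample listing (not real gpg output): a primary key still on
# disk, one subkey moved to a card, and one subkey that is a bare stub.
SAMPLE_LISTING = """\
sec:u:2048:1:AAAA0000AAAA0000:1424217600:::u:::scESC::::::::
fpr:::::::::1111111111111111111111111111111111111111:
ssb:u:2048:1:BBBB1111BBBB1111:1424217600::::::e:::D2760001240102000006000012340000::::
ssb:u:2048:1:CCCC2222CCCC2222:1424217600::::::s:::#::::
"""

if __name__ == "__main__":
    for keyid, where in classify_secret_keys(SAMPLE_LISTING).items():
        print(keyid, where)
    print("no local copy:", keys_without_local_copy(SAMPLE_LISTING))
```

To check a real keyring, feed the output of `gpg -K --with-colons` to `classify_secret_keys` instead of the sample; an empty result from `keys_without_local_copy` means every secret key is still on disk.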