Storing key on multiple smartcards

NIIBE Yutaka gniibe at
Mon Apr 22 06:43:10 CEST 2019

Frederick Zhang <frederick888 at> wrote:
> That sounds great! I was thinking that working around the current shadow
> key logic might require fewer changes but removing serial numbers from
> shadow keys is indeed better.

Let me share some technical detail of GnuPG internal.

My plan (in master, towards 2.3) is:

(1) gpg-agent shadow key protocol fix/modification

Now, gpg-agent assumes one private key material resides in a single
smartcard.  This restriction should be relaxed.

While current flow from gpg-agent to scdaemon is:

  keygrip -> private key file -> shadow-info -> serial number + id_string

It should be possible, directly using keygrip to scdaemon:


Then, we don't need the serial number as shadow-info in private key file.

I think that this direct use of keygrip will simplify things in GnuPG.

Besides, current protocol in use is named "t1-v1", which is typo.

(2) scdaemon modification

Now, the way to specify a key is:

	serial number + id_string


	serial number +  "/" + fingerprint

where id_string is "OpenPGP.1", "OpenPGP.2", and  "OpenPGP.3".

I'd like to extend it using a keygrip to specify a key.

Once, those modifications will be done, it's more straightforward to
support different use cases with smartcard.  (Or, those modifications
themselves will solve some existing issues automatically.)

Some use cases will still remain.  Some day, I'd like to support a use
case where signing+encryption is done naturally.  That is, signing with
a signing key on inserted smartcard and encryption for a encryption key
on that card.

More information about the Gnupg-devel mailing list