Storing key on multiple smartcards

NIIBE Yutaka gniibe at
Tue May 7 03:21:41 CEST 2019


I merged the scdaemon change of mine to master.  Now,
PKSIGN/PKAUTH/PKDECRYPT command can be used with KEYGRIP directly, and
it is scdaemon which selects card (among possibly multiple cards).

Werner Koch <wk at> wrote:
> The information is also used to prompt the user to insert a specific
> card.  The serial number is a good way to identify a card because it is
> printed onto the card.  However some configurable way to name a card is
> also useful.
> I am currently working on recording all serial numbers used with a token
> based key in the shadow key info file.  The new format allows easy
> manual editing of that info and also allows to put a "Label:" line into
> the the file to be prompted with e.g. "The green token on my keyring".

Yes.  Support of label (and serial number) is orthogonal to ongoing
change of mine.

			*	*	*

My plan to change gpg-agent is: By gpg-agent's offering private key
information in a better way, gpg frontend can be modified to select
a key easier (so that user can have better UI).

Now, gpg-agent KEYINFO command is like this:

# KEYINFO [--[ssh-]list] [--data] [--ssh-fpr[=algo]] [--with-ssh] <keygrip>
# Return information about the key specified by the KEYGRIP.  If the
# key is not available GPG_ERR_NOT_FOUND is returned.  If the option
# --list is given the keygrip is ignored and information about all
# available keys are returned.  If --ssh-list is given information
# about all keys listed in the sshcontrol are returned.  With --with-ssh
# information from sshcontrol is always added to the info. Unless --data
# is given, the information is returned as a status line using the format:
#   KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr>
# KEYGRIP is the keygrip.
# TYPE is describes the type of the key:
#     'D' - Regular key stored on disk,
#     'T' - Key is stored on a smartcard (token),
#     'X' - Unknown type,
#     '-' - Key is missing.
# SERIALNO is an ASCII string with the serial number of the
#          smartcard.  If the serial number is not known a single
#          dash '-' is used instead.
# IDSTR is the IDSTR used to distinguish keys on a smartcard.  If it
#       is not known a dash is used instead.
# CACHED is 1 if the passphrase for the key was found in the key cache.
#        If not, a '-' is used instead.
# PROTECTION describes the key protection type:
#     'P' - The key is protected with a passphrase,
#     'C' - The key is not protected,
#     '-' - Unknown protection.
# FPR returns the formatted ssh-style fingerprint of the key.  It is only
#     printed if the option --ssh-fpr has been used.  If ALGO is not given
#     to that option the default ssh fingerprint algo is used.  Without the
#     option a '-' is printed.
# TTL is the TTL in seconds for that key or '-' if n/a.
# FLAGS is a word consisting of one-letter flags:
#       'D' - The key has been disabled,
#       'S' - The key is listed in sshcontrol (requires --with-ssh),
#       'c' - Use of the key needs to be confirmed,
#       '-' - No flags given.
# More information may be added in the future.

I'm going to modify this, to distinguish a key on card which is
inserted, and a key on card which is not inserted.  This can be either:

(1) For key on inserted card, add another flag into FLAGS (say, 'A' for


(2) Introduce new TYPE (say, 'O' for offline) and change the semantics
of 'T' meaning inserted card.

Currently, both of gpg frontend and gpg-agent need to have code of loop
for enumerating active cards.  Using KEYINFO command of scdaemon,
gpg-agent can merge card key information and disk key information.

More information about the Gnupg-devel mailing list