OpenPGP smartcard restore

[David Shaw]

On Tue, Jun 13, 2006 at 06:46:48PM +0100, Tristan Williams wrote:
> On 13Jun06 18:07, zvrba at globalnet.hr wrote:
> > On Tue, Jun 13, 2006 at 02:01:27PM +0100, Tristan Williams wrote:
> > > I am experimenting with the OpenPGP smartcard. I have two OpenPGP smart
> > > cards (smartA and smartB) and I want to verify that I can restore my
> > > on-card generated private key should I loose the master card
> > > (smartA). I only want to verify that I can do it - not discuss the
> > > merits of on-card vs. off-card key generation.
> > > 
> > > I start with an empty ~/.gnupg
> > > 
> > > For smartA I have
> > > 
> > > (1) an on-card generated key
> > >
> > You can stop here. In order to use card B you need to transfer the PRIVATE
> > key from card A to card B. It is _impossible_ to export the private key
> > under any circumstances (minus backdoors/implementation bugs in the smart-
> > card software). Period. If you want to have the same private key on several
> > physical cards, your only option is off-card generation, with import of the
> > key afterwards.
> > 
> > 
> 
> Then it makes me wonder what is the purpose of the off card backup
> file sk_X.gpg created when the original private key was created via
> the on-card method? I can appreciate there might be reasons for not
> permitting export of the private key from the card but I did expect
> that restoring a private key using the backup file made at key
> creation time would be possible. It looks like I was wrong in that
> thought.

There is a little misunderstanding here.  When you generate a card key
with off-card backup, the key is not generated via the on-card method.
The key is generated like any other key, and then uploaded to the
card (and saved to the backup file).

The card does not allow reading a secret key off the card, so if you
really generated it on-card, there would be no way of making the
backup file.

David