OpenPGP smartcard restore

Tristan Williams home at tristanwilliams.com
Tue Jun 13 22:17:39 CEST 2006 

On 13 Jun 2006, at 20:37, David Shaw wrote:

> On Tue, Jun 13, 2006 at 02:01:27PM +0100, Tristan Williams wrote:
>> I am experimenting with the OpenPGP smartcard. I have two OpenPGP  
>> smart
>> cards (smartA and smartB) and I want to verify that I can restore my
>> on-card generated private key should I loose the master card
>> (smartA). I only want to verify that I can do it - not discuss the
>> merits of on-card vs. off-card key generation.
>>
>> I start with an empty ~/.gnupg
>>
>> For smartA I have
>>
>> (1) an on-card generated key
>> (2) the backup file created ~/.gnupg/sk_X.gpg at key generation
>> (3) a backup of ~/.gnupg/secring.gpg when the
>> (4) a file with the exported associated public key
>> (5) a test file encrypted with above public key which decrypts  
>> with smartA
>> (6) the pass phrase used at key generation
>> (7) second OpenPGP smartcard (smartB)
>>
>> I then I imagine that I have lost my card (smartA), my computer  
>> hard disk has
>> died and I have to restore to a fresh new gpg environment (i.e. no
>> ~/.gnupg) and smartB
>>
>> I then issues these commands
>>
>> gpg --list-keys
>> which creates ~/.gnupg and various files within it.
>>
>> gpg --import public_key.asc
>> using (4) from my backups
>>
>> gpg --list-keys
>> shows that the public key has been imported
>>
>> I then copy my backup secring.gpg to ~/.gnugpg
>>
>> gpg --edit-key KEYID
>> shows that the secret key is present
>>
>> gpg --list-secret-keys
>> shows that the secret key is linked to card-no smartA
>>
>> gpg --edit-key KEYID
>> toggle
>> bkuptocard sk_X.gpg
>>
>> choose the (1) the signature
>> replace existing key yes
>> enter pass phrase
>> save changes yes
>>
>> Now
>>
>> gpg --list-keys
>> shows the key still linked to card-no smartA and not smartB
>>
>> any action needing the private key using smartB results in gpg
>> requesting that you put in smartA (which is lost...)
>
> Try this: do everything you did above, but at the end, delete the
> secret key stub:
>
>   gpg --delete-secret-keys KEYID
>
> (or gpg --edit-key, toggle, and delkey if you're doing just a subkey).
>
> And now recreate the stub:
>
>   gpg --card-edit
>
> I don't have my card with me so I can't test this, but it should do
> what you want.
>
> David
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

It works as you suggested.

gpg is now happy with smartB (and longer asks  for smartA). The file  
I encrypted with the public key is decrypted correctly.
gpg now references smartB not smartA when listing keys.

So what is in sk_X.gpg if it is not a standalone importable secret key?

Thanks and regards,

Tristan Williams

More information about the Gnupg-users mailing list